I'm having a problem with modsecurity and moin-moin. The following rule
is preventing wiki pages with the word '/etc' from posting. I'd like to
find a way to disable this rule for just the wiki (e.g. not for the
whole site) but am not sure how to do that in a granular way.
It seems like a generally sensible rule, but makes it impossible to post
pages that reference the names of configuration files. That's obviously
not what I want.
The rule is:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959005
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'950005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'959005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"

and is part of the standard modsecurity_crs_40_generic_attacks.conf
file. How can I override this rule for just the wiki page contents?
--
"Oh, look: rocks!"
-- Doctor Who, "Destiny of the Daleks"
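
One way to scope the exclusion asked about above, as an added example that is not part of the original post or of the Core Rule Set. It assumes the wiki is served under the hypothetical path /wiki and that page text arrives as form arguments (ARGS), which is what rule 950005 inspects; rule 959005 (request headers and XML) is left active.

```apache
# Added example. The /wiki path is an assumption; adjust it to where
# MoinMoin is actually mounted on the site.
#
# This block must be read by Apache AFTER the Include that loads
# modsecurity_crs_40_generic_attacks.conf: SecRuleRemoveById can only
# remove a rule that has already been defined.

# Too broad: at server or virtual-host level this would switch the
# check off for every application on the site.
# SecRuleRemoveById 950005 959005

# Scoped: drop only the ARGS/REQUEST_FILENAME variant of the rule, and
# only for requests that fall under the wiki location.
<Location /wiki>
    SecRuleRemoveById 950005
</Location>
```

After a reload, a test edit containing "/etc/" should save under /wiki, while the same string sent in an argument to any other path should still return the rule's 501 and log id 950005.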