
modsecurity and moin-moin



I'm having a problem with modsecurity and moin-moin. The following rule
is preventing wiki pages with the word '/etc' from posting. I'd like to
find a way to disable this rule for just the wiki (e.g. not for the
whole site) but am not sure how to do that in a granular way.

It seems like a generally sensible rule, but makes it impossible to post
pages that reference the names of configuration files. That's obviously
not what I want.

The rule is:

    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \
	    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
    SecAction phase:2,pass,nolog,skipAfter:959005
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
	    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'950005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
    SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
	    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'959005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"

and is part of the standard modsecurity_crs_40_generic_attacks.conf
file. How can I override this rule for just the wiki page contents?

-- 
"Oh, look: rocks!"
	-- Doctor Who, "Destiny of the Daleks"
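
An added example, not part of the original post: a Python approximation of how the `@pm` prefilter and rule 950005 quoted above evaluate a wiki save, reporting which variable trips the rule and what lands in TX.0. The request path and the form field names (`action`, `savetext`, `comment`) are constructed sample values, `html.unescape` and `unquote` only approximate ModSecurity's transformations, and REQUEST_HEADERS and XML are left out.

```python
import html
import re
from urllib.parse import unquote

# Phrase list and regex copied from the rules quoted in the post.
PM_PHRASES = (".www_acl", ".htpasswd", ".htaccess", "boot.ini", "httpd.conf",
              "/etc/", ".htgroup", "global.asa", ".wwwacl")
RULE_950005 = re.compile(
    r"(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa"
    r"|httpd\.conf|boot\.ini)\b|\/etc\/)")

def t_prefilter(value):
    # Approximates t:urlDecodeUni,t:htmlEntityDecode,t:lowercase
    return html.unescape(unquote(value)).lower()

def t_950005(value):
    # Approximates t:htmlEntityDecode,t:lowercase
    return html.unescape(value).lower()

def evaluate(filename, args):
    """Return (variable, TX.0) pairs that would make rule 950005 deny."""
    targets = [("REQUEST_FILENAME", filename)]
    for name, value in args.items():
        targets.append(("ARGS:" + name, value))
        targets.append(("ARGS_NAMES:" + name, name))
    # Prefilter: with no phrase hit, the SecAction skips past rule 959005.
    if not any(p in t_prefilter(v) for _, v in targets for p in PM_PHRASES):
        return []
    hits = []
    for variable, value in targets:
        match = RULE_950005.search(t_950005(value))
        if match:
            # ModSecurity stops at the first hit; all are listed here.
            hits.append((variable, match.group(0)))
    return hits

# Constructed sample of a wiki page save.
WIKI_SAVE = {
    "action": "edit",
    "savetext": "Resolver settings live in /etc/resolv.conf.",
    "comment": "document the /etc directory",
}

if __name__ == "__main__":
    for variable, captured in evaluate("/wiki/NetworkSetup", WIKI_SAVE):
        print("950005 would deny on", variable, "TX.0 =", captured)
```
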

