Thread: [mod-security-users] 960035 "URL file extension is restricted by policy"
Brought to you by:
victorhora,
zimmerletw
From: Jerry <gm...@ho...> - 2007-02-16 13:01:46
|
shtml pages are triggering the above rule. How can I allow all shtml pages to bypass this rule? modsec 2.1.0rc7 |
From: Jerry <gm...@ho...> - 2007-02-17 18:22:02
|
After reading Ryan's blog entry on dealing with false positives I think I can solve this one. Can someone check what I have done is correct? re: modsec 2.1.0 is blocking all .shtml files and yet one of my sites uses this file type. Here's how I think it goes: 1. Create modsecurity_crs_60_customrules.conf 2. Copy and Paste rule 960035 into crs_60 3. Edit this rule SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?| sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)| res(?:ources|x)|l(?:icx|nk|og)|\w{,5}~|webinfo|ht[rw]|xs[dx]|exe|key|mdb|old)$" \ "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'" Change this: s(?:html?|ql|tm|ys) to this: s(?:ql?|tm|ys) Save file and restart httpd How does that sound? "Jerry" <gm...@ho...> wrote in message news:er49v7$400$1...@se...... > shtml pages are triggering the above rule. How can I allow all shtml pages > to bypass this rule? > > modsec 2.1.0rc7 > > > > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to share > your > opinions on IT & business topics through brief surveys-and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV |