Apache "Internal Server Error" on some files

Gilbert Sebenste sebenste at weather3.admin.niu.edu
Tue Aug 7 20:10:39 UTC 2007


On Mon, 6 Aug 2007, Andy Green wrote:

>> Starting with FC7, if I type in http://mywebserver.com/sjfdfgsx.conf
>> or anything that ends in .conf, I get the dreaded "internal server error":
>>
>> [Sun Aug 05 12:24:57 2007] [error] [client 131.156.129.66] ModSecurity:
>> Access denied with code 500 (phase 1). Pattern match
>> "\\\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\\\\w{,5}~|webinfo|ht[rw]|xs ..." at
>> REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by
>> policy"] [severity "CRITICAL"] [hostname "mymachine.com"] [uri
>> "/wge.conf"] [unique_id "EkHLBIOcCC8AAGU8vbwAAAAd"]
>
> It sounds a pretty cool feature actually, in case someone is trying to
> retrieve your httpd config files over the webserver itself.  But
> mod_security isn't part of the base httpd, you must have installed the
> mod_security package.

Yes, by accident. Removing it...

> # grep webinfo /etc/httpd/* -R
> /etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf:SecRule REQUEST_BA...
>
> If you have a look in there, you see this:
>
> # Restrict file extension
> #
> # TODO the list of file extensions below are virtually always considered unsafe
> #      and not in use in any valid program. If your application uses one of
> #      these extensions, please remove it from the list of blocked extensions.
> #      You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
> #      comment the whole rule.
> #
> SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\w{,5}~|webinfo|ht[rw]|xs[dx]|exe|key|mdb|old)$" \
>    "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"
>
>
> Don't forget to restart httpd afterwards.

Gets rid of the problem. Thank you!

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
*******************************************************************************
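
The log entry quoted in this thread already names the rule, the matched variable and the request that tripped it. The following is an added example, not part of the original messages: a small parser for that error_log layout that groups blocked URIs by rule id. The sample lines, client addresses, hostname and unique_id values are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the error_log layout quoted in the thread.
# Clients, hostname, unique_ids and the shortened pattern are made up.
SAMPLE_LOG = r'''
[Sun Aug 05 12:24:57 2007] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 1). Pattern match "\\.(?:c(?:o(?:nf ..." at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/wge.conf"] [unique_id "CONSTRUCTED-0001"]
[Sun Aug 05 12:25:10 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Sun Aug 05 12:31:02 2007] [error] [client 192.0.2.44] ModSecurity: Access denied with code 500 (phase 1). Pattern match "\\.(?:c(?:o(?:nf ..." at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/site.sql"] [unique_id "CONSTRUCTED-0002"]
'''

# Fixed prefix: timestamp, client, action, HTTP status and processing phase.
HEAD = re.compile(r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
                  r'ModSecurity: (?P<action>.+?) with code (?P<status>\d+) '
                  r'\(phase (?P<phase>\d)\)\.')
# Variable the rule matched against, e.g. REQUEST_BASENAME.
TARGET = re.compile(r'" at (\w+)\.')
# Trailing metadata tags of the form [name "value"], allowing escaped quotes.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return a dict for a ModSecurity denial line, or None for anything else."""
    head = HEAD.match(line)
    if not head:
        return None
    event = head.groupdict()
    event["status"] = int(event["status"])
    event["phase"] = int(event["phase"])
    target = TARGET.search(line)
    event["target"] = target.group(1) if target else None
    event.update(dict(TAG.findall(line)))
    return event

def parse_log(text):
    """Parse every line, dropping those that are not ModSecurity denials."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def blocked_by_rule(events):
    """Map rule id -> list of request URIs that the rule denied."""
    by_rule = defaultdict(list)
    for e in events:
        by_rule[e.get("id")].append(e.get("uri"))
    return dict(by_rule)

if __name__ == "__main__":
    for rule_id, uris in blocked_by_rule(parse_log(SAMPLE_LOG)).items():
        print(rule_id, uris)
```

With the rule id in hand, a single rule can be switched off with ModSecurity's `SecRuleRemoveById` directive, which leaves the rest of the rule set active.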



