Mod_security silliness


[Wed Jul 28 09:04:18 2010] [error] [client x.x.x.x] ModSecurity: Access denied with code 501 (phase 2). Pattern match “…/etc/(?:passwd|shadow)” at ARGS:text_more. [file “/dh/apache2/template/etc/mod_sec2/mod_sec.conf”] [line “7”] [id “1990010”] [msg “passwd/shadow access”] [data “g /etc/passwd”] [severity “CRITICAL”] [tag “WEB_ATTACK/COMMAND_INJECTION”] [hostname “”] [uri “/mt/mt.cgi”] [unique_id “TFBVAkWjzVcAAHVuQ0QAAAAN”]

happened when I was trying to post a blog entry about my new NAS box, in which I used the phrase “editing /etc/passwd”

From the actual pattern listed, it looks like the match pattern should be “…/etc” rather than “…/etc”


Indeed it should. I’ve now fixed the rule in question.


Great, it works now. Thanks!

Although I could see this getting in the way of discussing security implications in a blog post, like if you want to talk about injection holes or whatever. On the other hand, anything that allows that in would allow the possibility of, say, injecting it into PHP code, so… tricky situation all around.