[Tickets #9420] Re: ModSecurity Access denied with code 503 on shell.png

bugs at horde.org bugs at horde.org
Wed Dec 1 20:58:54 UTC 2010


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/9420
------------------------------------------------------------------------------
  Ticket             | 9420
  Updated By         | cor3huis at gmail.com
  Summary            | ModSecurity Access denied with code 503 on shell.png
  Queue              | Horde Groupware Webmail Edition
  Version            | 1.2.8
  Type               | Enhancement
  State              | New
  Priority           | 2. Medium
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


cor3huis at gmail.com (2010-12-01 15:57) wrote:

Change silver theme image name "shell.png" to avoid Modsecurity big logs with

Generic Attempt to run rootkit

ModSecurity: Access denied with code 503 (phase 2). Pattern match
"/(?:(?:linuxdaybot|suntzu|shell_vup|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2?|too20|backdoor|terminatorx-?exp)\\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:r57|fx29|c(?:99|100))\\.(?:txt|php))"  
at

WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit"]  
[data "/shell.png"] [severity "CRITICAL"

For the file .../horde/themes/silver/graphics/shell.png

YES, a perfectly normal file no problem, however names in modsecurity  
give allerts in ModSecurity if installed on an Apache server

A quickfix would be to rename the file from shell.png to e.g. shll.png  
and theme code referring to the name.






More information about the bugs mailing list