[Tickets #9420] Re: ModSecurity Access denied with code 503 on shell.png
bugs at horde.org
bugs at horde.org
Wed Dec 1 20:58:54 UTC 2010
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/9420
------------------------------------------------------------------------------
Ticket | 9420
Updated By | cor3huis at gmail.com
Summary | ModSecurity Access denied with code 503 on shell.png
Queue | Horde Groupware Webmail Edition
Version | 1.2.8
Type | Enhancement
State | New
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
cor3huis at gmail.com (2010-12-01 15:57) wrote:
Change silver theme image name "shell.png" to avoid Modsecurity big logs with
Generic Attempt to run rootkit
ModSecurity: Access denied with code 503 (phase 2). Pattern match
"/(?:(?:linuxdaybot|suntzu|shell_vup|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2?|too20|backdoor|terminatorx-?exp)\\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:r57|fx29|c(?:99|100))\\.(?:txt|php))"
at
WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit"]
[data "/shell.png"] [severity "CRITICAL"
For the file .../horde/themes/silver/graphics/shell.png
YES, a perfectly normal file no problem, however names in modsecurity
give allerts in ModSecurity if installed on an Apache server
A quickfix would be to rename the file from shell.png to e.g. shll.png
and theme code referring to the name.
More information about the bugs
mailing list