User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:126.96.36.199) Gecko/20100330 Fedora/3.5.9-2.fc12 Firefox/3.5.9 Build Identifier: RPM: bugzilla-3.4.5-1.fc12.noarch I have installed Bugzilla on a fresh install of Fedora 12. All aspects of Bugzilla appear to be working, i.e. able to log in, create and edit bugs, search, etc. with one exception. if I attempt to generate a tabular or graphical report, the server returns: 403 Forbidden - You don't have permission to access /bugzilla/report.cgi on this server. I receive this error only after accessing report.cgi from the reports link on the main page, following either the tabular or graphical reports links, entering reporting criteria and pressing the generate report button. I can initially access report.cgi with no error when selecting the reports link off the main page. The error occurs only after entering reporting criteria in query.cgi and requesting to generate the report. The only criteria for a tabular report that I select are the vertical and horizontal axes for the table: Product and Assignee. My database does contain several bug entries. Reproducible: Always Steps to Reproduce: 1. Login 2. Click reports link 3. Click tabular reports link 4. Select Assignee for vertical axis 5. Select Product for horizontal axis 6. Press "generate report" button Actual Results: Forbidden You don't have permission to access /bugzilla/report.cgi on this server. Apache/2.2.15 (Fedora) Server at localhost Port 80 Expected Results: Should have produced a page containing a table listing bug occurrences by product and assignee. Tail /etc/httpd/logs/error_log while attempting this operation. No messages are logged. checkconfig.pl runs without error. testserver.pl runs without error. sanitycheck.cgi runs without error. Using mod_cgi. Assigned to urlbase is: http://localhost/bugzilla All cgi files have 750 permissions.
In localconfig, $webservergroup='apache' All bugzilla site files have apache assigned as group.
Do you have SELinux enabled? If so, disable it and try again.
SELinux was enabled. I completely disabled SELinux as follows: 1. edited /etc/selinux/config to set SELINUX=disabled 2. rebooted After reboot, the problem still occurred.
I have discovered that this is an apparent conflict between mod_security and Bugzilla in Fedora 12. When I added a mod_security directive to /etc/httpd/conf.d/mod_security.conf that turned off the rules engine, the problem cleared. The line added was SecRuleEngine Off. So the content of mos_security.conf was changed to: LoadModule security2_module modules/mod_security2.so LoadModule unique_id_module modules/mod_unique_id.so SecDataDir /usr/local/apache/modsec_data <IfModule mod_security2.c> # This is the ModSecurity Core Rules Set. # Basic configuration goes in here Include modsecurity.d/*.conf Include modsecurity.d/base_rules/*.conf Include modsecurity.d/modsecurity_localrules.conf # Added the following line to temporarily totally turn off the SecRuleEngine SecRuleEngine Off </IfModule> I still do not know why mod_security does not inform Apache to log the error. When the rule engine is turned on, I get 403 Forbidden errors on selected query pages but see no messages recorded in the Apache error_log. So the default rules for mod_security under the Fedora 12 distro appear to break Bugzilla's ability to perform queries. I also learned from another helpful posting that rather than turning SecRuleEngine Off totally (rather extreme), I can alternatively turn off selected mod_security rules for Bugzilla by adding directives to /etc/httpd/modsecurity.d/modsecurity_localrules.conf. The posting indicates disabling certain rules that appear to cause problems for Bugzilla: <Location /bugzilla> SecRuleRemoveById 950108 SecRuleRemoveById 959913 SecRuleRemoveById 959914 SecRuleRemoveById 960010 SecRuleRemoveById 960012 SecRuleRemoveById 960904 SecRuleRemoveById phpids-19 SecRuleRemoveById phpids-21 SecRuleRemoveById phpids-23 </Location> Since I am still unable to see the problem mod_security messages in the Apache error_log, I cannot verify that all these rules need to be removed for Bugzilla. But I do know I can now reach the pages that were previously failing with 403 Forbidden errors. I have also been unable to verify whether this is only occurring in the Fedora 12 distro or if others are affected similarly. While this may become a finger-pointing exercise with Bugzilla claiming it is a mod_security issue and vice-versa, I would be helpful if the Bugzilla Installation Guide could include some instructions so others are not confronted with this issue.
Forgot to mention the mod_security release in my distro: mod_security-2.5.12-1.fc12.i686
Ahh, Bugzilla does not support mod_security--it never has, actually. If you want to document how to make Bugzilla work with mod_security, you can do so on the wiki, perhaps at http://wiki.mozilla.org/Bugzilla:ModSecurity and then inform the support-bugzilla list about the page. But there won't be official support for mod_security from the Bugzilla Project, at least not now.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.