
report.cgi: 403 Forbidden error when requesting tabular or graphical report.

RESOLVED INVALID

Product: Bugzilla
Component: Reporting/Charting
Reporter: Tim Stechert
Assignee: Unassigned
Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100330 Fedora/3.5.9-2.fc12 Firefox/3.5.9
Build Identifier: RPM: bugzilla-3.4.5-1.fc12.noarch

I have installed Bugzilla on a fresh install of Fedora 12. All
aspects of Bugzilla appear to be working, i.e. able to log in, create and
edit bugs, search, etc. with one exception. If I attempt to generate a
tabular or graphical report, the server returns:

403 Forbidden - You don't have permission to access /bugzilla/report.cgi
on this server.

I receive this error only after accessing report.cgi from the reports
link on the main page, following either the tabular or graphical reports
links, entering reporting criteria and pressing the generate report
button. 

I can initially access report.cgi with no error when selecting the reports link off the main page. 

The error occurs only after entering reporting criteria in query.cgi and
requesting to generate the report. The only criteria for a tabular
report that I select are the vertical and horizontal axes for the table:
Product and Assignee.  My database does contain several bug entries.


Reproducible: Always

Steps to Reproduce:
1. Login
2. Click reports link
3. Click tabular reports link
4. Select Assignee for vertical axis
5. Select Product for horizontal axis
6. Press "generate report" button

Actual Results:
Forbidden

You don't have permission to access /bugzilla/report.cgi on this server.
Apache/2.2.15 (Fedora) Server at localhost Port 80


Expected Results:  
Should have produced a page containing a table listing bug occurrences by product and assignee.


Tail /etc/httpd/logs/error_log while attempting this operation. No
messages are logged.

checkconfig.pl runs without error.
testserver.pl runs without error.
sanitycheck.cgi runs without error.

Using mod_cgi.

Assigned to urlbase is: 
http://localhost/bugzilla

All cgi files have 750 permissions.
(Reporter)

Updated

8 years ago
Version: unspecified → 3.4.5
(Reporter)

Comment 1

8 years ago
In localconfig, $webservergroup='apache'

All bugzilla site files have apache assigned as group.

Comment 2

8 years ago
Do you have SELinux enabled? If so, disable it and try again.
(Reporter)

Comment 3

8 years ago
SELinux was enabled.  

I completely disabled SELinux as follows:

1. edited /etc/selinux/config to set SELINUX=disabled
2. rebooted 

After reboot, the problem still occurred.
(Reporter)

Comment 4

8 years ago
I have discovered that this is an apparent conflict between mod_security and Bugzilla in Fedora 12.

When I added a mod_security directive to /etc/httpd/conf.d/mod_security.conf that turned off the rules engine, the problem cleared.  The line added was SecRuleEngine Off. So the content of mod_security.conf was changed to:

LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so

SecDataDir /usr/local/apache/modsec_data

<IfModule mod_security2.c>
       # This is the ModSecurity Core Rules Set.

       # Basic configuration goes in here
       Include modsecurity.d/*.conf
       Include modsecurity.d/base_rules/*.conf
       Include modsecurity.d/modsecurity_localrules.conf

       # Added the following line to temporarily totally turn off the SecRuleEngine
       SecRuleEngine Off
</IfModule>


I still do not know why mod_security does not inform Apache to log the error.  When the rule engine is turned on, I get 403 Forbidden errors on selected query pages but see no messages recorded in the Apache error_log.


So the default rules for mod_security under the Fedora 12 distro appear to break Bugzilla's ability to perform queries.

I also learned from another helpful posting that rather than turning SecRuleEngine Off totally (rather extreme), I can alternatively turn off selected mod_security rules for Bugzilla by adding directives to /etc/httpd/modsecurity.d/modsecurity_localrules.conf.  The posting indicates disabling certain rules that appear to cause problems for Bugzilla:

<Location /bugzilla>
   SecRuleRemoveById 950108
   SecRuleRemoveById 959913
   SecRuleRemoveById 959914
   SecRuleRemoveById 960010
   SecRuleRemoveById 960012
   SecRuleRemoveById 960904
   SecRuleRemoveById phpids-19
   SecRuleRemoveById phpids-21
   SecRuleRemoveById phpids-23
</Location>

Since I am still unable to see the problem mod_security messages in the Apache error_log, I cannot verify that all these rules need to be removed for Bugzilla.  But I do know I can now reach the pages that were previously failing with 403 Forbidden errors.

I have also been unable to verify whether this is only occurring in the Fedora 12 distro or if others are affected similarly.

While this may become a finger-pointing exercise with Bugzilla claiming it is a mod_security issue and vice-versa, it would be helpful if the Bugzilla Installation Guide could include some instructions so others are not confronted with this issue.
(Reporter)

Comment 5

8 years ago
Forgot to mention the mod_security release in my distro:

mod_security-2.5.12-1.fc12.i686
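
Comment 4 leaves open which of the listed rule IDs really need to be removed for Bugzilla. As an added example (not part of the original report, and not code from Bugzilla or ModSecurity), this Python sketch reads messages in the ModSecurity 2.x error-log format and builds a <Location> exclusion holding only the rules that actually denied a request under a given path. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2.x error-log message format.
# Timestamps, file names, unique_ids and which rule fires where are invented.
SAMPLE_LOG = """\
[Mon Apr 12 10:01:02 2010] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:x_axis_field. [file "/etc/httpd/modsecurity.d/base_rules/example.conf"] [line "10"] [id "950108"] [msg "constructed"] [hostname "localhost"] [uri "/bugzilla/report.cgi"] [unique_id "AAAA"]
[Mon Apr 12 10:01:09 2010] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_HEADERS:Accept. [file "/etc/httpd/modsecurity.d/base_rules/example.conf"] [line "20"] [id "960010"] [msg "constructed"] [hostname "localhost"] [uri "/bugzilla/report.cgi"] [unique_id "AAAB"]
[Mon Apr 12 10:02:00 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:query. [file "/etc/httpd/modsecurity.d/base_rules/example.conf"] [line "30"] [id "959913"] [msg "constructed"] [hostname "localhost"] [uri "/bugzilla/buglist.cgi"] [unique_id "AAAC"]
[Mon Apr 12 10:03:00 2010] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [file "/etc/httpd/modsecurity.d/base_rules/example.conf"] [line "40"] [id "960904"] [msg "constructed"] [hostname "localhost"] [uri "/bugzilla2/index.cgi"] [unique_id "AAAD"]
[Mon Apr 12 10:04:00 2010] [error] [client 127.0.0.1] File does not exist: /var/www/html/favicon.ico
"""

TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [id "950108"], [uri "..."]
ACTION = re.compile(r'ModSecurity: (Access denied|Warning)')

def parse_line(line):
    """Return {'blocked', 'id', 'uri'} for a ModSecurity message, else None."""
    m = ACTION.search(line)
    if not m:
        return None                      # ordinary Apache error, not ModSecurity
    tags = dict(TAG.findall(line))
    if "id" not in tags or "uri" not in tags:
        return None
    return {"blocked": m.group(1) == "Access denied",
            "id": tags["id"], "uri": tags["uri"]}

def blocking_rules(log_text, prefix):
    """Map rule id -> set of URIs it denied, limited to URIs under prefix."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Match on a path boundary so /bugzilla2 is not treated as /bugzilla.
        if ev and ev["blocked"] and (ev["uri"] == prefix
                                     or ev["uri"].startswith(prefix + "/")):
            hits[ev["id"]].add(ev["uri"])
    return dict(hits)

def location_block(log_text, prefix):
    """Render a <Location> block removing only the rules that blocked prefix."""
    lines = ["<Location %s>" % prefix]
    lines += ["   SecRuleRemoveById %s" % i
              for i in sorted(blocking_rules(log_text, prefix))]
    lines.append("</Location>")
    return "\n".join(lines)

if __name__ == "__main__":
    print(location_block(SAMPLE_LOG, "/bugzilla"))
```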

Comment 6

8 years ago
Ahh, Bugzilla does not support mod_security--it never has, actually. If you want to document how to make Bugzilla work with mod_security, you can do so on the wiki, perhaps at http://wiki.mozilla.org/Bugzilla:ModSecurity and then inform the support-bugzilla list about the page. But there won't be official support for mod_security from the Bugzilla Project, at least not now.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID