ModSecurity

From MediaWiki.org

I am creating this page to start a discussion about the use of the Apache module 'ModSecurity' with MediaWiki. Sorry for the rough nature of this page, but I figure something is better than nothing (to get the ball rolling, so to speak).

We were getting some strange behaviour from our MediaWiki install (running on Apache) after a recent update of ModSecurity. After checking the server logs, we found errors like this...

[Tue May 06 00:12:00 2008] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:(?:[\\\\;\\\\|\\\\`]\\\\W*?\\\\bcc|\\\\bwget)\\\\b|\\\\/cc(?:[\\\\'\\"\\\\|\\\\;\\\\`\\\\-\\\\s]|$))" at ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched signature <|cc>"] [severity "CRITICAL"] [hostname "oururl.org"] [uri "/index.php?title=ourPageTitle&action=submit"] [unique_id "J0mzfsCoAHoAAGfHsfsAAAAw"]

The problem was being triggered by code like the following ... [[Category:Some such category|CC]] or, to our surprise, [[Category:Some such category|GCC]]

Following the advice found on LinuxQuestions.org [1] we added the following rule to our '/etc/httpd/modsecurity.d/modsecurity_localrules.conf' file (which is Apache-'Include'-ed by '/etc/httpd/conf.d/mod_security.conf'):

## Fixes a problem for certain content of wiki pages.
<LocationMatch "/index.php.*">
        SecRuleRemoveById 950907
</LocationMatch>


But is it safe to just lob in such rules in an ad hoc way? Can anyone suggest a set of ModSecurity patches for use with MediaWiki? Or is MediaWiki just a gaping security hole (at least as far as ModSecurity is concerned)?

What categories should this page be in?

Thanks for your patience.
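
One narrower way to write the exclusion above, as an added example that is not part of the original post. It assumes ModSecurity 2.6 or later (for SecRuleUpdateTargetById) and that the wiki is served from /index.php as in the logged uri; rule 950907 stays active for every parameter except the edit box ARGS:wpTextbox1 named in the log line.

```apache
## Added example (not from the original page).
## Assumes ModSecurity 2.6+ and that this file is loaded after the rule set
## that defines rule 950907, as the local rules file above is.

## Broad form from the page: disables rule 950907 for every parameter of
## every request to index.php (title, action, search terms, uploads, ...).
# <LocationMatch "/index.php.*">
#         SecRuleRemoveById 950907
# </LocationMatch>

## Narrower form: keep rule 950907 enabled, but drop only the wikitext edit
## box from the list of targets it inspects. All other request parameters
## are still checked by 950907, and wpTextbox1 is still checked by every
## other rule in the set.
<LocationMatch "^/index\.php">
        SecRuleUpdateTargetById 950907 "!ARGS:wpTextbox1"
</LocationMatch>
```

After reloading Apache, saving a page containing [[Category:Some such category|CC]] should no longer produce the 950907 entry in the error log, while the same text sent in any other parameter still does.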
