Talk:ModSecurity

From mediawiki.org

I ran into a similar problem...mod_security2 on apache2 would just fail sometimes...I added this to /usr/local/apache/conf/modesec2/exclude.conf

## Fixes a problem for certain content of wiki pages.
<LocationMatch "/wiki/index.php*">
  SecRuleRemoveById 300016
</LocationMatch>

— Preceding unsigned comment added by 174.59.192.74 (talk • contribs) 15:45, 12 March 2010 174.59.192.74

ModSecurity is filtering legitimate content

I found that ModSecurity would trip and block any page with the word "Casino" (and presumably other spammy words) from being edited, history, protected etc. Just thought that information may be useful. 194.75.14.28 19:12, 29 May 2016 (UTC)

I found the same. In my case, the wiki is supposed to contain code in a programming language. ModSecurity however thinks all if statements in page content are not allowed. Seems I still need to fix the config somehow... --2001:16B8:1021:9D00:40E7:7BDA:221C:32C0 23:47, 11 April 2020 (UTC)
I ran into this issue today as well. I had checked "Extra Web Security" in my host's web options, then my wiki started generating "Internal Server Errors" until it finally blacklisted my own IP address while I was trying to troubleshoot the issue. Unfortunately, my shared host doesn't allow ModSecurity modifications via .htaccess, so I just had to disable (more info: Topic:Vt9katmxvlvfy9eb) --Knomanii (talk) 14:44, 3 September 2020 (UTC)

Chat moved from article's main page.

I am creating this page to start a discussion about the use of the Apache module 'ModSecurity' with MediaWiki. Sorry for the rough nature of this page, but I figure something is better than nothing (to get the ball rolling so to speak).

We were getting some strange behavior from our MediaWiki install (running on Apache) after a recent update of ModSecurity. After checking the server logs, we found errors like this...

[Tue May 06 00:12:00 2008] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 501 (phase 2). 
Pattern match "(?:(?:[\\\\;\\\\|\\\\`]\\\\W*?\\\\bcc|\\\\bwget)\\\\b|\\\\/cc(?:[\\\\'\\"\\\\|\\\\;\\\\`\\\\-\\\\s]|$))" 
at ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched signature <|cc>"] [severity "CRITICAL"] 
[hostname "oururl.org"] [uri "/index.php?title=ourPageTitle&action=submit"] [unique_id "J0mzfsCoAHoAAGfHsfsAAAAw"]

The problem was being triggered by code like the following ... [[Category:Some such category|CC]] or, to our surprise, [[Category:Some such category|GCC]]

Following the advice found on LinuxQuestions.org [1] we added the following rule to our '/etc/httpd/modsecurity.d/modsecurity_localrules.conf' file (which is Apache-'Include'-ed by '/etc/httpd/conf.d/mod_security.conf'):

## Fixes a problem for certain content of wiki pages.                                                                                                   
<LocationMatch "/index.php.*">
        SecRuleRemoveById 950907
</LocationMatch>

But is it safe to just lob in such rules in an ad hoc way? Can anyone suggest a set of ModSecurity patches for use with MediaWiki? Or is MediaWiki just a gaping security hole (at least as far as ModSecurity is concerned)?

What categories should this page be in?

Thanks for your patience. --141.14.26.125 5 May 2008
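
Added example, not part of any comment in this thread: a narrower alternative to removing rule 950907 for every request to index.php. The script parses the denial line quoted above and emits an exclusion that drops only the matched argument from that rule on that path; it assumes ModSecurity 2.6 or later (for SecRuleUpdateTargetById), and the function names are illustrative.

```python
import re

# Denial line from the thread above, re-joined onto one line. The long
# 'Pattern match' field is elided ("...") because it is not parsed here.
SAMPLE = (
    '[Tue May 06 00:12:00 2008] [error] [client xxx.xxx.xxx.xxx] ModSecurity: '
    'Access denied with code 501 (phase 2). Pattern match "..." '
    'at ARGS:wpTextbox1. [id "950907"] '
    '[msg "System Command Injection. Matched signature <|cc>"] '
    '[severity "CRITICAL"] [hostname "oururl.org"] '
    '[uri "/index.php?title=ourPageTitle&action=submit"] '
    '[unique_id "J0mzfsCoAHoAAGfHsfsAAAAw"]'
)

# [name "value"] metadata fields; values may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable that matched, e.g. ARGS:wpTextbox1. Argument names come from the
# client, so only a conservative character set is accepted.
TARGET_RE = re.compile(r' at ([A-Z_]+:[\w.-]+)\. \[')
SAFE_PATH_RE = re.compile(r'/[\w./-]*')


def parse_denial(line):
    """Return rule id, message, matched variable and URL path, or None."""
    fields = dict(FIELD_RE.findall(line))
    target = TARGET_RE.search(line)
    path = fields.get("uri", "").split("?", 1)[0]
    if not fields.get("id", "").isdigit() or target is None:
        return None  # not a rule-match line, or target needs manual review
    if not SAFE_PATH_RE.fullmatch(path):
        return None  # refuse to copy an odd path into server config
    return {"id": fields["id"], "msg": fields.get("msg", ""),
            "target": target.group(1), "path": path}


def scoped_exclusion(hit):
    """Exclude only the matched argument from the rule, only on that path."""
    return (
        f'<LocationMatch "^{re.escape(hit["path"])}$">\n'
        f'    SecRuleUpdateTargetById {hit["id"]} "!{hit["target"]}"\n'
        f'</LocationMatch>'
    )


if __name__ == "__main__":
    print(scoped_exclusion(parse_denial(SAMPLE)))
```

With this exclusion the rule still inspects every other argument, header and cookie on index.php; only the edit-box text is exempt from that one signature.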

It should be possible to disable by putting

SecRuleEngine Off

inside the virtual host or a .htaccess [2]

[Comment by Platonides, 10 November 2011]