Talk:ModSecurity

I ran into a similar problem...mod_security2 on apache2 would just fail sometimes...I added this to /usr/local/apache/conf/modesec2/exclude.conf

 SecRuleRemoveById 300016
 # Fixes a problem for certain content of wiki pages.

ModSecurity is filtering legitimate content
I found that ModSecurity would trip and block any page with the word "Casino" (and presumably other spammy words) from being edited, history, protected etc. Just thought that information may be useful. 194.75.14.28 19:12, 29 May 2016 (UTC)


 * I found the same. In my case, the wiki is supposed to contain code in a programming language. ModSecurity however thinks all if statements in page content are not allowed. Seems I still need to fix the config somehow... --2001:16B8:1021:9D00:40E7:7BDA:221C:32C0 23:47, 11 April 2020 (UTC)


 * I ran into this issue today as well. I had checked "Extra Web Security" in my host's web options, then my wiki started generating "Internal Server Errors" until it finally blacklisted my own IP address while I was trying to troubleshoot the issue. Unfortunately, my shared host doesn't allow ModSecurity modifications via .htaccess, so I just had to disable it (more info: Topic:Vt9katmxvlvfy9eb) --Knomanii (talk) 14:44, 3 September 2020 (UTC)

Chat moved from article's main page.
I am creating this page to start a discussion about the use of the Apache module 'ModSecurity' with MediaWiki. Sorry for the rough nature of this page, but I figure something is better than nothing (to get the ball rolling so to speak).

We were getting some strange behavior from our MediaWiki install (running on Apache) after a recent update of ModSecurity. After checking the server logs, we found errors like this...

[Tue May 06 00:12:00 2008] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:(?:[\\\\;\\\\|\\\\`]\\\\W*?\\\\bcc|\\\\bwget)\\\\b|\\\\/cc(?:[\\\\'\\"\\\\|\\\\;\\\\`\\\\-\\\\s]|$))" at ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched signature <|cc>"] [severity "CRITICAL"] [hostname "oururl.org"] [uri "/index.php?title=ourPageTitle&action=submit"] [unique_id "J0mzfsCoAHoAAGfHsfsAAAAw"]

The problem was being triggered by code like the following ... or, to our surprise,

Following the advice found on LinuxQuestions.org we added the following rule to our '/etc/httpd/modsecurity.d/modsecurity_localrules.conf' file (which is Apache-'Include'-ed by '/etc/httpd/conf.d/mod_security.conf'):

 SecRuleRemoveById 950907
 # Fixes a problem for certain content of wiki pages.

But is it safe to just lob in such rules in an ad hoc way? Can anyone suggest a set of ModSecurity patches for use with MediaWiki? Or is MediaWiki just a gaping security hole (at least as far as ModSecurity is concerned)?

What categories should this page be in?

Thanks for your patience. --141.14.26.125 5 May 2008
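
An added example, not part of the original discussion and not code from ModSecurity or MediaWiki: a small triage script that reads error-log lines in the format quoted above, groups denials by rule id and matched variable, and proposes a per-argument exclusion in place of removing the whole rule with SecRuleRemoveById. The log lines, rule 999999, the function names and the `min_hits` threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the error-log shape quoted on this page; client,
# hostname, unique_id and rule 999999 are placeholders, not real data.
SAMPLE_LOG = r'''
[Tue May 06 00:12:00 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\\bwget\\b" at ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched signature <|cc>"] [severity "CRITICAL"] [hostname "wiki.example"] [uri "/index.php?title=Sandbox&action=submit"] [unique_id "CONSTRUCTED-1"]
[Tue May 06 00:15:41 2008] [error] [client 192.0.2.11] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\\bwget\\b" at ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched signature <wget>"] [severity "CRITICAL"] [hostname "wiki.example"] [uri "/index.php?title=Help&action=submit"] [unique_id "CONSTRUCTED-2"]
[Tue May 06 00:20:03 2008] [error] [client 192.0.2.12] ModSecurity: Access denied with code 501 (phase 2). Pattern match "constructed" at REQUEST_HEADERS:User-Agent. [id "999999"] [msg "Constructed rule"] [severity "CRITICAL"] [hostname "wiki.example"] [uri "/index.php"] [unique_id "CONSTRUCTED-3"]
[Tue May 06 00:21:00 2008] [notice] caught SIGTERM, shutting down
'''

DENIAL = re.compile(r'ModSecurity: Access denied.*?" at (?P<target>\S+?)\. \[')
FIELD = re.compile(r'\[(?P<key>id|msg|uri) "(?P<value>[^"]*)"\]')

def parse_denials(text):
    """Return one dict (id, target, path, msg) per ModSecurity denial line."""
    out = []
    for line in text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue  # not a ModSecurity denial (e.g. ordinary Apache notices)
        fields = {f["key"]: f["value"] for f in FIELD.finditer(line)}
        if "id" not in fields:
            continue
        out.append({"id": fields["id"], "target": m["target"],
                    "path": urlsplit(fields.get("uri", "")).path,
                    "msg": fields.get("msg", "")})
    return out

def scoped_exclusions(denials, min_hits=2):
    """Suggest per-argument exclusions; everything else goes to manual review."""
    hits = Counter((d["id"], d["target"]) for d in denials)
    suggest, review = [], []
    for (rule_id, target), n in sorted(hits.items()):
        if n >= min_hits and target.startswith("ARGS:"):
            # SecRuleUpdateTargetById (ModSecurity 2.6+) drops one variable
            # from one rule instead of disabling the rule everywhere.
            suggest.append(f'SecRuleUpdateTargetById {rule_id} "!{target}"')
        else:
            review.append((rule_id, target, n))
    return suggest, review
```

The `path` field shows which URL produced each hit, so a suggested line can be checked against the requests that triggered it before it goes into a local rules file.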