ModSecurity

I am creating this page to start a discussion about the use of the Apache module 'ModSecuity' with MediaWiki. Sorry for the rough nature of this page, but I figure something is better than nothing (to get the ball rolling so to speak).

We were getting some strange behaviour from our MediaWiki install (running on Apache) after a recent update of ModSecuity. After checking the server logs, we found errors like this...

[Tue May 06 00:12:00 2008] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:(?:[\\\\;\\\\|\\\\`]\\\\W*?\\\\bcc|\\\\bwget)\\\\b|\\\\/cc(?:[\\\\'\\"\\\\|\\\\;\\\\`\\\\-\\\\s]|$))" at ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched signature <|cc>"] [severity "CRITICAL"] [hostname "oururl.org"] [uri "/index.php?title=ourPageTitle&action=submit"] [unique_id "J0mzfsCoAHoAAGfHsfsAAAAw"]

The problem was being triggered by code like the following ... or, to our surprise,

Following the advice found on LinuxQuestions.org we added the following rule to our '/etc/httpd/modsecurity.d/modsecurity_localrules.conf' file (which is Apache-'Include'-ed by '/etc/httpd/conf.d/mod_security.conf'):

 SecRuleRemoveById 950907 
 * 1) Fixes a problem for certain content of wiki pages.

But is it safe to just lob in such rules in an ad-hock way? Can anyone suggest a set of ModSecurity patches for use with MediaWiki? Or is MediaWiki just a gaping security whole (at least as far as ModSecurity is concerned)?

What categories should this page be in?

Thanks for your patience. --141.14.26.125 5 May 2008