ModSecurity is an open-source module for Apache and other web servers. It is designed to apply security measures to web traffic, including request filtering.
This page is a stub about the use of ModSecurity with MediaWiki. For general recommendations and instructions on how to make your MediaWiki site a safer place, see Manual:Security. For issues specific to ModSecurity, see GitHub.
I am creating this page to start a discussion about the use of the Apache module 'ModSecurity' with MediaWiki. Sorry for the rough nature of this page, but I figure something is better than nothing (to get the ball rolling so to speak).
We were getting some strange behavior from our MediaWiki install (running on Apache) after a recent update of ModSecurity. After checking the server logs, we found errors like this...
[Tue May 06 00:12:00 2008] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 501 (phase 2).
Pattern match "(?:(?:[\\\\;\\\\|\\\\`]\\\\W*?\\\\bcc|\\\\bwget)\\\\b|\\\\/cc(?:[\\\\'\\"\\\\|\\\\;\\\\`\\\\-\\\\s]|$))"
at ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched signature <|cc>"] [severity "CRITICAL"]
[hostname "oururl.org"] [uri "/index.php?title=ourPageTitle&action=submit"] [unique_id "J0mzfsCoAHoAAGfHsfsAAAAw"]
The problem was being triggered by code like the following ... [[Category:Some such category|CC]] or, to our surprise, [[Category:Some such category|GCC]]
Following the advice found on LinuxQuestions.org, we added the following rule to our '/etc/httpd/modsecurity.d/modsecurity_localrules.conf' file (which is Apache-'Include'-ed by '/etc/httpd/conf.d/mod_security.conf'):
## Fixes a problem for certain content of wiki pages.
But is it safe to just lob in such rules in an ad hoc way? Can anyone suggest a set of ModSecurity patches for use with MediaWiki? Or is MediaWiki just a gaping security hole (at least as far as ModSecurity is concerned)?
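A narrowly scoped exclusion for the false positive in the log entry above, shown next to the broad alternative. This is an added example, not the rule from the original page or from the LinuxQuestions.org thread. It assumes ModSecurity 2.7 or later, and the local rule id 1000001 is an arbitrary value chosen for illustration.

```apache
# Added example; assumes ModSecurity 2.7+ and a local rules file such as
# modsecurity_localrules.conf. The id 1000001 is a hypothetical local id.

# Broad (avoid): switches off the command-injection rule for every request
# and every argument on the whole site.
# SecRuleRemoveById 950907

# Narrow: only for edit submissions to index.php (the uri in the log entry),
# stop rule 950907 from inspecting the page-text field wpTextbox1.
# The exclusion is set in phase 1, before rule 950907 is evaluated in
# phase 2 (the phase reported in the log entry).
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:1000001,phase:1,t:none,pass,nolog,chain"
    SecRule ARGS_GET:action "@streq submit" \
        "t:none,ctl:ruleRemoveTargetById=950907;ARGS:wpTextbox1"

# Effect: rule 950907 still checks every other argument of the edit request,
# all other rules still inspect wpTextbox1, and requests that are not
# action=submit on index.php are unaffected.
```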