ModSecurity

From MediaWiki.org

ModSecurity is an open-source module for Apache and other web servers. It is designed to apply security measures to web traffic, including request filtering.

This page is a stub about the use of ModSecurity with MediaWiki. For general recommendations and instructions on how to make your MediaWiki site a safer place, see Manual:Security. For issues specific to ModSecurity, see GitHub.

Potential issues

False positives

In some cases, file uploads and the use of syntax such as parser functions may trigger false positives.

Other issues can happen if you attempt to save an edit that contains more than X external links. Some hosts use rules to trap spambots that try to insert 3 or more external links on a page.

When an edit triggers a mod_security rule, the behavior is usually a 403 Forbidden error, or a redirect to the main page.

User notes

I am creating this page to start a discussion about the use of the Apache module 'ModSecurity' with MediaWiki. Sorry for the rough nature of this page, but I figure something is better than nothing (to get the ball rolling so to speak).

We were getting some strange behavior from our MediaWiki install (running on Apache) after a recent update of ModSecurity. After checking the server logs, we found errors like this...

[Tue May 06 00:12:00 2008] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 501 (phase 2). 
Pattern match "(?:(?:[\\\\;\\\\|\\\\`]\\\\W*?\\\\bcc|\\\\bwget)\\\\b|\\\\/cc(?:[\\\\'\\"\\\\|\\\\;\\\\`\\\\-\\\\s]|$))" 
at ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched signature <|cc>"] [severity "CRITICAL"] 
[hostname "oururl.org"] [uri "/index.php?title=ourPageTitle&action=submit"] [unique_id "J0mzfsCoAHoAAGfHsfsAAAAw"]

The problem was being triggered by code like the following ... [[Category:Some such category|CC]] or, to our surprise, [[Category:Some such category|GCC]]

Following the advice found on LinuxQuestions.org [1] we added the following rule to our '/etc/httpd/modsecurity.d/modsecurity_localrules.conf' file (which is Apache-'Include'-ed by '/etc/httpd/conf.d/mod_security.conf'):

## Fixes a problem for certain content of wiki pages.
<LocationMatch "/index.php.*">
        SecRuleRemoveById 950907
</LocationMatch>

But is it safe to just lob in such rules in an ad hoc way? Can anyone suggest a set of ModSecurity patches for use with MediaWiki? Or is MediaWiki just a gaping security hole (at least as far as ModSecurity is concerned)?

What categories should this page be in?

Thanks for your patience. --141.14.26.125 5 May 2008

It should be possible to disable by putting

SecRuleEngine Off

inside the virtual host or a .htaccess [2]

[Comment by Platonides, 10 November 2011]
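
Added example (not part of the original notes, and not MediaWiki or ModSecurity project code): a small triage script that reads a denial entry like the one quoted above and proposes an exclusion limited to the one variable that matched, rather than removing the rule for every request to index.php or switching the engine off. It assumes a ModSecurity release that supports the SecRuleUpdateTargetById directive; the function names are hypothetical.

```python
import re

# Constructed sample: the log entry quoted on this page, joined onto one line,
# with the long regex after "Pattern match" shortened to "...".
SAMPLE = (
    '[Tue May 06 00:12:00 2008] [error] [client xxx.xxx.xxx.xxx] ModSecurity: '
    'Access denied with code 501 (phase 2). Pattern match "..." at '
    'ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched '
    'signature <|cc>"] [severity "CRITICAL"] [hostname "oururl.org"] '
    '[uri "/index.php?title=ourPageTitle&action=submit"] '
    '[unique_id "J0mzfsCoAHoAAGfHsfsAAAAw"]'
)

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TARGET = re.compile(r' at ([A-Z_]+(?::\S+)?)\. \[')    # variable that matched
SAFE_TARGET = re.compile(r'[A-Z_]+(?::[A-Za-z0-9_.-]+)?')


def parse_denial(line):
    """Extract rule id, matched variable and URI path from one denial entry."""
    fields = dict(FIELD.findall(line))
    target = TARGET.search(line)
    if "ModSecurity:" not in line or "id" not in fields or target is None:
        return None
    return {"id": fields["id"], "target": target.group(1),
            "path": fields.get("uri", "").split("?", 1)[0],
            "msg": fields.get("msg", "")}


def scoped_exclusion(hit):
    """Propose dropping one variable from one rule instead of removing the rule.

    Log fields are partly attacker-controlled, so anything that is not a plain
    rule id and variable name is rejected rather than written into a config.
    """
    if not hit["id"].isdigit() or not SAFE_TARGET.fullmatch(hit["target"]):
        raise ValueError("unexpected characters in log fields")
    return 'SecRuleUpdateTargetById {} "!{}"'.format(hit["id"], hit["target"])


if __name__ == "__main__":
    hit = parse_denial(SAMPLE)
    print(hit["path"], "->", scoped_exclusion(hit))
```

With this exclusion, rule 950907 still inspects every other argument and header; only the edit box content is exempt. Like SecRuleRemoveById, the directive has to be loaded after the rule it modifies.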