Apparently the issue with wiki(s) and ModSecurity was rather well known for people running their software on hosting providers. Here's what the PmWiki documentation says:

        Some of my posts are coming back with "403 Forbidden" errors, "Not
        Acceptable", or "Internal Server Error". This happens with some
        posts but not others.

        Your webserver probably has mod_security enabled. The mod_security
        "feature" scans all incoming posts for forbidden words or phrases
        that might indicate someone is trying to hack the system, and if
        any of them are present then Apache returns the 403 Forbidden
        error. Common phrases that tend to trigger mod_security include
        "curl ", "wget", "file(", and "system(", although there are many
        others.

        Since mod_security intercepts the requests and sends the
        "forbidden" message before PmWiki ever gets a chance to run, it's
        not a bug in PmWiki, and there's little that PmWiki can do about
        it. Instead, one has to alter the webserver configuration to
        disable mod_security or reconfigure it to allow whatever word it
        is forbidding. Some sites may be able to disable mod_security by
        placing SecFilterEngine off in a .htaccess file.

Lars, how do you think we should handle this? Are we allowed to disable ModSecurity for certain hosts? Can we configure it differently?

/Christian


On Fri, 27 Mar 2009, Christian Ridderström wrote:

On Thu, 26 Mar 2009, rgheck wrote:

> > >   [Thu Mar 26 00:18:34 2009] [error] [client 201.38.240.167]
> > >   ModSecurity: Access denied with code 400 (phase 2). Pattern match
> > >   "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:text. [id
> > >   "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity
> > >   "WARNING"] [hostname "wiki.lyx.org"] [uri
> > >   "/LyX/LyxFunctions?action=edit"] [unique_id
> > >   "t-bZsNTJRSsAAFdQ568AAAAB"]

>   You mean check for a %, right? The rule seems to protect against
>   characters hidden in hex codes.
>
 Yes, sorry. I still don't see a %, though.

Thanks for the tips, you're right on I believe. There are '%' in the arguments that are posted, more specifically in the argument that contains the wiki markup for the entire page. This is of course sent to the server when saving a page.

I checked, and it's possible to edit a wiki page that does _not_ contain a '%' in the wiki markup, whereas the page that failed does contain one...

It'll be highly impractical if we don't allow '%' as part of the wiki markup.

Lars, any thoughts on this? I thought I saw something when logging in about not disabling mod_security, but can we configure it to do exceptions or something?

/Christian



--
Christian Ridderström                           Mobile: +46-70 687 39 44
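The following is an added example, not code from the thread, PmWiki or ModSecurity. It takes the pattern of rule id 950107 exactly as it appears in the quoted log line (unescaped from the Apache error-log form) and runs it over constructed PmWiki edit-form bodies, so one can see which '%' characters in wiki markup the rule flags and which it lets through. The field names and sample page texts are assumptions for illustration.

```python
import re

# Pattern of rule id 950107 as quoted in the ModSecurity log above, with the
# error-log escaping ("\\\\%") reduced to its plain PCRE form.  It matches a '%'
# that is NOT followed by end-of-input, a non-word character, two hex digits,
# or 'u' plus four hex digits, i.e. a '%' that cannot start a valid URL-encoded
# sequence.  Wiki style markup such as "%red%" is exactly that.
RULE_950107 = re.compile(r"%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")


def flagged_percents(value):
    """Return (offset, snippet) for every '%' in value that rule 950107 matches."""
    return [(m.start(), value[m.start():m.start() + 8])
            for m in RULE_950107.finditer(value)]


def would_block(args):
    """Simulate phase-2 inspection of a POST body.

    args is a dict of form fields.  The log shows the rule firing on ARGS:text,
    i.e. it is evaluated against each request argument; any field containing a
    flagged '%' causes the request to be denied.  Returns a list of
    (field, offset, snippet) explaining each hit; an empty list means allowed.
    """
    hits = []
    for field, value in args.items():
        for offset, snippet in flagged_percents(value):
            hits.append((field, offset, snippet))
    return hits


# Constructed sample POST bodies for a PmWiki edit form (assumed field names;
# 'text' carries the wiki markup of the whole page, as in the quoted log line).
BENIGN_EDIT = {
    "action": "edit",
    "text": "Coverage is 100% on the main branch.\nSee %20 in URLs, i.e. a space.",
}
STYLED_EDIT = {
    "action": "edit",
    "text": "%red%This line is red%% and %blue%this is blue.%%",
}

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_EDIT), ("styled", STYLED_EDIT)):
        hits = would_block(body)
        print(f"{name}: {'DENIED' if hits else 'allowed'}", hits)
```

The benign page passes: "100% on" has a space after the '%' and "%20" is a valid escape. The styled page is denied four times, once for each '%' that is directly followed by a letter pair that is not hex ("%re", "%Th", "%bl", "%th"), which is the false positive described in the thread. Note that a style name that happens to start with two hex letters (for example "%dead%") would slip past the rule, so the rule's verdict depends on the spelling of the markup rather than on the markup being dangerous. In ModSecurity 2.x the narrower alternative to switching the engine off is to drop this one rule with SecRuleRemoveById 950107 inside an Apache Location block covering only the wiki's edit URI, so the rest of the ruleset keeps running.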
