DokuWiki

It's better when it's simple

User Tools

Site Tools


Sidebar

Translations of this page?:

Learn about DokuWiki

Advanced Use

Corporate Use

Our Community


Follow us on Facebook, Twitter and other social networks.

faq:mod_security

Error on certain page content

:?: When certain code examples are entered on a page, the Server returns a “Error 403 – Forbidden”, “Error 406 – Not Acceptable”, “Error 403 – Forbidden”, “503 – Service Temporarily Unavailable” or similar errors. What's the problem?

:!: This is usually a problem caused by overly-restrictive security policies set in the webserver (usually mod_security) or an application level Firewall (Sophos Firewall Webapp Control is known to be problematic).

There is no way to fix this in DokuWiki, because it is not a problem caused by DokuWiki itself. You need to check your webserver or application firewall audit logs to identify the problematic rule and disable it.

Commonly problematic words are parts of SQL statements, mail or UNIX commands like:

  • select … from
  • drop …
  • to: …
  • wget …

Sometimes the problem also occurs when certain parameters are passed in the URL, especially when they contain external URLs like when using external images that are loaded from DokuWiki's image cache system in lib/exe/fetch.php.

Possible Resolution

On apache, mod_security can be disabled at a user or hosted domain level. The following two lines can be inserted in an .htaccess file that is saved in the [home_directory]/public_html directory:

SecFilterEngine Off
SecFilterScanPOST Off

Chris Freyer 7/23/09

This could be a trade off between security and usability.

Other Solution

In some cases it is not allowed to disable the mod_security option in the .htacces file. You have to contact your provider and ask for disabling some rules. In my case:

  • Rule 340009:
    ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|tmp|kern|[br]oot|sys|windows|winnt)/|(?:\\/|\\\\)+inetpub|localstart\\.asp|boot\\.ini)" at ARGS:suffix. [file "/etc/apache2/modsec2/10_asl_rules.conf"] [line "215"] [id "340009"] [rev "26"] [msg "Atomicorp.com WAF Rules:Protected Path Access denied in URI/ARGS"] [data ""] [severity "CRITICAL"]
  • Rule 300001:
    ModSecurity: Access denied with code 403 (phase 2). Matched phrase "home.arcor.de" at REQUEST_BODY. [file "/etc/apache2/modsec2/30_asl_antispam.conf"] [line "38"] [id "300001"] [rev "8"] [msg "Atomicorp.com WAF Rules: Blacklist Spam Domain"] [data ""] [severity "CRITICAL"]

A rule in mod_security

Not having worked on my wiki site for some months, my attempts to edit and then save produced the problem described above. Working with my site provider, I created a userid for the technician, who then diagnosed that the rule being triggered was “checking for 4 or more URLs in a single post”. This rule was safely disabled.

We had suspected that the rule being triggered was:

Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post) .

Changing the setting on that one rule was done. A warning was given on removing mod_security:

While many sites (such as forums) would need this rule enabled to prevent spamming on their forums and usually limit the number of urls a post can have, sites that have posts with a large number of links in them (like wikis) can easily trigger this rule and may need it disabled.
Mod_security is m to the type of attack that the particular rule prevents, but disabling one rule is better then disabling all.

A little more problem determination gave a better solution.

faq/mod_security.txt · Last modified: 2017-02-24 12:10 by 114.86.110.93