DokuWiki


faq:mod_security

Differences

This shows you the differences between two versions of the page.

faq:mod_security [2017-06-21 10:52] – Update for apache2 and clarification around security. 2.98.36.101
faq:mod_security [2023-09-13 08:50] (current) – [Error on certain page content] 37.24.179.178
Line 3: Line 3:
 :?: When certain code examples are entered on a page, the Server returns a "Error 403 -- Forbidden", "Error 406 -- Not Acceptable", "Error 403 -- Forbidden", "503 -- Service Temporarily Unavailable" or similar errors. What's the problem? :?: When certain code examples are entered on a page, the Server returns a "Error 403 -- Forbidden", "Error 406 -- Not Acceptable", "Error 403 -- Forbidden", "503 -- Service Temporarily Unavailable" or similar errors. What's the problem?
  
-:!: This is usually a problem caused by overly-restrictive security policies set in the webserver (usually [[http://www.modsecurity.org|mod_security]]) or an application level Firewall (Sophos Firewall Webapp Control is known to be problematic).+:!: This is usually a problem caused by overly-restrictive security policies set in the webserver (usually [[http://www.modsecurity.org/|mod_security]]) or an application level Firewall (Sophos Firewall Webapp Control is known to be problematic).
  
-There is no way to fix this in DokuWiki, because it is not a problem caused by DokuWiki itself. You need to check your webserver or application firewall audit logs to identify the problematic rule and disable it.+There is no way to fix this in DokuWiki, because it is not a problem caused by DokuWiki itself. You need to check your webserver or application firewall audit logs to identify the problematic rule and disable it (or notify your provider to do so).
  
 Commonly problematic words are parts of SQL statements, mail or UNIX commands like: Commonly problematic words are parts of SQL statements, mail or UNIX commands like:
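
Review bot: In the reworded "There is no way to fix this in DokuWiki" sentence, "identify the problematic rule and disable it" gives no scope, so a reader or provider may switch the rule off for the whole server. Suggest wording such as "disable it for the wiki's path" so the rule keeps covering everything else on the host. Two smaller points: the updated link still uses http://, and the unchanged question line lists "Error 403 -- Forbidden" twice.
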
Line 11: Line 11:
   * select ... from   * select ... from
   * drop ...   * drop ...
 +  * having ...
   * to: ...   * to: ...
   * wget ...   * wget ...
 +  * /etc/ ...
  
 Sometimes the problem also occurs when certain parameters are passed in the URL, especially when they contain external URLs like when using external images that are loaded from DokuWiki's image cache system in ''lib/exe/fetch.php''. Sometimes the problem also occurs when certain parameters are passed in the URL, especially when they contain external URLs like when using external images that are loaded from DokuWiki's image cache system in ''lib/exe/fetch.php''.
- 
 ===== Less-secure resolutions ===== ===== Less-secure resolutions =====
-On apache, ''mod_security'' can be disabled at a user or hosted domain level.  The following two lines can be inserted in an ''.htaccess'' file that is saved in the ''[home_directory]/public_html'' directory: + 
-  SecFilterEngine Off +On Apache, ''mod_security'' can be disabled at a user or hosted domain level.  The following two lines can be inserted in an ''.htaccess'' file that is saved in the ''[home_directory]/public_html'' directory: 
-  SecFilterScanPOST Off+  <IfModule mod_security.c> 
 +    SecFilterEngine Off 
 +    SecFilterScanPOST Off 
 +  </IfModule> 
 +   
 +  <IfModule security2_module> 
 +    SecRuleEngine Off 
 +  </IfModule>
  
 --[[chris@thefreyers.net|Chris Freyer]] 7/23/09 --[[chris@thefreyers.net|Chris Freyer]] 7/23/09
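
Review bot: The sentence above the new block still says "The following two lines can be inserted", but the block is now two <IfModule> sections; reword it and say which section applies to which module (mod_security.c with SecFilterEngine and SecFilterScanPOST, security2_module with SecRuleEngine). Because both sections are wrapped in <IfModule>, a server where the module is loaded under neither name skips them silently, so the text should tell readers to re-test a failing edit afterwards rather than assume the filter is off. Placing this in ''[home_directory]/public_html'' also turns the engine off for every application under that directory, not only the wiki, which is worth stating under the "Less-secure resolutions" heading.
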
Line 28: Line 36:
  
   // /etc/apache2/sites-enabled/my_host.tld.conf   // /etc/apache2/sites-enabled/my_host.tld.conf
-  // Rather than using .htaccess for the entire domain..+  // Rather than using .htaccess for the entire domain.
   <VirtualHost my_host.tld:443>   <VirtualHost my_host.tld:443>
    <Directory /var/www/my_host.tld/my_wiki_path>    <Directory /var/www/my_host.tld/my_wiki_path>
-    SecRuleEngine Off+    <IfModule security2_module> 
 +     SecRuleEngine Off 
 +    </IfModule>
    </Directory>    </Directory>
   </VirtualHost>   </VirtualHost>
  
 However, this means that for any undiscovered vulnerabilities in DokuWiki, mod_security will do nothing to prevent them from being exploited, which is not recommended security practice. For those who wish to maintain security of their installation, it is recommended to override the specific filters on for the **doku.php** file within mod_security's rules, so that it will allow for preview and editing of files, but remain enabled for the remainder of the site. However, this means that for any undiscovered vulnerabilities in DokuWiki, mod_security will do nothing to prevent them from being exploited, which is not recommended security practice. For those who wish to maintain security of their installation, it is recommended to override the specific filters on for the **doku.php** file within mod_security's rules, so that it will allow for preview and editing of files, but remain enabled for the remainder of the site.
- 
- 
  
 ===== Other Solution ===== ===== Other Solution =====
 +
 In some cases it is not allowed to disable the ''mod_security'' option in the ''.htacces'' file. You have to contact your provider and ask for disabling some rules. In my case: In some cases it is not allowed to disable the ''mod_security'' option in the ''.htacces'' file. You have to contact your provider and ask for disabling some rules. In my case:
   * Rule 340009: \\ ModSecurity: Access denied with code 403 (phase 2). %%Pattern match "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|tmp|kern|[br]oot|sys|windows|winnt)/|(?:\\/|\\\\)+inetpub|localstart\\.asp|boot\\.ini)" at ARGS:suffix. [file "/etc/apache2/modsec2/10_asl_rules.conf"] [line "215"] [id "340009"] [rev "26"] [msg "Atomicorp.com WAF Rules:Protected Path Access denied in URI/ARGS"] [data ""] [severity "CRITICAL"]%%    * Rule 340009: \\ ModSecurity: Access denied with code 403 (phase 2). %%Pattern match "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|tmp|kern|[br]oot|sys|windows|winnt)/|(?:\\/|\\\\)+inetpub|localstart\\.asp|boot\\.ini)" at ARGS:suffix. [file "/etc/apache2/modsec2/10_asl_rules.conf"] [line "215"] [id "340009"] [rev "26"] [msg "Atomicorp.com WAF Rules:Protected Path Access denied in URI/ARGS"] [data ""] [severity "CRITICAL"]%% 
  
   * Rule 300001: \\ ModSecurity: Access denied with code 403 (phase 2). %%Matched phrase "home.arcor.de" at REQUEST_BODY. [file "/etc/apache2/modsec2/30_asl_antispam.conf"] [line "38"] [id "300001"] [rev "8"] [msg "Atomicorp.com WAF Rules: Blacklist Spam Domain"] [data ""] [severity "CRITICAL"]%%    * Rule 300001: \\ ModSecurity: Access denied with code 403 (phase 2). %%Matched phrase "home.arcor.de" at REQUEST_BODY. [file "/etc/apache2/modsec2/30_asl_antispam.conf"] [line "38"] [id "300001"] [rev "8"] [msg "Atomicorp.com WAF Rules: Blacklist Spam Domain"] [data ""] [severity "CRITICAL"]%% 
 +
  
 ===== A rule in mod_security ===== ===== A rule in mod_security =====
 +
 Not having worked on my wiki site for some months, my attempts to edit and then save produced the problem described above.  Working with my site provider, I created a userid for the technician, who then diagnosed that the rule being triggered was "checking for 4 or more URLs in a single post" This rule was safely disabled.   Not having worked on my wiki site for some months, my attempts to edit and then save produced the problem described above.  Working with my site provider, I created a userid for the technician, who then diagnosed that the rule being triggered was "checking for 4 or more URLs in a single post" This rule was safely disabled.  
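
Review bot: The <Directory> example still sets SecRuleEngine Off for the whole wiki path, while the paragraph right after it recommends overriding only specific filters and gives no configuration for that. Suggest showing the narrower form beside it, for example a SecRuleRemoveById line inside the same <Directory> block listing the ids quoted under "Other Solution" (340009, 300001), so the remaining rules stay active. Also, the two leading "//" lines are not Apache comment syntax ("#" is), so the block fails to load if pasted as is, and the unchanged context carries two typos: "filters on for" and ".htacces".
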
  
faq/mod_security.1498035179.txt.gz · Last modified: 2017-06-21 10:52 by 2.98.36.101

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International