00822: Apache mod_security implies pmwiki XSS attack vulnerability
With apache-mod_security-1.9.4-1mlcs4, the web-server will not permit use of the preview button in an edit form. The error in the web server log is:
[Wed Oct 25 11:40:52 2006] [error] [client 192.168.128.178] mod_security: Access denied with code 500. Pattern match "<(.|\\\\n)+>" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "x.y.z"] [uri "/pmwiki/pmwiki.php/Main/AVRStudio4?action=edit"] [unique_id "WaWwqsCogAUAAE3GzZQAAAAA"]
This problem is known to occur with wiki code as old as pmwiki 2.1.beta33, but certainly exists in older versions that have not been tested.
Commenting out the matching line in the mod_security configuration is a workaround, but it disables the filter for every application on the server and so appears to increase site-wide exposure to cross-site scripting attacks.
A better workaround does not blindly remove the filter for all applications. The following is an example of how to remove the block for only pmwiki.
1) Modify the above change to add an ID:
- SecFilter "<(.|\n)+>" + SecFilter "<(.|\n)+>" id:XSS_Check
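Review bot: the `+` line gives the rule an ID but nothing records that the ID is load-bearing. The SecFilterRemove in step 2 refers to XSS_Check by name, so add a comment beside the rule saying so, so that the ID is not renamed or dropped without updating the Location block. The pattern itself is unchanged on the `+` line, so it still matches any payload in which a `<` is followed anywhere later by a `>`, newlines included, and every application outside the exempted location keeps seeing the same denials.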
2) In the web server configuration, add a Location block and turn off the rule only for that location:
<IfModule mod_security.c>
  <Location /pmwiki/>
    SecFilterRemove XSS_Check
  </Location>
</IfModule>
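A small model of the scoped workaround above, added here as an example (it is not code from pmwiki or mod_security). It assumes Python's `re` module stands in for the server's regex engine and that the payload is already decoded text. The function names, the `/otherapp/` path and the sample payloads are constructed for illustration.

```python
import re

# Step 1: the site-wide rule, keyed by the ID the page assigns to it.
# Assumption: Python's regex semantics are used as a stand-in for Apache's.
RULES = {"XSS_Check": re.compile(r"<(.|\n)+>")}

# Step 2: rule IDs removed per URI prefix, mirroring
# <Location /pmwiki/> SecFilterRemove XSS_Check </Location>
REMOVED = {"/pmwiki/": {"XSS_Check"}}


def active_rules(uri):
    """Return the rule IDs still enforced for this request URI."""
    path = uri.split("?", 1)[0]  # Location matching uses the path only
    removed = set()
    for prefix, ids in REMOVED.items():
        if path.startswith(prefix):
            removed |= ids
    return {rid for rid in RULES if rid not in removed}


def verdict(uri, payload):
    """Return (status, rule_id): 500 when an active rule matches, else 200."""
    for rid in sorted(active_rules(uri)):
        if RULES[rid].search(payload):
            return 500, rid
    return 200, None


# Constructed sample payloads.
WIKI_TEXT = "if a < b then\nc > d"      # ordinary text, no HTML at all
PLAIN_TEXT = "no angle brackets here"
SCRIPT_TAG = "<script>x</script>"       # what the filter is meant to stop

if __name__ == "__main__":
    edit_uri = "/pmwiki/pmwiki.php/Main/AVRStudio4?action=edit"
    for uri in (edit_uri, "/otherapp/form"):
        for body in (WIKI_TEXT, PLAIN_TEXT, SCRIPT_TAG):
            print(uri, repr(body), verdict(uri, body))
```

The last case for the pmwiki URI is the trade-off of the workaround: markup posted under `/pmwiki/` is no longer stopped at the web server, so pmwiki's own output handling is the only control there.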