00822: Apache mod_security implies pmwiki XSS attack vulnerability

Summary: Apache mod_security implies pmwiki XSS attack vulnerability
Created: 2006-10-25 12:06
Status: Closed
Category: Comment
From: Kevin Bulgrien
Priority: 5
Version: 2.2.0-beta15
OS: Mandriva Corporate Server 4.0/apache-base-2.2.3-1mlcs4/apache-mod_php-5.1.6-1mlcs4


With apache-mod_security-1.9.4-1mlcs4, the web server will not permit use of the preview button in an edit form. The error in the web server log is:

[Wed Oct 25 11:40:52 2006] [error] [client] mod_security: Access denied with code 500. Pattern match "<(.|\\\\n)+>" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "x.y.z"] [uri "/pmwiki/pmwiki.php/Main/AVRStudio4?action=edit"] [unique_id "WaWwqsCogAUAAE3GzZQAAAAA"]

This problem is known to occur with wiki code as old as pmwiki 2.1.beta33, but certainly exists in older versions that have not been tested.

Commenting out a line in a mod_security configuration is a workaround, but appears to potentially increase site-wide risk for vulnerability to cross-site scripting attacks.
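To show concretely why an edit-form preview trips the rule quoted in the log above, and what is lost when it is removed site-wide, here is an added example (not code from the report, from PmWiki or from mod_security) that runs the two SecFilter patterns from the configuration file as Python regexes over a few constructed POST bodies. It assumes that Python's `re` and mod_security's PCRE treat these two particular patterns the same way, and it does not model case handling; the sample bodies are made up for the illustration.

```python
import re

# The two rules quoted from 82_mod_security.conf in this report, written as
# Python regexes. mod_security 1.x runs SecFilter patterns as regexes against
# the POST body; for these two patterns Python's `re` behaves the same way.
# (Case handling is not modelled here; that is an assumption of this example.)
BLANKET_RULE = re.compile(r"<(.|\n)+>")   # the "Prevent XSS attacks" rule the report disables
SCRIPT_RULE = re.compile(r"<\s*script")   # the narrower rule on the line above it


def blanket_match(payload: str):
    """Return the text the blanket rule matches in a POST body, or None."""
    m = BLANKET_RULE.search(payload)
    return m.group(0) if m else None


def script_match(payload: str) -> bool:
    """True if the '<script' rule would fire on this POST body."""
    return SCRIPT_RULE.search(payload) is not None


def classify(payload: str) -> dict:
    """Summarise which of the two rules would deny a given POST body."""
    return {
        "blanket_denies": blanket_match(payload) is not None,
        "script_denies": script_match(payload),
    }


# Constructed sample POST bodies standing in for a pmwiki edit-form preview
# (none of these come from the reporter's server).
SAMPLES = {
    # ordinary prose: neither rule fires
    "plain": "Some wiki text with no angle brackets at all.",
    # pmwiki '->' indent markup has a '>' but no '<', so still no match
    "indent_markup": "-> indented paragraph\n\nAnother paragraph",
    # a '<' and a '>' far apart, across lines: the blanket rule matches
    # everything between them, because (.|\n)+ spans newlines
    "angles_across_lines": "x < y\n\nand later: y > z",
    # an actual script tag: both rules fire
    "script_tag": "hello <script>alert(1)</script>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:20s} {classify(body)}  matched={blanket_match(body)!r}")
```

The third sample is the case that bites the wiki: any page text containing a `<` somewhere before a `>` anywhere later, even many lines apart, is denied by the blanket rule, while the `<[[:space:]]*script` rule only fires on the fourth sample. That is why the report's location-scoped removal is preferable to deleting the line: the narrower script rule keeps protecting the wiki path, and the blanket rule keeps protecting every other application on the host.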

$ os2cvs diff -u 82_mod_security.conf
Index: 82_mod_security.conf
RCS file: /path/to/cvs/repository/etc/httpd/modules.d/82_mod_security.conf,v
retrieving revision 1.1
diff -u -r1.1 82_mod_security.conf
--- 82_mod_security.conf        25 Oct 2006 17:01:13 -0000      1.1
+++ 82_mod_security.conf        25 Oct 2006 17:02:22 -0000
@@ -47,7 +47,7 @@
     SecFilter "<[[:space:]]*script"

     # Prevent XSS atacks (HTML/Javascript injection)
-    SecFilter "<(.|\n)+>"
+    # SecFilter "<(.|\n)+>"

     # Require Content-Length to be provided with
     # every POST request

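Review bot: commenting out the `SecFilter "<(.|\n)+>"` line here switches the angle-bracket POST_PAYLOAD check off for every application this configuration file covers, not only for pmwiki; the better fix is to keep the rule, attach an `id:` action to it, and disable it with `SecFilterRemove` inside a `<Location>` scoped to the wiki path, as the rest of this report describes. Note that the `SecFilter "<[[:space:]]*script"` rule on the first context line is untouched by this change and stays in force either way.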
A better workaround does not blindly remove the filter for all applications. The following is an example of how to remove the block for only pmwiki.

1) Modify the above change to add an ID:

  -    SecFilter "<(.|\n)+>"
  +    SecFilter "<(.|\n)+>" id:XSS_Check

2) In the web server configuration, add a Location block and turn off the rule only for that location:

  <IfModule mod_security.c>
   <Location /pmwiki/>
     SecFilterRemove XSS_Check
   </Location>
  </IfModule>