00822: Apache mod_security implies pmwiki XSS attack vulnerability
Description:
With apache-mod_security-1.9.4-1mlcs4, the web server will not permit use of the preview button in an edit form. The error in the web server log is:
[Wed Oct 25 11:40:52 2006] [error] [client 192.168.128.178] mod_security: Access denied with code 500. Pattern match "<(.|\\\\n)+>" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "x.y.z"] [uri "/pmwiki/pmwiki.php/Main/AVRStudio4?action=edit"] [unique_id "WaWwqsCogAUAAE3GzZQAAAAA"]
This problem is known to occur with wiki code as old as pmwiki 2.1.beta33, but certainly exists in older versions that have not been tested.
Commenting out a line in a mod_security configuration is a workaround, but appears to potentially increase site-wide risk for vulnerability to cross-site scripting attacks.
$ os2cvs diff -u 82_mod_security.conf Index: 82_mod_security.conf =================================================================== RCS file: /path/to/cvs/repository/etc/httpd/modules.d/82_mod_security.conf,v retrieving revision 1.1 diff -u -r1.1 82_mod_security.conf --- 82_mod_security.conf 25 Oct 2006 17:01:13 -0000 1.1 +++ 82_mod_security.conf 25 Oct 2006 17:02:22 -0000 @@ -47,7 +47,7 @@ SecFilter "<[[:space:]]*script" # Prevent XSS atacks (HTML/Javascript injection) - SecFilter "<(.|\n)+>" + # SecFilter "<(.|\n)+>" # Require Content-Length to be provided with # every POST request
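Review bot: commenting out the `SecFilter "<(.|\n)+>"` line in this hunk disables the broad HTML-injection check for every application the server hosts, not only for pmwiki; the preceding line `SecFilter "<[[:space:]]*script"` is left in place, so literal script tags are still caught, but any other tag in a POST body now passes everywhere. Prefer keeping the rule in the global file and removing it only for the pmwiki location (give the rule an `id:` action and use `SecFilterRemove` inside a `<Location>` block), so the rest of the site keeps the check. Note also that the `+++` side of the diff carries no revision, i.e. this is an uncommitted working-copy change; record the final form in CVS once the scoped variant is settled.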
A better workaround does not blindly remove the filter for all applications. The following is an example of how to remove the block for only pmwiki.
1) Modify the above change to add an ID:
- SecFilter "<(.|\n)+>" + SecFilter "<(.|\n)+>" id:XSS_Check
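Review bot: before relying on this line, confirm that attaching a per-rule action list (`id:XSS_Check`) does not replace the list set by `SecFilterDefaultAction` in this mod_security 1.9 build; if it does, the rule would keep its ID but lose the deny behaviour that produced "Access denied with code 500" in the log above. The safe form is to carry the disruptive actions over explicitly, e.g. `SecFilter "<(.|\n)+>" "id:XSS_Check,deny,log,status:500"`, and then re-test a preview POST outside `/pmwiki/` to verify it is still denied.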
2) In the webserver, add a location and turn off the rule only for that location:
<IfModule mod_security.c>
    <Location /pmwiki/>
        SecFilterRemove XSS_Check
    </Location>
</IfModule>
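To see why the scoped removal is the right trade-off, it helps to run the two filter patterns from the config diff against a few POST bodies and compare what fires before and after `SecFilterRemove XSS_Check`. The following is an added illustration, not code from the bug report or from mod_security: it re-implements the two `SecFilter` patterns as Python regexes over constructed, already-decoded POST payloads. Assumptions (labelled in the comments): matching is case-insensitive, and the POSIX class `[[:space:]]` is rendered as `\s` because Python's `re` has no POSIX classes.

```python
import re

# Stand-ins for the two SecFilter patterns visible in the config diff.
# Assumption: mod_security 1.x matches case-insensitively, so IGNORECASE is
# used; POSIX [[:space:]] is written as \s for Python's re module.
RULES = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "XSS_Check":  re.compile(r"<(.|\n)+>", re.IGNORECASE),
}

# Constructed POST bodies, decoded as mod_security would see them. The
# "benign" ones are the kind of wiki markup a pmwiki preview submits.
PAYLOADS = {
    # Harmless text that happens to contain an angle-bracket pair.
    "benign_preview":   "action=edit&preview=1&text=Compare a<b and c>d, see (:table:)",
    # Same idea, but the brackets straddle a newline; '.' alone would not
    # cross it, which is why the rule is written as (.|\n)+ rather than .+.
    "benign_multiline": "action=edit&preview=1&text=if a <\nthen b> holds",
    # A preview carrying a script tag: what both filters exist to stop.
    "script_preview":   "action=edit&preview=1&text=<script>alert(1)</script>",
    # Wiki markup with no angle brackets at all.
    "no_brackets":      "action=edit&preview=1&text=''italic'' and '''bold'''",
}


def matching_rules(payload, rules=RULES, removed=()):
    """Names of the rules that would fire on `payload`.

    `removed` lists rule IDs that a <Location> block has taken out with
    SecFilterRemove, so they are skipped for requests under that location.
    """
    return sorted(name for name, rx in rules.items()
                  if name not in removed and rx.search(payload))


def is_denied(payload, removed=()):
    """True if any remaining rule fires, i.e. mod_security would deny."""
    return bool(matching_rules(payload, removed=removed))


def compare_scopes(payloads=PAYLOADS):
    """For each payload, show the verdict site-wide versus under /pmwiki/
    (where only XSS_Check has been removed)."""
    return {name: {"site_wide": is_denied(body),
                   "pmwiki":    is_denied(body, removed=("XSS_Check",))}
            for name, body in payloads.items()}


if __name__ == "__main__":
    for name, verdict in compare_scopes().items():
        print(f"{name:18s} site-wide denied={verdict['site_wide']!s:5s} "
              f"/pmwiki/ denied={verdict['pmwiki']}")
```

The output shows the shape of the problem: the broad `XSS_Check` pattern denies the two benign previews, which is the false positive behind the report, while under `/pmwiki/` those previews pass and the script-tag preview is still denied by the `script_tag` rule that the location block leaves in place.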