MediaWiki call to api.php causes URL Encoding Abuse Attack Attempt

I ran into an unusual (for me) problem with MediaWiki & ModSecurity on shared hosting. With Apache's ModSecurity module, saving changes or browsing pages triggers alerts. After several such alerts the user is cut off from the server by the firewall module.

Since the server is not under my control, I would like to understand the root cause (e.g. the regex rule) and perhaps patch MediaWiki.

By correlating my raw access log entries with the error log that was provided, I found that almost all cases are caused by references to api.php, for example:
CLIENT IP - - [21/Jun/2014:15:08:18 -0400] "POST /api.php HTTP/1.1" 301 20 "http://adres here/index.php?title=La_vida_cotidiana&action=edit&redlink=1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"

Result:

[Sat Jun 21 15:08:18 2014] [error] [client IP here] ModSecurity: Access denied with code 406 (phase 2). Pattern match "''''%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:text. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "25"] [id "1234123440"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "hostname here"] [uri "/api.php"] [unique_id "U6XYIsg-ZiYAAD3gn9YAAAAO"]

It turns out there are also other cases (a few):

CLIENT IP - - [21/Jun/2014:14:47:51 -0400] "GET /wiki/P%C3%A1gina_principal HTTP/1.1" 200 9378 "http://address here/index.php?title=La_vida_cotidiana&action=edit&redlink=1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
[Sat Jun 21 14:47:51 2014] [error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Pattern match "''''%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:wpTextbox1. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "25"] [id "1234123440"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname ""] [uri "/index.php"] [unique_id "U6XS8sg-ZiYAAGE2n70AAAAl"]
I am using:

  1. MediaWiki 1.21 (+ FlaggedRevs, Translate, Babel & jQuery text editor)
  2. PHP 5.4
  3. Apache 2.2 with URL rewriting
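
An added example, not part of the original post, that reproduces the rule's behaviour offline. It takes the core of the pattern quoted in the error log above (`%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})`; the leading `''''` in the log is assumed to be escaping noise around a `\%`), runs it over a constructed form body the way ModSecurity's ARGS collection sees it (each value percent-decoded once, which is an assumption about the engine rather than something the page states), and shows why ordinary wikitext containing a literal percent sign, such as "el 50% de", trips a rule that was written to catch malformed percent-encoding on the wire. The argument names `text` and `title` mirror the api.php edit request in the logs; the sample body is made up.

```python
import re
import urllib.parse

# Core of the pattern quoted in the ModSecurity error log on this page:
# a '%' that is NOT followed by two hex digits (%XX) or by 'u' and four
# hex digits (%uXXXX). On a raw request this flags broken percent-encoding.
URL_ENCODING_ABUSE = re.compile(r"%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# Constructed application/x-www-form-urlencoded body for an api.php edit.
# The browser has correctly encoded the literal '%' in the wikitext as %25.
SAMPLE_POST_BODY = (
    "action=edit&format=json&title=La_vida_cotidiana&text="
    + urllib.parse.quote_plus("En 2014 el 50% de los usuarios lee la P\u00e1gina_principal")
)


def matches_rule(value: str) -> bool:
    """True if the ModSecurity pattern would fire on this (already decoded) value."""
    return URL_ENCODING_ABUSE.search(value) is not None


def wire_level_match(raw_body: str) -> bool:
    """Run the pattern over the raw body as sent on the wire (no decoding).
    A browser always emits a bare '%' as %25, so a well-formed body never matches."""
    return matches_rule(raw_body)


def flagged_args(raw_body: str) -> dict:
    """Emulate the ARGS collection: decode each form value once (assumption about
    how ModSecurity builds ARGS), then run the rule over every decoded value.
    Returns {argument name: True if the rule fires on it}."""
    args = urllib.parse.parse_qs(raw_body, keep_blank_values=True)
    return {name: any(matches_rule(v) for v in values) for name, values in args.items()}


def main() -> None:
    print("raw body matches rule:", wire_level_match(SAMPLE_POST_BODY))
    for name, hit in flagged_args(SAMPLE_POST_BODY).items():
        print(f"ARGS:{name}: {'MATCH' if hit else 'ok'}")
    # Individual wikitext fragments, already decoded, as ModSecurity would see them.
    for fragment in ("el 50% de", "100%", "P%C3%A1gina", "%u00e1 ok", "P\u00e1gina"):
        print(repr(fragment), "->", "MATCH" if matches_rule(fragment) else "ok")


if __name__ == "__main__":
    main()
```

The raw body never matches (the browser encoded the percent sign as `%25`), but once the value is decoded into ARGS:text the `%` is followed by a space and the negative lookahead fires; a `%` at the very end of a value ("100%") fires for the same reason. Wikitext that merely contains accented characters, or a pasted URL with valid `%C3%A1` sequences, does not match. Since the rule is applied after decoding, any user-submitted content that contains a bare percent sign will trigger it, which is consistent with the alerts landing on ARGS:text and ARGS:wpTextbox1 rather than on the URI.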

Our position as MediaWiki developers has always been that mod_security is incompatible with MW. Even if you solve the current problem, the next mod_security rule will be spooked by a username containing a single quote, for example, because an "SQL injection attack was detected", and so on... mod_security is not suitable for sites where users post content.