MediaWiki treats CLTF text as RCE


Help. I have a weird problem on a MediaWiki 1.37.2 install. We (me & the musician) are trying to get a wiki going for Clan Lord Tune Format music (like MIDI, but with a–g, "." for flat, and "[…]" for chords, so "[DFA.]" is a possible chord). However, when we try to edit or create a page with CLTF in it, MediaWiki sometimes throws an exception thinking it's an RCE attack:

ModSecurity: Warning. Pattern match "(?:\$(?:\((?:\(.\)|.)\)|\{.\})|[<>]\(.\)) at ARGS:text at ARGS:text. [file "…/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data:

and

[severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]

at the end.

How do I disable or modify the security module to not throw the exception on this text and not flag it as an RCE attack so it can be saved in the wiki? Is there a setting or format of the text that will allow the CLTF formatted music?

Thanks in advance for any answers that fix this.

EDIT: I found this: https://www.mediawiki.org/wiki/ModSecurity and it says to turn off the security module with an .htaccess file. Does this go in the MediaWiki directory or the web root?

EDIT 2: we also found this: https://anto.online/guides/how-to-disable-modsecurity-rules-that-cause-403-errors/ and are not sure which one is the one for the OWASP_CRS. Are the codes "capec/1000/152/248/88"?

Full log (personally identifiable info removed and replaced with an ellipsis: …):

[Wed May 18 08:27:38.649383 2022] [:error] [pid 3490:tid 3408850568960] [client …] [client …] ModSecurity: Warning. Pattern match "(?:\\$(?:\\((?:\\(.\\)|.)\\)|\\{.\\})|[<>]\\(.\\))" at ARGS:wpTextbox1. [file "…/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >((@150[e]4ppp[b]2pp[e]2pp[e]2p[d]3ppp[e]2pp|1[e]2pp[e]2p!ppp)2)4([=egb]8[e]4ppp[b]2p[=egb]8p[e]2pp[e]2p[=df#b]8[d]3ppp[e]2p[=egb]8p|1[e]2pp[e]2p!ppp)2([=cea]8[a]4ppp[e]2p[=cea]8p[a]2pp[a]2p[=df#b]8[d]3ppp[f#]2p|1[=cea]8p[e]2pp[e]2p![=egb]8pppp)2(([=egb]8[e]4ppp[b]2p[=egb]8p[e]2pp[e]2p[=df#b]8[d]3ppp[e]2p|1[=egb]8p[e]2pp[e]2p![=egb]pppp)2)2([=egb]8[e]4ppp[b]2p[=egb]8p[e]2pp[e]2p[=df#b]8[d]3ppp[e]2p[=egb]8p|1[e]2pp[e]2p!ppp)2([=cea]8[a]4ppp[e]2p[=cea]8p[a]2pp[a]2p[=df#b]8[d]3ppp[f#]2p|1[=cea..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2" [hostname "…"] [uri "…bardsfield/index.php"] [unique_id "YoUQak6BVgxiylKa6BNQVgAAAAE"], referer: https://…/bardsfield/index.php?title=…&action=edit


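To see which part of the tune text trips rule 932130, here is an added Python check (not from the question or either answer) that runs the rule's regex over constructed samples: the start of the tune quoted in the log above, a chords-only snippet, and a genuine shell substitution for comparison. It assumes the upstream CRS 3.3.x pattern reads `.*` where the log on this page shows `.` (the asterisks were most likely lost in formatting).

```python
import re

# OWASP CRS 3.3.x rule 932130 "Unix Shell Expression Found" pattern.
# Assumption: the page's log shows "." where the real regex has ".*"
# (asterisks eaten by markdown), so the ".*" form is used here.
RULE_932130 = re.compile(r"(?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))")

# Constructed samples: the opening of the CLTF tune from the page's log,
# a chords/notes-only snippet, and a real shell command substitution.
CLTF_FROM_LOG = ">((@150[e]4ppp[b]2pp[e]2pp[e]2p[d]3ppp[e]2pp|1[e]2pp[e]2p!ppp)2)4"
CLTF_CHORD_ONLY = "[DFA.] [ceg] a.b.c d e f g"   # no '>(' or '$(' sequence
SHELL_SUBST = "echo $(date)"                      # what the rule is meant to catch


def find_932130_match(text: str):
    """Return the substring rule 932130 would log as Matched Data, or None."""
    m = RULE_932130.search(text)
    return m.group(0) if m else None


def trigger_reason(text: str):
    """Which branch fired: 'dollar' for $(...)/${...}, 'redirect' for the
    [<>]( ... ) branch that the CLTF text trips, or None if no match."""
    hit = find_932130_match(text)
    if hit is None:
        return None
    return "dollar" if hit.startswith("$") else "redirect"


if __name__ == "__main__":
    for label, sample in [("CLTF from log", CLTF_FROM_LOG),
                          ("CLTF chords", CLTF_CHORD_ONLY),
                          ("shell subst", SHELL_SUBST)]:
        print(f"{label:14s} -> {trigger_reason(sample)}: {find_932130_match(sample)!r}")
```

The tune matches only through the `>(` ... `)` branch, which is why a target exclusion for the wiki text field, rather than disabling ModSecurity, is the narrower fix.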
There are 2 answers

M Noivad (BEST ANSWER)

Okay. So, we got all the modSec rule IDs that we needed exempted (there were 6 security violations) by our hosting ISP's server admin. So, this case is closed.

azurit

Try this exclusion rule (put it into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf):

# Apply only to requests for MediaWiki's index.php endpoint
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:80,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    # ...and only when the edit form is being submitted (action=submit)
    SecRule ARGS:action "@streq submit" \
        "t:none,\
        chain"
        # ...with exactly one 'action' argument; then stop the listed CRS
        # rules from inspecting the wiki text field (wpTextbox1) only,
        # leaving them active for every other parameter
        SecRule &ARGS:action "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetById=930120;ARGS:wpTextbox1,\
            ctl:ruleRemoveTargetById=932100;ARGS:wpTextbox1,\
            ctl:ruleRemoveTargetById=932130;ARGS:wpTextbox1,\
            ctl:ruleRemoveTargetById=941100;ARGS:wpTextbox1,\
            ctl:ruleRemoveTargetById=941160;ARGS:wpTextbox1"