[pmwiki-users] Bug in PmWiki?
Mike
mike at widowitz.com
Wed Jan 18 09:37:42 CST 2006
Amazing - I checked back with my provider, and they in fact had turned
on a protection against PHP script security leaks which did exactly what
you suspected. Took them 30 seconds to turn it off for me - works now.
Thanks - I would never have figured out it could be something like that...
Happy with my wiki again --
Mike
Patrick R. Michaud wrote on 1/17/2006 19:33:
> On Tue, Jan 17, 2006 at 05:38:36PM +0100, Mike wrote:
>
>>Done.
>>
>>Thanks so much for your support help and work. As I said, I'll do the
>>recipe out-commenting as soon as I can...
>
>
> I'm wondering if it's your Apache mod_security module that is
> causing the problem, as opposed to anything within PmWiki.
> It looks to me as though mod_security (or something) is blocking
> any request that contains "file(" in an argument string somewhere.
>
> Here's a demonstration -- note that the following url works:
>
> http://wiki.use-your-brains.com/pub/skins/brain.png
>
> We can add a parameter to the end (any name) and it still works:
>
> http://wiki.use-your-brains.com/pub/skins/brain.png?foo=xyz
>
> But if the parameter contains the string "file(" anywhere in it,
> request is blocked:
>
> http://wiki.use-your-brains.com/pub/skins/brain.png?foo=xyzfile%28xyz
>
> Since each of the above requests isn't using PmWiki at all to
> process them, it must be something in the webserver blocking
> the request. I suspect mod_security is doing it.
>
> And note that this problem isn't specific to PmWiki; any application
> running on this server would block posts containing "file(".
>
> I know very little about how mod_security works, but you might
> see if you can disable it for PmWiki with a directive like
>
> SecFilterEngine Off
>
> in a httpd.conf or .htaccess file or something like that.
>
> Hope this helps!
>
> Pm
>
>
More information about the pmwiki-users
mailing list