[pmwiki-users] Failure, if uses WGET on a wiki-page?

Joachim Durchholz jo at durchholz.org
Tue Mar 14 02:48:04 CST 2006


Daniel Hofer wrote:
>> Could mod_security be enabled on your server?  To quote Pm,
> 
> yes, it seems to be loaded, I find it in "loaded modules".
> Is there a problem if I don't load this module?

That depends.

mod_security is self-termed as an "application firewall for web 
servers". In practical terms, this means that it scans incoming requests 
for "known problematic content" and filters them. If your box is 
vulnerable to one of the attacks that are prevented by mod_security, you 
have opened a security hole.

In my personal (and not very humble) opinion, mod_security is solving 
the wrong problem. It's a "deny known bad requests" policy, which will 
never catch all attack routes (an "allow known good requests" policy is 
the way to go).
Also, it runs the risk of rejecting perfectly valid requests (as you 
have just found out). To make things worse, since it's a "reject known 
attacks" approach, the filter rules have to be constantly upgraded, and 
you'd have to recheck the entire site to see what's broken by 
mod_security now.
To set up a good mod_security filter, you need to carefully analyse what 
strings will hit a security hole, and write a regular expression that 
covers exactly that hole (but doesn't cover valid requests). It's 
usually easier to simply correct the software that has the hole (and 
such a security patch is useful even for those who don't have mod_security).

IOW mod_security is a solution if and only if you have software that you 
cannot patch, and can't switch to patchable software.
In your case, IIS isn't patchable, so mod_security may be necessary. In 
that case, it may be using the wrong filter set; as far as my knowledge 
goes, wget isn't usually available on Windows boxen, so filtering that 
particular term isn't doing any good. Try to find an IIS-specific 
configuration for mod_security. (I'd still recommend switching to a web 
server with a better track record security-wise; Apache and lighttpd 
come to mind. I haven't used lighttpd, but web pages seem to deal more 
with "how to do nifty things" rather than with "it doesn't work and I 
don't know why", the latter being all too common for Apache. Besides, 
lighttpd takes considerably less resources; installing lighttpd is on my 
ever-growing list of Things I Want To Do When I Have The Time.)

Regards,
Jo
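The two policies contrasted in the message above, worked through as an added example (not code from the thread, from PmWiki or from mod_security): a "deny known bad" filter of the kind that matched the word "wget", beside an "allow known good" filter that models the wiki's own interface, both run over constructed sample requests. The deny rules, the wiki script path, the parameter names and the action set are assumptions made for the illustration, not PmWiki's actual rule set or configuration.

```python
"""Deny-known-bad vs. allow-known-good request filtering.

Added example, not code from the thread, PmWiki or mod_security.  It
models the two policies the message contrasts as plain Python functions
run over constructed sample requests.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests: (method, request-target, User-Agent).
SAMPLE_REQUESTS = {
    # what a reader's browser sends
    "browser_view": ("GET", "/pmwiki/pmwiki.php?n=Main.HomePage", "Mozilla/5.0"),
    # the same page fetched with wget (the case from the thread subject)
    "wget_view": ("GET", "/pmwiki/pmwiki.php?n=Main.HomePage", "Wget/1.10.2"),
    # a tool that simply sends a browser-like User-Agent
    "masked_tool": ("GET", "/pmwiki/pmwiki.php?n=Main.HomePage", "Mozilla/5.0 (compatible)"),
    # an unexpected query parameter that no deny rule has been written for
    "unknown_param": ("GET", "/pmwiki/pmwiki.php?n=Main.HomePage&cmd=whoami", "Mozilla/5.0"),
    # a request for a script the site does not expose (constructed path)
    "unknown_script": ("POST", "/admin/backup.php?go=1", "Mozilla/5.0"),
}

# --- policy 1: deny known bad (what a mod_security-style rule set does) ---
# Each rule is (request field, pattern).  Assumed rules: block a User-Agent
# containing "wget" and block directory traversal in the query string.
DENY_RULES = [
    ("user_agent", re.compile(r"wget", re.IGNORECASE)),
    ("query", re.compile(r"\.\./")),
]

def deny_known_bad(method, target, user_agent):
    """Return (allowed, reason): allowed unless some deny rule matches."""
    fields = {"user_agent": user_agent, "query": urlsplit(target).query}
    for field, pattern in DENY_RULES:
        if pattern.search(fields[field]):
            return False, f"deny rule hit on {field}: {pattern.pattern}"
    return True, "no deny rule matched"

# --- policy 2: allow known good (a positive model of the wiki's interface) ---
# Assumptions: the wiki lives at one script path, takes only the listed
# parameters, and the action set is a small subset of PmWiki's actions.
ALLOWED_METHODS = {"GET", "POST"}
WIKI_SCRIPT = "/pmwiki/pmwiki.php"
ALLOWED_PARAMS = {"n", "action", "q"}
ALLOWED_ACTIONS = {"view", "edit", "diff", "print", "search"}
PAGE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*[./][A-Za-z][A-Za-z0-9-]*$")

def allow_known_good(method, target, user_agent):
    """Return (allowed, reason): allowed only if every part is known good.

    The User-Agent is deliberately not inspected: it is client-chosen
    and says nothing about whether the request is well formed.
    """
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    parts = urlsplit(target)
    if parts.path != WIKI_SCRIPT:
        return False, f"path {parts.path} is not the wiki script"
    params = parse_qs(parts.query, keep_blank_values=True)
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        return False, f"unknown parameters: {sorted(unknown)}"
    for name in params.get("n", []):
        if not PAGE_NAME.match(name):
            return False, f"malformed page name {name!r}"
    for action in params.get("action", []):
        if action not in ALLOWED_ACTIONS:
            return False, f"action {action!r} not allowed"
    return True, "request matches the known-good model"

def evaluate(policy):
    """Run one policy over the sample set; returns {name: allowed}."""
    return {name: policy(*req)[0] for name, req in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for policy in (deny_known_bad, allow_known_good):
        print(policy.__name__)
        for name, req in SAMPLE_REQUESTS.items():
            allowed, reason = policy(*req)
            print(f"  {name:14s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Running it shows the two failure modes the message describes side by side: the deny list rejects the legitimate wget fetch of a wiki page while waving through the request with the unknown parameter and the request for a script the site never exposed, because nobody wrote a rule for either; the allow list accepts the wget fetch (the User-Agent is irrelevant to whether a request is well formed) and rejects both of the others without needing a rule per attack. The cost of the allow list is the one the message also names: the model has to be kept in step with the application, so adding a parameter or action to the wiki means updating the filter.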
