[pmwiki-users] Failure, if uses WGET on a wiki-page?
Joachim Durchholz
jo at durchholz.org
Tue Mar 14 02:48:04 CST 2006
Daniel Hofer wrote:
>> Could mod_security be enabled on your server? To quote Pm,
>
> yes, it seems to be loaded, I find it in "loaded modules".
> Is there a problem if I don't load this module?
That depends.
mod_security is self-termed as an "application firewall for web
servers". In practical terms, this means that it scans incoming requests
for "known problematic content" and filters them. If your box is
vulnerable to one of the attacks that are prevented by mod_security, you
have opened a security hole.
In my personal (and not very humble) opinion, mod_security is solving
the wrong problem. It's a "deny known bad requests" policy, which will
never catch all attack routes (an "allow known good requests" policy is
the way to go).
Also, it runs the risk of rejecting perfectly valid requests (as you
have just found out). To make things worse, since it's a "reject known
attacks" approach, the filter rules have to be constantly upgraded, and
you'd have to recheck the entire site to see what's broken by
mod_security now.
To set up a good mod_security filter, you need to carefully analyse what
strings will hit a security hole, and write a regular expression that
covers exactly that hole (but doesn't cover valid requests). It's
usually easier to simply correct the software that has the hole (and
such a security patch is useful even for those who don't have mod_security).
IOW mod_security is a solution if and only if you have software that you
cannot patch, and can't switch to patchable software.
In your case, IIS isn't patchable, so mod_security may be necessary. In
that case, it may be using the wrong filter set; as far as my knowledge
goes, wget isn't usually available on Windows boxen, so filtering that
particular term isn't doing any good. Try to find an IIS-specific
configuration for mod_security. (I'd still recommend switching to a web
server with a better track record security-wise; Apache and lighttpd
come to mind. I haven't used lighttpd, but web pages seem to deal more
with "how to do nifty things" rather than with "it doesn't work and I
don't know why", the latter being all too common for Apache. Besides,
lighttpd takes considerably less resources; installing lighttpd is on my
ever-growing list of Things I Want To Do When I Have The Time.)
Regards,
Jo
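As an added illustration of the "deny known bad" versus "allow known good" point in the message above (example code written for this archive page, not code from Jo, Daniel or the PmWiki project): the script below runs a handful of constructed PmWiki-style query strings through both policies. The parameter names, the allowed action list and the sample requests are assumptions made for the example, not PmWiki's actual request handling or anyone's real mod_security rule set.

```python
"""Blacklist vs. allowlist request filtering on constructed PmWiki-style queries.

Added example, not part of the original mailing-list post. The request
shapes, the allowed parameters and the sample queries are all assumptions.
"""
import re
from urllib.parse import parse_qsl

# Constructed sample requests: (query string, is this a legitimate request?).
# Made up for this example; not taken from any server log.
SAMPLE_REQUESTS = [
    ("n=Main.HomePage&action=browse", True),
    # A legitimate page whose name merely contains "wget"
    ("n=Cookbook.WgetMirror&action=edit", True),
    # A legitimate search for the word "wget"
    ("n=Main.HomePage&action=search&q=wget+mirror", True),
    # An unexpected parameter carrying attacker-chosen content that is on no blacklist
    ("n=Main.HomePage&action=browse&x=curl+http://evil/x", False),
    # A path-traversal-looking page name
    ("n=../../etc/passwd&action=browse", False),
]

# --- Policy 1: "deny known bad" -------------------------------------------
# A generic rule set: reject any request in which a blacklisted token appears.
DENY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"wget", r"/etc/passwd")]


def deny_known_bad(query: str) -> bool:
    """Accept the request unless some blacklisted token occurs anywhere in it."""
    return not any(p.search(query) for p in DENY_PATTERNS)


# --- Policy 2: "allow known good" -----------------------------------------
# Validate each parameter against the shape the application actually expects
# (assumed shapes, not PmWiki's real rules).
PAGE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]*\.[A-Za-z][A-Za-z0-9]*")   # Group.Page
SEARCH_TERM = re.compile(r"[\w .+-]{1,200}")
ALLOWED_ACTIONS = {"browse", "edit", "search", "diff", "print"}

ALLOWED_PARAMS = {
    "n": lambda v: PAGE_NAME.fullmatch(v) is not None,
    "action": lambda v: v in ALLOWED_ACTIONS,
    "q": lambda v: SEARCH_TERM.fullmatch(v) is not None,
}


def allow_known_good(query: str) -> bool:
    """Accept only parameters the application defines, each with a valid value."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        validator = ALLOWED_PARAMS.get(key)
        if validator is None or not validator(value):
            return False
    return True


def score(policy) -> tuple[int, int]:
    """Return (false_rejects, false_accepts) for a policy over SAMPLE_REQUESTS."""
    false_rejects = sum(1 for q, ok in SAMPLE_REQUESTS if ok and not policy(q))
    false_accepts = sum(1 for q, ok in SAMPLE_REQUESTS if not ok and policy(q))
    return false_rejects, false_accepts


if __name__ == "__main__":
    for name, policy in (("deny known bad", deny_known_bad),
                         ("allow known good", allow_known_good)):
        rejects, accepts = score(policy)
        print(f"{name:17s} false rejects={rejects} false accepts={accepts}")
```

Running it shows the two failure modes the message describes: the blacklist rejects the two harmless requests that merely contain the word "wget" (the symptom Daniel hit) while waving through the request whose hostile content is not on the list, whereas the allowlist rejects the unexpected parameter and the malformed page name without any knowledge of specific attack strings.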