https://bugzilla.wikimedia.org/show_bug.cgi?id=21998
Summary: Unable to install; config/index.php gives 403 due to
mod_security
Product: MediaWiki
Version: 1.15.1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: blocker
Priority: Normal
Component: Installation
AssignedTo: [email protected]
ReportedBy: [email protected]
When trying to install MediaWiki as usual I get a 403 after finishing
config/index.php.
The server log shows:
Message: Operator GT matched 1 at TX:arg_name_DBmwschema. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "28"] [msg "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."]
Sitename=demo&
EmergencyContact=XXXXX&
LanguageCode=en&
License=none&
SysopName=admin&
SysopPass=XXXX&
SysopPass2=XXXX&
Shm=none&
MCServers=&
Email=email_enabled&
Emailuser=emailuser_enabled&
Enotif=enotif_allpages&
Eauthent=eauthent_enabled&
DBtype=mysql&
DBserver=localhost&
DBname=test&
DBuser=wiki&
DBpassword=XXXX&
DBpassword2=XXXX&
useroot=on&
RootUser=wiki&
RootPW=XXXX&
DBprefix=&
DBengine=InnoDB&
DBschema=mysql5-binary&
DBport=5432&
DBmwschema=mediawiki&
DBts2schema=public&
SQLiteDataDir=&
DBprefix2=&
DBport_db2=50000&
DBmwschema=mediawiki&
DBcataloged=cataloged
Tracking down further, I notice "DBmwschema" mentioned twice in the URL
parameters, so mod_security's message "Possible HTTP Parameter Pollution
Attack: Multiple Parameters with the same Name" seems correct indeed.
I guess that line 634 of config/index.php is redundant with line 621:
$conf->DBmwschema = importPost( "DBmwschema", "mediawiki" );
However, commenting out line 634 did not solve the problem.
Disabling mod_security (v 2.5.10-2.fc11) worked as a workaround.
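
Added example, not part of the original report and not MediaWiki or ModSecurity code: a Python check that counts parameter names in the request body quoted above, the way the log line implies the rule does (a per-name counter greater than 1), and separates duplicates that carry identical values from ones a first-wins and a last-wins parser would read differently. The function names are hypothetical.

```python
from urllib.parse import parse_qsl

# Request body exactly as quoted in the report (secrets were already masked there).
REPORTED_BODY = (
    "Sitename=demo&EmergencyContact=XXXXX&LanguageCode=en&License=none&"
    "SysopName=admin&SysopPass=XXXX&SysopPass2=XXXX&Shm=none&MCServers=&"
    "Email=email_enabled&Emailuser=emailuser_enabled&Enotif=enotif_allpages&"
    "Eauthent=eauthent_enabled&DBtype=mysql&DBserver=localhost&DBname=test&"
    "DBuser=wiki&DBpassword=XXXX&DBpassword2=XXXX&useroot=on&RootUser=wiki&"
    "RootPW=XXXX&DBprefix=&DBengine=InnoDB&DBschema=mysql5-binary&DBport=5432&"
    "DBmwschema=mediawiki&DBts2schema=public&SQLiteDataDir=&DBprefix2=&"
    "DBport_db2=50000&DBmwschema=mediawiki&DBcataloged=cataloged"
)


def collect(body):
    """Map each parameter name to the ordered list of values sent for it."""
    seen = {}
    # keep_blank_values: empty fields such as "MCServers=" still count as a name.
    for name, value in parse_qsl(body, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return seen


def duplicate_params(body):
    """Names sent more than once: what a 'same name twice' rule fires on."""
    return {n: v for n, v in collect(body).items() if len(v) > 1}


def ambiguous_params(body):
    """Duplicates whose first and last values differ.

    Only these are read differently by a first-wins parser and a
    last-wins parser (PHP's $_POST keeps the last value).
    """
    return sorted(n for n, v in duplicate_params(body).items() if v[0] != v[-1])


if __name__ == "__main__":
    for name, values in duplicate_params(REPORTED_BODY).items():
        print(f"duplicate name {name!r}: values={values}")
    print("ambiguous across parsers:", ambiguous_params(REPORTED_BODY))
```

On the reported body this flags only DBmwschema, with the same value both times, so the rule is matching on the repeated name in the submitted form rather than on conflicting values.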