In some cases, file uploads and the use of syntax such as parser functions may trigger false positives.
Other issues can happen if you attempt to save an edit that contains more than X external links. Some hosts use rules to trap spambots that try to insert 3 or more external links on a page.
When an edit triggers a mod_security rule, the behavior is usually a 403 Forbidden error, or a redirect to the main page.
I am creating this page to start a discussion about the use of the Apache module 'ModSecurity' with MediaWiki. Sorry for the rough nature of this page, but I figure something is better than nothing (to get the ball rolling so to speak).
We were getting some strange behavior from our MediaWiki install (running on Apache) after a recent update of ModSecurity. After checking the server logs, we found errors like this...
[Tue May 06 00:12:00 2008] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 501 (phase 2).
Pattern match "(?:(?:[\\\\;\\\\|\\\\`]\\\\W*?\\\\bcc|\\\\bwget)\\\\b|\\\\/cc(?:[\\\\'\\"\\\\|\\\\;\\\\`\\\\-\\\\s]|$))"
at ARGS:wpTextbox1. [id "950907"] [msg "System Command Injection. Matched signature <|cc>"] [severity "CRITICAL"]
[hostname "oururl.org"] [uri "/index.php?title=ourPageTitle&action=submit"] [unique_id "J0mzfsCoAHoAAGfHsfsAAAAw"]
The problem was being triggered by code like the following ... [[Category:Some such category|CC]] or, to our surprise, [[Category:Some such category|GCC]]
Following the advice found on LinuxQuestions.org  we added the following rule to our '/etc/httpd/modsecurity.d/modsecurity_localrules.conf' file (which is Apache-'Include'-ed by '/etc/httpd/conf.d/mod_security.conf'):
## Fixes a problem for certain content of wiki pages.
But is it safe to just lob in such rules in an ad-hock way? Can anyone suggest a set of ModSecurity patches for use with MediaWiki? Or is MediaWiki just a gaping security whole (at least as far as ModSecurity is concerned)?
What categories should this page be in?
Thanks for your patience. --18.104.22.168 5 May 2008
It should be possible to disable by putting
inside the virtual host or a .htaccess 
[Comment by Platonides, 10 November 2011]