Topic on Project:Support desk

XSS detected in normal wikitext table?

4
Summary by Knomanii

"Extra Web Security" = ModSecurity = Many False Positives for Mediawiki

Knomanii (talkcontribs)

So I was editing my Main Page when my server starting giving me "Internal Server Error" pages anytime I hit either "submit" or "preview page." Then my server blacklisted my IP address and I had to contact my web host to regain access to my site.

Here's what it said in my error logs:

[Thu Sep 03 00:56:09.540779 2020] [:error] [pid 13641] [client MY_IP] [client ME] ModSecurity: Warning. detected XSS using libinjection. [file "/host/apache2/template/etc/mod_sec3_CRS/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:text: {| class=\\x22oneColTb nomobile\\x22 style=\\x22width:100%; padding:0rem 1rem 1rem 1rem; font-size:1.1rem;\\x22\\x0a|-\\x0a| colspan=2 style=\\x22font-size:1.4rem; font-weight:bold; text-align:center;\\x22 | <h1 style=\\x22margin-top:.4em !important\\x22>Welcome to Test Wiki</h1>\\x0a|-\\x0a| valign=middle style=\\x22padding-right:1em;\\x22 |\\x0a\\x0aThis Test Wiki exists for the easy sharing of information, policies, and documents among staff and board m..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSens [hostname "mysite.com"] [uri "/w/api.php"] [unique_id "alongstringofcharacters"], referer: https://mysite.com/w/index.php?title=Main_page&action=submit   

I don't get it. That looks like a regular old wiki table to me. Why is my server identifying it as an XSS attack and triggering "Internal Server Error" whenever I try to edit it?

My server had at least 100 error messages similar the one above — all of which look like scary XSS attacks until I look into at their contents and see normal wikitext. Here's another scary looking one:

[Thu Sep 03 00:56:42.103058 2020] [:error] [pid 12245] [client MY_IP] [client ME] ModSecurity: Warning. Pattern match "(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ..." at ARGS:text. [file "/host/apache2/template/etc/mod_sec3_CRS/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "229"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \\x22oneColTb nomobile\\x22 style=\\x22width:100%; padding:0rem 1rem 1rem 1rem; font-size:1.1rem;\\x22\\x0a|-\\x0a| colspan=2 style=\\x22font-size:1.4rem; font-weight:bold; text-align:center;\\x22 | <h1 style=\\x22margin-top:.4em !important\\x22>Welcome to Test Wiki</h1>\\x0a|-\\x0a| valign=middle style=\\x22padding-right:1em;\\x22 |\\x0a\\x0aThis Test Wiki exists for the easy sharing of information, policies, and documents among staff and board members.\\x0a\\x0aExplore pages for [[:Categories..."] [severity "CRITICAL"] [ver "OWASP_CRS [hostname "mysite.com"] [uri "/w/api.php"] [unique_id "alongstringofcharacters"], referer: https://mysite.com/w/index.php?title=Main_Page&action=edit   

Any idea why?

Taavi (talkcontribs)

That's not a MediaWiki feature and probably caused by your host's webserver configuration.

Ciencia Al Poder (talkcontribs)

As you can see in the logs, this is caused by ModSecurity. Ask your host to disable that.

Knomanii (talkcontribs)

Got it, thanks. I vaguely remembering ticking "Extra Web Security" in my host's web options recently, so ModSecurity must be the result.


I'd love to disable it just for the Mediawiki folder, but unfortunately my web host says "Disabling and modifying of mod_security rules via .htaccess is not supported at this time."


So, I'll go ahead and disable it. Anyhoo, thanks for all the info.