Last modified: 2011-04-30 01:20:47 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T23998, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 21998 - Unable to install; config/index.php gives 403 due to mod_security
Unable to install; config/index.php gives 403 due to mod_security
Status: CLOSED FIXED
Product: MediaWiki
Classification: Unclassified
Installer (Other open bugs)
1.15.x
Other Linux
: Normal blocker (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks: 20768
  Show dependency treegraph
 
Reported: 2010-01-03 00:55 UTC by Arent
Modified: 2011-04-30 01:20 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Arent 2010-01-03 00:55:59 UTC 
When trying to install Mediawiki as usual I get a 403 after finishing config/index.php

The server log shows: Message: Operator GT matched 1 at TX:arg_name_DBmwschema. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "28"] [msg "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."]

Sitename=demo&
EmergencyContact=XXXXX&
LanguageCode=en&
License=none&
SysopName=admin&
SysopPass=XXXX&
SysopPass2=XXXX&
Shm=none&
MCServers=&
Email=email_enabled&
Emailuser=emailuser_enabled&
Enotif=enotif_allpages&
Eauthent=eauthent_enabled&
DBtype=mysql&
DBserver=localhost&
DBname=test&
DBuser=wiki&
DBpassword=XXXX&
DBpassword2=XXXX&
useroot=on&
RootUser=wiki&
RootPW=XXXX&
DBprefix=&
DBengine=InnoDB&
DBschema=mysql5-binary&
DBport=5432&
DBmwschema=mediawiki&
DBts2schema=public&
SQLiteDataDir=&
DBprefix2=&
DBport_db2=50000&
DBmwschema=mediawiki&
DBcataloged=cataloged

Tracking down further I notice "DBmwschema" mentioned twice in the url parameters, so mod_security's message "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name" seems correct indeed.

I guess that line 634 of config/index.php is redundant with line 621
	$conf->DBmwschema   = importPost( "DBmwschema",  "mediawiki" );
However, commenting out line 634 did not solve the problem.

Disabling mod_security (v 2.5.10-2.fc11) worked as a workaround.
Comment 1 Platonides 2010-01-03 18:05:14 UTC 
Was fixed on r57454 when fixing bug 21030
Comment 2 Arent 2010-01-03 20:48:18 UTC 
ok
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links