Using OWASP ModSecurity Core Rule Set ver.3.0.2 on cPanel v66.0.23; CentOS 7.3, Mailman 2.1.23:
ModSecurity with the OWASP rules (which come with cPanel nowadays) doesn't like Mailman's list options URL for some email addresses. Specifically, a URL in the form http://lists.xxx.xxx/mailman/options/listname/localpart--at--domain.com is blocked with a 403 error. Only '.com' addresses are affected, as far as I can tell, and the reason is rule 920440:

    SecRule REQUEST_BASENAME "\.(.*)$" \
        "chain, capture, phase:request, t:none,t:urlDecodeUni,t:lowercase, block, \
        msg:'URL file extension is restricted by policy', severity:'CRITICAL', rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'9', id:920440, logdata:'%{TX.0}', \
        tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS/POLICY/EXT_RESTRICTED', tag:'WASCTC/WASC-15', tag:'OWASP_TOP_10/A7', tag:'PCI/6.5.10', logdata:'%{TX.0}', \
        setvar:tx.extension=.%{tx.1}/"
        SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
            "t:none, setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"

tx.restricted_extensions, defined elsewhere, lists a lot of file extensions, .com being among them:

    'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'

So basically ModSecurity sees .com at the end of the URL and thinks a risky file is being requested and blocks the request. With some help from the OWASP list I wrote a new rule that works around this problem. It is entered in the "ModSecurity Tools" section of cPanel's WHM. I don't know if there's a way to do it if you don't have access to WHM. I couldn't find one.
    SecRule REQUEST_URI "^\/mailman\/options\/.*" \
        "id:900240,phase:1,nolog,pass,t:none,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"

That substitutes a new list of restricted extensions for requests to a page containing the "/mailman/options/" string. Now:

    http://lists.xxx.xxx/mailman/options/listname/localpart--at--domain.com is admitted
    http://lists.xxx.xxx/mailman/Xoptions/listname/localpart--at--domain.com is blocked

I'm posting this mostly for the sake of anyone else who runs into this problem. If there's a simple fix on the Mailman side, though, so much the better. Maybe substitute another character for the dot?
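To see concretely why rule 920440 fires on these URLs and how the workaround changes the outcome, here is an added Python model of the two rules' matching logic (example code, not ModSecurity itself and not from the post). It assumes REQUEST_BASENAME is the last path segment of the request URI without the query string, approximates t:urlDecodeUni with urllib's unquote, and treats @within as a substring test, which is how ModSecurity evaluates it.

```python
import re
from urllib.parse import unquote

# Restricted-extension list as quoted from the CRS setup in the post above;
# ".com/" is the entry that matches an e-mail address's top-level domain.
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ "
    ".com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ "
    ".htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ "
    ".old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ "
    ".vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)
# The workaround rule (id 900240) installs the same list minus ".com/" for
# any request whose REQUEST_URI matches ^/mailman/options/.
MAILMAN_EXTENSIONS = RESTRICTED_EXTENSIONS.replace(".com/ ", "")
WORKAROUND_URI = re.compile(r"^/mailman/options/.*")

# Operator pattern of rule 920440: first dot in the basename, greedy to the end.
EXT_PATTERN = re.compile(r"\.(.*)$")


def request_basename(request_uri):
    # Approximation (assumed) of REQUEST_BASENAME: last path segment, no query.
    return request_uri.split("?", 1)[0].rsplit("/", 1)[-1]


def extension_of(basename):
    # t:urlDecodeUni (approximated with unquote) and t:lowercase, then
    # setvar:tx.extension=.%{tx.1}/ builds "." + capture + "/".
    match = EXT_PATTERN.search(unquote(basename).lower())
    return None if match is None else "." + match.group(1) + "/"


def blocked_by_920440(request_uri, workaround_installed=False):
    """True if the chained rule would block the request.

    The second chain link is '@within %{tx.restricted_extensions}', which
    succeeds when tx.extension occurs as a substring of the list.
    """
    restricted = RESTRICTED_EXTENSIONS
    if workaround_installed and WORKAROUND_URI.match(request_uri):
        restricted = MAILMAN_EXTENSIONS
    extension = extension_of(request_basename(request_uri))
    return extension is not None and extension in restricted
```

Running the model also shows a detail the regex implies: because `\.(.*)$` captures from the first dot, an address with a dot in its local part (first.last--at--domain.com) yields an "extension" that is not in the list and is never blocked, so only dot-free local parts at a listed TLD such as .com are affected.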