On Sat, 2010-11-13 at 15:10 +0000, Arthur Dent wrote:
> Hello all,
>
> I am not really a network guy. I have a small home server running Fedora
> 13. As well as hosting my small family web site it is also a mail server
> running Procmail, Spamassassin, Dovecot and Squirrelmail.
>
> I also have an iPhone.
>
> I was thrilled, recently, to discover an application called z-push which
> allows me to "push" emails from my server to my iPhone. It uses a php
> script running php-imap on the server to spoof
> Microsoft-Server-ActiveSync. It works brilliantly with Mod_security
> disabled. ModSec however blocks it. I have tried creating a local rule
> in modsecurity_localrules.conf but I couldn't get it quite right - plus
> I was not sure what the safest way to allow this access would be without
> opening up the server too much...
>
> I get two types of report in the console:
>
> METHOD: POST URI: /Microsoft-Server-ActiveSync
> 1) Request content type is not allowed by policy 2) Inbound Anomaly Score
> (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed
> by policy
>
> and
>
> METHOD: OPTIONS URI: /Microsoft-Server-ActiveSync
> Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$"
> against "REQUEST_METHOD" required.
>
> The second of those, obviously, is actually blocked. It is blocked by a
> rule which I put into my local rules having worked through Magnus
> Mischel's book.
>
> This is the rule in question:
> # Rule to block non-standard methods (See Modsec book p50)
> SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"
Replying to my own message...
Looking closer, I have modified this rule to read:
SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "deny,status:405"
Is that safe?
It now results in this however:
--e00ab306-H--
Message: Match of "within %{tx.allowed_request_content_type}" against "TX:0" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/vnd.ms-sync.wbxml"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy"]
Apache-Handler: php5-script
Stopwatch: 1289661517966736 246643 (536 11498 -)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.16 (Fedora)
>
> Please see below the detail for the denial. How can I craft a safe rule
> to allow this through?
>
> Thanks in advance....
>
> Mark
>
>
> --fa24db00-B--
> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
> Host: mydomain.example.com
> Content-Length: 0
> User-Agent: Apple-iPhone2C1/802.117
> X-Ms-Policykey: 0
> Authorization: Basic bWFyazppbEhhYWRIUA==
> Accept: */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
>
> --fa24db00-F--
> HTTP/1.1 405 Method Not Allowed
> Allow: TRACE
> Content-Length: 337
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --fa24db00-H--
> Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
> Action: Intercepted (phase 2)
> Apache-Handler: php5-script
> Stopwatch: 1289655765198610 1406 (534 728 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
> Server: Apache/2.2.16 (Fedora)
>
> --fa24db00-Z--
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
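A scoped alternative to the widened method rule, as an added example that is not from the thread, from z-push or from the Core Rule Set. Two things in the quoted audit logs shape it: the OPTIONS request is the one that is actually intercepted (the local method rule denies it with 405), while the content-type hit from CRS rule 960010 only contributes an anomaly score of 10 against a threshold of 20 and is therefore logged, not blocked. The example limits both exceptions to the single path the iPhone talks to. It assumes ModSecurity 2.5 and CRS 2.0.8 as in the thread; the rule id 960010 and the path come from the quoted logs, the local rule ids 900010 and 900011 are arbitrary choices for this example, and REQUEST_FILENAME is used rather than REQUEST_URI so that a query string on the ActiveSync POSTs does not break the match.

```apache
# Added example (not from the original thread): scope the z-push exceptions
# to the one URI it needs instead of allowing OPTIONS on every path.
# Assumes ModSecurity 2.5 / CRS 2.0.8. Local ids 9000xx are arbitrary.

# Weak form (from the reply above): every URI on the server now accepts OPTIONS.
# SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "deny,status:405"

# Scoped form: a non-standard method is denied unless the request is for the
# ActiveSync endpoint. The chain denies only when BOTH rules match, i.e. the
# method is not GET/POST/HEAD AND the path is not the ActiveSync one.
# REQUEST_FILENAME excludes the query string, so "?Cmd=Sync&..." still matches.
SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" \
    "phase:2,t:none,id:900010,chain,deny,status:405,msg:'Non-standard method outside ActiveSync'"
    SecRule REQUEST_FILENAME "!@streq /Microsoft-Server-ActiveSync" "t:none"

# Still tighten what the endpoint itself accepts: only OPTIONS and POST there.
SecRule REQUEST_FILENAME "@streq /Microsoft-Server-ActiveSync" \
    "phase:2,t:none,id:900011,chain,deny,status:405,msg:'Unexpected method on ActiveSync'"
    SecRule REQUEST_METHOD "!^(OPTIONS|POST)$" "t:none"

# z-push POSTs application/vnd.ms-sync.wbxml, which CRS rule 960010 scores as
# "Request content type is not allowed by policy". Switch that single rule off
# for this transaction only when the path is the ActiveSync endpoint. The ctl
# action sits on the last rule of the chain so it fires only when the whole
# chain matches, and phase 1 runs before the phase 2 policy rule it removes.
SecRule REQUEST_FILENAME "@streq /Microsoft-Server-ActiveSync" \
    "phase:1,t:none,id:900012,pass,nolog,chain"
    SecRule REQUEST_METHOD "^POST$" "t:none,ctl:ruleRemoveById=960010"
```

After adding the rules, repeat the iPhone sync and confirm in the audit log that the OPTIONS request no longer produces an "Access denied with code 405" message and that the POST no longer logs rule 960010, then send an OPTIONS to some other path and confirm it is still answered with 405. Two checks the quoted request and response suggest: the iPhone authenticates with an Authorization: Basic header, so this endpoint should only be reachable over TLS, and the 405 response advertises "Allow: TRACE", which can be turned off with "TraceEnable off" in Apache 2.2 if nothing needs it.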
