Since you don't have a rule ID for your rule, you could add the following rule right before it. It will check the URL and request method and if it is for z-push it will then skip the existing rule that is blocking it.
> # Rule to allow z-push method
> # (phase:2 so it runs in the same phase as the deny rule below, which the
> # audit log shows firing in phase 2; skip only counts rules in its own phase)
> SecRule REQUEST_FILENAME "/Microsoft-Server-ActiveSync" "chain,phase:2,t:none,pass,nolog,skip:1"
> SecRule REQUEST_METHOD "^OPTIONS$"
> # Rule to block non-standard methods (See Modsec book p50)
> SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"

-- Ryan Barnett

On Nov 13, 2010, at 10:11 AM, "Arthur Dent" <[email protected]> wrote:

> Hello all,
>
> I am not really a network guy. I have a small home server running Fedora
> 13. As well as hosting my small family web site it is also a mail server
> running Procmail, Spamassassin, Dovecot and Squirrelmail.
>
> I also have an iPhone.
>
> I was thrilled, recently, to discover an application called z-push which
> allows me to "push" emails from my server to my iPhone. It uses a php
> script running php-imap on the server to spoof
> Microsoft-Server-ActiveSync. It works brilliantly with Mod_security
> disabled. ModSec however blocks it. I have tried creating a local rule
> in modsecurity_localrules.conf but I couldn't get it quite right - plus
> I was not sure what the safest way to allow this access would be without
> opening up the server too much...
>
> I get two types of report in the console:
>
> METHOD: POST URI: /Microsoft-Server-ActiveSync
> 1) Request content type is not allowed by policy 2) Inbound Anomaly Score
> (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed
> by policy
>
> and
>
> METHOD: OPTIONS URI: /Microsoft-Server-ActiveSync
> Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$"
> against "REQUEST_METHOD" required.
>
> The second of those, obviously, is actually blocked. It is blocked by a
> rule which I put into my local rules having worked through Magnus
> Mischel's book.
>
> This is the rule in question:
> # Rule to block non-standard methods (See Modsec book p50)
> SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"
>
> Please see below the detail for the denial. How can I craft a safe rule
> to allow this through?
>
> Thanks in advance....
>
> Mark
>
> --fa24db00-B--
> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
> Host: mydomain.example.com
> Content-Length: 0
> User-Agent: Apple-iPhone2C1/802.117
> X-Ms-Policykey: 0
> Authorization: Basic bWFyazppbEhhYWRIUA==
> Accept: */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
>
> --fa24db00-F--
> HTTP/1.1 405 Method Not Allowed
> Allow: TRACE
> Content-Length: 337
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --fa24db00-H--
> Message: Access denied with code 405 (phase 2). Match of "rx
> ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file
> "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
> Action: Intercepted (phase 2)
> Apache-Handler: php5-script
> Stopwatch: 1289655765198610 1406 (534 728 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core
> ruleset/2.0.8.
> Server: Apache/2.2.16 (Fedora)
>
> --fa24db00-Z--
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
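
ModSecurity's skip action only counts rules in the phase currently being processed, and the audit log above shows the deny rule firing in phase 2. The following is an added example, not code from the thread or from ModSecurity: a simplified Python model of the two rules, evaluated against constructed requests, showing that the allow rule only takes effect when it shares a phase with the deny rule. The names `Rule`, `matches`, `evaluate` and `ruleset` are hypothetical.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    phase: int
    tests: list          # [(request field, regex, negate)]; all must match (a chain)
    deny: int = 0        # HTTP status to return, 0 = non-disruptive
    skip: int = 0        # number of following same-phase rules to skip

def matches(rule, req):
    return all(bool(re.search(rx, req[field])) != negate
               for field, rx, negate in rule.tests)

def evaluate(rules, req):
    """Return the deny status, or None if the request passes."""
    for phase in (1, 2):
        to_skip = 0
        # Model assumption: each phase walks only its own rules, in file order.
        for rule in (r for r in rules if r.phase == phase):
            if to_skip:
                to_skip -= 1
                continue
            if matches(rule, req):
                if rule.deny:
                    return rule.deny
                to_skip = rule.skip
    return None

def ruleset(allow_phase):
    """The allow chain placed in the given phase, followed by the phase-2 deny rule."""
    allow = Rule(allow_phase, [("filename", r"/Microsoft-Server-ActiveSync", False),
                               ("method", r"^OPTIONS$", False)], skip=1)
    block = Rule(2, [("method", r"^(GET|POST|HEAD)$", True)], deny=405)
    return [allow, block]

# Constructed sample requests
SYNC_OPTIONS = {"method": "OPTIONS", "filename": "/Microsoft-Server-ActiveSync"}
OTHER_OPTIONS = {"method": "OPTIONS", "filename": "/index.php"}

if __name__ == "__main__":
    for phase in (1, 2):
        print("allow rule in phase", phase,
              "| ActiveSync OPTIONS:", evaluate(ruleset(phase), SYNC_OPTIONS),
              "| other OPTIONS:", evaluate(ruleset(phase), OTHER_OPTIONS))
```

With the allow chain in phase 2, OPTIONS is let through only for the ActiveSync path and is still answered with 405 everywhere else.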
