You need to add the z-push content-type (application/vnd.ms-sync.wbxml) to the allowed content-type list in the 10 config file.
-- Ryan Barnett

On Nov 13, 2010, at 10:44 AM, Arthur Dent <[email protected]> wrote:

> On Sat, 2010-11-13 at 15:10 +0000, Arthur Dent wrote:
>> Hello all,
>>
>> I am not really a network guy. I have a small home server running Fedora
>> 13. As well as hosting my small family web site it is also a mail server
>> running Procmail, Spamassassin, Dovecot and Squirrelmail.
>>
>> I also have an iPhone.
>>
>> I was thrilled, recently, to discover an application called z-push which
>> allows me to "push" emails from my server to my iPhone. It uses a php
>> script running php-imap on the server to spoof
>> Microsoft-Server-ActiveSync. It works brilliantly with Mod_security
>> disabled. ModSec however blocks it. I have tried creating a local rule
>> in modsecurity_localrules.conf but I couldn't get it quite right - plus
>> I was not sure what the safest way to allow this access would be without
>> opening up the server too much...
>>
>> I get two types of report in the console:
>>
>> METHOD: POST URI: /Microsoft-Server-ActiveSync
>> 1) Request content type is not allowed by policy 2) Inbound Anomaly Score
>> (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed
>> by policy
>>
>> and
>>
>> METHOD: OPTIONS URI: /Microsoft-Server-ActiveSync
>> Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$"
>> against "REQUEST_METHOD" required.
>>
>> The second of those, obviously, is actually blocked. It is blocked by a
>> rule which I put into my local rules having worked through Magnus
>> Mischel's book.
>>
>> This is the rule in question:
>> # Rule to block non-standard methods (See Modsec book p50)
>> SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"
>
> Replying to my own message...
>
> Looking closer, I have modified this rule to read:
> SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "deny,status:405"
>
> Is that safe?
>
> It now results in this however:
> --e00ab306-H--
> Message: Match of "within %{tx.allowed_request_content_type}" against
> "TX:0" required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"]
> [line "63"] [id "960010"] [msg "Request content type is not allowed by
> policy"] [data "application/vnd.ms-sync.wbxml"] [severity "WARNING"] [tag
> "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"]
> [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
> Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score.
> [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"]
> [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 10, SQLi=,
> XSS=): Request content type is not allowed by policy"]
> Apache-Handler: php5-script
> Stopwatch: 1289661517966736 246643 (536 11498 -)
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/);
> core ruleset/2.0.8.
> Server: Apache/2.2.16 (Fedora)
>
>> Please see below the detail for the denial. How can I craft a safe rule
>> to allow this through?
>>
>> Thanks in advance....
>>
>> Mark
>>
>> --fa24db00-B--
>> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
>> Host: mydomain.example.com
>> Content-Length: 0
>> User-Agent: Apple-iPhone2C1/802.117
>> X-Ms-Policykey: 0
>> Authorization: Basic bWFyazppbEhhYWRIUA==
>> Accept: */*
>> Accept-Language: en-us
>> Accept-Encoding: gzip, deflate
>> Connection: keep-alive
>>
>> --fa24db00-F--
>> HTTP/1.1 405 Method Not Allowed
>> Allow: TRACE
>> Content-Length: 337
>> Connection: close
>> Content-Type: text/html; charset=iso-8859-1
>>
>> --fa24db00-H--
>> Message: Access denied with code 405 (phase 2). Match of "rx
>> ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file
>> "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
>> Action: Intercepted (phase 2)
>> Apache-Handler: php5-script
>> Stopwatch: 1289655765198610 1406 (534 728 -)
>> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core
>> ruleset/2.0.8.
>> Server: Apache/2.2.16 (Fedora)
>>
>> --fa24db00-Z--

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
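As an added illustration (not part of Ryan Barnett's reply, Arthur Dent's posts, or the z-push project), here are the two configuration changes the thread ends up discussing, written for the ModSecurity 2.5.12 / CRS 2.0.8 combination the audit logs above identify. The file name modsecurity_crs_10_config.conf and the stock content-type list it ships with are reproduced from memory and are assumptions to verify against the installed file; the rule id 960010, the 30_http_policy file path and the /Microsoft-Server-ActiveSync URI come from the logs in the thread. Rule ids are omitted because ModSecurity 2.5 does not require them and the thread's own local rules carry none.

```apache
# --- /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_10_config.conf ---
# Rule 960010 in modsecurity_crs_30_http_policy.conf checks the request
# Content-Type with @within against this transaction variable, which is
# why the POSTs above were flagged: application/vnd.ms-sync.wbxml was not
# in the list. The entries before it are the stock CRS 2.0.x list as
# remembered (assumption: compare with the installed file); only the final
# application/vnd.ms-sync.wbxml entry is the change Ryan recommends.
SecAction "phase:1,t:none,nolog,pass,setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/vnd.ms-sync.wbxml'"

# --- /etc/httpd/modsecurity.d/modsecurity_localrules.conf ---
# The thread's modified rule adds OPTIONS to the method allow-list for
# every URI. A narrower alternative: keep the original method policy and
# permit OPTIONS only where the ActiveSync client needs it. ModSecurity
# chains are an AND: the deny on the second rule fires only when the method
# is OPTIONS *and* the URI is not the ActiveSync endpoint, so the iPhone's
# OPTIONS /Microsoft-Server-ActiveSync passes while OPTIONS elsewhere is
# still answered with 405, exactly as before.
SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" \
    "phase:2,t:none,deny,status:405,log,msg:'Non-standard request method'"

SecRule REQUEST_METHOD "^OPTIONS$" \
    "phase:2,t:none,chain,deny,status:405,log,msg:'OPTIONS only permitted for the ActiveSync endpoint'"
    SecRule REQUEST_URI "!@beginsWith /Microsoft-Server-ActiveSync" "t:none"
```

Run `apachectl configtest` before reloading httpd, then watch the audit log: after the change the H section for the ActiveSync POSTs should no longer carry the id 960010 warning or the anomaly-score message from modsecurity_crs_60_correlation.conf, and an OPTIONS request to any other path should still produce the 405 interception recorded from modsecurity_localrules.conf above.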
