Arthur Dent <misc.li...@...> writes:
>
> METHOD: POST URI: /Microsoft-Server-ActiveSync
> 1) Request content type is not allowed by policy 2) Inbound Anomaly Score (Total Inbound Score: 10, SQLi=,
> XSS=): Request content type is not allowed by policy
>

This is a false positive. Search for the "id=" of this rule in your ruleset and disable the rule with the following command in your Apache config.

    SecRuleRemoveById 950004

(950004 is an example ID)

>
> METHOD: OPTIONS URI: /Microsoft-Server-ActiveSync
> Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required.
>

ActiveSync also uses the method "OPTIONS", but normally this is unwanted on a webserver. So the default ruleset of mod_security only allows "GET", "POST" or "HEAD" as request method. You can rewrite the rule in the default ruleset - the fast but dirty way -

    # Rule to block non-standard methods (See Modsec book p50)
    SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "deny,status:405"

Best regards and good luck
Tim
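
Added example, not part of the original message: the same two exceptions scoped to the ActiveSync path, so the content-type rule and the GET/POST/HEAD restriction stay in force for every other URL. Assumptions: ModSecurity 2.x on Apache, 950004 stands in for the real rule ID as in the message above, and the 1000001-1000003 IDs are placeholders to replace with free IDs from your local range.

```apache
# Added example; all rule IDs below are placeholders.

# 1) Content-type false positive: disable the rule only for ActiveSync
#    requests. This rule must be loaded before the rule it removes.
SecRule REQUEST_URI "@beginsWith /Microsoft-Server-ActiveSync" \
    "id:1000001,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=950004"

# 2) Method check: these two chained rules replace the single global rule.
#    ActiveSync path: GET, POST, HEAD and OPTIONS are accepted.
SecRule REQUEST_URI "@beginsWith /Microsoft-Server-ActiveSync" \
    "id:1000002,phase:2,t:none,deny,status:405,chain"
    SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$"

#    Every other path: the original GET/POST/HEAD restriction is kept.
SecRule REQUEST_URI "!@beginsWith /Microsoft-Server-ActiveSync" \
    "id:1000003,phase:2,t:none,deny,status:405,chain"
    SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$"
```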
