[https://www.modsecurity.org/tracker/browse/CORERULES-77?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Ryan Barnett resolved CORERULES-77.
-----------------------------------
Resolution: Fixed
Provided an exception example for SVN traffic.
> ModSecurity creates false positives when used with SVN-over-HTTP
> ---------------------------------------------------------------
>
> Key: CORERULES-77
> URL: https://www.modsecurity.org/tracker/browse/CORERULES-77
> Project: Core Rules
> Issue Type: Bug
> Security Level: Normal
> Components: False positive
> Environment: Fedora 16 (updated) on x86_64 hardware.
> Reporter: Philip Prindeville
> Assignee: Ryan Barnett
>
> Seeing the following:
> --99fa9461-A--
> [05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnnJF8AAAAD ::1 52681 ::1 80
> --99fa9461-B--
> PROPFIND /svn/astlinux/trunk/package/linux-atm HTTP/1.1
> User-Agent: SVN/1.6.17 (r1128011) neon/0.29.5
> Connection: TE
> TE: trailers
> Host: localhost
> Content-Type: text/xml
> Accept-Encoding: gzip, gzip
> Depth: 0
> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth,
> http://subversion.tigris.org/xmlns/dav/svn/mergeinfo,
> http://subversion.tigris.org/xmlns/dav/svn/log-revprops
> Content-Length: 300
> --99fa9461-C--
> <?xml version="1.0" encoding="utf-8"?><propfind
> xmlns="DAV:"><prop><version-controlled-configuration
> xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path
> xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid
> xmlns="http://subversion.tigris.org/xmlns/dav/"/></prop></propfind>
> --99fa9461-F--
> HTTP/1.1 207 Multi-Status
> Content-Length: 730
> Connection: close
> Content-Type: text/xml; charset="utf-8"
> --99fa9461-H--
> Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> [line "46"] [id "960015"] [rev "2.0.5"] [msg "Request Missing an Accept
> Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD"
> required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"]
> [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data
> "PROPFIND"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag
> "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag
> "PCI/12.1"]
> Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"]
> [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=,
> XSS=): Method is not allowed by policy"]
> Apache-Handler: dav-handler
> Stopwatch: 1315243409177653 15221 (1631* 4042 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core
> ruleset/2.0.5.
> Server: Apache/2.2.19 (Fedora)
> --99fa9461-Z--
> --99fa9461-A--
> [05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnlI-4AAAAB ::1 52683 ::1 80
> --99fa9461-B--
> MKACTIVITY /svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c
> HTTP/1.1
> User-Agent: SVN/1.6.17 (r1128011) neon/0.29.5
> Connection: TE
> TE: trailers
> Host: localhost
> Accept-Encoding: gzip, gzip
> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth,
> http://subversion.tigris.org/xmlns/dav/svn/mergeinfo,
> http://subversion.tigris.org/xmlns/dav/svn/log-revprops
> Content-Length: 0
> Authorization: Digest username="philipp", realm="Subversion repository",
> nonce="+5sy+DSsBAA=d9c09363220f392546430d28d12b6348d29b7276",
> uri="/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c",
> response="e2528cc38f97a310abcb6a0559bf7ac4", algorithm="MD5",
> cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000001, qop="auth"
> --99fa9461-C--
> --99fa9461-F--
> HTTP/1.1 201 Created
> Authentication-Info: rspauth="deb189790e5971076389e53d958cb158",
> cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000001, qop=auth
> Cache-Control: no-cache
> Location:
> http://localhost/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c
> Content-Length: 308
> Connection: close
> Content-Type: text/html; charset=ISO-8859-1
> --99fa9461-H--
> Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> [line "46"] [id "960015"] [rev "2.0.5"] [msg "Request Missing an Accept
> Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD"
> required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"]
> [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data
> "MKACTIVITY"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag
> "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag
> "PCI/12.1"]
> Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"]
> [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=,
> XSS=): Method is not allowed by policy"]
> Apache-Handler: dav-handler
> Stopwatch: 1315243409275410 102579 (26119* 28723 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core
> ruleset/2.0.5.
> Server: Apache/2.2.19 (Fedora)
> --99fa9461-Z--
> --99fa9461-A--
> [05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnmJFgAAAAC ::1 52684 ::1 80
> --99fa9461-B--
> CHECKOUT /svn/astlinux/!svn/vcc/default HTTP/1.1
> User-Agent: SVN/1.6.17 (r1128011) neon/0.29.5
> Connection: TE
> TE: trailers
> Host: localhost
> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth,
> http://subversion.tigris.org/xmlns/dav/svn/mergeinfo,
> http://subversion.tigris.org/xmlns/dav/svn/log-revprops
> Content-Length: 208
> Accept-Encoding: gzip
> Authorization: Digest username="philipp", realm="Subversion repository",
> nonce="+5sy+DSsBAA=d9c09363220f392546430d28d12b6348d29b7276",
> uri="/svn/astlinux/!svn/vcc/default",
> response="2e41665162866967cf328e068a7b6bf0", algorithm="MD5",
> cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000002, qop="auth"
> --99fa9461-C--
> <?xml version="1.0" encoding="utf-8"?><D:checkout
> xmlns:D="DAV:"><D:activity-set><D:href>/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c</D:href></D:activity-set><D:apply-to-version/></D:checkout>
> --99fa9461-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 306
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> --99fa9461-H--
> Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> [line "46"] [id "960015"] [rev "2.0.5"] [msg "Request Missing an Accept
> Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required.
> [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> [line "83"] [id "960904"] [rev "2.0.5"] [msg "Request Containing Content,
> but Missing Content-Type header"] [severity "NOTICE"]
> Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD"
> required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"]
> [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data
> "CHECKOUT"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag
> "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag
> "PCI/12.1"]
> Message: Access denied with code 403 (phase 2). [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"]
> [line "25"] [msg "Anomaly Score Exceeded (score 20): Method is not allowed by
> policy"]
> Action: Intercepted (phase 2)
> Stopwatch: 1315243409378229 4605 (1720* 4100 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core
> ruleset/2.0.5.
> Server: Apache/2.2.19 (Fedora)
> --99fa9461-Z--
> --99fa9461-A--
> [05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnkI6QAAAAA ::1 52685 ::1 80
> --99fa9461-B--
> DELETE /svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c HTTP/1.1
> User-Agent: SVN/1.6.17 (r1128011) neon/0.29.5
> Connection: TE
> TE: trailers
> Host: localhost
> Accept-Encoding: gzip, gzip
> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth,
> http://subversion.tigris.org/xmlns/dav/svn/mergeinfo,
> http://subversion.tigris.org/xmlns/dav/svn/log-revprops
> Content-Length: 0
> Authorization: Digest username="philipp", realm="Subversion repository",
> nonce="+5sy+DSsBAA=d9c09363220f392546430d28d12b6348d29b7276",
> uri="/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c",
> response="0b2831fb296127fc8e156f7be91ce5bc", algorithm="MD5",
> cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000003, qop="auth"
> --99fa9461-C--
> --99fa9461-F--
> HTTP/1.1 204 No Content
> Authentication-Info: rspauth="0f23d425afe38d8fe4fd5e030e5184d3",
> cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000003, qop=auth
> Content-Length: 0
> Connection: close
> Content-Type: text/plain; charset=UTF-8
> --99fa9461-H--
> Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> [line "46"] [id "960015"] [rev "2.0.5"] [msg "Request Missing an Accept
> Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD"
> required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"]
> [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data
> "DELETE"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag
> "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag
> "PCI/12.1"]
> Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"]
> [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=,
> XSS=): Method is not allowed by policy"]
> Apache-Handler: dav-handler
> Stopwatch: 1315243409383180 6291 (1711* 4241 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core
> ruleset/2.0.5.
> Server: Apache/2.2.19 (Fedora)
> --99fa9461-Z--
> A partial fix was suggested as:
> <Location /svn>
> ...
> <IfModule mod_security2.c>
> # SecRuleRemoveByTag "TX:INBOUND_ANOMALY_SCORE"
> SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
> SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
> SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
> SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
> SecRule REQUEST_METHOD "^(MKCOL)$" allow
> </IfModule>
> ...
> </Location>
> as a workaround, but this still results in some false positives.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
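As an added example (not code from the ModSecurity/CRS project or from the ticket), the following Python script parses a serial-format ModSecurity audit log like the one quoted in the report, tabulates which rule ids fire per request method under a location, and drafts a `<Location>`-scoped exception in the form CRS tuning normally uses (`SecRuleRemoveById` plus a local replacement for the method policy) instead of the `allow` rules in the reporter's workaround. The sample log is constructed from two of the ticket's transactions, abridged; the rule id `10001`, the `removable` parameter and the function names are the example's own choices, not part of CRS.

```python
"""Summarise a ModSecurity serial-format audit log and draft a <Location>-scoped CRS exception.
Added example, not code from the ModSecurity/CRS project or the ticket. Assumes the CRS 2.x rule ids
in the report; the operator decides which ids are benign; local id 10001 is an arbitrary choice."""
import re
from collections import defaultdict

PART_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")  # --<boundary>-<part letter>--
TX_HEAD_RE = re.compile(r"^\[[^\]]+\]\s+(\S+)")          # "[timestamp] <unique id> ..."
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
TRAILER_KEY_RE = re.compile(r"^[A-Za-z-]+: ")             # "Message: ", "Action: ", ...
DEFAULT_METHODS = ("GET", "HEAD", "POST", "OPTIONS")      # CRS 2.x default tx.allowed_methods
METHOD_POLICY_RULE = "960032"                              # generic method policy, replaced locally

# Constructed sample: two transactions from the ticket, abridged. The second "Message:" line is
# wrapped the way a mail client wraps audit logs, so unwrap() has something to repair.
SAMPLE_LOG = """\
--99fa9461-A--
[05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnnJF8AAAAD ::1 52681 ::1 80
--99fa9461-B--
PROPFIND /svn/astlinux/trunk/package/linux-atm HTTP/1.1
User-Agent: SVN/1.6.17 (r1128011) neon/0.29.5
--99fa9461-H--
Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"]
Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD"
required. [id "960032"] [msg "Method is not allowed by policy"] [data "PROPFIND"]
Apache-Handler: dav-handler
--99fa9461-Z--
--99fa9461-A--
[05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnmJFgAAAAC ::1 52684 ::1 80
--99fa9461-B--
CHECKOUT /svn/astlinux/!svn/vcc/default HTTP/1.1
Content-Length: 208
--99fa9461-H--
Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"]
Message: Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [id "960904"] [msg "Request Containing Content, but Missing Content-Type header"]
Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [id "960032"] [msg "Method is not allowed by policy"] [data "CHECKOUT"]
Message: Access denied with code 403 (phase 2). [msg "Anomaly Score Exceeded (score 20): Method is not allowed by policy"]
Action: Intercepted (phase 2)
--99fa9461-Z--
"""

def unwrap(lines):
    """Re-join 'Key: value' lines that were wrapped onto several lines (mail clients do this)."""
    out = []
    for line in lines:
        if TRAILER_KEY_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def parse_audit_log(text):
    """Split a serial-format audit log into transactions (part A opens one) and summarise each."""
    transactions, parts, letter, buf = [], None, None, []
    for line in text.splitlines():
        m = PART_RE.match(line)
        if not m:
            buf.append(line)
            continue
        if parts is not None:
            parts[letter] = buf          # close the part collected so far
        letter, buf = m.group(2), []
        if letter == "A":
            parts = {}
            transactions.append(parts)
    if parts is not None:
        parts[letter] = buf
    return [summarize(p) for p in transactions]

def summarize(parts):
    """Unique id, method, URI, fired rule ids (None = message without an id) and the verdict."""
    head = TX_HEAD_RE.match((parts.get("A") or [""])[0])
    fields = (parts.get("B") or [""])[0].split()       # request line: METHOD URI HTTP/x.y
    rules, intercepted = [], False
    for line in unwrap(parts.get("H", [])):
        if line.startswith("Message:"):
            rid = RULE_ID_RE.search(line)
            rules.append(rid.group(1) if rid else None)
        elif line.startswith("Action:") and "Intercepted" in line:
            intercepted = True
    return {"id": head.group(1) if head else "", "method": fields[0] if fields else "",
            "uri": fields[1] if len(fields) > 1 else "", "rules": rules, "intercepted": intercepted}

def rules_by_method(transactions, location):
    """Which rule ids fire on which request method under `location`: the tuning question."""
    table = defaultdict(set)
    for t in transactions:
        if t["uri"].startswith(location):
            table[t["method"]].update(r for r in t["rules"] if r)
    return {m: sorted(ids) for m, ids in table.items()}

def draft_exception(transactions, location, removable):
    """Scoped exception: remove only operator-approved ids (plus the generic method policy, which a
    local rule listing the observed methods replaces); anything else that fired is flagged, not removed."""
    per_method = rules_by_method(transactions, location)
    fired = set().union(*per_method.values())
    to_remove = sorted((fired & set(removable)) | {METHOD_POLICY_RULE})
    to_review = sorted(fired - set(removable) - {METHOD_POLICY_RULE})
    methods = "|".join(sorted(set(DEFAULT_METHODS) | set(per_method)))
    lines = [f"<Location {location}>", "    <IfModule mod_security2.c>",
             "        SecRuleRemoveById " + " ".join(to_remove),
             '        SecRule REQUEST_METHOD "!^(?:' + methods + ')$" '
             "\"phase:2,t:none,deny,status:403,id:'10001',msg:'Method not allowed under " + location + "'\""]
    if to_review:
        lines.append("        # Fired but NOT removed; review before adding: " + " ".join(to_review))
    return "\n".join(lines + ["    </IfModule>", "</Location>"])
```

Feed it a real log with `draft_exception(parse_audit_log(open(path).read()), "/svn", removable=["960015", "960904"])`: those two ids are header-presence checks (missing `Accept`, body without `Content-Type`) that the SVN client fails by design, while 960032 is swapped for a local method policy that knows the WebDAV/DeltaV verbs the log actually shows; any other id that fired is listed in a comment for review rather than removed. This form is preferable to the quoted workaround for two reasons: an unparameterised `allow` in phase 2 stops processing of all remaining phases for that transaction, so every later CRS check (including inspection of the XML bodies the client sends) is skipped for those methods; and `SecRuleRemoveById` takes effect when the configuration is merged, independent of rule order, whereas rules placed in `<Location>` run after the globally loaded CRS rules have already scored the request, which is consistent with the reporter still seeing false positives.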