Hello all, I am not really a network guy. I have a small home server running Fedora 13. As well as hosting my small family web site it is also a mail server running Procmail, Spamassassin, Dovecot and Squirrelmail.
I also have an iPhone. I was thrilled, recently, to discover an application called z-push which allows me to "push" emails from my server to my iPhone. It uses a php script running php-imap on the server to spoof Microsoft-Server-ActiveSync. It works brilliantly with Mod_security disabled. ModSec however blocks it.

I have tried creating a local rule in modsecurity_localrules.conf but I couldn't get it quite right - plus I was not sure what the safest way to allow this access would be without opening up the server too much...

I get two types of report in the console:

METHOD: POST URI: /Microsoft-Server-ActiveSync
1) Request content type is not allowed by policy
2) Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy

and

METHOD: OPTIONS URI: /Microsoft-Server-ActiveSync
Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required.

The second of those, obviously, is actually blocked. It is blocked by a rule which I put into my local rules having worked through Magnus Mischel's book. This is the rule in question:

# Rule to block non-standard methods (See Modsec book p50)
SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"

Please see below the detail for the denial. How can I craft a safe rule to allow this through?

Thanks in advance....

Mark

--fa24db00-B--
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Host: mydomain.example.com
Content-Length: 0
User-Agent: Apple-iPhone2C1/802.117
X-Ms-Policykey: 0
Authorization: Basic bWFyazppbEhhYWRIUA==
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive

--fa24db00-F--
HTTP/1.1 405 Method Not Allowed
Allow: TRACE
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

--fa24db00-H--
Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1289655765198610 1406 (534 728 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.16 (Fedora)

--fa24db00-Z--
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
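Added example, not part of the original post: a small parser for the serial audit-log format quoted in the message above, which splits an entry into its lettered parts and reports the request, the response status and the file and line of the rule that intercepted it. The sample is constructed by trimming the entry in the post (the Authorization header and a few others are omitted), and the function names are assumptions made for this example.

```python
import re

# Constructed sample: the entry from the post, trimmed (Authorization and other headers omitted).
SAMPLE = '''--fa24db00-B--
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Host: mydomain.example.com
User-Agent: Apple-iPhone2C1/802.117

--fa24db00-F--
HTTP/1.1 405 Method Not Allowed
Allow: TRACE

--fa24db00-H--
Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script

--fa24db00-Z--
'''

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--\s*$")   # e.g. --fa24db00-B--
RULE_LOC = re.compile(r'\[file "([^"]+)"\] \[line "(\d+)"\]')


def split_parts(text):
    """Group serial audit-log lines as {transaction_id: {part_letter: [lines]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = entries.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return entries


def summarize(parts):
    """Report what was requested (B), what was returned (F) and which rule fired (H)."""
    request = (parts.get("B") or [""])[0].split(" ")
    response = (parts.get("F") or [""])[0].split(" ")
    trailer = parts.get("H", [])
    messages = [l for l in trailer if l.startswith("Message: ")]
    return {
        "method": request[0] or None,
        "uri": request[1] if len(request) > 1 else None,
        "status": int(response[1]) if len(response) > 1 and response[1].isdigit() else None,
        "intercepted": any(l.startswith("Action: Intercepted") for l in trailer),
        "rules": [(f, int(n)) for l in messages for f, n in RULE_LOC.findall(l)],
    }


if __name__ == "__main__":
    for txid, parts in split_parts(SAMPLE).items():
        print(txid, summarize(parts))
```

Run over a whole audit log, the same summary groups denials by rule file and line, which shows which local or core rule each blocked ActiveSync request is hitting.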
