[ https://www.modsecurity.org/tracker/browse/CORERULES-77?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ryan Barnett resolved CORERULES-77.
-----------------------------------

    Resolution: Fixed

Provided an exception example for SVN traffic.

> Modsecurity creates false positives when used with SVN-over-HTTP
> ---------------------------------------------------------------
>
>                 Key: CORERULES-77
>                 URL: https://www.modsecurity.org/tracker/browse/CORERULES-77
>             Project: Core Rules
>          Issue Type: Bug
>      Security Level: Normal
>          Components: False positive
>         Environment: Fedora 16 (updated) on x86_64 hardware.
>            Reporter: Philip Prindeville
>            Assignee: Ryan Barnett
>
> Seeing the following:
>
> --99fa9461-A--
> [05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnnJF8AAAAD ::1 52681 ::1 80
> --99fa9461-B--
> PROPFIND /svn/astlinux/trunk/package/linux-atm HTTP/1.1
> User-Agent: SVN/1.6.17 (r1128011) neon/0.29.5
> Connection: TE
> TE: trailers
> Host: localhost
> Content-Type: text/xml
> Accept-Encoding: gzip, gzip
> Depth: 0
> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth, http://subversion.tigris.org/xmlns/dav/svn/mergeinfo, http://subversion.tigris.org/xmlns/dav/svn/log-revprops
> Content-Length: 300
>
> --99fa9461-C--
> <?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/></prop></propfind>
> --99fa9461-F--
> HTTP/1.1 207 Multi-Status
> Content-Length: 730
> Connection: close
> Content-Type: text/xml; charset="utf-8"
>
> --99fa9461-H--
> Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "46"] [id "960015"] [rev "2.0.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
> Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"]
> Apache-Handler: dav-handler
> Stopwatch: 1315243409177653 15221 (1631* 4042 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
> Server: Apache/2.2.19 (Fedora)
>
> --99fa9461-Z--
>
> --99fa9461-A--
> [05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnlI-4AAAAB ::1 52683 ::1 80
> --99fa9461-B--
> MKACTIVITY /svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c HTTP/1.1
> User-Agent: SVN/1.6.17 (r1128011) neon/0.29.5
> Connection: TE
> TE: trailers
> Host: localhost
> Accept-Encoding: gzip, gzip
> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth, http://subversion.tigris.org/xmlns/dav/svn/mergeinfo, http://subversion.tigris.org/xmlns/dav/svn/log-revprops
> Content-Length: 0
> Authorization: Digest username="philipp", realm="Subversion repository", nonce="+5sy+DSsBAA=d9c09363220f392546430d28d12b6348d29b7276", uri="/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c", response="e2528cc38f97a310abcb6a0559bf7ac4", algorithm="MD5", cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000001, qop="auth"
>
> --99fa9461-C--
>
> --99fa9461-F--
> HTTP/1.1 201 Created
> Authentication-Info: rspauth="deb189790e5971076389e53d958cb158", cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000001, qop=auth
> Cache-Control: no-cache
> Location: http://localhost/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c
> Content-Length: 308
> Connection: close
> Content-Type: text/html; charset=ISO-8859-1
>
> --99fa9461-H--
> Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "46"] [id "960015"] [rev "2.0.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "MKACTIVITY"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
> Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"]
> Apache-Handler: dav-handler
> Stopwatch: 1315243409275410 102579 (26119* 28723 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
> Server: Apache/2.2.19 (Fedora)
>
> --99fa9461-Z--
>
> --99fa9461-A--
> [05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnmJFgAAAAC ::1 52684 ::1 80
> --99fa9461-B--
> CHECKOUT /svn/astlinux/!svn/vcc/default HTTP/1.1
> User-Agent: SVN/1.6.17 (r1128011) neon/0.29.5
> Connection: TE
> TE: trailers
> Host: localhost
> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth, http://subversion.tigris.org/xmlns/dav/svn/mergeinfo, http://subversion.tigris.org/xmlns/dav/svn/log-revprops
> Content-Length: 208
> Accept-Encoding: gzip
> Authorization: Digest username="philipp", realm="Subversion repository", nonce="+5sy+DSsBAA=d9c09363220f392546430d28d12b6348d29b7276", uri="/svn/astlinux/!svn/vcc/default", response="2e41665162866967cf328e068a7b6bf0", algorithm="MD5", cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000002, qop="auth"
>
> --99fa9461-C--
> <?xml version="1.0" encoding="utf-8"?><D:checkout xmlns:D="DAV:"><D:activity-set><D:href>/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c</D:href></D:activity-set><D:apply-to-version/></D:checkout>
> --99fa9461-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 306
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --99fa9461-H--
> Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "46"] [id "960015"] [rev "2.0.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "83"] [id "960904"] [rev "2.0.5"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"]
> Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "CHECKOUT"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
> Message: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 20): Method is not allowed by policy"]
> Action: Intercepted (phase 2)
> Stopwatch: 1315243409378229 4605 (1720* 4100 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
> Server: Apache/2.2.19 (Fedora)
>
> --99fa9461-Z--
>
> --99fa9461-A--
> [05/Sep/2011:11:23:29 --0600] TmUFkcCoAQoAABnkI6QAAAAA ::1 52685 ::1 80
> --99fa9461-B--
> DELETE /svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c HTTP/1.1
> User-Agent: SVN/1.6.17 (r1128011) neon/0.29.5
> Connection: TE
> TE: trailers
> Host: localhost
> Accept-Encoding: gzip, gzip
> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth, http://subversion.tigris.org/xmlns/dav/svn/mergeinfo, http://subversion.tigris.org/xmlns/dav/svn/log-revprops
> Content-Length: 0
> Authorization: Digest username="philipp", realm="Subversion repository", nonce="+5sy+DSsBAA=d9c09363220f392546430d28d12b6348d29b7276", uri="/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c", response="0b2831fb296127fc8e156f7be91ce5bc", algorithm="MD5", cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000003, qop="auth"
>
> --99fa9461-C--
>
> --99fa9461-F--
> HTTP/1.1 204 No Content
> Authentication-Info: rspauth="0f23d425afe38d8fe4fd5e030e5184d3", cnonce="1b8d984a50488ce67a674ab9a90612fc", nc=00000003, qop=auth
> Content-Length: 0
> Connection: close
> Content-Type: text/plain; charset=UTF-8
>
> --99fa9461-H--
> Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "46"] [id "960015"] [rev "2.0.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
> Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"]
> Apache-Handler: dav-handler
> Stopwatch: 1315243409383180 6291 (1711* 4241 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
> Server: Apache/2.2.19 (Fedora)
>
> --99fa9461-Z--
>
> A partial fix was suggested as:
>
> <Location /svn>
> ...
> <IfModule mod_security2.c>
> # SecRuleRemoveByTag "TX:INBOUND_ANOMALY_SCORE"
> # WebDAV/DeltaV methods used by mod_dav_svn (the original regex had a
> # stray "$" inside the group and "PROPPATH" for PROPPATCH; corrected here)
> SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
> SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
> SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
> SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
> SecRule REQUEST_METHOD "^(MKCOL)$" allow
> </IfModule>
> ...
> </Location>
>
> as a workaround, but this still results in some false positives.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
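The audit log above shows exactly three CRS 2.0.x rules firing on the Subversion client: 960032 (method not in tx.allowed_methods), 960015 (no Accept header) and, on CHECKOUT, 960904 (body without Content-Type). The following exception file is an added example written for this page; it is not the exception Ryan Barnett attached to the ticket and not part of the CRS project. It assumes CRS 2.0.x semantics as seen in the log (tx.allowed_methods set by a phase-1 SecAction in modsecurity_crs_10_config.conf, the three rules above evaluated in phase 2), that the repository is served under /svn/, and that rule ids 900100 and 900101 are unused locally. The file name is also an assumption.

```apache
# modsecurity_crs_svn_exceptions.conf  (added example, not from the issue or the CRS project)
#
# Include this file AFTER the CRS base_rules, for instance:
#   Include modsecurity.d/base_rules/*.conf
#   Include modsecurity.d/modsecurity_crs_svn_exceptions.conf
#
# Both rules run in phase 1, so they execute before the phase-2 policy and
# protocol checks (960032 in 30_http_policy.conf, 960015/960904 in
# 21_protocol_anomalies.conf). Placing the file after the base rules also
# means the default "tx.allowed_methods=GET HEAD POST OPTIONS" from
# modsecurity_crs_10_config.conf (assumed to be a phase-1 SecAction)
# cannot overwrite the widened list set here.

<IfModule mod_security2.c>

# 1. Widen the method whitelist only for requests under the repository path.
#    Every other path keeps the CRS default, so PUT/DELETE/MKCOL stay blocked
#    for the rest of the site. The list covers the WebDAV/DeltaV methods that
#    mod_dav_svn and the svn 1.6 (neon) client use, including those in the
#    audit log above.
SecRule REQUEST_URI "^/svn/" \
    "phase:1,t:none,nolog,pass,id:900100,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PROPFIND PROPPATCH REPORT MKACTIVITY CHECKOUT MERGE PUT DELETE MKCOL COPY MOVE LOCK UNLOCK'"

# 2. The svn client sends no Accept header (960015) and sends XML bodies
#    without a Content-Type on CHECKOUT (960904). Switch off just those two
#    rules for this one transaction, and only when both the path and the
#    User-Agent identify Subversion traffic. The ctl actions sit on the last
#    rule of the chain so they fire only when the whole chain has matched.
SecRule REQUEST_URI "^/svn/" \
    "phase:1,t:none,nolog,pass,id:900101,chain"
    SecRule REQUEST_HEADERS:User-Agent "^SVN/" \
        "t:none,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960904"

</IfModule>
```

Two notes on the design. First, the quoted <Location /svn> workaround uses `allow` rules; rules defined in a per-location context are merged after the globally loaded CRS rules of the same phase, so by the time those `allow` rules run in phase 2 rule 960032 has already raised the anomaly score and 49_enforcement has already intercepted the request, which is consistent with the CHECKOUT transaction still being blocked. A phase-1 setvar on the variable the policy rule reads avoids that ordering problem. Second, after reloading httpd, replay one of the logged requests (for example the PROPFIND against /svn/astlinux/trunk/package/linux-atm with the same headers) and confirm that section H of the new audit-log entry no longer lists 960032, 960015 or 960904 and that the response is 207 rather than 403; if 960032 still fires, the file was included before modsecurity_crs_10_config.conf.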