On Sat, Jun 16, 2012 at 12:21 AM, Ryan Barnett <rbarn...@trustwave.com> wrote:
> OWASP ModSecurity CRS v2.2.5 Available
>
> CHANGES:
>
> Improvements:
>
> Updated Content-Type check to fix possible evasion with @within (Identified
> by Qualys Vulnerability & Malware Research Labs (VMRL))

Firstly, does this change require a particular version of ModSecurity to work
correctly? (I note the README says "The rules are compatible with ModSecurity
2.5").

After deploying this ruleset I am seeing messages like:

Message: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/etc/httpd/conf.d/modsecurity-crs_2.2.5/base_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]

I am loading the config like:

Include conf.d/modsecurity-crs_2.2.5/*.conf
Include conf.d/modsecurity-crs_2.2.5/base_rules/*.conf

modsecurity-crs_2.2.5/modsecurity_crs_10_config.conf contains

======
SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
  nolog, \
  pass"
=======

and 960010 in modsecurity-crs_2.2.5/base_rules/modsecurity_crs_30_http_policy.conf looks like

=======
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}'"
        SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
                SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
=======

Secondly, is there something odd with the svn repo (or Sourceforge)? This
change doesn't seem to occur on the checkin with the changelog message:

http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&revision=1937

but on another revision:

http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&revision=1922

with the message "- Added Arachni Scanner Integration Lua script/rules files"

Paul

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
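The three-rule chain for 960010 quoted in the post, modelled in Python as an added example (this is not CRS or ModSecurity code, and it is not part of the thread). It walks the chain the way the engine would: rule 1 is negated so exempt methods stop the chain, rule 2 captures the media type into TX:0 with the same `^([^;\s]+)` pattern, and rule 3 matches TX:0 against the anchored regex built from `tx.allowed_request_content_type`. The allowlist value is the one from the quoted crs_10_config.conf. Two assumptions are labelled in the code: the `expand=False` path models what the alert would look like if the `%{...}` macro were not expanded before matching, which is one possible reading of the warning in the post but not something the page confirms; and `within_allows` models the pre-2.2.5 `@within` check as plain containment (the documented semantics of that operator), since the exact earlier rule text is not on the page.

```python
import re

# Allowlist copied from the crs_10_config.conf quoted in the post.
ALLOWED_REQUEST_CONTENT_TYPE = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml"
    "|application/xml|application/x-amf"
)
# Rule 1 of the chain is negated: these methods skip the content-type check.
CT_CHECK_EXEMPT_METHODS = re.compile(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$")
# Rule 2 of the chain: capture the media type, stopping at ';' or whitespace.
CT_CAPTURE = re.compile(r"^([^;\s]+)")
# Rule 3 operator parameter exactly as written in the rule, before expansion.
RAW_OPERATOR_PARAM = "^%{tx.allowed_request_content_type}$"
# Transaction variables set by the SecAction with id 900012.
TX_VARS = {"tx.allowed_request_content_type": ALLOWED_REQUEST_CONTENT_TYPE}


def expand_macros(text, tx=TX_VARS):
    """Replace every %{name} with the tx value; unknown names are left as-is."""
    return re.sub(r"%\{([^}]+)\}", lambda m: tx.get(m.group(1), m.group(0)), text)


def anchored_rx_allows(tx0, expand=True):
    """Model of the 2.2.5 check: @rx "^%{tx.allowed_request_content_type}$" on TX:0.

    Returns True when the captured media type is allowed. With expand=False the
    literal, unexpanded parameter is used as the regex (an assumption made to
    show what the alert looks like if no macro expansion happens); it can then
    never match a real media type, so the rule fires on every checked request.
    """
    param = expand_macros(RAW_OPERATOR_PARAM) if expand else RAW_OPERATOR_PARAM
    return re.search(param, tx0) is not None


def within_allows(tx0, allowed=ALLOWED_REQUEST_CONTENT_TYPE):
    """Model of a containment (@within) check: true if TX:0 occurs anywhere in
    the allowlist string. Any bare substring of a listed type is accepted, which
    is the weakness the 2.2.5 changelog says the anchored regex replaces."""
    return tx0 in allowed


def rule_960010_fires(method, content_type, checker=anchored_rx_allows):
    """Walk the chain for one request. Returns (fires, tx0).

    fires is True when all three rules match, i.e. the request would be logged
    as "Request content type is not allowed by policy".
    """
    if CT_CHECK_EXEMPT_METHODS.match(method):  # rule 1 does not match -> chain stops
        return False, None
    if content_type is None:  # rule 2 has no header to match -> chain stops
        return False, None
    m = CT_CAPTURE.match(content_type)
    if not m:
        return False, None
    tx0 = m.group(1)  # what ModSecurity stores as TX:0 via the capture action
    return (not checker(tx0)), tx0


if __name__ == "__main__":
    # Constructed requests, including the form post seen in the alert from the post.
    requests = [
        ("POST", "application/x-www-form-urlencoded; charset=UTF-8"),
        ("POST", "application/json"),
        ("GET", None),
    ]
    for method, ctype in requests:
        print(method, ctype, "expanded:", rule_960010_fires(method, ctype),
              "unexpanded:", rule_960010_fires(
                  method, ctype, lambda t: anchored_rx_allows(t, expand=False)))
```

With macro expansion, a `POST` carrying `application/x-www-form-urlencoded; charset=UTF-8` is allowed and the rule stays quiet; with the literal, unexpanded parameter the same request triggers the rule with `application/x-www-form-urlencoded` in TX:0, which is the shape of the warning Paul pasted. The `within_allows` helper is there to compare against the anchored check: a bare token such as `form-data` is contained in the allowlist string but does not match the anchored alternation.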