Hello CRS Users, I have installed CRS version 2.2.5 on my server. I am using ModSecurity 2.5.12 from Debian/squeeze. I have iRedMail installed on my server.

When I click the login button on the iRedAdmin web page (www.mydomain.org/iredadmin), I get a Forbidden page with the following details:

Forbidden
You don't have permission to access /iredadmin/login on this server.
Apache Server at www.mydomain.org Port 443

I checked modsecurity_audit.log and it shows the following. I found that if I remove the following 3 rules in base_rules/modsecurity_crs_30_http_policy.conf, the problem is solved. But how can I allow (whitelist) the iredadmin web page alone, without completely removing the following rules? I feel that this would be a better fix. Thanks.

# cat base_rules/modsecurity_crs_30_http_policy.conf
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}'"
        SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
                SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

# cat modsecurity_audit.log
--99e3kk88-A--
[05/Jun/2013:05:48:13 +0000] Ua7546EIEUORRHEB14AAAAA 193.234.545.213 38211 177.133.23.32 443
--99e3kk88-B--
POST /iredadmin/login HTTP/1.1
Host: www.mydomain.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://www.mydomain.org/iredadmin
Cookie: iRedAdmin=649aeu44fgyf567aoeu3454idhf77b4ef32710f
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

--99e3kk88-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 235
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--99e3kk88-H--
Message: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/etc/apache2/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
Action: Intercepted (phase 1)
Stopwatch: 1370476453521229 1278 (- - -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache

--99e3kk88-Z--
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
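Editor's note, as an added example and not part of the original post or of the CRS project's own files: the two exemption forms below keep rule 960010 active site-wide and exempt only the /iredadmin path, which is what the poster asked for, and the third entry addresses what the audit log actually shows. The blocked Content-Type is application/x-www-form-urlencoded, a type the CRS 2.2.x setup file (modsecurity_crs_10_setup.conf) is meant to place in tx.allowed_request_content_type; when that variable is never set, the macro expands to an empty string, the rule's regex becomes "^$", and every POST with a body fails it, for iRedAdmin and for every other application. The file name, the rule ids 1000001 and 1000002, and the /iredadmin path prefix are assumptions; the directive and action names are those documented for ModSecurity 2.5.x.

```apache
# Added example (not from the post or from CRS). Assumed file name:
# /etc/modsecurity/iredadmin-whitelist.conf. Include it from the Apache
# config BEFORE the CRS rule files are included, so that the per-request
# rule in (2) runs ahead of rule 960010 in phase 1.

# (1) Per-location exemption. SecRuleRemoveById removes the rule in this
#     Apache context only; a chain is addressed by the id of its first rule,
#     so 960010 covers all three chained SecRule lines quoted in the post.
<LocationMatch "^/iredadmin(/|$)">
    SecRuleRemoveById 960010
</LocationMatch>

# (2) The same exemption expressed as a rule. ctl:ruleRemoveById disables the
#     named rule for the current transaction only, and in 2.5.x the rule that
#     carries it has to be evaluated before the rule it removes, hence the
#     ordering requirement noted above. (Rule ids are optional in 2.5.x; the
#     id used here is assumed to be unused on this server.)
SecRule REQUEST_URI "@beginsWith /iredadmin" \
    "phase:1,t:none,nolog,pass,id:'1000001',ctl:ruleRemoveById=960010"

# (3) Fix the policy variable itself. If tx.allowed_request_content_type is
#     empty, 960010 rejects every POST with a body. The value below is the
#     content-type list CRS 2.2.x ships in its setup file; setting it here
#     (or uncommenting/loading the setup file) fixes all applications at once.
SecAction "phase:1,t:none,nolog,pass,id:'1000002',setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf'"

# Check after reloading Apache (curl -d sends application/x-www-form-urlencoded):
#   curl -sk -o /dev/null -w '%{http_code}\n' -d 'username=x&password=y' \
#       https://www.mydomain.org/iredadmin/login
# A 403 should no longer appear, and modsecurity_audit.log should stop
# recording [id "960010"] for /iredadmin/login.
```

Of the three, (3) is the one to try first: a CRS policy rule that fires on a plain form POST almost always means the setup variables are not loaded, and whitelisting the path would hide that for one application while every other POST handler on the host stays broken. Use (1) or (2) only for a content type you genuinely do not want allowed globally.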