So we are trying to upgrade from Apache 2.2 to 2.4, and bring mod_security up from an earlier version to the latest. We are running on Windows, but we took a stock installation of everything, and it works. However, 960032 keeps nagging that the request method is not valid. The specific error entry is:

    [Wed Jun 05 17:19:47.207015 2013] [:error] [pid 1972:tid 1232] [client 81.143.18.217] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "D:/apps/apacheHttpd/Apache24/conf/mod_security_crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "athena.atomus.com"] [uri "/qns/gwtMember/loading.gif"] [unique_id "Ua9lI8CoADIAAAe0NnoAAAA-"]

If we update the rule from

    SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}"

to

    SecRule REQUEST_METHOD "!@within GET HEAD POST"

then it works correctly. My conclusion is that somehow tx.allowed_methods isn't being passed correctly. The relevant contents of the modsecurity_crs_10_config.conf file that sets this are:

    SecAction \
      "id:'900012',\
      phase:request,\
      nolog,\
      pass,\
      t:none,\
      setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
      setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/x-gwt-rpc|text/plain', \
      setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
      setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
      setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"

We updated the tx.allowed_request_content_type, but tx.allowed_methods is as it was. Any ideas as to how to proceed debugging this?

Thanks
Chris

P.S. Version numbers: Apache 2.4.4 win64, openssl/1.01e, Windows Web Server 2008 R2

    [Wed Jun 05 17:19:41.005660 2013] [:notice] [pid 1972:tid 456] ModSecurity for Apache/2.7.4 (http://www.modsecurity.org/) configured.
    [Wed Jun 05 17:19:41.005660 2013] [:notice] [pid 1972:tid 456] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
    [Wed Jun 05 17:19:41.005660 2013] [:notice] [pid 1972:tid 456] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
    [Wed Jun 05 17:19:41.005660 2013] [:notice] [pid 1972:tid 456] ModSecurity: LUA compiled version="Lua 5.1"
    [Wed Jun 05 17:19:41.005660 2013] [:notice] [pid 1972:tid 456] ModSecurity: LIBXML compiled version="2.9.1"

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
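As an added debugging aid (not from Chris's post and not part of the CRS project), one way to see what tx.allowed_methods actually contains at the moment 960032 is evaluated: a throwaway rule that always matches and writes the expanded variable into the error log, loaded between the setup file and the activated rules. ModSecurity evaluates rules in the order they were loaded within a phase, so the Include order decides whether SecAction 900012 has already run when the http_policy rule expands the macro. The Include layout below follows the conf/mod_security_crs paths visible in the post; the location of modsecurity_crs_10_config.conf, the file name modsecurity_crs_15_debug.conf and the rule id 999901 are assumed placeholders.

```apache
# --- httpd.conf fragment (assumed layout; directory names follow the post) ---
# Within each phase ModSecurity runs rules in load order, so the file that
# issues SecAction 900012 must be read before any activated rule that
# expands %{tx.allowed_methods}. The debug file sits between the two.
<IfModule security2_module>
    Include conf/mod_security_crs/modsecurity_crs_10_config.conf
    Include conf/mod_security_crs/modsecurity_crs_15_debug.conf
    Include conf/mod_security_crs/activated_rules/*.conf
</IfModule>

# --- conf/mod_security_crs/modsecurity_crs_15_debug.conf (constructed) ---
# @unconditionalMatch always succeeds, so this fires on every request in
# phase 2 (the phase the 30_http_policy rules use) and records the expanded
# value of tx.allowed_methods next to the request method. Rule id 999901 is a
# placeholder; delete the file once the cause is found.
SecRule REQUEST_METHOD "@unconditionalMatch" \
    "id:'999901',\
    phase:request,\
    pass,\
    log,\
    t:none,\
    msg:'debug: tx.allowed_methods=[%{tx.allowed_methods}] REQUEST_METHOD=%{REQUEST_METHOD}'"

# Illustrative error_log line when the variable is populated:
#   ... [id "999901"] [msg "debug: tx.allowed_methods=[GET HEAD POST OPTIONS] REQUEST_METHOD=GET"] ...
# If it reads tx.allowed_methods=[] the SecAction has not run for this
# request by the time the http_policy rules are evaluated.
```

Reading the result: an empty value here while 960032 still fires points at the setup file not being loaded, or being loaded after activated_rules, rather than at the @within rule itself. If the value is populated and 960032 still matches, turn on SecDebugLog with SecDebugLogLevel 9 for a single request; the debug log records each setvar and each macro expansion, which shows exactly what string @within compared against.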