This has already been fixed in the OWASP CRS by updating the allowed
content-types in the 10 setup conf file -
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/modsecurity_crs_10_setup.conf.example

#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
  nolog, \
  pass"

This TX data is then used later in the 30 HTTP Policy file -
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_30_http_policy.conf
- using regular expression macro expansion -

SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
        "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
        SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
                SecRule TX:0 "!^%{tx.allowed_request_content_type}$" \
                        "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

-Ryan
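To see how the three-link chain in rule 960010 combines with the TX list set in the 10 setup file, here is an added Python model of that evaluation. It is example code written for this thread, not code from the CRS or from Ryan; the allowed list is copied from the setup snippet above, the "before the CORERULES-30 fix" list (without application/xml) is constructed for comparison, and the request values fed to it are made up. It models ModSecurity's @rx operator as an unanchored, case-sensitive search (t:none), and also shows one property worth checking in your own setup: after macro expansion the `^` and `$` anchors attach only to the first and last alternative of the `|`-separated list, whereas wrapping the expansion in `(?:...)` anchors every entry.

```python
import re

# Copied from the tx.allowed_request_content_type value in the CRS 2.2.8
# setup snippet above; assumed to be what your own setup file sets.
ALLOWED_REQUEST_CONTENT_TYPE = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml|"
    "application/xml|application/x-amf|application/json"
)
# Constructed: the same list before application/xml was added (CORERULES-30).
ALLOWED_BEFORE_FIX = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml|"
    "application/x-amf|application/json"
)

# Link 1 of rule 960010: methods that skip the content-type check.
EXEMPT_METHODS = re.compile(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$")
# Link 2: capture the media type, i.e. everything before ';' or whitespace.
MEDIA_TYPE_CAPTURE = re.compile(r"^([^;\s]+)")


def expand_macro(allowed, group_alternatives=False):
    """Mimic macro expansion of "^%{tx.allowed_request_content_type}$".

    group_alternatives=False yields exactly what the posted rule produces:
    the anchors bind only to the first and last alternative.
    group_alternatives=True wraps the list in (?:...) so ^ and $ bind to
    every entry; that is the hardened form.
    """
    body = "(?:" + allowed + ")" if group_alternatives else allowed
    return "^" + body + "$"


def content_type_allowed(method, content_type,
                         allowed=ALLOWED_REQUEST_CONTENT_TYPE,
                         group_alternatives=False):
    """Return True if the request passes, False if rule 960010 would fire.

    Every link of a chain must match for the rule to fire, so a non-match
    at any link means the request is allowed through this rule.
    """
    # Link 1 is negated: an exempt method means "no match", chain stops.
    if EXEMPT_METHODS.search(method):
        return True
    # Link 2: with no Content-Type header there is nothing to match on.
    if content_type is None:
        return True
    m = MEDIA_TYPE_CAPTURE.search(content_type)
    if not m:
        return True
    tx0 = m.group(1)  # what ModSecurity stores in TX:0 via 'capture'
    # Link 3: negated @rx against the expanded macro. @rx is an unanchored,
    # case-sensitive search (t:none), so the rule fires only when the
    # expanded pattern is found nowhere in TX:0.
    pattern = re.compile(expand_macro(allowed, group_alternatives))
    return pattern.search(tx0) is not None


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("GET", None),
        ("POST", "application/json; charset=utf-8"),
        ("POST", "text/plain"),
        ("POST", "application/xml"),
        ("POST", "Application/JSON"),
        ("POST", "x-custom/text/xml"),
    ]
    for method, ctype in samples:
        verdict = "allowed" if content_type_allowed(method, ctype) else "960010 fires"
        print(f"{method:5} {ctype!s:38} -> {verdict}")
```

The "before fix" list reproduces sujan's symptom: a POST with Content-Type application/xml trips 960010 until application/xml is in the TX list. The last sample shows why the hardened form matters: with the anchors bound only to the outer alternatives, a media type that merely contains one of the listed values passes the unanchored search, while `group_alternatives=True` rejects it.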


From:  sujan <sujan....@gmail.com>
Date:  Monday, July 8, 2013 3:00 PM
To:  <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject:  Re: [Owasp-modsecurity-core-rule-set] Regarding CORERULES-30

> Resending, since the first email was sent before I subscribed to the list.
> 
> Thanks.
> 
> 
> On Mon, Jul 8, 2013 at 2:58 PM, sujan <sujan....@gmail.com> wrote:
>> Hello,
>> 
>> I was searching for a solution for the issue I am facing and came across this
>> CORERULES-30 <https://www.modsecurity.org/tracker/browse/CORERULES-30> (same
>> issue I am facing)
>> on https://www.modsecurity.org/tracker/browse/CORERULES-30
>> 
>> I see the below comment by Ryan, but I am not sure where to add that and how.
>> 
>> Can someone please answer my question?
>> 
>> 
>> Ryan Barnett 
>> <https://www.modsecurity.org/tracker/secure/ViewProfile.jspa?name=rbarnett>
>> added a comment - 25/Jan/10 6:34 AM
>> Added the "application/xml" Content-Type to allowed list. Will be fixed in next
>> CRS rev.
>> 
>> Thanks.
> 
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
