Hi forum,
Relatively new to mod-security but I've got it running on an Ubuntu
14.04, Apache 2.4.7 reverse proxy, mainly serving Exchange 2003 Outlook
Web Access (OWA).
Everything is working fine except for Active-Sync. The specific error I
receive is:
[Thu Jun 11 22:22:40.491232 2015] [:error] [pid 28480:tid
139919860156160] [client 22.79.19.67] ModSecurity: Access denied with
code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$"
against "TX:0" required. [file
"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"]
[line "64"] [id "960010"] [rev "2"] [msg "Request content type is not
allowed by policy"] [data "application/vnd.ms-sync.wbxml"] [severity
"CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag
"OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
[hostname "myserver.com.au"] [uri "/Microsoft-Server-ActiveSync"]
[unique_id "VXl9kH8AAQEAAG9A8nQAAABB"]
The virtual host file for ActiveSync contains:
<Location /Microsoft-Server-ActiveSync>
# SecRuleRemoveById 960010
SecRuleEngine Off
ProxyPass https://eemail/Microsoft-Server-ActiveSync
ProxyPassReverse https://eemail/Microsoft-Server-ActiveSync
</Location>
Both "SecRuleRemoveById 960010" and "SecRuleEngine Off" for
/Microsoft-Server-ActiveSync fail to prevent the error and allow ActiveSync.
From this post
https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2010-November/000546.html
I am able to permit ActiveSync by adding the
"application/vnd.ms-sync.wbxml" content type to line 279 of the
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_10_setup.conf
file like so:
# application/vnd.ms-sync.wbxml appended to tx.allowed_request_content_type
SecAction \
"id:'900012', \
phase:1, \
t:none, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|application/vnd.ms-sync.wbxml', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
nolog, \
pass"
However, if I upgrade the core rules (which I'm intending to automate
with a script) I'll have to remember to re-append the content type to
the file. So my question is where and how can I include the new content
type (e.g. to /etc/mod-security/mod-security.conf or the virtual host
config) so that it won't be overwritten if a new version of the core
rules is installed in /usr/share/modsecurity-crs?
Any help or alternative suggestions for allowing ActiveSync will be much
appreciated.
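Added example, not part of the original post: a small Python triage script that parses error-log lines in the format quoted above and counts, per URI, which content types rule 960010 denied, so an allow-list change can be scoped to what is actually being blocked. The sample lines, the client addresses, the second URI and rule id 999999 are constructed for the example.

```python
import re
from collections import Counter

# Constructed log lines in the layout of the error quoted above; the client
# addresses, the /exchange/upload URI and rule id 999999 are made up.
_TEMPLATE = (
    '[Thu Jun 11 22:22:40.491232 2015] [:error] [pid 28480:tid 139919860156160] '
    '[client {client}] ModSecurity: Access denied with code 403 (phase 1). '
    '[id "{rule}"] [msg "Request content type is not allowed by policy"] '
    '[data "{data}"] [severity "CRITICAL"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] '
    '[tag "WASCTC/WASC-20"] [hostname "myserver.com.au"] [uri "{uri}"] [unique_id "constructed"]'
)
SAMPLE_LOG = [_TEMPLATE.format(client=c, rule=r, data=d, uri=u) for c, r, d, u in [
    ("192.0.2.10", "960010", "application/vnd.ms-sync.wbxml", "/Microsoft-Server-ActiveSync"),
    ("192.0.2.11", "960010", "application/vnd.ms-sync.wbxml", "/Microsoft-Server-ActiveSync"),
    ("198.51.100.7", "960010", "text/plain", "/exchange/upload"),
    ("192.0.2.10", "999999", "n/a", "/Microsoft-Server-ActiveSync"),
]] + ["[Thu Jun 11 22:23:01.000000 2015] [core:notice] [pid 1] constructed non-ModSecurity line"]

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')          # [client addr] has no quotes

def parse_modsec_line(line):
    """Return the fields of one ModSecurity error-log line as a dict, or None."""
    if "ModSecurity:" not in line:
        return None
    event = {"tag": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            event["tag"].append(value)      # one line carries several [tag "..."] fields
        else:
            event[key] = value
    client = CLIENT_RE.search(line)
    event["client"] = client.group(1) if client else None
    return event

def blocked_content_types(lines, rule_id="960010"):
    """Count (uri, content type) pairs that the given rule denied."""
    counts = Counter()
    for line in lines:
        event = parse_modsec_line(line)
        if event and event.get("id") == rule_id:
            counts[(event.get("uri"), event.get("data"))] += 1
    return counts

if __name__ == "__main__":
    for (uri, ctype), n in blocked_content_types(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {uri}  {ctype}")
```

For a real log, pass the open file object instead of SAMPLE_LOG; wrapped lines such as the one in the mail above need to be joined back into one line per event first.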