Hi,

I started playing with the modsecurity rules today.

I noticed that CRS modsecurity rule
modsecurity_crs_16_session_hijacking.conf will hit on Roundcube 0.6 on
my test server.  I have not used modsec on any other version of RC.

Enabling the CRS 2.2.2 options rules breaks this RC set-up.
I'm not an expert on these rules, so it is quite likely that I
misinterpreted the results.

[24/Oct/2011:11:17:39 +0200]
[webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access
denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}"
against "TX:ip_hash" required. [file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"]
[line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed
- IP Address Mismatch."]

[24/Oct/2011:11:23:16 +0200]
[webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access
denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}"
against "TX:ua_hash" required. [file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"]
[line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed
- User-Agent Mismatch."]

Some rules in these hit as well:
Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required.
[file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"]
[line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]

Message: Warning. Match of "rx (?i:\\;? ?httponly;?)" against
"TX:sessionid" required. [file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_55_application_defects.conf"]
[line "71"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag."]

The other CRS and ASR rules seem fine so far...

It's possible that this is an Apache misconfiguration by me.

Has anyone else used the modsecurity optional rule sets on Roundcube?



Best regards, S

-- 
        Email  simon AT klunky DOT co DOT uk   
        PGP is optional: 4BA78604
        I won't accept your confidentiality
        agreement, and your Emails are kept.
                       ~Ö¿Ö~

-- 
List info: http://lists.roundcube.net/users/
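Added example, not part of the original post or of the Roundcube or ModSecurity projects: a small Python parser for the ModSecurity log entries quoted in the message above. It pulls out the rule id, the CRS file and line, the operator/variable pair that matched, and whether the entry actually blocked the request ("Access denied with code 403") or only logged a warning ("Message: Warning."), so a false-positive triage can list which optional-rule ids fired and which of them are the ones breaking the session. The sample entries are constructed from the four lines in the post, re-joined onto single lines as Apache writes them; the field names and summary layout are this example's own choices.

```python
import os
import re
from collections import Counter

# Constructed sample: the four ModSecurity/CRS entries quoted in the post,
# re-joined onto single lines the way Apache writes them to error_log.
SAMPLE_LINES = [
    r'[24/Oct/2011:11:17:39 +0200] [webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."]',
    r'[24/Oct/2011:11:23:16 +0200] [webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed - User-Agent Mismatch."]',
    r'Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]',
    r'Message: Warning. Match of "rx (?i:\\;? ?httponly;?)" against "TX:sessionid" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_55_application_defects.conf"] [line "71"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag."]',
]

# [key "value"] pairs that ModSecurity appends to every rule hit.
FIELD_RE = re.compile(r'\[(file|line|id|msg|data|severity|tag) "((?:[^"\\]|\\.)*)"\]')
# The operator/variable pair that matched, e.g. streq %{SESSION.IP_HASH} vs TX:ip_hash.
MATCH_RE = re.compile(r'Match of "(?P<op>[^"]*)" against "(?P<target>[^"]*)" required\.')
# Present only when the rule's action blocked; "Message: Warning." entries lack it.
DENIED_RE = re.compile(r'Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\)')


def parse_entry(line):
    """Return a dict describing one rule hit, or None if the line carries no rule id."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    match = MATCH_RE.search(line)
    denied = DENIED_RE.search(line)
    return {
        "rule_id": fields["id"],
        "file": os.path.basename(fields.get("file", "")),
        "rule_line": int(fields["line"]) if "line" in fields else None,
        "msg": fields.get("msg"),
        "operator": match.group("op") if match else None,
        "target": match.group("target") if match else None,
        # Blocking hits are the ones that actually break the application.
        "action": "deny" if denied else "warn",
        "status": int(denied.group("code")) if denied else None,
        "phase": int(denied.group("phase")) if denied else None,
    }


def summarize(lines):
    """Group hits by rule id and CRS file, and list the ids that blocked requests."""
    entries = [e for e in map(parse_entry, lines) if e is not None]
    hits_per_rule = Counter(e["rule_id"] for e in entries)
    blocking_ids = sorted({e["rule_id"] for e in entries if e["action"] == "deny"})
    ids_per_file = {}
    for e in entries:
        ids_per_file.setdefault(e["file"], [])
        if e["rule_id"] not in ids_per_file[e["file"]]:
            ids_per_file[e["file"]].append(e["rule_id"])
    return {
        "entries": entries,
        "hits_per_rule": dict(hits_per_rule),
        "blocking_ids": blocking_ids,
        "ids_per_file": ids_per_file,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for e in report["entries"]:
        print(f'{e["action"]:4} id={e["rule_id"]} {e["file"]}:{e["rule_line"]} '
              f'{e["operator"]!r} vs {e["target"]!r}  {e["msg"]}')
    print("blocking rule ids:", ", ".join(report["blocking_ids"]))
    for fname, ids in report["ids_per_file"].items():
        print(f"{fname}: {', '.join(ids)}")
```

On the four quoted entries only the two session-hijacking ids (981059, 981060) come back as `deny`; the CSRF-token and HttpOnly hits are warnings and would not by themselves produce the 403. That split is the first thing to check when deciding which rules need an exclusion and which merely need a look at the application's cookie or form handling.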