[Owasp-modsecurity-core-rule-set] Allowing z-push
Tim
forum at timk.de
Wed Dec 1 13:39:34 EST 2010
Arthur Dent <misc.lists at ...> writes:
>
> METHOD: POST URI: /Microsoft-Server-ActiveSync
> 1) Request content type is not allowed by policy 2) Inbound Anomaly Score
> (Total Inbound Score: 10, SQLi=,
> XSS=): Request content type is not allowed by policy
>
This is a false positive. Search for the "id=" of this rule in your ruleset and
disable the rule with the following directive in your Apache config:
SecRuleRemoveById 950004 (950004 is an example ID)
>
> METHOD: OPTIONS URI: /Microsoft-Server-ActiveSync
> Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$"
> against "REQUEST_METHOD" required.
>
ActiveSync also uses the method "OPTIONS", but normally this is unwanted on a
webserver. So the default ruleset of mod_security only allows "GET", "POST" or
"HEAD" as request method.
You can rewrite the rule in the default ruleset - the fast but dirty way -
# Rule to block non-standard methods (See Modsec book p50)
# phase:1 evaluates the method before the request body is read; ModSecurity 2.7+ also requires a unique id: action
SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "phase:1,t:none,log,deny,status:405"
Best regards and good luck
Tim
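A narrower alternative to the two global changes above, added here as an example and not part of Tim's post or of the Core Rule Set itself: both exceptions are scoped to the ActiveSync path with a Location block, so the rest of the server keeps the default content-type and method policy. The rule IDs 950004 and 960032 are placeholders standing in for the id= values found in the audit log entries that blocked the requests, and 1000001 is an arbitrary local ID chosen for the replacement rule.

```apache
# Added example, not from the original post.
# Rule IDs below are placeholders: take the real id= from the ModSecurity
# audit log entry that blocked the request.
<Location /Microsoft-Server-ActiveSync>
    # Placeholder: id of the "Request content type is not allowed by policy" rule
    SecRuleRemoveById 950004
    # Placeholder: id of the "^(GET|POST|HEAD)$" method policy rule
    SecRuleRemoveById 960032

    # Re-impose a method whitelist on this path only, additionally permitting
    # OPTIONS, which ActiveSync sends. phase:1 runs before the body is read;
    # id: is mandatory from ModSecurity 2.7 onward (1000001 is a local ID).
    SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" \
        "phase:1,id:1000001,t:none,log,deny,status:405,msg:'Method not allowed on ActiveSync path'"
</Location>
```

Requests for any other path are still evaluated by the unmodified ruleset, and the audit log continues to record denials on the ActiveSync path, so a later tuning pass can verify that only the expected content type and OPTIONS traffic needed the exception.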