[Owasp-modsecurity-core-rule-set] Allowing z-push

Arthur Dent misc.lists at blueyonder.co.uk
Sat Nov 13 10:10:18 EST 2010

Hello all,

I am not really a network guy. I have a small home server running Fedora
13. As well as hosting my small family web site it is also a mail server
running Procmail, Spamassassin, Dovecot and Squirrelmail. 

I also have an iPhone.

I was thrilled, recently, to discover an application called z-push which
allows me to "push" emails from my server to my iPhone. It uses a php
script running php-imap on the server to spoof
Microsoft-Server-ActiveSync. It works brilliantly with Mod_security
disabled. ModSec however blocks it. I have tried creating a local rule
in modsecurity_localrules.conf but I couldn't get it quite right - plus
I was not sure what the safest way to allow this access would be without
opening up the server too much...

I get two types of report in the console:

METHOD: POST   URI: /Microsoft-Server-ActiveSync 
1) Request content type is not allowed by policy 2) Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy


METHOD: OPTIONS   URI: /Microsoft-Server-ActiveSync 
 Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required.

The second of those, obviously, is actually blocked. It is blocked by a
rule which I put into my local rules having worked through Magnus
Mischel's book.

This is the rule in question:
# Rule to block non-standard methods (See Modsec book p50)
SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"

Please see below the detail for the denial. How can I craft a safe rule
to allow this through?

Thanks in advance....


OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Host: mydomain.example.com
Content-Length: 0
User-Agent: Apple-iPhone2C1/802.117
X-Ms-Policykey: 0
Authorization: Basic bWFyazppbEhhYWRIUA==
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 405 Method Not Allowed
Allow: TRACE
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1289655765198610 1406 (534 728 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.16 (Fedora)
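
An added example, not part of the original post: one way to scope the exception is to replace the single local method rule with two chained rules, so that OPTIONS is accepted only on the ActiveSync URI and every other path keeps the GET/POST/HEAD policy. The msg strings are illustrative, and the sketch assumes the rules sit in modsecurity_localrules.conf in place of the existing rule.

```apache
# Added example (not from the original post). Replaces the local rule
#   SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"
# The msg texts below are illustrative assumptions.

# 1) ActiveSync endpoint: allow only POST and OPTIONS, the two methods
#    shown for this URI in the console report above.
#    REQUEST_FILENAME excludes the query string, so the match is on the path only.
SecRule REQUEST_FILENAME "@streq /Microsoft-Server-ActiveSync" \
    "phase:2,t:none,chain,deny,status:405,log,msg:'Method not allowed on ActiveSync endpoint'"
    SecRule REQUEST_METHOD "!^(POST|OPTIONS)$" "t:none"

# 2) Every other path: the original policy, unchanged.
SecRule REQUEST_FILENAME "!@streq /Microsoft-Server-ActiveSync" \
    "phase:2,t:none,chain,deny,status:405,log,msg:'Non-standard HTTP method'"
    SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "t:none"
```

This covers only the 405 on OPTIONS; the "Request content type is not allowed by policy" anomaly score on POST comes from the core rule set and is not changed by these rules.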
