[Owasp-modsecurity-core-rule-set] Allowing z-push
misc.lists at blueyonder.co.uk
Sat Nov 13 10:10:18 EST 2010
I am not really a network guy. I have a small home server running Fedora
13. As well as hosting my small family web site it is also a mail server
running Procmail, Spamassassin, Dovecot and Squirrelmail.
I also have an iPhone.
I was thrilled, recently, to discover an application called z-push which
allows me to "push" emails from my server to my iPhone. It uses a php
script running php-imap on the server to spoof
Microsoft-Server-ActiveSync. It works brilliantly with Mod_security
disabled. ModSec however blocks it. I have tried creating a local rule
in modsecurity_localrules.conf but I couldn't get it quite right - plus
I was not sure what the safest way to allow this access would be without
opening up the server too much...
I get two types of report in the console:
METHOD: POST URI: /Microsoft-Server-ActiveSync
1) Request content type is not allowed by policy 2) Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy
METHOD: OPTIONS URI: /Microsoft-Server-ActiveSync
Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required.
The second of those, obviously, is actually blocked. It is blocked by a
rule which I put into my local rules having worked through Magnus
This is the rule in question:
# Rule to block non-standard methods (See Modsec book p50)
SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"
Please see below the detail for the denial. How can I craft a safe rule
to allow this through?
Thanks in advance....
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Authorization: Basic bWFyazppbEhhYWRIUA==
Accept-Encoding: gzip, deflate
HTTP/1.1 405 Method Not Allowed
Content-Type: text/html; charset=iso-8859-1
Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
Action: Intercepted (phase 2)
Stopwatch: 1289655765198610 1406 (534 728 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.16 (Fedora)
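One way to scope the exception instead of dropping the method check, as an added example that is not part of the original post or of the CRS: the local rule keeps denying unexpected methods everywhere, OPTIONS is tolerated only on the ActiveSync path, and the ActiveSync content type is appended to the CRS allowed list for that path alone. The rule ids, the content type value (application/vnd.ms-sync.wbxml) and the CRS 2.0.x variable name tx.allowed_request_content_type are assumptions not stated in the post; the snippet assumes it is loaded after the CRS config files, as modsecurity_localrules.conf normally is.

```apache
# Added example (not the poster's rule, not CRS code). Assumptions: ids 900101-900103
# are free, the file loads after modsecurity_crs_10_config.conf, and the ActiveSync
# client sends Content-Type application/vnd.ms-sync.wbxml.

# 1) Site-wide: still deny anything but GET/POST/HEAD, except on the ActiveSync URI.
#    With "chain", the deny only fires when every rule in the chain matches.
SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" \
    "phase:2,t:none,chain,deny,status:405,id:900101,msg:'Non-standard method'"
    SecRule REQUEST_URI "!^/Microsoft-Server-ActiveSync" "t:none"

# 2) ActiveSync URI only: allow OPTIONS in addition to GET/POST/HEAD, nothing else.
SecRule REQUEST_URI "^/Microsoft-Server-ActiveSync" \
    "phase:2,t:none,chain,deny,status:405,id:900102,msg:'Unexpected method on ActiveSync path'"
    SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "t:none"

# 3) ActiveSync URI only: extend the CRS content-type allow-list (assumed variable name)
#    in phase 1, before the CRS policy rules in phase 2 evaluate it. Other paths keep
#    the default list untouched.
SecRule REQUEST_URI "^/Microsoft-Server-ActiveSync" \
    "phase:1,t:none,nolog,pass,id:900103,setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/vnd.ms-sync.wbxml'"
```

After reloading Apache, the audit log should show OPTIONS on /Microsoft-Server-ActiveSync passing while an OPTIONS request to any other path still receives the 405 from rule 900101.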