[Owasp-modsecurity-core-rule-set] Allowing z-push

Arthur Dent misc.lists at blueyonder.co.uk
Sat Nov 13 10:44:37 EST 2010


On Sat, 2010-11-13 at 15:10 +0000, Arthur Dent wrote:
> Hello all,
> 
> I am not really a network guy. I have a small home server running Fedora
> 13. As well as hosting my small family web site it is also a mail server
> running Procmail, Spamassassin, Dovecot and Squirrelmail. 
> 
> I also have an iPhone.
> 
> I was thrilled, recently, to discover an application called z-push which
> allows me to "push" emails from my server to my iPhone. It uses a php
> script running php-imap on the server to spoof
> Microsoft-Server-ActiveSync. It works brilliantly with Mod_security
> disabled. ModSec however blocks it. I have tried creating a local rule
> in modsecurity_localrules.conf but I couldn't get it quite right - plus
> I was not sure what the safest way to allow this access would be without
> opening up the server too much...
> 
> I get two types of report in the console:
> 
> 
> METHOD: POST   URI: /Microsoft-Server-ActiveSync 
> 1) Request content type is not allowed by policy 2) Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy
> 
> and
> 
> METHOD: OPTIONS   URI: /Microsoft-Server-ActiveSync 
>  Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required.
> 
> The second of those, obviously, is actually blocked. It is blocked by a
> rule which I put into my local rules having worked through Magnus
> Mischel's book.
> 
> This is the rule in question:
> # Rule to block non-standard methods (See Modsec book p50)
> SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"

Replying to my own message...

Looking closer, I have modified this rule to read:

        SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "deny,status:405"

Is that safe?

It now results in this, however:
        --e00ab306-H--
        Message: Match of "within %{tx.allowed_request_content_type}" against "TX:0" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/vnd.ms-sync.wbxml"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
        Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy"]
        Apache-Handler: php5-script
        Stopwatch: 1289661517966736 246643 (536 11498 -)
        Response-Body-Transformed: Dechunked
        Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
        Server: Apache/2.2.16 (Fedora)
> 
> Please see below the detail for the denial. How can I craft a safe rule
> to allow this through?
> 
> Thanks in advance....
> 
> Mark
> 
> 
> --fa24db00-B--
> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
> Host: mydomain.example.com
> Content-Length: 0
> User-Agent: Apple-iPhone2C1/802.117
> X-Ms-Policykey: 0
> Authorization: Basic bWFyazppbEhhYWRIUA==
> Accept: */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> 
> --fa24db00-F--
> HTTP/1.1 405 Method Not Allowed
> Allow: TRACE
> Content-Length: 337
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 
> --fa24db00-H--
> Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
> Action: Intercepted (phase 2)
> Apache-Handler: php5-script
> Stopwatch: 1289655765198610 1406 (534 728 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
> Server: Apache/2.2.16 (Fedora)
> 
> --fa24db00-Z--
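One way to answer the two questions above (is allowing OPTIONS globally safe, and how to let the wbxml POSTs through without disabling the check) is to scope both exceptions to the /Microsoft-Server-ActiveSync path rather than relaxing the policy site-wide. The rules below are an added example written for this thread, not the poster's own rules and not part of the CRS or z-push. They rely on details visible in the audit log (rule 960010 tests the captured Content-Type with @within against tx.allowed_request_content_type, CRS 2.0.8 on ModSecurity 2.5.12) plus three assumptions: that the file holding them is included by Apache after modsecurity_crs_10_config.conf (so the phase-1 append runs after the CRS has initialised the variable, not before it), that the CRS 2.0.x list is pipe-separated (check the setvar in modsecurity_crs_10_config.conf), and that rule ids 1001-1003 are unused locally.

```apache
# Added example: z-push exception scoped to the ActiveSync endpoint only.
# Assumptions (not from the thread): this file is included after
# modsecurity_crs_10_config.conf, the CRS content-type list uses "|" as its
# separator, and ids 1001-1003 are free for local rules.

# 1. Extend the CRS content-type allow-list, but only for requests to the
#    ActiveSync path. REQUEST_FILENAME excludes the ?Cmd=...&DeviceId=...
#    query string that z-push appends to its POSTs, so a plain regex works.
SecRule REQUEST_FILENAME "^/Microsoft-Server-ActiveSync$" \
    "phase:1,t:none,nolog,pass,id:1001,\
    setvar:tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/vnd.ms-sync.wbxml"

# 2. Keep the original method policy: anything other than GET, POST, HEAD
#    or OPTIONS is still refused everywhere.
SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" \
    "phase:2,t:none,deny,status:405,log,id:1002,msg:'Non-standard HTTP method'"

# 3. OPTIONS is refused everywhere except on the ActiveSync path. In a
#    chain the deny of the first rule only fires when the chained rule also
#    matches, i.e. when the path is something other than the z-push endpoint.
SecRule REQUEST_METHOD "^OPTIONS$" \
    "chain,phase:2,t:none,deny,status:405,log,id:1003,msg:'OPTIONS outside ActiveSync endpoint'"
    SecRule REQUEST_FILENAME "!^/Microsoft-Server-ActiveSync$" "t:none"
```

To confirm the scoping, `curl -i -X OPTIONS -u user:pass https://mydomain.example.com/Microsoft-Server-ActiveSync` should no longer get the ModSecurity 405, while `curl -i -X OPTIONS https://mydomain.example.com/` still should, and the next z-push POST should produce no 960010 entry in the audit log. If the Include order cannot be arranged so that rule 1001 runs after the CRS setvar, the coarser fallback is the same REQUEST_FILENAME match with `ctl:ruleRemoveById=960010` instead of the setvar, which switches the content-type check off for that one path rather than widening its list. One further point from the posted audit log: the Authorization header it contains is base64 Basic auth, not encryption, so the audit log itself now holds the iPhone's credentials and should be protected (and redacted before posting) accordingly.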