[Owasp-modsecurity-core-rule-set] Allowing z-push

Ryan Barnett RBarnett at trustwave.com
Sat Nov 13 10:54:49 EST 2010


Since you don't have a rule ID for your rule, you could add the following rule right before it. It will check the URL and request method and if it is for z-push it will then skip the existing rule that is blocking it. 

> # Rule to allow z-push method
> # phase:2 because skip only affects rules in the same phase, and the deny rule below runs in phase 2 (see the audit log)
> SecRule REQUEST_FILENAME "/Microsoft-Server-ActiveSync" "chain,phase:2,t:none,pass,nolog,skip:1"
> SecRule REQUEST_METHOD "^OPTIONS$"
>
> # Rule to block non-standard methods (See Modsec book p50)
> SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"

--
Ryan Barnett


On Nov 13, 2010, at 10:11 AM, "Arthur Dent" <misc.lists at blueyonder.co.uk> wrote:

> Hello all,
> 
> I am not really a network guy. I have a small home server running Fedora
> 13. As well as hosting my small family web site it is also a mail server
> running Procmail, Spamassassin, Dovecot and Squirrelmail. 
> 
> I also have an iPhone.
> 
> I was thrilled, recently, to discover an application called z-push which
> allows me to "push" emails from my server to my iPhone. It uses a php
> script running php-imap on the server to spoof
> Microsoft-Server-ActiveSync. It works brilliantly with Mod_security
> disabled. ModSec however blocks it. I have tried creating a local rule
> in modsecurity_localrules.conf but I couldn't get it quite right - plus
> I was not sure what the safest way to allow this access would be without
> opening up the server too much...
> 
> I get two types of report in the console:
> 
> 
> METHOD: POST   URI: /Microsoft-Server-ActiveSync 
> 1) Request content type is not allowed by policy 2) Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy
> 
> and
> 
> METHOD: OPTIONS   URI: /Microsoft-Server-ActiveSync 
> Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required.
> 
> The second of those, obviously, is actually blocked. It is blocked by a
> rule which I put into my local rules having worked through Magnus
> Mischel's book.
> 
> This is the rule in question:
> # Rule to block non-standard methods (See Modsec book p50)
> SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"
> 
> 
> Please see below the detail for the denial. How can I craft a safe rule
> to allow this through?
> 
> Thanks in advance....
> 
> Mark
> 
> 
> --fa24db00-B--
> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
> Host: mydomain.example.com
> Content-Length: 0
> User-Agent: Apple-iPhone2C1/802.117
> X-Ms-Policykey: 0
> Authorization: Basic bWFyazppbEhhYWRIUA==
> Accept: */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> 
> --fa24db00-F--
> HTTP/1.1 405 Method Not Allowed
> Allow: TRACE
> Content-Length: 337
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 
> --fa24db00-H--
> Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
> Action: Intercepted (phase 2)
> Apache-Handler: php5-script
> Stopwatch: 1289655765198610 1406 (534 728 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
> Server: Apache/2.2.16 (Fedora)
> 
> --fa24db00-Z--
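
The reply above works around the local rule having no rule ID. As an added example (not from the thread, the book or the CRS), this is how the same exception can be written once the method rule carries an ID, so that it no longer depends on the two rules being adjacent and in the same phase. The IDs 100001 and 100002 and the msg text are constructed placeholders, and the anchored path assumes z-push is served at exactly this URI.

```apache
# Added example, not from the thread. IDs 100001/100002 are placeholders
# chosen for illustration; use IDs from your own local range.

# Exception for z-push: only OPTIONS, only on the exact ActiveSync path.
# REQUEST_FILENAME excludes the query string, so the pattern can be anchored
# at both ends; an unanchored pattern also matches any longer path that
# merely contains this string.
# ctl sits on the last rule of the chain so it runs only when both
# conditions match. Non-disruptive actions run when the rule that carries
# them matches, so on the chain starter it would run for every method.
SecRule REQUEST_FILENAME "^/Microsoft-Server-ActiveSync$" \
    "chain,phase:1,t:none,pass,nolog,id:100001"
    SecRule REQUEST_METHOD "^OPTIONS$" \
        "t:none,ctl:ruleRemoveById=100002"

# The existing method allowlist, now with an id so the exception can name it.
# phase:2 is stated explicitly; the audit log shows the rule firing there.
SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" \
    "phase:2,t:none,deny,status:405,id:100002,msg:'HTTP method not in local allowlist'"
```

Every other URI still gets the 405 for OPTIONS, and every other non-allowlisted method is still denied on the ActiveSync path.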