[Owasp-modsecurity-core-rule-set] Allowing z-push

Rcbarnett rcbarnett at gmail.com
Sat Nov 13 10:58:20 EST 2010


You need to add the z-push content-type (application/vnd.ms-sync.wbxml) to the allowed content-type list in the 10 config file. 

--
Ryan Barnett


On Nov 13, 2010, at 10:44 AM, Arthur Dent <misc.lists at blueyonder.co.uk> wrote:

> On Sat, 2010-11-13 at 15:10 +0000, Arthur Dent wrote:
>> Hello all,
>> 
>> I am not really a network guy. I have a small home server running Fedora
>> 13. As well as hosting my small family web site it is also a mail server
>> running Procmail, Spamassassin, Dovecot and Squirrelmail. 
>> 
>> I also have an iPhone.
>> 
>> I was thrilled, recently, to discover an application called z-push which
>> allows me to "push" emails from my server to my iPhone. It uses a php
>> script running php-imap on the server to spoof
>> Microsoft-Server-ActiveSync. It works brilliantly with Mod_security
>> disabled. ModSec however blocks it. I have tried creating a local rule
>> in modsecurity_localrules.conf but I couldn't get it quite right - plus
>> I was not sure what the safest way to allow this access would be without
>> opening up the server too much...
>> 
>> I get two types of report in the console:
>> 
>> 
>> METHOD: POST   URI: /Microsoft-Server-ActiveSync 
>> 1) Request content type is not allowed by policy 2) Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy
>> 
>> and
>> 
>> METHOD: OPTIONS   URI: /Microsoft-Server-ActiveSync 
>> Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required.
>> 
>> The second of those, obviously, is actually blocked. It is blocked by a
>> rule which I put into my local rules having worked through Magnus
>> Mischel's book.
>> 
>> This is the rule in question:
>> # Rule to block non-standard methods (See Modsec book p50)
>> SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"
> 
> Replying to my own message...
> 
> Looking closer, I have modified this rule to read:
>        SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "deny,status:405"
> 
> Is that safe?
> 
> It now results in this however:
>        --e00ab306-H--
>        Message: Match of "within %{tx.allowed_request_content_type}" against "TX:0" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/vnd.ms-sync.wbxml"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
>        Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy"]
>        Apache-Handler: php5-script
>        Stopwatch: 1289661517966736 246643 (536 11498 -)
>        Response-Body-Transformed: Dechunked
>        Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
>        Server: Apache/2.2.16 (Fedora)
>> 
>> Please see below the detail for the denial. How can I craft a safe rule
>> to allow this through?
>> 
>> Thanks in advance....
>> 
>> Mark
>> 
>> 
>> --fa24db00-B--
>> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
>> Host: mydomain.example.com
>> Content-Length: 0
>> User-Agent: Apple-iPhone2C1/802.117
>> X-Ms-Policykey: 0
>> Authorization: Basic bWFyazppbEhhYWRIUA==
>> Accept: */*
>> Accept-Language: en-us
>> Accept-Encoding: gzip, deflate
>> Connection: keep-alive
>> 
>> --fa24db00-F--
>> HTTP/1.1 405 Method Not Allowed
>> Allow: TRACE
>> Content-Length: 337
>> Connection: close
>> Content-Type: text/html; charset=iso-8859-1
>> 
>> --fa24db00-H--
>> Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
>> Action: Intercepted (phase 2)
>> Apache-Handler: php5-script
>> Stopwatch: 1289655765198610 1406 (534 728 -)
>> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
>> Server: Apache/2.2.16 (Fedora)
>> 
>> --fa24db00-Z--
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
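The two configuration changes the thread arrives at, written out as an added example (not part of the original mail, and not the CRS project's own shipped text). It assumes the CRS 2.0.x layout visible in the audit log above (the 10 config file defining tx.allowed_request_content_type, and a local rules file); the default value of the content-type list is reproduced from memory and should be checked against the installed file, and the rule ids 900010 and 900011 are arbitrary placeholders chosen to stay out of the CRS range.

```apache
# --- /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf ---
# The CRS 2.0.x policy rule 960010 checks the request Content-Type with the
# "within" operator against this pipe-separated list. Appending the z-push
# type (taken from the [data "..."] field of the 960010 audit entry) is the
# only change needed for the POST requests; everything else stays as shipped.
# Assumption: the default list below matches the installed file.
SecAction "phase:1,t:none,nolog,pass, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/vnd.ms-sync.wbxml'"

# --- /etc/httpd/modsecurity.d/modsecurity_localrules.conf ---
# Replacement for the blanket "!^(GET|POST|HEAD)$" deny from the thread.
# Rather than whitelisting OPTIONS everywhere, it is accepted only for the
# ActiveSync endpoint; every other non-standard method, and OPTIONS on any
# other path, is still refused with 405 and logged.
SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" \
  "phase:2,t:none,id:900010,deny,status:405,log,msg:'Non-standard HTTP method'"

# Chained rule: both conditions must match for the deny to fire, so an
# OPTIONS request whose path is exactly /Microsoft-Server-ActiveSync passes.
# REQUEST_FILENAME is used instead of REQUEST_URI so a query string
# (?Cmd=...&DeviceId=...) on the endpoint does not defeat the comparison.
SecRule REQUEST_METHOD "^OPTIONS$" \
  "phase:2,t:none,id:900011,chain,deny,status:405,log,msg:'OPTIONS only permitted for the z-push endpoint'"
  SecRule REQUEST_FILENAME "!@streq /Microsoft-Server-ActiveSync" "t:none"
```

After reloading Apache, the check is the audit log: a successful OPTIONS and a subsequent POST from the phone should produce no 960010 entry and no local-rule 405 in the -H- section, while an OPTIONS sent to any other path should still show the 900011 denial.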

