[Owasp-modsecurity-core-rule-set] [External] Re: Can't process with allowing "application/x-git-upload-pack-request" in CRS

Shakitko, Ilia ilia.shakitko at accenture.com
Mon Jul 9 07:27:28 UTC 2018


Hi Chaim,

Thank you for the fast response. Apologies, a piece of meaningful info is indeed missing.

nginx_version: 1.13.12-1~xenial
owasp_rules_version: 3.0.0


In addition to the behavior I described, the following scenario happened (and made it work, but it is not clear why):

1) changed the file /usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf

2) on line 340 added an extra “|foo” to the expression and it works (the rule doesn’t block anymore) – as if it were not respecting the last argument

setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/x-git-upload-pack-request|foo'"



Met vriendelijke groet / With kind regards,

Ilia Shakitko

From: Chaim Sanders <chaim at chaimsanders.com>
Date: Friday, 6 July 2018 at 23:03
To: Ilia Shakitko <ilia.shakitko at accenture.com>
Cc: "owasp-modsecurity-core-rule-set at lists.owasp.org" <owasp-modsecurity-core-rule-set at lists.owasp.org>
Subject: [External] Re: [Owasp-modsecurity-core-rule-set] Can't process with allowing "application/x-git-upload-pack-request" in CRS

For completeness can we have the version of CRS and the version of modsec you're running?
On Fri, Jul 6, 2018, 3:56 PM Shakitko, Ilia <ilia.shakitko at accenture.com> wrote:
Hi ModSecurity CRS Mailing List members,

I am running into an issue with CI for my GitLab. After enabling mod_security (crs-3.0.0), I got a few errors, and the latest one I am not able to resolve: the request content type (application/x-git-upload-pack-request) is not allowed by policy. I found two places where I can add an exception to allow content types, but enabling this doesn’t work -> please see the log below.

Files:
/usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf
and
/usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-901-INITIALIZATION.conf

Result is still:

ModSecurity: Warning. Matched "Operator `Rx' with parameter `^application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/x-git-upload-pack-request'$' against variable `TX:0' (Value: `application/x-git-upload-pack-request' ) [file "/usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "911"] [id "920420"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/x-git-upload-pack-request"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "23.100.14.202"] [uri "/ilia.shakitko/pass357.git/git-upload-pack"] [unique_id "153088618260.910992"] [ref "v0,4o0,37o0,37v232,37"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "23.100.14.202"] [uri "/ilia.shakitko/pass357.git/git-upload-pack"] [unique_id "153088618260.910992"] [ref ""]

What am I doing wrong? And how do I win the challenge? It looks like the changes I made should just work…

Thank you in advance.

Met vriendelijke groet / With kind regards,

Ilia Shakitko



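An added example, not part of the thread and not CRS or ModSecurity code: the inner check of rule 920420 as it appears in the log line above is a plain `^alt1|alt2|...|altN$` alternation with no grouping, and in PCRE and Python regex semantics `^` then binds only to the first entry and `$` only to the last. The same log line shows the expanded parameter ending in `...pack-request'$`, i.e. a literal single quote between the last entry and the end anchor, while the TX:0 value carries no such quote. The Python script below (Python rather than rule syntax so it runs without the engine) reproduces the check on the exact allow-list from the log and shows three things: the intended list accepts the git media type, the list with the trailing quote rejects it, and appending `|foo` inside the quoted string turns the git entry into an unanchored middle alternative that matches again, which is consistent with what the poster observed. It also shows the general cost of the missing group: any middle entry matches as a substring of an unrelated media type, which a `(?:...)` group around the alternation removes. The outer chained rule that reduces the Content-Type header to TX:0 is assumed here as `^([^;\s]+)`; the thread only quotes the inner check. Where the stray quote comes from (the edited crs-setup.conf line or how the engine parsed the setvar string) is not settled by the thread.

```python
import re

# Constructed from the thread: the allow-list the poster configured, with the
# entries exactly as they appear in the rule 920420 log line.
ALLOWED = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml|"
    "application/xml|application/x-amf|application/json|text/plain|"
    "application/x-git-upload-pack-request"
)

# The same log line shows the expanded parameter ending in "...pack-request'$":
# a literal single quote between the last entry and the end anchor. Modelled
# here as a suffix on the whole list; its origin is not known from the thread.
STRAY_QUOTE = "'"

# Assumed outer chained rule of 920420 (the thread only quotes the inner check):
# TX:0 holds the media type in front of any ';' parameters.
MEDIA_TYPE_RE = re.compile(r"^([^;\s]+)")


def media_type(content_type_header):
    """Return what TX:0 would hold for a Content-Type header value."""
    m = MEDIA_TYPE_RE.match(content_type_header)
    return m.group(1) if m else ""


def allowed_ungrouped(tx0, allowed=ALLOWED):
    """Inner check as logged: @rx with '^' + allowed + '$' and no grouping.

    @rx is an unanchored search, so '^' binds only to the first entry and
    '$' only to the last; every other entry may match anywhere inside tx0.
    """
    return re.search("^" + allowed + "$", tx0) is not None


def allowed_grouped(tx0, allowed=ALLOWED):
    """Hardened form: (?:...) around the alternation makes both anchors apply
    to every entry, so only an exact media type passes."""
    return re.search("^(?:" + allowed + ")$", tx0) is not None


def matching_entry(tx0, allowed=ALLOWED):
    """Diagnostic for the ungrouped form: (entry, exact) for an entry that
    hits, where exact tells whether it was a whole-string match rather than a
    substring hit; None if the check fails."""
    entries = allowed.split("|")
    last = len(entries) - 1
    for i, entry in enumerate(entries):
        pattern = entry
        if i == 0:
            pattern = "^" + pattern
        if i == last:
            pattern = pattern + "$"
        if re.search(pattern, tx0):
            return entry, re.fullmatch(entry, tx0) is not None
    return None


if __name__ == "__main__":
    tx0 = media_type("application/x-git-upload-pack-request")
    # Intended list: exact match on the last, anchored entry.
    print(allowed_ungrouped(tx0, ALLOWED))                         # True
    # List as the log shows it: the anchored last entry now needs a trailing
    # quote that TX:0 does not carry.
    print(allowed_ungrouped(tx0, ALLOWED + STRAY_QUOTE))           # False
    # Poster's workaround: "|foo" before the quote makes the git entry an
    # unanchored middle alternative, which matches again.
    print(allowed_ungrouped(tx0, ALLOWED + "|foo" + STRAY_QUOTE))  # True
    # Grouping does not hide the stray quote; it only removes substring hits.
    print(allowed_grouped(tx0, ALLOWED + STRAY_QUOTE))             # False
    print(matching_entry("x-evil/application/json-wrapper"))       # ('application/json', False)
    print(allowed_grouped("x-evil/application/json-wrapper"))      # False
```

To check a live configuration the same way, paste the expanded parameter from a 920420 log line (the text between the backtick-quoted `parameter` markers) in place of ALLOWED and the logged TX:0 value in place of tx0; a trailing quote or other stray character in the list then shows up as `matching_entry` returning None for a media type that is plainly listed.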
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org<mailto:Owasp-modsecurity-core-rule-set at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set