Re: [mod-security-users] Why do I get [msg "Request content type is not allowed by policy"] [data "
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Why do I get [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded]
|
From: Mirabito, M. (M. (CDC/CCID/O. (CTR) <mc...@cd...> - 2010-02-26 17:17:49
|
Ryan,
Many thank that fixed our problem.
MAx
-----Original Message-----
From: Ryan Barnett [mailto:rya...@br...]
Sent: Friday, February 26, 2010 11:59
To: mod...@li...
Cc: Mirabito, Massimo (Max) (CDC/CCID/OD) (CTR); Wang, Silver
(CDC/CCID/OD) (CTR)
Subject: Re: [mod-security-users] Why do I get [msg "Request content
type is not allowed by policy"] [data
"application/x-www-form-urlencoded]
On Friday 26 February 2010 11:46:29 Mirabito, Massimo (Max)
(CDC/CCID/OD) (CTR) wrote:
> Hello to everyone,
>
> We are brand new to Mod_security so we are still struggling to say the
> least to get a better understating. We have been using Mod_Security
2.5.11
> with Apache 2.2.14 on Win 2003 and getting our applications to behave
> properly, but yesterday we decided to upgrade to Mod Security 2.5.12
with
> rule set 2.0.5. as we were struggling with another rule that did not
make
> too much sense to us.
>
> The upgrade resulted in the following issue but we do not understand
how
> we can address the issue, what we are seeing is that every page
request
> now logs to mod security [msg "Request content type is not allowed by
> policy"] [data "application/x-www-form-urlencoded]. Is this something
we
> can remedy because I am hesitant to comment out the rule using the
> SecRuleRemoveByID directive? I am not even sure if this a mod_security
> configuration or rule set issue
>
> Any help or suggestions are greatly appreciated.
>
There is a bug in that rule as it is missing a "chain" action on the 2nd
SecRule. The
rule should be this -
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$"
"phase:2,chain,t:none,pass,nolog,auditlog,msg:'Request content type is
not allowed
by
policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-2
0',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',
severity:'4',logdata:'%{matched_var}'"
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)"
"chain,capture"
SecRule TX:0 "!@within
%{tx.allowed_request_content_type}"
"t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.
warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_scor
e},setvar:tx.
%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var
_name}=%{matched_var}"
This issue has already been reported in JIRA
(https://www.modsecurity.org/tracker/browse/CORERULES-37) and fixed in
CRS v2.0.6. You can
manually add the "chain" action to your rule to fix the issue now.
-Ryan
|