Re: [mod-security-users] Why do I get [msg "Request content type is not allowed by policy"] [data "
From: Mirabito, M. (M. (CDC/CCID/O. (CTR) <mc...@cd...> - 2010-02-26 17:17:49
Ryan,

Many thanks, that fixed our problem.

Max

-----Original Message-----
From: Ryan Barnett [mailto:rya...@br...]
Sent: Friday, February 26, 2010 11:59
To: mod...@li...
Cc: Mirabito, Massimo (Max) (CDC/CCID/OD) (CTR); Wang, Silver (CDC/CCID/OD) (CTR)
Subject: Re: [mod-security-users] Why do I get [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded]

On Friday 26 February 2010 11:46:29 Mirabito, Massimo (Max) (CDC/CCID/OD) (CTR) wrote:
> Hello to everyone,
>
> We are brand new to mod_security, so we are still struggling, to say the
> least, to get a better understanding. We have been using ModSecurity 2.5.11
> with Apache 2.2.14 on Win 2003 and getting our applications to behave
> properly, but yesterday we decided to upgrade to ModSecurity 2.5.12 with
> rule set 2.0.5, as we were struggling with another rule that did not make
> too much sense to us.
>
> The upgrade resulted in the following issue, but we do not understand how
> we can address it. What we are seeing is that every page request
> now logs to mod_security [msg "Request content type is not allowed by
> policy"] [data "application/x-www-form-urlencoded"]. Is this something we
> can remedy? I am hesitant to comment out the rule using the
> SecRuleRemoveByID directive. I am not even sure if this is a mod_security
> configuration or rule set issue.
>
> Any help or suggestions are greatly appreciated.
>

There is a bug in that rule as it is missing a "chain" action on the 2nd SecRule.
The rule should be this:

SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
    "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}'"
    SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
        SecRule TX:0 "!@within %{tx.allowed_request_content_type}" \
            "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

This issue has already been reported in JIRA (https://www.modsecurity.org/tracker/browse/CORERULES-37) and fixed in CRS v2.0.6. You can manually add the "chain" action to your rule to fix the issue now.

-Ryan
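To see why dropping that single "chain" action makes every POST log the policy message, here is an added example (not ModSecurity or CRS code, and not part of the thread) that models ModSecurity's chain evaluation in Python and runs the three SecRules of 960010 against a few constructed requests, once as shipped in CRS 2.0.5 and once with "chain" restored on the second rule. The allowed-content-type list, the warning anomaly score of 3 and the sample requests are all constructed for the example; the real values come from the CRS setup configuration.

```python
import re

# Constructed values standing in for the CRS 2.0.x setup.conf settings
# tx.allowed_request_content_type and tx.warning_anomaly_score; the exact
# defaults are assumptions made for this example.
ALLOWED_REQUEST_CONTENT_TYPE = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml"
)
WARNING_ANOMALY_SCORE = 3
MSG = "Request content type is not allowed by policy"


def rule_method(req, tx):
    # SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$"
    return re.match(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$", req["method"]) is None


def rule_content_type(req, tx):
    # SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "capture"
    # An absent variable never matches; on a match, "capture" stores the
    # whole match in TX:0 (here the media type without its parameters).
    ct = req["headers"].get("Content-Type")
    if ct is None:
        return False
    m = re.match(r"^([^;\s]+)", ct)
    if m is None:
        return False
    tx["0"] = m.group(0)
    return True


def rule_not_allowed(req, tx):
    # SecRule TX:0 "!@within %{tx.allowed_request_content_type}"
    # @within is a substring test: true if TX:0 occurs anywhere in the list.
    if "0" not in tx:
        return False
    return tx["0"] not in ALLOWED_REQUEST_CONTENT_TYPE


def crs_960010(second_rule_has_chain):
    """The three SecRules of CRS 960010 as (test, actions) pairs.

    With second_rule_has_chain=False this mirrors the CRS 2.0.5 bug.
    """
    return [
        (rule_method, {"id": "960010", "msg": MSG, "chain": True}),
        (rule_content_type, {"chain": second_rule_has_chain}),
        (rule_not_allowed, {"setvar": [("anomaly_score", WARNING_ANOMALY_SCORE),
                                       ("policy_score", WARNING_ANOMALY_SCORE)]}),
    ]


def split_chains(rules):
    """A rule carrying "chain" links to the rule that follows it."""
    chains, current = [], []
    for rule in rules:
        current.append(rule)
        if not rule[1].get("chain"):
            chains.append(current)
            current = []
    if current:  # a trailing "chain" with nothing after it
        chains.append(current)
    return chains


def evaluate(rules, req):
    """Run the rules against one request.

    Returns (events, tx): the (id, msg) of every chain whose links all
    matched, plus the TX collection afterwards. Non-disruptive actions
    (setvar) of a link run as soon as that link matches; the starter
    rule's message is emitted only when the whole chain matches.
    """
    tx, events = {}, []
    for chain in split_chains(rules):
        matched_all = True
        for test, actions in chain:
            if not test(req, tx):
                matched_all = False
                break
            for key, delta in actions.get("setvar", ()):
                tx[key] = tx.get(key, 0) + delta
        starter = chain[0][1]
        if matched_all and "msg" in starter:
            events.append((starter["id"], starter["msg"]))
    return events, tx


# Constructed sample requests.
FORM_POST = {"method": "POST",
             "headers": {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}}
JSON_POST = {"method": "POST", "headers": {"Content-Type": "application/json"}}
PLAIN_GET = {"method": "GET", "headers": {}}


if __name__ == "__main__":
    for label, fixed in (("CRS 2.0.5 (no chain on 2nd rule)", False), ("fixed", True)):
        for name, req in (("form POST", FORM_POST), ("JSON POST", JSON_POST), ("GET", PLAIN_GET)):
            events, tx = evaluate(crs_960010(fixed), req)
            print(f"{label:34} {name:9} -> {events} anomaly_score={tx.get('anomaly_score', 0)}")
```

Without "chain" on the second rule the chain ends there, so any non-GET request that carries a Content-Type header at all satisfies it and the starter's message is logged, which is exactly the symptom in the thread; the third SecRule becomes an orphan that still bumps the anomaly score but has no message of its own. With the chain intact, the form POST is silent and only the JSON POST logs and scores. One property worth knowing when you edit the allowed list: @within is a plain substring match, so a media type that happens to be a substring of an allowed entry would pass the check.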