Re: [mod-security-users] Request content type is not allowed by policy Pattern match "^([^; \s]+)"
From: Brian R. <Bri...@br...> - 2010-03-23 03:13:59
Weedy wrote:
> For the life of me I haven't been able to figure out what is wrong
> with this request. Everything I have found relating to this rule is
> someone using a Content-Type not contained in
> tx.allowed_request_content_type; as you will see multipart/form-data
> is allowed by default and I can't see anything wrong with the request
> itself.
>
> Thank you in advance.
>
> --ecacc00d-A--
> [21/Mar/2010:23:31:30 --0400] S6bkjn8AAAEAADwtBrsAAAFX 1.1.1.1 2600 212.117.183.104 80
> --ecacc00d-B--
> POST /wakaba.pl HTTP/1.1
> Host: bah.net
> Connection: keep-alive
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
> Referer: http://bah.net/rp/res/94023_abbr.html
> Content-Length: 1159
> Cache-Control: max-age=0
> Origin: http://bah.net
> Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryO95RDcsUqi7YUukk
> Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
> Cookie: email=noko; password=bahhh; name=bahhhhhhhh; wakastyle=Futaba; wakabastyle=Futaba
> <snip>
> --ecacc00d-H--
> Message: Pattern match "^([^;\s]+)" at REQUEST_HEADERS:Content-Type. [file "/etc/apache2/modules.d/mod_security/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "multipart/form-data; boundary=----WebKitFormBoundaryO95RDcsUqi7YUukk"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
> Apache-Handler: fcgid-script
> Stopwatch: 1269228686640491 3620089 (138882* 146825 3619174)
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
> Server: Apache
>
> --ecacc00d-K--
> SecAction "phase:1,auditlog,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
> SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.paranoid_mode=0"

Paranoid mode is not set.

> SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
> SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"
> SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.critical_anomaly_score=20,setvar:tx.error_anomaly_score=15,setvar:tx.warning_anomaly_score=10,setvar:tx.notice_anomaly_score=5"
> SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.max_num_args=255"
> SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS',setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml',setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx',setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'"
> SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:2,chain,rev:2.0.5,t:none,pass,nolog,auditlog,msg:'POST request must have a Content-Length header',id:960012,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:4,tag:http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5"
> SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Too many arguments in request',id:960335,severity:4,rev:2.0.5"
> SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Request content type is not allowed by policy',id:960010,tag:POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:4,logdata:%{matched_var}"
> SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "capture"

It captures above, but then doesn't do anything with TX:1.

> SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:2,chain,capture,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,auditlog,msg:'URL file extension is restricted by policy',severity:2,id:960035,tag:POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,logdata:%{TX.0}"
> SecRule "REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,rev:2.0.5,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
> SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_SESSION_FIXATION"
> SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_FILE_INJECTION"
> SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_COMMAND_ACCESS"
> SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_COMMAND_INJECTION"
> SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,rev:2.0.5,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
> SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_XSS_CHECK"

All the paranoid mode rules were skipped.

Looks like that rule is capturing, but maybe does not have the nolog, so it is being logged:

SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\s]+)" "capture"

Later on nothing is checking tx.allowed_request_content_type, as you have setvar:tx.paranoid_mode=0.

It is a bug in CRS and fixed in 2.0.6 (missing "chain").

-B

-- 
Brian Rectanus
Breach Security
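As an added illustration, not code from this thread or from the ModSecurity CRS project, the Python script below models the chain semantics that make the missing `chain` matter. In ModSecurity a chain fires (and the chain starter's msg/logdata are written) only when every rule in the chain matches; a rule without `chain` ends the chain, so anything after it is a separate rule. The two-rule chain reproduces the 2.0.5 configuration quoted above: the method check plus a successful capture of the Content-Type header is enough to log 960010, whatever the media type. The three-rule chain adds a membership test of the captured TX:1 against tx.allowed_request_content_type; that third rule is an assumed stand-in for the allow-list check the missing `chain` cut off, and the request dictionary is a constructed subset of the audit-log fields the rule inspects.

```python
import re

# Constructed request: only the fields rule 960010 looks at, values taken
# from the audit log quoted in the thread.
REQUEST = {
    "REQUEST_METHOD": "POST",
    "REQUEST_HEADERS": {
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryO95RDcsUqi7YUukk",
    },
}

# tx.allowed_request_content_type exactly as set by the SecAction in the post.
ALLOWED_REQUEST_CONTENT_TYPE = (
    "application/x-www-form-urlencoded multipart/form-data text/xml application/xml"
)

SAFE_METHOD_RE = re.compile(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$")
CONTENT_TYPE_RE = re.compile(r"^([^;\s]+)")   # the regex that fired in the audit log


def rule_method_is_not_safe(req, tx):
    """Chain starter of 960010: negated match on the body-less methods."""
    return not SAFE_METHOD_RE.match(req["REQUEST_METHOD"])


def rule_capture_content_type(req, tx):
    """Second rule: match the media type (text up to ';' or whitespace) and
    store it in TX:0/TX:1 the way ModSecurity's 'capture' action does."""
    ctype = req["REQUEST_HEADERS"].get("Content-Type")
    if ctype is None:
        return False
    m = CONTENT_TYPE_RE.match(ctype)
    if not m:
        return False
    tx["0"], tx["1"] = m.group(0), m.group(1)
    tx["matched_var"] = ctype        # what logdata:%{matched_var} would print
    return True


def rule_type_not_allowed(req, tx):
    """Third rule (assumed shape): fire only if TX:1 is outside the allow list.
    CRS expresses this as a negated regex over %{tx.allowed_request_content_type};
    a plain membership test is equivalent for this simulation."""
    return tx.get("1") not in ALLOWED_REQUEST_CONTENT_TYPE.split()


def evaluate_chain(rules, req):
    """ModSecurity chain semantics: the chain fires only if every rule matches.
    TX captures made by earlier rules are visible to later ones."""
    tx = {}
    for rule in rules:
        if not rule(req, tx):
            return False, tx
    return True, tx


# CRS 2.0.5 as posted: the capture rule has no 'chain', so the chain ends there.
BUGGY_CHAIN = [rule_method_is_not_safe, rule_capture_content_type]
# With 'chain' on the capture rule, the allow-list check belongs to the same chain.
FIXED_CHAIN = [rule_method_is_not_safe, rule_capture_content_type, rule_type_not_allowed]


def rule_960010_fires(req, fixed=True):
    """Return (fired, logdata) for the content-type policy rule."""
    fired, tx = evaluate_chain(FIXED_CHAIN if fixed else BUGGY_CHAIN, req)
    return fired, tx.get("matched_var")


if __name__ == "__main__":
    print("2.0.5 chain, multipart:", rule_960010_fires(REQUEST, fixed=False))
    print("fixed chain, multipart:", rule_960010_fires(REQUEST, fixed=True))
    json_req = {"REQUEST_METHOD": "POST",
                "REQUEST_HEADERS": {"Content-Type": "application/json"}}
    print("fixed chain, JSON     :", rule_960010_fires(json_req, fixed=True))
```

Running it shows the thread's symptom directly: with the two-rule chain the multipart POST is logged with the full header as logdata, while the three-rule chain stays silent for every media type listed in tx.allowed_request_content_type and fires only for one that is not, such as application/json. In a real deployment the check is the ModSecurity rule that follows the capture; adding `chain` to the Content-Type rule is what makes that rule part of 960010 instead of an unrelated rule that runs on its own.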