Re: [mod-security-users] WebDAV troubles
From: Gerald H. <ge...@ho...> - 2008-08-28 18:34:41
Ryan Barnett wrote:
>> -----Original Message-----
>> From: mod...@li... [mailto:mod-
>> sec...@li...] On Behalf Of Gerald Holl
>> Sent: Thursday, August 28, 2008 1:32 PM
>> To: mod...@li...
>> Subject: Re: [mod-security-users] WebDAV troubles
>>
>> Ryan Barnett wrote:
>>> [Ryan Barnett] This rule is not working because it is not a rule that is
>>> causing the denial but rather a directive setting. What you can do is
>>> use the ctl action to turn off request body access for that particular
>>> URL location. Try this -
>>>
>>> SecRule REQUEST_URI "^/path/" \
>>> "phase:1,t:none,t:urlDecodeUni,t:normalisePathWin,t:lowercase,nolog,pass,ctl:requestBodyAccess=Off"
>> Ryan,
>>
>> this rule doesn't work for me.
>> I tried to disable rule 960032 by using SecRuleRemoveById 960032 and it
>> doesn't work either.
> [Ryan Barnett] Where are you calling up the ModSecurity rules files? If
> you use SecRuleRemoveById, it must be specified AFTER the rule it is
> disabling.

First, I'm including the core rules conf file. Second, I'm disabling rule 960032 for the desired directory. This scheme works for all directories except for the one with WebDAV enabled. Pretty strange. 960032 errors are still logged.

>> Here is the snippet of the apache conf file:
>> <Directory /var/www/path/to/protect>
>> <IfModule mod_security2.c>
>> SecRuleRemoveById 960032
>> SecRule REQUEST_URI "^/path/to/protect" "phase:1,t:none,t:urlDecodeUni,t:normalisePathWin,t:lowercase,nolog,pass,ctl:requestBodyAccess=Off"
> [Ryan Barnett] You can not place a ModSecurity phase:1 rule inside an
> Apache scope location (such as Directory) as these rules are not
> evaluated until phase:2. Move this rule outside of the Directory
> context.

Although it's outside, the request body limit is still enabled. I placed it in a VirtualHost directive and in the root of the apache config file. No idea what's wrong there.

Gerald
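A small lint for the two placement points raised in the quoted replies above (a phase:1 rule inside a Directory-style container, and SecRuleRemoveById ahead of the rules it names), added here as an illustration and not part of the original thread. The sample config, the Include path and the function names are constructed, and the check assumes rule files are loaded through Include.

```python
import re

# Containers whose scope Apache resolves only after ModSecurity phase 1 has run.
SCOPED = re.compile(r"<\s*(Directory|Location|Files)(Match)?\b", re.I)
CLOSE = re.compile(r"<\s*/\s*(Directory|Location|Files)(Match)?\s*>", re.I)
PHASE1 = re.compile(r"\bphase:1\b")

def logical_lines(text):
    """Yield (line_no, directive) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        if buf and not buf.startswith("#"):
            yield start, buf
        buf = ""

def lint(text):
    """Return (line_no, message) findings for the two placement problems."""
    findings, depth, included = [], 0, False
    for no, d in logical_lines(text):
        if CLOSE.match(d):
            depth = max(depth - 1, 0)
        elif SCOPED.match(d):
            depth += 1
        elif d.lower().startswith("include"):
            included = True  # assumption: any Include may load the rule files
        elif d.startswith(("SecRule ", "SecAction ")) and depth and PHASE1.search(d):
            findings.append((no, "phase:1 rule inside a scoped container"))
        elif d.startswith("SecRuleRemoveById") and not included:
            findings.append((no, "SecRuleRemoveById before any Include loads the rule"))
    return findings

# Constructed sample built to trigger both checks (paths are placeholders).
SAMPLE = '''\
<Directory /var/www/path/to/protect>
  SecRuleRemoveById 960032
  SecRule REQUEST_URI "^/path/to/protect" \\
    "phase:1,t:none,nolog,pass,ctl:requestBodyAccess=Off"
</Directory>
Include conf/modsecurity/*.conf
'''

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```

A clean result only means the directives are placed as the replies advise; it does not show that request body access is actually off for the WebDAV path.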