Re: [mod-security-users] WebDAV troubles
From: Brian R. <Bri...@br...> - 2008-08-28 22:51:10
Brian Rectanus wrote:
> Gerald Holl wrote:
> > Ryan Barnett wrote:
> > >> -----Original Message-----
> > >> From: mod...@li... [mailto:mod-
> > >> sec...@li...] On Behalf Of Gerald Holl
> > >> Sent: Thursday, August 28, 2008 1:32 PM
> > >> To: mod...@li...
> > >> Subject: Re: [mod-security-users] WebDAV troubles
> > >>
> > >> Ryan Barnett wrote:
> > >>> [Ryan Barnett] This rule is not working because it is not a rule that is
> > >>> causing the denial but rather a directive setting. What you can do is
> > >>> use the ctl action to turn off request body access for that particular
> > >>> URL location. Try this -
> > >>>
> > >>> SecRule REQUEST_URI "^/path/" \
> > >>> "phase:1,t:none,t:urlDecodeUni,t:normalisePathWin,t:lowercase,nolog,pass,ctl:requestBodyAccess=Off"
> > >> Ryan,
> > >>
> > >> this rule doesn't work for me.
> > >> I tried to disable rule 960032 by using SecRuleRemoveById 960032 and it
> > >> doesn't work either.
> > > [Ryan Barnett] Where are you calling up the ModSecurity rules files? If
> > > you use SecRuleRemoveById, it must be specified AFTER the rule it is
> > > disabling.
> >
> > First, I'm including the core rules conf file.
> > Second, I'm disabling rule 960032 for the desired directory.
> > This scheme works for all directories except for the one with WebDAV
> > enabled. Pretty strange. 960032 errors are still logged.
> >
> > >> Here is the snippet of the apache conf file:
> > >> <Directory /var/www/path/to/protect>
> > >> <IfModule mod_security2.c>
> > >> SecRuleRemoveById 960032
> > >> SecRule REQUEST_URI "^/path/to/protect"
> > >> "phase:1,t:none,t:urlDecodeUni,t:normalisePathWin,t:lowercase,nolog,pass,ctl:requestBodyAccess=Off"
> > > [Ryan Barnett] You can not place a ModSecurity phase:1 rule inside an
> > > Apache scope location (such as Directory) as these rules are not
> > > evaluated until phase:2. Move this rule outside of the Directory
> > > context.
> >
> > Although it's outside the request body limit is still enabled. I placed
> > it in a VirtualHost directive and in the root of the apache config file.
> > No idea what's wrong there.
>
> I believe this is an issue that I have already fixed for 2.5.7.
>
> See the archives for a patch to 2.5.6:
>
> http://sourceforge.net/mailarchive/message.php?msg_id=48A0AFB1.5060000%40breach.com

See also:

https://www.modsecurity.org/tracker/browse/MODSEC-4

-B

--
Brian Rectanus
Breach Security
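
Added example (not part of the original message, and not ModSecurity project code): a small lint pass that flags the two placement mistakes Ryan Barnett describes in the quoted thread, a phase:1 SecRule inside a Directory-style scope and a SecRuleRemoveById that appears before a later Include. The sample config, the Include path and the finding labels are constructed for illustration, and the Include check is a heuristic because it does not read the included files.

```python
import re

# Constructed sample, modeled on the snippet quoted in the thread.
SAMPLE_CONF = '''\
<Directory /var/www/path/to/protect>
<IfModule mod_security2.c>
SecRuleRemoveById 960032
SecRule REQUEST_URI "^/path/to/protect" \\
  "phase:1,t:none,nolog,pass,ctl:requestBodyAccess=Off"
</IfModule>
</Directory>
Include conf/modsecurity/*.conf
'''

# Apache containers treated here as per-directory scopes.
SCOPES = {"directory", "directorymatch", "location", "locationmatch",
          "files", "filesmatch"}

def join_continuations(text):
    """Merge backslash-continued lines; yield (first_line_no, logical_line)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def lint(text):
    """Return [(line_no, finding)] for the two placement problems."""
    findings, scope_stack, removals = [], [], []
    for no, line in join_continuations(text):
        tag = re.match(r"<(/?)(\w+)", line)
        if tag and tag.group(2).lower() in SCOPES:
            if not tag.group(1):
                scope_stack.append(tag.group(2))
            elif scope_stack:
                scope_stack.pop()
        elif re.match(r"SecRule\s", line, re.I):
            # A phase:1 rule inside a scope is not evaluated in phase 1.
            if scope_stack and re.search(r"\bphase:1\b", line):
                findings.append((no, "phase1-in-scope"))
        elif re.match(r"SecRuleRemoveById\s", line, re.I):
            removals.append(no)
        elif re.match(r"Include(Optional)?\s", line, re.I):
            # Rules loaded after a removal are not covered by it.
            findings += [(r, "remove-before-include") for r in removals]
            removals = []
    return findings
```

Running `lint(SAMPLE_CONF)` reports the rule starting on line 4 and the removal on line 3; a clean result does not rule out the 2.5.6 issue Brian refers to.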