Re: [mod-security-users] crs ruleset and trace method?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] crs ruleset and trace method?
|
From: Christian F. <chr...@ne...> - 2018-03-21 09:53:23
|
Hey Eero, The TRACE method is somewhat special. At least in Apache. The request skips phase 2 and thus the CRS rule covering tx.allowed_methods. There are discussions to move this block of rules to phase 1 though. https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 You may want to chime in there. Ahoj, Christian On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote: > Hi, > > Just noticed that crs ruleset is not blocking trace method, even > setvar:'tx.allowed_methods=GET POST'" > > Is this a bug? > > Eero > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
