Thread: [mod-security-users] dav_svn forbidden fix
From: Jeremy B. <jb...@xt...> - 2013-02-19 20:27:11
Hi All,

I had a client experiencing issues with the dav_svn / tortoise svn and I was unable to get around the modsecurity rules with locationmatch in the directives. I ended up using the following as a custom rule based on something I found while googling and it appears to have worked like a charm after slight modifications.

I am not sure if a fix like this should be sent to the list, but I figured why not; it hopefully will be helpful for others googling.

For anyone else experiencing forbidden issues with modsecurity and dav_svn, the following placed in modsecurity_crs_15_custom_rules.conf seems to have fixed the issues:

    # Modsecurity 2.7.2
    # Core ModSecurity Rule Set ver.2.2.7
    # Allow SVN through
    SecRule REQUEST_METHOD "@within PROPFIND PROPPATH PROPPATCH REPORT OPTIONS MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL" "chain,phase:1,id:111114,t:none,nolog,pass"
        SecRule REQUEST_HEADERS:User-Agent "@beginsWith SVN" "ctl:'ruleRemoveById=960010,960015,960032,960904'"

~Jeremy

--
Jeremy Brock
XtremeServices.Net
Xtreme Services, LLC
From: Ryan B. <RBa...@tr...> - 2013-02-19 20:39:50
On 2/19/13 3:26 PM, "Jeremy Brock" <jb...@xt...> wrote:

> Hi All,
>
> I had a client experiencing issues with the dav_svn / tortoise svn
> and I was unable to get around the modsecurity rules with locationmatch
> in the directives. I ended up using the following as a custom rule
> based on something I found while googling and it appears to have worked
> like a charm after slight modifications.
>
> I am not sure if a fix like this should be sent to the list, but I
> figured why not, it hopefully will be helpful for others googling.

First of all, thank you for sending this to the list. I have a feeling that most people internally add exceptions to handle issues rather than sharing with the group. This, in turn, makes it impossible for us to know what changes we could make to have the rule be more accurate.

> For anyone else experiencing forbidden issues with modsecurity and
> dav_svn the following placed in modsecurity_crs_15_custom_rules.conf
> seems to have fixed the issues :

What were the errors you were getting? Were they from the OWASP ModSecurity CRS? Was it this rule?

    # allow request methods
    #
    # TODO Most applications only use GET, HEAD, and POST request
    # methods. If that is not the case with your environment, you are advised
    # to edit the line or uncomment it.
    #
    SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

If so, then you can easily adjust your local "allowed HTTP request methods" by editing
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/modsecurity_crs_10_setup.conf.example

Change the following setvar for tx.allowed_methods to include those needed for SVN.

    #
    # Set the following policy settings here and they will be propagated to the 30 rules
    # file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
    # If you run into false positives, you can adjust the settings here.
    #
    SecAction \
      "id:'900012', \
      phase:1, \
      t:none, \
      setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
      setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
      setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
      setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
      setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
      nolog, \
      pass"

You can also adjust the tx.allowed_request_content_type regex as well.

-Ryan

> # Modsecurity 2.7.2
> # Core ModSecurity Rule Set ver.2.2.7
> # Allow SVN through
> SecRule REQUEST_METHOD "@within PROPFIND PROPPATH PROPPATCH REPORT
> OPTIONS MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL"
> "chain,phase:1,id:111114,t:none,nolog,pass"
> SecRule REQUEST_HEADERS:User-Agent "@beginsWith SVN"
> "ctl:'ruleRemoveById=960010,960015,960032,960904'"
> ~Jeremy
>
> --
> Jeremy Brock
> XtremeServices.Net
> Xtreme Services, LLC

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: Jeremy B. <jb...@xt...> - 2013-02-19 20:55:01
Hello Ryan,

You are correct: I had the following methods blocked: OPTIONS, CHECKOUT, PROPPATCH, PUT

Thank you for pointing me to the proper place to make the changes: modsecurity_crs_10_setup.conf!

Is it possible to only allow these extra Methods with respect to a directory location such as /svn using the modsecurity_crs_10_setup.conf?

~Jeremy

--
Jeremy Brock
XtremeServices.Net
Xtreme Services, LLC
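Jeremy's closing question (allowing the extra methods only under /svn) is left open in the thread. The following is an added example, not code from the thread or from the CRS project, showing one way to do it with the same per-transaction macro expansion Ryan describes. It assumes OWASP CRS 2.2.x file ordering (modsecurity_crs_15_custom_rules.conf loads after the 10_setup file and before the 30_http_policy file), that /svn/ is the dav_svn location, that SVN clients PUT file contents as application/vnd.svn-svndiff, and uses an arbitrary local rule id.

```apache
# Added example, not from the thread or the OWASP CRS project.
# Assumes OWASP CRS 2.2.x: SecAction 900012 in modsecurity_crs_10_setup.conf sets
# tx.allowed_methods and tx.allowed_request_content_type, and rules 960032 / 960010
# in modsecurity_crs_30_http_policy.conf compare the request against those
# variables by macro expansion when the transaction is processed. A phase-1 rule
# placed after 10_setup and before 30_http_policy (modsecurity_crs_15_custom_rules.conf
# loads in that position) can therefore overwrite the variables for one transaction
# only. Rule id 111115 is an arbitrary unused local id; /svn/ is the assumed
# dav_svn location.

# Widen the policy only for requests under /svn/ that come from an SVN client
# (Subversion and TortoiseSVN user agents start with "SVN"). Every other location
# keeps the global lists from 900012, so PROPFIND, PUT, DELETE and the rest remain
# blocked on the normal web site instead of being opened up server-wide.
SecRule REQUEST_URI "@beginsWith /svn/" \
    "chain,id:111115,phase:1,t:none,nolog,pass"
    SecRule REQUEST_HEADERS:User-Agent "@beginsWith SVN" \
        "setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PROPFIND PROPPATCH REPORT MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL', \
         setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|application/vnd.svn-svndiff', \
         ctl:ruleRemoveById=960015"
# Notes:
# - the method list is the one from Jeremy's rule; add LOCK and UNLOCK only if
#   clients use svn lock (assumption, not from the thread).
# - application/vnd.svn-svndiff is the body type SVN clients use for PUT
#   (assumption); text/xml for PROPFIND/REPORT is already in the CRS default.
# - ctl:ruleRemoveById is also per-transaction, so disabling 960015 (missing
#   Accept header) here affects only matching SVN requests. Keep only the ids
#   that actually appear in your audit log for these requests rather than the
#   whole list; with the two setvars above, 960032 and 960010 no longer need
#   removing.
```

After reloading, an SVN checkout against /svn/ should succeed while a PROPFIND against any other path still produces the 960032 "Method is not allowed by policy" entry in the audit log, which is the quickest way to confirm the scope is right.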