modsecurity

All about webserver configurations, PHP and databases.

Moderator: Thorsten

conectas
Posts: 3
Joined: Fri Jun 15, 2007 4:10 pm

modsecurity

Post by conectas »

Hello,

Config:
fedora 6 / Apache/2.2.4 / PHP 5.1.6 (cli)
after update from 1.6.12 -> 2.0.1

Problem: admin area -> Configuration

General configuration
Method Not Implemented
POST to /admin/index.php not supported.

Article configuration and spam protection configuration likewise
(by the way, if you click "save configuration" now, it is lost forever)

I have already localized the problem so far: mod_security, to be exact. httpd loads, under

/etc/httpd/conf.d/mod_security.conf

Include modsecurity.d/modsecurity_crs_10_config.conf

If I comment that line out everything is okay. Now, I'm not really fluent in mod_sec.. but rather than just tinkering around, I'll post my conf; maybe someone notices something or has an idea ;-)

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2097152
SecServerSignature "Apache/2.2.0 (Fedora)"
SecUploadDir /tmp
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^[45]"
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
# Specifies which character to use as separator for
# application/x-www-form-urlencoded content.
# Defaults to "&". Applications are sometimes (very rarely) written to use
# a semicolon (";").
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3
SecDataDir /tmp
SecTmpDir /tmp

It's probably about the line in bold, judging by the error message that goes with it
sorry, here comes a big chunk..

[Fri Jun 15 17:29:36 2007] [error] [client 87.160.185.103] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faqhowto.conectas.net"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=main"] [unique_id "g8yvtn8AAAEAAC5FOHMAAAAE"]
[Fri Jun 15 17:29:36 2007] [error] [client 87.160.185.103] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faqhowto.conectas.net"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=records"] [unique_id "g8z-jH8AAAEAAC5ENwEAAAAD"]
[Fri Jun 15 17:29:36 2007] [error] [client 87.160.185.103] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faqhowto.conectas.net"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=spam"] [unique_id "g859LH8AAAEAAC5GOlAAAAAF"]

hoping for an idea
CU
conectas
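A quick way to triage entries like the three above before touching any rule is to parse the bracketed fields out of each error_log line and group the denials by rule id and client. The following Python is an added example for this thread, not code from phpMyFAQ or ModSecurity; the log lines it parses are constructed to mirror the format above, with placeholder IP addresses, hostname and unique_id values and a made-up second rule id (999001). One rule hitting three distinct admin URIs from one client in the same second points at an application feature tripping the rule rather than at hostile traffic, which is exactly the pattern in the post.

```python
import re

# Constructed sample lines modelled on the error_log entries in the thread. The client
# IPs (RFC 5737 documentation ranges), hostname, unique_id values and rule 999001 are
# placeholders, not values taken from the post.
SAMPLE_LOG = """\
[Fri Jun 15 17:29:36 2007] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faq.example.org"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=main"] [unique_id "EXAMPLE-ID-1"]
[Fri Jun 15 17:29:36 2007] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faq.example.org"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=records"] [unique_id "EXAMPLE-ID-2"]
[Fri Jun 15 17:29:36 2007] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faq.example.org"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=spam"] [unique_id "EXAMPLE-ID-3"]
[Fri Jun 15 17:31:02 2007] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:q. [id "999001"] [msg "Constructed example rule"] [severity "CRITICAL"] [hostname "faq.example.org"] [uri "/index.php"] [unique_id "EXAMPLE-ID-4"]
"""

# Fixed prefix of an Apache 2.2 error_log line written by ModSecurity 2.x
PREFIX_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] ModSecurity: '
)
# "Access denied with code 501 (phase 1)" -> status and phase
CODE_RE = re.compile(r'Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)')
# Trailing metadata fields: [id "960010"] [msg "..."] [uri "..."] ...
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_error_line(line):
    """Turn one ModSecurity error_log line into a dict, or None if it is not one."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "client": m.group("client")}
    code = CODE_RE.search(line)
    rec["status"] = int(code.group("status")) if code else None
    rec["phase"] = int(code.group("phase")) if code else None
    # Every [key "value"] pair becomes a field; id, msg and uri are the ones triage needs
    for key, value in FIELD_RE.findall(line):
        rec[key] = value
    return rec


def summarize(log_text):
    """Group denials by (rule id, client) and collect the distinct URIs each pair hit."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_modsec_error_line(line)
        if rec is None or "id" not in rec:
            continue
        key = (rec["id"], rec["client"])
        info = hits.setdefault(
            key, {"count": 0, "uris": set(), "msg": rec.get("msg", ""), "status": rec["status"]}
        )
        info["count"] += 1
        info["uris"].add(rec.get("uri", ""))
    for info in hits.values():
        info["uris"] = sorted(info["uris"])   # deterministic order for reporting
    return hits


if __name__ == "__main__":
    for (rule_id, client), info in summarize(SAMPLE_LOG).items():
        print(f'rule {rule_id} ({info["msg"]}) status {info["status"]}: '
              f'{info["count"]} denials for {client} on {len(info["uris"])} URIs')
        for uri in info["uris"]:
            print("   ", uri)
```

The same grouping works on a real error_log fed in via `open(...).read()`; a rule that shows up only on the same handful of application URIs, for every visitor, is the one to look at for a false positive.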
Thorsten
Posts: 15562
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

then just configure mod_security correctly.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
conectas
Posts: 3
Joined: Fri Jun 15, 2007 4:10 pm

RE

Post by conectas »

Hello,

> then just configure mod_security correctly

well, that doesn't really help.. What is correct?
That's the RH or FC6 default conf; in general it is correct. Which doesn't help either..
No, seriously, I've already googled around - since the topic is quite complex, you get a phone book back.. without a plan or a starting point that means working deeply into a (new) subject only to change 2 characters in the end. (purely a question of time)

Since this problem affects every RH or FC user.. question to the forum.

What is correct?

CU
Stefan (conectas)
matteo
Posts: 572
Joined: Sun Nov 20, 2005 6:53 pm
Location: Italy

Re: modsecurity

Post by matteo »

Hi,
conectas wrote:
> SecArgumentSeparator "&"
>
> It's probably about the line in bold, judging by the error message that goes with it
> sorry, here comes a big chunk..
>
> [Fri Jun 15 17:29:36 2007] [error] [client 87.160.185.103] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faqhowto.conectas.net"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=main"] [unique_id "g8yvtn8AAAEAAC5FOHMAAAAE"]
> [Fri Jun 15 17:29:36 2007] [error] [client 87.160.185.103] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faqhowto.conectas.net"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=records"] [unique_id "g8z-jH8AAAEAAC5ENwEAAAAD"]
> [Fri Jun 15 17:29:36 2007] [error] [client 87.160.185.103] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faqhowto.conectas.net"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=spam"] [unique_id "g859LH8AAAEAAC5GOlAAAAAF"]
the issue is not related to any malformed encoding, but it is a warning claiming an incorrect Content-Type header in our AJAX response when viewing the PMF configuration page, where no HTTP POST is used and the body returned is plain HTML.
I'll look at that rule to identify whether it could be a false positive or an issue in the PMF code when setting both the mime type and the charset of the response.
For clarity's sake, the mod_security RPM package is in EXTRAS and not in BASE. Because the ruleset is always under review (see the mod_security list), have you already tried the new RPM package, mod_security-2.1.1-1?

Ciao,
Matteo

PS: sorry, but I cannot write in German; unfortunately I'm in need of the Google translation service.
phpMyFAQ QA / Developer
conectas
Posts: 3
Joined: Fri Jun 15, 2007 4:10 pm

Post by conectas »

Hey,

sorry but I cannot write in English ;-)
(babelfish.altavista)

Update:
Package: mod_security
Version: 2.1.1-1.fc6
Architecture: x86_64  Installed 20/Jun./2007 20:56

it doesn't get any better, the problem still exists

Log from 20.06.2007 21:00

[Wed Jun 20 21:01:22 2007] [error] [client 84.190.14.52] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faqhowto.conectas.net"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=main"] [unique_id "DlSqjX8AAAEAAGhMcPUAAAAB"]
[Wed Jun 20 21:01:22 2007] [error] [client 84.190.14.52] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faqhowto.conectas.net"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=records"] [unique_id "DlTfP38AAAEAAGhNclcAAAAC"]
[Wed Jun 20 21:01:22 2007] [error] [client 84.190.14.52] ModSecurity: Access denied with code 501 (phase 1). Match of "rx (?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content encoding is not allowed by policy"] [severity "WARNING"] [hostname "faqhowto.conectas.net"] [uri "/admin/index.php?action=ajax&ajax=config_list&conf=spam"] [unique_id "DlZe038AAAEAAGhOdB8AAAAD"]

Hmmm

CU
conectas
matteo
Posts: 572
Joined: Sun Nov 20, 2005 6:53 pm
Location: Italy

Post by matteo »

Hi,
conectas wrote:
> sorry but I cannot write in English ;-)
> (babelfish.altavista)
>
> Update:
> Package: mod_security
> Version: 2.1.1-1.fc6
> Architecture: x86_64  Installed 20/Jun./2007 20:56
>
> it doesn't get any better, the problem still exists
thanks for testing the new RPM: I'll set up a FC6 server in a VMware environment and investigate both the rule and the code.
I'll keep you updated through this thread.

Thanks for your testing and bringing the issue to our attention,
Matteo
phpMyFAQ QA / Developer
matteo
Posts: 572
Joined: Sun Nov 20, 2005 6:53 pm
Location: Italy

Post by matteo »

Hi,
I'm looking at rule 960010 in the modsecurity_crs_30_http_policy.conf of the latest ruleset modsecurity-core-rules_2.1-1.4.tar.gz, downloaded from the mod_security website, which is:


# Restrict which content-types we accept.
#
# TODO Most applications support only two types for request bodies
#      because that is all browsers know how to produce. If you are using
#      automated tools to talk to the application you may be using other
#      content types and would want to change the list of supported types.
#
#      Note though that ModSecurity parses only three content types:
#      application/x-www-form-urlencoded, multipart/form-data request and 
#      text/xml. The protection provided for any other type is inferior.
#
# TODO There are many applications that are not using multipart/form-data
#      types (typically only used for file uploads). This content type
#      can be disabled if not used.  
#
# NOTE We allow any content type to be specified with GET or HEAD
#      because some tools incorrectly supply content type information
#      even when the body is not present. There is a rule further in
#      the file to prevent GET and HEAD requests to have bodies to we're
#      safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
#      applications running on the PocketPC and AvantGo platforms use
#      non-standard content types:
#
#      M-Business iAnywhere      application/x-mal-client-data
#      UltraLite iAnywhere       application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
    "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',,id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)?$|multipart/form-data;)|text/xml)"

that is to say, different from the one in your log. Could you kindly update the ruleset, restart Apache and then try again?
I guess it could also be a false positive against the Prototype library, used as the JS framework for our AJAX interactions. If this turns out to be the case, I'll contact the ruleset's authors to submit a patch for rule #960010.

Thanks in advance,
Matteo
phpMyFAQ QA / Developer
matteo
Posts: 572
Joined: Sun Nov 20, 2005 6:53 pm
Location: Italy

Post by matteo »

Hi,
I can confirm that the issue is linked to the Prototype library, precisely to the Ajax.Updater object which is used in [PATH_TO_PMF_INSTALL]/admin/configuration.php: by default that object makes an HTTP POST request using application/x-www-form-urlencoded as Content-Type and UTF-8 as encoding.
Let me know the result of your test, to save me the time of building a FC6 server ;): I guess the latest ruleset fixes it 'cause now they've added a match for the charset declaration.

To mitigate the issue with rule #960010 you can change the JS function getConfigList() to read:


...
function getConfigList()
{
    var ajax = new Ajax.Updater('configMain', 'index.php?action=ajax&ajax=config_list&conf=main', {method: 'get'});
    var ajax = new Ajax.Updater('configRecords', 'index.php?action=ajax&ajax=config_list&conf=records', {method: 'get'});
    var ajax = new Ajax.Updater('configSpam', 'index.php?action=ajax&ajax=config_list&conf=spam', {method: 'get'});
}
...

which forces the use of HTTP GET, so rule #960010 will not be triggered.

I'll decide how to proceed (a. rule fix, b. PMF fix, c. both) after your tests.

Ciao,
Matteo
phpMyFAQ QA / Developer
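To see why the older rule in the error log denied the Prototype request while the rewritten rule from modsecurity-core-rules_2.1-1.4 lets it through, the two Content-Type regexes from this thread can be evaluated against sample request headers. The Python below is an added example, not phpMyFAQ or Core Rules code: the two regexes are copied from the log line and from the rule quoted earlier in the thread, the chain logic (deny only when the method is not get/head/propfind/options after lowercasing AND the Content-Type fails the allow-list, since both SecRules are negated with "!") follows the two SecRule lines, and the sample requests are constructed. Treating a request that carries no Content-Type header as not evaluated by the rule is an assumption of the example.

```python
import re

# Operator of rule 960010 as it appears in the error_log quoted in the thread (older ruleset).
OLD_960010 = re.compile(
    r"(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)"
)
# Operator of the rewritten rule 960010 quoted from modsecurity-core-rules_2.1-1.4:
# an optional ";charset=..." parameter is now accepted after the urlencoded type.
NEW_960010 = re.compile(
    r"(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)?$"
    r"|multipart/form-data;)|text/xml)"
)
# First link of the chain: for these methods any Content-Type is tolerated
# (the rule applies t:lowercase to REQUEST_METHOD before matching).
SAFE_METHODS = re.compile(r"^(?:get|head|propfind|options)$")


def rule_960010_denies(method, content_type, operator=NEW_960010):
    """True when the chained rule would deny the request with status 501.

    Both SecRules are negated, so the chain fires only when the method is NOT one
    of SAFE_METHODS and the Content-Type does NOT match the allow-list regex.
    """
    if SAFE_METHODS.search(method.lower()):
        return False
    if content_type is None:
        # Assumption of this example: with the header absent the rule has no
        # variable to inspect and therefore does not fire.
        return False
    return operator.search(content_type) is None


def compare(method, content_type):
    """Return (old_rule_denies, new_rule_denies) for one request."""
    return (
        rule_960010_denies(method, content_type, OLD_960010),
        rule_960010_denies(method, content_type, NEW_960010),
    )


# Constructed requests. The second is what Prototype's Ajax.Updater sends by default;
# the third is the same request after the getConfigList() change to method 'get'.
CASES = [
    ("POST", "application/x-www-form-urlencoded"),
    ("POST", "application/x-www-form-urlencoded; charset=UTF-8"),
    ("GET", "application/x-www-form-urlencoded; charset=UTF-8"),
    ("POST", "multipart/form-data; boundary=----constructed"),
    ("POST", "text/xml; charset=utf-8"),
    ("POST", "application/json"),
]

if __name__ == "__main__":
    for method, ct in CASES:
        old, new = compare(method, ct)
        print(f"{method:5} {ct:52} old rule: {'DENY' if old else 'pass':4}  "
              f"new rule: {'DENY' if new else 'pass'}")
```

The last case is worth noting: a JSON body is denied by both versions of the rule, which is what the TODO comment inside the rule itself warns about for non-browser clients, so a site that later adds such an endpoint has to extend the allow-list rather than rely on the charset fix.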
matteo
Posts: 572
Joined: Sun Nov 20, 2005 6:53 pm
Location: Italy

Post by matteo »

Hi all,
matteo wrote:
> I'll decide how to proceed (a. rule fix, b. PMF fix, c. both) after your tests.

FYI I've already decided:
  1. I've found the official reference for WHEN the rule was fixed: read it here;
  2. the enhancement for getConfigList() has been committed into CVS even though the issue was due to the broken rule.
Ciao,
Matteo
phpMyFAQ QA / Developer