Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

ModSecurity custom policy not applied
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo
View previous topic :: View next topic  
Author Message
Vieri
l33t
l33t


Joined: 18 Dec 2005
Posts: 877
PostPosted: Wed Dec 29, 2021 9:09 am    Post subject: ModSecurity custom policy not applied Reply with quote
Hi,

I am getting critical errors such as this one:

Code:
ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|application/x-www-form-urlencoded|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "www.domain.org"] [uri "/app/portal/index.php"] [unique_id "YcwiFSjkeiMh1r7_EnMmgQAAAAE"], referer: http://www.domain.org/app/portal/index.php


However, here is how I configured modsecurity:

Code:
# tail -n 1 /usr/share/modsecurity-crs/crs-setup.conf
SecAction "id:900220, phase:1, nolog, pass, t:none, setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain|application/vnd.ms-sync.wbxml|message/rfc822'"


So, application/x-www-form-urlencoded is within the list.

Why do you think I am still getting these errors (which of course imply that client browsing is blocked)?

Regards,

Vieri
Back to top
View user's profile Send private message
Vieri
l33t
l33t


Joined: 18 Dec 2005
Posts: 877
PostPosted: Wed Dec 29, 2021 9:59 am    Post subject: Reply with quote
I don't know if this is the right way to fix this, but now I'm not getting any modsecurity errors and client access issues with this config:

Code:
SecAction "id:900220, phase:1, nolog, pass, t:none, setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain|application/vnd.ms-sync.wbxml|message/rfc822|'"


So I guess that the | must be both at the beginning and the end...

Not 100% sure though.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy