Vieri l33t
Joined: 18 Dec 2005 Posts: 877
Posted: Wed Dec 29, 2021 9:09 am Post subject: ModSecurity custom policy not applied
Hi,
I am getting critical errors such as this one:
Code:
ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|application/x-www-form-urlencoded|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "www.domain.org"] [uri "/app/portal/index.php"] [unique_id "YcwiFSjkeiMh1r7_EnMmgQAAAAE"], referer: http://www.domain.org/app/portal/index.php
However, here is how I configured modsecurity:
Code:
# tail -n 1 /usr/share/modsecurity-crs/crs-setup.conf
SecAction "id:900220, phase:1, nolog, pass, t:none, setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain|application/vnd.ms-sync.wbxml|message/rfc822'"
So, application/x-www-form-urlencoded is within the list.
Why do you think I am still getting these errors (which of course imply that client browsing is blocked)?
Regards,
Vieri
Vieri l33t
Joined: 18 Dec 2005 Posts: 877
Posted: Wed Dec 29, 2021 9:59 am Post subject:
I don't know if this is the right way to fix this, but now I'm not getting any modsecurity errors and client access issues with this config:
Code:
SecAction "id:900220, phase:1, nolog, pass, t:none, setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain|application/vnd.ms-sync.wbxml|message/rfc822|'"
So I guess that the | must be both at the beginning and the end...
Not 100% sure though.
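The behaviour seen in the two posts above, as an added example that is not part of the thread or of the CRS: a Python emulation of `@within` as a plain substring test, applied to the pipe-wrapped value shown in the log's `[data "|...|"]` field. The function names, the media-type regex and the lowercasing step are assumptions made for this illustration. It shows that without the outer pipes only the first and last list entries fail.

```python
import re

# Media types from the thread's setvar, in the same order.
MEDIA_TYPES = [
    "application/x-www-form-urlencoded", "multipart/form-data", "text/xml",
    "application/xml", "application/soap+xml", "application/x-amf",
    "application/json", "application/octet-stream", "application/csp-report",
    "application/xss-auditor-report", "text/plain",
    "application/vnd.ms-sync.wbxml", "message/rfc822",
]
LIST_FIRST_POST = "|".join(MEDIA_TYPES)           # no outer pipes
LIST_SECOND_POST = "|" + LIST_FIRST_POST + "|"    # outer pipes added


def within(value, parameter):
    """Emulate @within: true when value occurs anywhere inside parameter."""
    return value in parameter


def tx_content_type(header):
    """Value compared by the rule: media type only, lowercased, wrapped in
    pipes, matching the log's [data "|...|"]. The regex is an assumption."""
    m = re.match(r"[^;\s]+", header)
    return "|" + m.group(0).lower() + "|" if m else None


def rule_fires(header, allowed):
    """True when the emulated "!@within" check would raise the 920420 warning."""
    value = tx_content_type(header)
    return value is not None and not within(value, allowed)


def rejected(allowed):
    """Listed media types that the emulated check would still reject."""
    return [t for t in MEDIA_TYPES if rule_fires(t, allowed)]


if __name__ == "__main__":
    print("first post list rejects: ", rejected(LIST_FIRST_POST))
    print("second post list rejects:", rejected(LIST_SECOND_POST))
    # The pipe wrapping also stops a partial type from passing as a substring.
    print("partial 'text/xm' rejected:", rule_fires("text/xm", LIST_SECOND_POST))
```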