Discussion:
Allowing z-push
Arthur Dent
2010-11-13 15:10:18 UTC
Hello all,

I am not really a network guy. I have a small home server running Fedora
13. As well as hosting my small family web site it is also a mail server
running Procmail, Spamassassin, Dovecot and Squirrelmail.

I also have an iPhone.

I was thrilled, recently, to discover an application called z-push which
allows me to "push" emails from my server to my iPhone. It uses a php
script running php-imap on the server to spoof
Microsoft-Server-ActiveSync. It works brilliantly with Mod_security
disabled. ModSec however blocks it. I have tried creating a local rule
in modsecurity_localrules.conf but I couldn't get it quite right - plus
I was not sure what the safest way to allow this access would be without
opening up the server too much...

I get two types of report in the console:


METHOD: POST URI: /Microsoft-Server-ActiveSync
1) Request content type is not allowed by policy 2) Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy

and

METHOD: OPTIONS URI: /Microsoft-Server-ActiveSync
Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required.

The second of those, obviously, is actually blocked. It is blocked by a
rule which I put into my local rules having worked through Magnus
Mischel's book.

This is the rule in question:
# Rule to block non-standard methods (See Modsec book p50)
SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"


Please see below the detail for the denial. How can I craft a safe rule
to allow this through?

Thanks in advance....

Mark


--fa24db00-B--
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Host: mydomain.example.com
Content-Length: 0
User-Agent: Apple-iPhone2C1/802.117
X-Ms-Policykey: 0
Authorization: Basic bWFyazppbEhhYWRIUA==
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive

--fa24db00-F--
HTTP/1.1 405 Method Not Allowed
Allow: TRACE
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

--fa24db00-H--
Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1289655765198610 1406 (534 728 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.16 (Fedora)

--fa24db00-Z--
Arthur Dent
2010-11-13 15:44:37 UTC
Replying to my own message...

Looking closer, I have modified this rule to read:
SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "deny,status:405"

Is that safe?

It now results in this however:
--e00ab306-H--
Message: Match of "within %{tx.allowed_request_content_type}" against "TX:0" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/vnd.ms-sync.wbxml"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy"]
Apache-Handler: php5-script
Stopwatch: 1289661517966736 246643 (536 11498 -)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.16 (Fedora)
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Rcbarnett
2010-11-13 15:58:20 UTC
You need to add the z-push content-type (application/vnd.ms-sync.wbxml) to the allowed content-type list in the 10 config file.

--
Ryan Barnett
Arthur Dent
2010-11-13 16:51:29 UTC
Post by Rcbarnett
You need to add the z-push content-type (application/vnd.ms-sync.wbxml) to the allowed content-type list in the 10 config file.
I think that's done it, Ryan. Thank you...

Just to be certain (I don't fully understand this) my
modsecurity_crs_10_config.conf file now looks like this:


SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf/application/vnd.ms-sync.wbxml', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"

Is that right - or have I got the syntax wrong?

Cheers!

Mark
Ryan Barnett
2010-11-13 16:59:22 UTC
I would put a space before your new entry for readability's sake, but this would still work.

--
Ryan Barnett
Arthur Dent
2010-11-13 17:03:10 UTC
Post by Ryan Barnett
I would put a space before your new entry for readability sake but this would still work.
Done!

Thanks again. Your help is much appreciated...

Mark
Ryan Barnett
2010-11-13 15:54:49 UTC
Since you don't have a rule ID for your rule, you could add the following rule right before it. It will check the URL and request method and if it is for z-push it will then skip the existing rule that is blocking it.
# Rule to allow z-push method. skip only counts rules in the same phase, and the
# blocking rule below has no phase: action, so it runs in phase 2; both must match.
SecRule REQUEST_FILENAME "/Microsoft-Server-ActiveSync" "chain,phase:2,t:none,pass,nolog,skip:1"
SecRule REQUEST_METHOD "^OPTIONS$"
# Rule to block non-standard methods (See Modsec book p50)
SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "deny,status:405"
--
Ryan Barnett
Tim
2010-12-01 18:39:34 UTC
Post by Arthur Dent
METHOD: POST URI: /Microsoft-Server-ActiveSync
1) Request content type is not allowed by policy 2) Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Request content type is not allowed by policy
This is a false positive. Search for the "id=" of this rule in your ruleset and
disable the rule with the following command in your Apache config.

SecRuleRemoveById 950004 (950004 is an example ID)
Post by Arthur Dent
METHOD: OPTIONS URI: /Microsoft-Server-ActiveSync
Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$"
against "REQUEST_METHOD" required.
ActiveSync also uses the "OPTIONS" method, but normally this is unwanted on a
web server. So the default ruleset of mod_security only allows "GET", "POST" or
"HEAD" as the request method.

You can rewrite the rule in the default ruleset (the quick but dirty way):

# Rule to block non-standard methods (See Modsec book p50)
SecRule REQUEST_METHOD "!^(GET|POST|HEAD|OPTIONS)$" "deny,status:405"


Best regards and good luck

Tim
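As an added example (my own code, not from the thread or the ModSecurity project), the Python below parses the -H- section of a ModSecurity 2.x audit entry to pull out the rule id, file and line of each match, flags the local rule that has no id (Ryan's point about needing the skip:1 chain, and Tim's "search the id="), and emulates the @within test behind rule 960010 so you can see why Arthur's unspaced content-type list still works, as Ryan says, and what else it accepts. The function names and the joined sample section are my own; the log lines are the ones quoted in this thread.

```python
import re

# One [key "value"] attribute, as ModSecurity 2.x writes them in audit section H
_ATTR = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample: the two 'Message:' lines quoted in this thread, joined into
# one section for the example (on the real server they came from two entries).
SAMPLE_H = '''--e00ab306-H--
Message: Match of "within %{tx.allowed_request_content_type}" against "TX:0" required. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/vnd.ms-sync.wbxml"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"]
Message: Access denied with code 405 (phase 2). Match of "rx ^(GET|POST|HEAD)$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "20"]
Action: Intercepted (phase 2)
'''

# Arthur's list exactly as posted (no space before the new entry) and with the
# space Ryan suggested.
UNSPACED = ("application/x-www-form-urlencoded multipart/form-data text/xml "
            "application/xml application/x-amf/application/vnd.ms-sync.wbxml")
SPACED = ("application/x-www-form-urlencoded multipart/form-data text/xml "
          "application/xml application/x-amf application/vnd.ms-sync.wbxml")


def parse_h_section(text):
    """One dict per 'Message:' line: the free text plus its [key "value"] attributes.

    'id' stays None for a rule written without an id: action (the local method
    rule in the thread), which is why SecRuleRemoveById cannot target it.
    """
    matches = []
    for line in text.splitlines():
        if not line.startswith("Message: "):
            continue
        body = line[len("Message: "):]
        info = {"text": body.split(" [", 1)[0], "id": None, "file": None,
                "line": None, "msg": None, "data": None, "tags": []}
        for key, value in _ATTR.findall(body):
            if key == "tag":
                info["tags"].append(value)
            elif key in info:
                info[key] = value
        matches.append(info)
    return matches


def rules_without_id(matches):
    """(file, line) of each matched rule that has no id and so can only be
    reached by position, e.g. with the skip:1 chain Ryan posted."""
    return [(m["file"], m["line"]) for m in matches if m["id"] is None]


def content_type_allowed(content_type, allowed_list):
    """Emulate CRS rule 960010 as logged above: keep the media type before any
    ';' parameter and apply @within, which is a plain substring search of that
    value inside tx.allowed_request_content_type (no token boundaries)."""
    media_type = content_type.split(";", 1)[0].strip()
    return media_type in allowed_list
```

Because @within is a substring test, the unspaced list also accepts a media type such as application/x-amf/application, which the spaced list does not; later CRS releases wrap each entry in | delimiters to close exactly this kind of partial match.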
