Shakitko, Ilia
2018-07-06 14:53:31 UTC
Hi ModSecurity CRS Mailing List members,
I am running into an issue with CI for my GitLab. After enabling mod_security (crs-3.0.0), I've got a few errors, and the latest one I am not able to resolve: it relates to the request content type (application/x-git-upload-pack-request) not being allowed by policy. I found two places where I can add an exception to allow content types, but enabling this doesn't work -> please see the log below.
Files:
/usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf
and
/usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-901-INITIALIZATION.conf
Result is still:
ModSecurity: Warning. Matched "Operator Rx' with parameter^application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/x-git-upload-pack-request'$' against variable TX:0' (Value:application/x-git-upload-pack-request' ) [file "/usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "911"] [id "920420"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/x-git-upload-pack-request"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "23.100.14.202"] [uri "/ilia.shakitko/pass357.git/git-upload-pack"] [unique_id "153088618260.910992"] [ref "v0,4o0,37o0,37v232,37"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter5' against variable TX:ANOMALY_SCORE' (Value:5' ) [file "/usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "23.100.14.202"] [uri "/ilia.shakitko/pass357.git/git-upload-pack"] [unique_id "153088618260.910992"] [ref ""]
What am I doing wrong? And how do I win the challenge? It looks like the changes I made should just work…
Thank you in advance.
Met vriendelijke groet / With kind regards,
Ilia Shakitko
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________
www.accenture.com
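An added example, not code from the post or from the OWASP CRS project, that re-implements the content-type check the log line above reports (rule 920420 in CRS 3.0.0: the media-type token is captured from Content-Type, lowercased, and tested against the regex `^%{tx.allowed_request_content_type}$`, negated). The capture/lowercase step is my understanding of the rule; the regex form and the default list are taken from the "with parameter" text in the log. It also encodes one reading of that log line: the effective regex ends in `request'$` while the tested value is `application/x-git-upload-pack-request`, which suggests a stray single quote became part of the variable value. That is an inference from the log, not something the post confirms, and the `EXTENDED_WITH_STRAY_QUOTE` constant is a constructed reproduction of it.

```python
import re

# Default value of tx.allowed_request_content_type in CRS 3.0.0, copied from
# the "with parameter" text of the log line in the post (minus the git type
# the poster appended).
DEFAULT_ALLOWED = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml|"
    "application/xml|application/x-amf|application/json|text/plain"
)

GIT_UPLOAD_PACK = "application/x-git-upload-pack-request"

# The intended extension: one more pipe-separated alternative, no quotes.
EXTENDED_ALLOWED = DEFAULT_ALLOWED + "|" + GIT_UPLOAD_PACK

# Constructed reproduction of what the post's log line shows as the effective
# operator parameter: the alternative list ends in request'$ , i.e. a stray
# single quote is part of the variable value (inference from the log).
EXTENDED_WITH_STRAY_QUOTE = DEFAULT_ALLOWED + "|" + GIT_UPLOAD_PACK + "'"


def content_type_token(header_value):
    """First rule of the chain (as I read 920420): capture ^([^;\\s]+) from
    Content-Type, i.e. the media type before any ';' parameter, lowercased."""
    m = re.match(r"^([^;\s]+)", header_value)
    return m.group(1).lower() if m else None


def allowed_by_policy(header_value, allowed=DEFAULT_ALLOWED):
    """Second rule of the chain: the token must match ^<allowed>$ ; if it does
    not, 920420 fires and adds to the anomaly score (the log line's outcome).

    @rx is an unanchored search, so in ^a|b|c$ only the first and last
    alternatives are anchored. That is a property of the regex form shown in
    the log, demonstrated by allowed_by_policy("x-application/json-x")."""
    token = content_type_token(header_value)
    if token is None:
        # First rule did not match, so the chain never reaches the policy check.
        return True
    return re.search("^" + allowed + "$", token) is not None


def explain(header_value, allowed=DEFAULT_ALLOWED):
    """Same verdict, phrased like the post's log line, for quick comparison."""
    token = content_type_token(header_value)
    if allowed_by_policy(header_value, allowed):
        return "pass: %s" % token
    return 'id "920420" msg "Request content type is not allowed by policy" data "%s"' % token


if __name__ == "__main__":
    for label, allowed in (("default", DEFAULT_ALLOWED),
                           ("extended", EXTENDED_ALLOWED),
                           ("extended with stray quote", EXTENDED_WITH_STRAY_QUOTE)):
        print(label + ":", explain(GIT_UPLOAD_PACK, allowed))
    # Correct form of the crs-setup.conf override for CRS 3.0.0 (rule 900220 in
    # that file; shown here as a comment, it is config, not Python):
    #   setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/x-git-upload-pack-request'
    # The whole value sits inside one pair of single quotes; no quote belongs
    # inside the pipe-separated list.
```

Two practical checks follow from this. First, put the extension in crs-setup.conf (the 900220 SecAction) rather than in REQUEST-901-INITIALIZATION.conf: the rule there only supplies the default when `tx.allowed_request_content_type` is still unset, so it is the wrong place to edit, and a value containing an extra `'` will still fail to match even if the new type is present, exactly as the third case above does. After reloading, re-read the "with parameter" text in the next 920420 log entry and confirm it ends in `request$`, not `request'$`. Second, the `^a|b|c$` form leaves the middle alternatives unanchored, so a token like `x-application/json-x` passes this regex; newer CRS releases replaced the regex with an `@within` check for that reason, which is worth knowing before relying on this rule as a strict allow-list on 3.0.0.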