
Content-Type var fix ModSec v2 v3 900220 soap xml #1748

Closed
CRS-migration-bot opened this issue May 13, 2020 · 0 comments


Issue for tracking original pull request created by user franbuehler on date 2020-04-28 06:14:28.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#1748.

HEAD is: 1326250
BASE is: aa1ff69
This PR solves the following problem:

Problem description from slack channel:

Did you ever stumble over this FP on NGINX only?? It's not an nginx but a v3 problem. Thanks for clarifying this, Ervin.

curl -vH "Content-Type: application/soap+xml" -d **payload** localhost

2020/03/09 09:54:02 [info] 15590#15590: *1 ModSecurity: Warning. Matched "Operator Rx' with parameter ^application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss- (26 characters omitted)' against variable TX:0' (Value: application/soap+xml' ) [file "/.../rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "894"] [id "920420"] [rev ""] [msg "Request content type is not allowed by policy"] [data "application/soap+xml"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "127.0.0.1"] [uri "/"] [unique_id "158374764270.974560"] [ref "o0,20v82,20"], client: 127.0.0.1, server: localhost, request: "POST / HTTP/1.1", host: "localhost"

The variable in rule 901162 has to be ...|application/soap\+xml|... instead of application/soap+xml. For NGINX I have to escape the + sign.
For Apache this escape throws an error during Apache startup. This is a strange behaviour / difference of/between Apache/nginx.

Solution:
The solution to this problem is to use the @within operator instead of the @rx operator. This PR here makes all the changes to use the @within operator.

Thank you airween for your support and tests!

This PR will probably make a conflict with #1740. I think it would be good to merge this PR here first and then have a look at #1740 again.

This PR makes PR #1717 obsolete. I will close this PR. Thanks rsbrisci for your PR!
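The root cause quoted above is worth seeing side by side: an allow-list of media types used verbatim as an @rx pattern treats the `+` in `application/soap+xml` as a quantifier, so the literal type the client sends never matches and rule 920420 fires, while the same list consulted as a delimited @within haystack needs no escaping at all. The following Python script is an added illustration, not code from the PR or from the CRS project; the abbreviated allow-list, the `|`-delimited haystack modelled on ModSecurity's @within semantics, and the `media_type` helper (which mimics the rule's stripping of `; charset=...` parameters and lowercasing) are assumptions made for the example.

```python
import re

# Abbreviated allow-list in the form the original rule used as an @rx pattern.
# The '^' anchors only the first alternative and the '+' in soap+xml is a
# quantifier, exactly the two problems the PR description reports.
ALLOWED_RX = (
    r"^application/x-www-form-urlencoded|multipart/form-data|text/xml"
    r"|application/xml|application/soap+xml|application/json"
)

# The same list as an @within haystack: every entry is wrapped in '|' so a
# substring test can only hit whole entries. (Layout modelled on ModSecurity's
# @within operator; this is an assumption of the example, not the CRS file.)
ALLOWED_WITHIN = (
    "|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| "
    "|application/xml| |application/soap+xml| |application/json|"
)


def media_type(content_type: str) -> str:
    """Return the media type without parameters, lowercased.

    Mimics the capture the CRS rule performs before matching (assumption).
    """
    return content_type.split(";", 1)[0].strip().lower()


def allowed_by_rx(content_type: str, pattern: str = ALLOWED_RX) -> bool:
    """Allow-list check the way the buggy @rx rule evaluated it."""
    return re.search(pattern, media_type(content_type)) is not None


def allowed_by_within(content_type: str, haystack: str = ALLOWED_WITHIN) -> bool:
    """Allow-list check the way the @within rule evaluates it.

    The needle is delimited with '|' on both sides so that partial matches such
    as 'text/xmlfoo' or 'evil/text/xml' cannot satisfy the check.
    """
    needle = "|" + media_type(content_type) + "|"
    return needle in haystack


if __name__ == "__main__":
    # Constructed sample Content-Type values for the demonstration.
    samples = [
        "application/soap+xml",                 # the FP from the page
        "application/soap+xml; charset=utf-8",  # same, with a parameter
        "application/soapxml",                  # what the @rx really matched
        "application/json",
        "evil/text/xml",                        # unanchored alternative
    ]
    for ct in samples:
        print(f"{ct:40} rx={allowed_by_rx(ct)!s:5} within={allowed_by_within(ct)}")
```

Running the script shows the failure mode reported in the PR: the @rx variant rejects `application/soap+xml` but accepts `application/soapxml` (and anything containing `text/xml`), whereas the @within variant accepts only the exact, delimited entries. Because the haystack is consulted with a plain substring test rather than compiled as a regular expression, the `+` needs no escaping on either Apache or NGINX, which is the portability point the PR makes.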
