coreruleset / coreruleset

OWASP CRS (Official Repository)
https://coreruleset.org
Apache License 2.0

Rule 920420 False positive on Nextcloud with exclusion rules #3024

Closed MrCybertux closed 1 year ago

MrCybertux commented 1 year ago

Description

Some files fail to be uploaded via WebDAV. All .pdf, .exe, .msi and maybe even more file types get blocked. TXT, for example, is working. We use the CRS with the bunkerized nginx Docker container, latest version.

Audit Logs / Triggered Rule Numbers

The rules that get triggered are 920420 and later 949110.

bunkerized_front_1 | 2022/11/22 12:39:40 [warn] 163#163: *564 a client request body is buffered to a temporary file /tmp/client_temp/0000000007, client: XXX.XXX.XXX.XXX, server: nextcloud.example.net, request: "PUT /remote.php/dav/files/FBFF2B69-38DF-4500-9BB1-C1B05055A221/Vorlagen/DHL-Paketmarke.pdf HTTP/1.1", host: "nextcloud.example.net"

bunkerized_front_1 | 2022/11/22 12:39:49 [info] 163#163: *564 ModSecurity: Warning. Matched "Operator `Within' with parameter `|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| (174 characters omitted)' against variable `TX:content_type' (Value: `|application/pdf|' ) [file "/opt/bunkerized-nginx/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "937"] [id "920420"] [rev ""] [msg "Request content type is not allowed by policy"] [data "application/pdf"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "xxx.xxx.xxx.xxx"] [uri "/remote.php/dav/files/FBFF2B69-38DF-4500-9BB1-C1B05055A221/Vorlagen/DHL-Paketmarke.pdf"] [unique_id "166912078063.750267"] [ref "o0,15v180,15t:lowercase"], client: xxx.xxx.xxx.xxx, server: nextcloud.example.net, request: "PUT /remote.php/dav/files/FBFF2B69-38DF-4500-9BB1-C1B05055A221/Vorlagen/DHL-Paketmarke.pdf HTTP/1.1", host: "nextcloud.example.net"

bunkerized_front_1 | 2022/11/22 12:39:49 [error] 163#163: *564 [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/opt/bunkerized-nginx/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxx.xxx.xxx.xxx"] [uri "/remote.php/dav/files/FBFF2B69-38DF-4500-9BB1-C1B05055A221/Vorlagen/DHL-Paketmarke.pdf"] [unique_id "166912078063.750267"] [ref ""], client: XXX.XXX.XXX.XXX, server: nextcloud.example.net, request: "PUT /remote.php/dav/files/FBFF2B69-38DF-4500-9BB1-C1B05055A221/Vorlagen/DHL-Paketmarke.pdf HTTP/1.1", host: "nextcloud.example.net"

My CRS Setup is:

SecRequestBodyLimitAction ProcessPartial

# Tell CRS that we use Nextcloud so it can avoid some false positives
SecAction \
    "id:900130,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.crs_exclusions_nextcloud=1"

# Allow additional HTTP methods used with WebDAV (e.g., accessing NC through Microsoft Windows Explorer)
SecAction \
    "id:900200,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"

# Fix some WebDAV errors

SecRule REQUEST_METHOD "@pm PROPFIND PUT" \
    "id:9003106,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.4.0-dev',\
    chain"
    SecRule REQUEST_FILENAME "@rx /remote\.php/(?:webdav|dav/files)" \
        "t:none,\
        ctl:ruleRemoveById=921110"

Your Environment

Bunkerized NGINX 1.3.2

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

MrCybertux commented 1 year ago

Possible duplicate of #2973.

theseion commented 1 year ago

No, doesn't look related. Your issue is that application/pdf is not one of the allowed content types. You will have to set that in your configuration. See rule 901162 in REQUEST-901-INITIALIZATION.conf.

MrCybertux commented 1 year ago

I fixed the issue for me with this rule, but about the id part I am really unsure. @theseion maybe you can tell what the id value is all about and if this exclusion is weakening the security too much? If you or another experienced person says it is fine, the issue could be closed.

# Skip the content-type check (920420) for all Nextcloud WebDAV requests
SecRule REQUEST_URI "@beginsWith /remote.php/dav" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920420"

RedXanadu commented 1 year ago

@MrCybertux

Note:

You should consider updating to the latest version of CRS, which addresses some security vulnerabilities. You should also update your ModSecurity engine. More details here: https://github.com/coreruleset/coreruleset/releases/tag/v3.3.4

If your new rule works and you're happy with it then that's fine. It should cover you for the content type application/pdf and also any other content types that your users may need to upload.

The Nextcloud exclusion rules already address a very similar issue for file uploads of another content type, application/octet-stream:

# Allow the data type 'application/octet-stream'
SecRule REQUEST_METHOD "@pm PUT MOVE" \
    "id:9508115,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
    chain"
    SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
        "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"

If you wanted to restrict your rule exclusion to only add an allowance for the application/pdf content type then you could try using a rule like:

# Allow the data type 'application/pdf'
SecRule REQUEST_METHOD "@pm PUT MOVE" \
    "id:1000,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
        "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/pdf|'"

I'm going to close this issue, now, but feel free to reply again if you have any issues or further questions! Happy WAF-ing.