coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0

Nextcloud: calDAV: false positive #63

Closed YeapGuy closed 3 months ago

YeapGuy commented 5 months ago

Description

An iPhone trying to PUT to Nextcloud's calDAV service will be blocked by CRS.

Logs

[error] 97548#97548: *156197 [client xxx] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "xxx"] [uri "/remote.php/caldav/calendars/xxx/xxx/xxx.ics"] [unique_id "171045623486.423063"] [ref ""], client: xxx, server: xxx, request: "PUT /remote.php/caldav/calendars/xxx/xxx/xxx.ics HTTP/1.1", host: "xxx"

Your Environment

Confirmation

[ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

EsadCetiner commented 5 months ago

@YeapGuy Have you tried using the Nextcloud rule exclusions plugin? The plugin should cover most false positives that you encounter with Nextcloud.

YeapGuy commented 5 months ago

Yes, I am using that

YeapGuy commented 5 months ago

Oh, I just realised... it has its own repository 😄 Should I report there instead?

EsadCetiner commented 5 months ago

I can transfer the issue if you want, then I'll take a look at the issue in a few hours.

EsadCetiner commented 5 months ago

@YeapGuy I just noticed that the log you've provided is incomplete, it only shows the anomaly scoring rule and not the rules that led to an anomaly score of 5. ModSecurity on Nginx doesn't log the rules that led to an anomaly score of 5 by default to the error log. You'll have to either enable info level error logging in nginx or search your modsecurity audit log (usually /var/log/modsec_audit.log) using this ID 171045623486.423063.
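The audit-log search suggested above, as an added example that is not part of the plugin or of the issue thread. The script assumes the libmodsecurity (v3) serial audit log format that the nginx connector writes: each transaction is a run of sections delimited by `---<boundary>---<letter>--` lines, section A carrying the timestamp and the unique_id, section B the request line and headers, and section H the per-rule messages in the same `[key "value"]` layout as the error-log line quoted in the report. The sample log embedded below is constructed for the example (the real audit entry for this issue was never posted); the rule it shows firing is modelled on the CRS Content-Type policy rule and is an illustration, not a finding from the thread.

```python
"""Pull the rules that fed an anomaly score out of a ModSecurity v3 serial
audit log, given the unique_id printed in the nginx error-log entry.

Added example, not the plugin's code. Assumes the libmodsecurity serial
audit log layout (sections A/B/H per transaction); the sample log is
constructed, and the rule shown in it is illustrative.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$")
# Matches the [file "..."] [id "..."] [msg "..."] [tag "..."] fields.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# CRS default anomaly points per libmodsecurity numeric severity
# (2 = CRITICAL, 3 = ERROR, 4 = WARNING, 5 = NOTICE).
SEVERITY_SCORE = {"2": 5, "3": 4, "4": 3, "5": 2}

# Constructed sample: one CalDAV PUT with a text/calendar body.
SAMPLE_AUDIT_LOG = """\
---kX3mP2aQ---A--
[14/Mar/2024:21:23:54 +0000] 171045623486.423063 203.0.113.10 51234 198.51.100.5 443
---kX3mP2aQ---B--
PUT /remote.php/caldav/calendars/xxx/xxx/xxx.ics HTTP/1.1
Host: xxx
User-Agent: iOS/17.3 (21D50) dataaccessd/1.0
Content-Type: text/calendar; charset=utf-8
Content-Length: 412
---kX3mP2aQ---H--
ModSecurity: Warning. Matched "Operator `Within' with parameter `|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/json|' against variable `TX:content_type' (Value: `|text/calendar|' ) [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920420"] [msg "Request content type is not allowed by policy"] [severity "2"] [tag "paranoia-level/1"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "0"] [tag "anomaly-evaluation"]
---kX3mP2aQ---Z--
"""


def parse_transactions(audit_log: str) -> Dict[str, Dict[str, List[str]]]:
    """Group lines by transaction boundary, then by section letter."""
    transactions: Dict[str, Dict[str, List[str]]] = {}
    boundary = section = None
    for line in audit_log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            boundary, section = m.group(1), m.group(2)
            transactions.setdefault(boundary, {}).setdefault(section, [])
            continue
        if boundary is not None and section is not None:
            transactions[boundary][section].append(line)
    return transactions


def unique_id_of(sections: Dict[str, List[str]]) -> str:
    """Section A reads '[timestamp] unique_id src_ip src_port dst_ip dst_port'."""
    for line in sections.get("A", []):
        parts = line.split("] ", 1)
        if len(parts) == 2:
            return parts[1].split()[0]
    return ""


def parse_rule_message(line: str) -> Dict[str, object]:
    """Turn one section-H line into a dict; tags may repeat, so keep a list."""
    fields: Dict[str, object] = {"tags": []}
    for key, value in KV_RE.findall(line):
        if key == "tag":
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields


def find_matched_rules(audit_log: str, unique_id: str) -> List[Dict[str, object]]:
    """All rules logged for the transaction with this unique_id ([] if absent)."""
    for sections in parse_transactions(audit_log).values():
        if unique_id_of(sections) == unique_id:
            return [parse_rule_message(l) for l in sections.get("H", []) if "[id " in l]
    return []


def request_header(audit_log: str, unique_id: str, name: str) -> str:
    """Value of a request header from section B, '' if not present."""
    for sections in parse_transactions(audit_log).values():
        if unique_id_of(sections) == unique_id:
            for line in sections.get("B", []):
                key, sep, value = line.partition(":")
                if sep and key.strip().lower() == name.lower():
                    return value.strip()
    return ""


def anomaly_score(rules: List[Dict[str, object]]) -> int:
    """Sum the CRS points of the rules that raised the score. The 949110
    evaluation rule only reports the total, so it is excluded via its tag."""
    return sum(SEVERITY_SCORE.get(str(r.get("severity", "")), 0)
               for r in rules if "anomaly-evaluation" not in r["tags"])


if __name__ == "__main__":
    uid = "171045623486.423063"
    hits = find_matched_rules(SAMPLE_AUDIT_LOG, uid)
    print("Content-Type:", request_header(SAMPLE_AUDIT_LOG, uid, "Content-Type"))
    for r in hits:
        print(r["id"], r.get("msg"), r["tags"])
    print("score from scoring rules:", anomaly_score(hits))
```

Run it against a real `/var/log/modsec_audit.log` by reading the file into `find_matched_rules` with the unique_id from the error-log line; the IDs it returns (everything except the 949110 evaluation rule) are the ones a rule exclusion has to target, and `request_header` shows the Content-Type that the request actually carried.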

EsadCetiner commented 5 months ago

@YeapGuy could you give this PR a try https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/pull/66? I didn't encounter the specific false positive you reported, so I can't guarantee that the issue is fixed unless you provide me with more detailed logging or more detailed steps to reproduce.

YeapGuy commented 5 months ago

I don't use an iPhone myself, so I can't verify it myself, but so far, it seems to work. Thank you! If it doesn't work, I'll search for the relevant modsec audit log entry as well, of course.

YeapGuy commented 5 months ago

Found it. It's due to Content-Type. Calendar invitations use text/calendar (RFC).

EsadCetiner commented 5 months ago

@YeapGuy Thanks, I've pushed another commit.