coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0

fix: .well-known/webdav fp #69

Closed YeapGuy closed 5 months ago

YeapGuy commented 5 months ago

Adds a rule similar to 9508602 & 9508603 to prevent blocking WebDAV discovery on /.well-known:

ModSecurity: Warning. Matched "Operator `Within' with parameter `GET HEAD POST OPTIONS PUT' against variable `REQUEST_METHOD' (Value: `PROPFIND' ) [file "/usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "28"] [id "911100"] [rev ""] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "172.19.0.7"] [uri "/.well-known/webdav/xxx/"] [unique_id "171119327475.703982"] [ref "v0,8"]
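The false positive shown in that log entry, worked through in Python as an added example (not code from this PR or the plugin): it parses the ModSecurity log line into its fields and models CRS method enforcement (rule 911100) with a path-scoped method extension of the kind this PR adds. BASE_METHODS and PATH_EXTENSIONS are assumptions that mirror the log, not the plugin's actual rule text.

```python
import re

# Log entry copied from the PR description above (page data, lightly abridged).
SAMPLE_LOG = (
    "ModSecurity: Warning. Matched \"Operator `Within' with parameter "
    "`GET HEAD POST OPTIONS PUT' against variable `REQUEST_METHOD' (Value: `PROPFIND' ) "
    '[file "/usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] '
    '[line "28"] [id "911100"] [rev ""] [msg "Method is not allowed by policy"] [data "PROPFIND"] '
    '[severity "2"] [ver "OWASP_CRS/4.0.0"] [tag "attack-generic"] [tag "paranoia-level/1"] '
    '[hostname "172.19.0.7"] [uri "/.well-known/webdav/xxx/"] [unique_id "171119327475.703982"]'
)

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
ALLOWED_RE = re.compile(r"Operator `Within' with parameter `([^']*)'")


def parse_entry(line):
    """Turn the [key "value"] pairs into a dict; the repeated 'tag' key becomes a list."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields.setdefault("tag", []).append(value)
        else:
            fields[key] = value
    m = ALLOWED_RE.search(line)
    # The @within parameter is the tx.allowed_methods list the engine enforced.
    fields["allowed_methods"] = m.group(1).split() if m else []
    return fields


# Assumed base policy (matches the list in the log) and a path-scoped extension in the
# spirit of the plugin's DAV exclusions: PROPFIND is only permitted under /.well-known/webdav.
BASE_METHODS = {"GET", "HEAD", "POST", "OPTIONS", "PUT"}
PATH_EXTENSIONS = {"/.well-known/webdav": {"PROPFIND"}}


def is_method_allowed(method, uri, extensions=PATH_EXTENSIONS):
    """Method enforcement as 911100 applies it, with extensions scoped by path prefix."""
    allowed = set(BASE_METHODS)
    for prefix, extra in extensions.items():
        if uri == prefix or uri.startswith(prefix + "/"):
            allowed |= extra
    return method in allowed


def would_fire_911100(entry, extensions=PATH_EXTENSIONS):
    """True if the request in a parsed log entry is still blocked under the given policy."""
    return not is_method_allowed(entry["data"], entry["uri"], extensions)
```

Running `would_fire_911100(parse_entry(SAMPLE_LOG), extensions={})` reproduces the block from the log, while the default extension lets the same PROPFIND through without widening the method list for any other path.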

EsadCetiner commented 5 months ago

@YeapGuy Can you add your name to the contributors file? It's sorted alphabetically by last name. And if you can write a test for the new rule, that would be great!

YeapGuy commented 5 months ago

Rules 9508602 & 9508603 (which are very similar) don't have any tests, so I thought this rule doesn't need one either. (Honestly, I planned on copying and modifying the existing tests, because I don't feel capable of writing a good test on my own 😅). Should I try to write one anyway?

EsadCetiner commented 5 months ago

@YeapGuy Tests aren't a hard requirement for plugins at the moment, but it's good to write tests so we can catch regressions if we have to make changes for whatever reason. If you feel like you can't write a test then that's fine, but I'm happy to help if you want to. The new rule you introduced is pretty simple so it shouldn't be a problem if you can't write one.

YeapGuy commented 5 months ago

Got it. I'm not afraid to try writing a test, but I'd have to set up a development environment to test it, and I don't want to spend time with that just because of this one PR (or maybe a couple more if I come across more FPs...).

EsadCetiner commented 5 months ago

@YeapGuy Thank you for your contribution