coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0

FP playing video file #71

Closed gbeliako closed 3 months ago

gbeliako commented 3 months ago

Hello: Trying to play a video file does not work; it produces an FP with the following log. Thanks,

```
---gE5zegJB---A--
[30/May/2024:20:20:14 +1000] 12.345 192.168.1.1 1 192.168.1.1 443
---gE5zegJB---B--
PROPFIND /public.php/webdav/movie.mkv HTTP/2.0
x-requested-with: XMLHttpRequest
authorization: Basic OUt6WkNhd2VyeGlRRWdLOg==
content-type: text/plain;charset=UTF-8
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.952 YaBrowser/24.4.1.952 (beta) Yowser/2.5 Safari/537.36
sec-fetch-site: same-origin
depth: 0
sec-ch-ua-mobile: ?0
origin: https://origin
requesttoken: requesttoken
sec-ch-ua-platform: "Linux"
accept: text/plain,application/xml
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "YaBrowser";v="24"
content-length: 539
host: host
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br
cookie: cookie
accept-language: en;q=0.9,es;q=0.8

---gE5zegJB---D--

---gE5zegJB---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---gE5zegJB---F--
HTTP/2.0 403
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: noindex, nofollow
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Permitted-Cross-Domain-Policies: none
Connection: close
X-Content-Type-Options: nosniff
Content-Type: text/html
X-Download-Options: noopen
Content-Length: 548
Date: Thu, 30 May 2024 10:20:14 GMT
Server: nginx
X-XSS-Protection: 1; mode=block

---gE5zegJB---H--
ModSecurity: Warning. Matched "Operator `Within' with parameter `|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudev (16 characters omitted)' against variable `TX:content_type' (Value: `|text/plain|' ) [file "/usr/lib/nginx/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "993"] [id "920420"] [rev ""] [msg "Request content type is not allowed by policy"] [data "|text/plain|"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "host"] [uri "/public.php/webdav/movie.mkv"] [unique_id "12.345"] [ref "o0,10v552,24t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/lib/nginx/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "host"] [uri "/public.php/webdav/movie.mkv"] [unique_id "12.345"] [ref ""]
```

---gE5zegJB---I--

---gE5zegJB---J--

---gE5zegJB---Z--
EsadCetiner commented 3 months ago

@gbeliako Thanks for the report, unfortunately I'm unable to reproduce the false positive (I'm on Nextcloud 29).

The text/plain content type header is blocked since ModSecurity isn't able to parse the request body. Do you know if the content being sent in the request body is XML, JSON or urlencoded?

Also, what version of Nextcloud are you on?
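As an added illustration (not the plugin's own rule and not the pull request mentioned later in this thread) of how a CRS plugin can scope an exclusion to exactly this request instead of allowing text/plain everywhere: the rule id 9599001 and the path regex are assumptions, and since 920420 runs in phase 1 this must be loaded before the CRS rules, i.e. from the plugin's `*-before.conf` file.

```apache
# Added example, not the plugin's own rule. Only for Nextcloud public-share
# WebDAV PROPFIND requests whose XML body is labelled text/plain, drop the
# content-type policy rule (920420) and still parse the body as XML so that
# the body itself remains inspected. Rule id 9599001 is a placeholder.
SecRule REQUEST_URI "@rx ^/public\.php/webdav/" \
    "id:9599001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_METHOD "@streq PROPFIND" \
        "t:none,\
        chain"
        SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
            "t:none,t:lowercase,\
            ctl:ruleRemoveById=920420,\
            ctl:requestBodyProcessor=XML"
```

Narrowing the exclusion to method, path and header keeps 920420 active for every other request to the instance, and the XML body processor means 920420 is removed without giving up body inspection.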

gbeliako commented 3 months ago

I'm on NC 29. I don't know how to find that out, but I have:

```nginx
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
```

in my nginx nextcloud.conf file. Thanks for the help

EsadCetiner commented 3 months ago

@gbeliako I just remembered that there was a pull request for a similar issue. Can you give it a try?

I'll try and get it merged in the meantime.

gbeliako commented 3 months ago

Yes, this works for me. Thanks for the help.