【发布时间】:2023-01-18 15:00:17
【问题描述】:
- 运行 ModSecurity 2.93 和 OWASP ModSecurity 核心规则集 (CRS) 3.3.2.
- 启用了
REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf中包含的 Nextcloud 异常,它们正在正常加载。 - Nextcloud 已更新至最新的稳定版本,并通过了所有检查。
然而,ModSecurity 在许多重要方面破坏了它的功能。
关于桌面同步应用程序、移动同步应用程序和一般 WebDav 的活动,我得到了一些误报。
这完全是 ModSecurity 做的。 Nextcloud 报告没有错误,禁用 ModSecurity 解决了问题。
我试图解决这个问题失败了。特别是,将以下规则添加到 REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf 会完全破坏 Nextcloud 的功能,并且不会解决任何误报。不知道为什么:
SecRule REQUEST_URI "@beginsWith /remote.php/dav/files/admin/" \
"id:10000003,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=921110,\
ctl:ruleRemoveTargetById=980130,\
ctl:ruleRemoveTargetById=949110"
来自 ModSecurity 审计日志的示例:
Message: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|image/png|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client <ip>] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|image/png|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "<hostname>"] [uri "/index.php/apps/files/"] [unique_id "Y8Yq5sm-7UrRygrbZZNbsgAAABc"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client <ip>] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "<hostname>"] [uri "/index.php/apps/files/"] [unique_id "Y8Yq5sm-7UrRygrbZZNbsgAAABc"]
Android 同步应用程序中的消息通常是“不允许您上传到此文件夹”。通常,所有同步应用程序都会被 ModSecurity 提供的 403 错误所困扰。我不确定这不会只发生在某些文件类型或某些文件夹中,或者我认为,所有文件都会发生。
【问题讨论】:
标签: owasp nextcloud mod-security