[RCD] [RCU] recurring problem at the level of authentication and total absence of log

chasd chasd at silveroaks.com
Wed Nov 25 17:30:21 CET 2009


Sorry I was too busy yesterday to respond to your post on RCU.
When I glanced at your post, I thought it might be mod_security  
causing the issue.

>> [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"]
>> [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]
>> [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "roundcube.renelacroute.fr"]
>> [uri "/"] [unique_id "bdt3UVdiuugAAHbbVjAAAAAA"]
>> [Mon Nov 23 00:54:27 2009] [error] [client 81.56.161.95] ModSecurity:
>> Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required.

There are several errors related to this.
Some Googling indicates a header needs to be added to the output.

A quick search indicates several files that would need to be modified:

[chasd at mail roundcube]$ find . -name '*.php' -exec grep -l "header ('Content-Type:" {} \;
./program/js/tiny_mce/plugins/spellchecker/rpc.php
./program/include/rcube_html_page.php
./program/include/rcube_json_output.php
./bin/html2text.php
./bin/modcss.php

This page:
<http://framework.zend.com/issues/browse/ZF-3017>

indicates this line should be added to each of those files after the
content type header:

header('Accept: text/xml');

As for the

>> Match of "rx ^OPTIONS$" against "REQUEST_METHOD"

that is a warning and shouldn't impact the functionality of RoundCube.
I did not find a fix for that warning, and I'm not familiar enough  
with mod_security to know exactly what it is complaining about.

My Google search indicates that other web apps that control their  
headers run into this issue with mod_security, notably Gallery2.


-- 
Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline  IL  61265
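
The log excerpt quoted in the message above uses the ModSecurity layout for Apache error-log entries: a free-text description followed by bracketed `[key "value"]` fields. As an added example (not part of the original post or of RoundCube), the following Python parses such entries and counts alerts per rule id and URI, which shows which rule is firing on which requests. The sample lines are constructed from the fields quoted above; the client addresses, hostname and unique_id values are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines built from the fields quoted in the message above.
# Client addresses, hostname and unique_id values are placeholders.
_FIELDS = ('[file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] '
           '[line "41"] [id "960015"] [msg "Request Missing an Accept Header"] '
           '[severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] '
           '[hostname "webmail.example.test"] ')
_DETAIL = 'ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. '
SAMPLE_LINES = [
    '[Mon Nov 23 00:54:27 2009] [error] [client 192.0.2.10] ' + _DETAIL + _FIELDS
    + '[uri "/"] [unique_id "CONSTRUCTED-0001"]',
    '[Mon Nov 23 00:54:29 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico',
    '[Mon Nov 23 00:55:02 2009] [error] [client 192.0.2.44] ' + _DETAIL + _FIELDS
    + '[uri "/index.php"] [unique_id "CONSTRUCTED-0002"]',
]

PREFIX = re.compile(r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] '
                    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$')
# Metadata fields look like [key "value"]; quotes inside a value are backslash-escaped.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return a dict for a ModSecurity error-log entry, or None for other lines."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    first = FIELD.search(rest)
    event = {'time': m.group('time'), 'client': m.group('client'), 'tags': [],
             # Free-text part before the first bracketed field (operator/variable).
             'detail': (rest[:first.start()] if first else rest).strip()}
    for key, value in FIELD.findall(rest):
        if key == 'tag':            # a rule can carry several tags
            event['tags'].append(value)
        else:
            event[key] = value
    return event

def summarize(lines):
    """Count alerts per (rule id, message, URI) to see which rule fires where."""
    counts = Counter()
    for event in filter(None, map(parse_line, lines)):
        if 'id' in event:
            counts[(event['id'], event.get('msg', ''), event.get('uri', ''))] += 1
    return counts

if __name__ == '__main__':
    for (rule_id, msg, uri), n in summarize(SAMPLE_LINES).most_common():
        print(f'{n:3d}  id={rule_id}  uri={uri}  {msg}')
```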
