Hi,
I started playing with the modsecurity rules today.
I noticed that CRS modsecurity rule modsecurity_crs_16_session_hijacking.conf will hit on Roundcube 0.6 on my test server. I have not used modsec on any other version of RC.
Enabling the CRS 2.2.2 options rules breaks this RC set-up. I'm not an expert on these rules, so it is quite likely that I misinterpreted the results.
[24/Oct/2011:11:17:39 +0200] [webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed
[24/Oct/2011:11:23:16 +0200] [webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed
Some rules in these hit as well: Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]
Message: Warning. Match of "rx (?i:\;? ?httponly;?)" against "TX:sessionid" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_55_application_defects.conf"] [line "71"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag."]
The other CRS and ASR rules seem fine so far...
It's possible that this is an Apache misconfiguration by me.
Has anyone else used the modsecurity optional rule sets on Roundcube?
Best regards, S
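Added example, not part of the post or of the CRS project: a small Python parser for ModSecurity error-log entries of the shape quoted above, so the rule ids that actually block (403) can be separated from warn-only hits when triaging false positives. The sample log is constructed from the ids and file names visible in the post; the hostname and timestamps are made up, and the second entry is deliberately left with its `[msg ...]` tag cut off, as in the post.

```python
import re
from collections import Counter

# Constructed sample: three entries shaped like the ones quoted in the post.
# The second line is intentionally truncated inside its [msg "..."] tag.
SAMPLE_LOG = """\
[24/Oct/2011:11:17:39 +0200] [webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed"]
[24/Oct/2011:11:23:16 +0200] [webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed
Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]
"""

# Tags look like [file "..."], [line "..."], [id "..."], [msg "..."].
# The closing quote and bracket are optional so a cut-off [msg tag still parses.
TAG_RE = re.compile(r'\[(file|line|id|msg) "([^"]*)"?\]?')
DENY_RE = re.compile(r"Access denied with code (\d+)")


def parse_entry(line):
    """Return a dict with file/line/id/msg plus whether the rule blocked."""
    fields = dict(TAG_RE.findall(line))
    deny = DENY_RE.search(line)
    fields["action"] = "deny" if deny else "warn"
    fields["status"] = int(deny.group(1)) if deny else None
    # A well-formed entry ends with the closing "] of its last tag.
    fields["truncated"] = not line.rstrip().endswith('"]')
    return fields


def parse_log(text):
    """Parse every line that carries a rule id; skip unrelated log noise."""
    return [parse_entry(l) for l in text.splitlines() if "[id " in l]


def summarize(entries):
    """Count hits per (rule id, action) so blocking rules stand out."""
    counts = Counter()
    for e in entries:
        counts[(e.get("id"), e["action"])] += 1
    return counts


if __name__ == "__main__":
    for (rule_id, action), n in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(f"rule {rule_id}: {action} x{n}")
```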