On 24/10/11 12:53, Simon Loewenthal wrote:
Hi,

    I started playing with the modsecurity rules today.

I noticed that CRS modsecurity rule
modsecurity_crs_16_session_hijacking.conf will hit on Roundcube 0.6 on
my test server.  I have not used modsec on any other version of RC.

Enabling the CRS 2.2.2 optional rules breaks this RC set-up.
I'm not an expert on these rules, so it is quite likely that I
misinterpreted the results.

[24/Oct/2011:11:17:39 +0200]
[webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access
denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}"
against "TX:ip_hash" required. [file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"]
[line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed
- IP Address Mismatch."]

[24/Oct/2011:11:23:16 +0200]
[webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access
denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}"
against "TX:ua_hash" required. [file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"]
[line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed
- User-Agent Mismatch."]

Some rules in these hit as well:
Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required.
[file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"]
[line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]

Message: Warning. Match of "rx (?i:\\;? ?httponly;?)" against
"TX:sessionid" required. [file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_55_application_defects.conf"]
[line "71"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag."]

The other CRS and ASR rules seem fine so far...

It's possible that this is an Apache misconfiguration by me.

Has anyone else used the modsecurity optional rule sets on Roundcube?



Best regards, S

I stripped out these rule IDs and RC pretty much works...

SecRuleRemoveById 981054 981056 981057 981058 981059 981060 981061 981062 981063 981064 981219 981220 981221 981222 981223 981224 981179 981181 981182 981183 981184 981185 981186

When saving a new Contact, the message
"An error occurred while saving" is displayed.
It trips up on rule 981143:


--e38a3129-A--
[24/Oct/2011:13:16:51 +0200] TqVJI1jGXw0AABqACNgAAAAD 62.58.11.11 26940 88.198.95.13 443
--e38a3129-B--
POST /?_orig_source=0 HTTP/1.1
Host: webmail.example.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Ubuntu/10.04 (lucid) Firefox/3.6.23
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://webmail.example.com/?_orig_source=0
Cookie: spamprefsviewsplitter=195; prefsviewsplitter=195; addressviewsplitterd=200; addressviewsplitter=250; composesplitterv=175; mailviewsplitter=205; mailviewsplitterv=165; roundcube_sessid=ceh30pteuab8mslu3c2gjqmqv4; roundcube_sessauth=S381183011cb58a226ef9722d551e85bc6027be41
Content-Type: application/x-www-form-urlencoded
Content-Length: 451

--e38a3129-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.8-1~dotdeb.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--e38a3129-H--
Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]
Apache-Handler: application/x-httpd-php
Stopwatch: 1319455011801599 117636 (- - -)
Stopwatch2: 1319455011801599 117636; combined=6353, p1=485, p2=5723, p3=24, p4=112, p5=9, sr=40, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.6.2 (http://www.modsecurity.org/); core ruleset/2.2.2.
Server: Apache/2.2.16 (Debian)

--e38a3129-Z--

[Mon Oct 24 13:19:22 2011] [error] [client 62.58.11.11] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "webmail.example.com"] [uri "/"] [unique_id "TqVJuVjGXw0AABp2BDIAAAAB

For some reason modsecurity won't disable this 981143 rule with the SecRuleRemoveById. Odd.
--
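A small script to cross-check the log lines above against the SecRuleRemoveById directive, as an added example that is not part of the post or of the CRS project. It parses the `[file "..."] [line "..."] [id "..."] [msg "..."]` tags that ModSecurity 2.x appends to every "Warning." / "Access denied" line, expands the SecRuleRemoveById list (single IDs and lo-hi ranges, both of which ModSecurity 2.x accepts), and reports which rules that fired are not on the list. The sample log lines are the ones quoted in the post, re-joined onto single lines; run against the directive from the post it shows that 981143 was never in the list, which is why SecRuleRemoveById had no effect on it, and it emits a de-duplicated, range-collapsed version of the directive. Regex and function names are my own.

```python
"""Cross-check ModSecurity rule hits against a SecRuleRemoveById directive.

Added example, not code from the mailing-list post or from the CRS project.
It parses the "Message:" / error-log lines ModSecurity 2.x emits, collects
the rule IDs that fired, and reports which of them a SecRuleRemoveById
directive leaves active.
"""
import re

# The [file "..."] [line "..."] [id "..."] [msg "..."] tags that ModSecurity 2.x
# appends to every "Warning." / "Access denied" line.
TAG_RE = re.compile(r'\[(?P<key>file|line|id|msg) "(?P<val>[^"]*)"\]')
# The operator/target pair from 'Match of "<op>" against "<target>" required.'
MATCH_RE = re.compile(r'Match of "(?P<op>[^"]+)" against "(?P<target>[^"]+)" required')

# Constructed sample input: the log lines quoted in the post, wrapped lines joined.
LOG_LINES = [
    r'[24/Oct/2011:11:17:39 +0200] [webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] '
    r'Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. '
    r'[file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] '
    r'[line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."]',
    r'[24/Oct/2011:11:23:16 +0200] [webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] '
    r'Access denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. '
    r'[file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] '
    r'[line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed - User-Agent Mismatch."]',
    r'Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. '
    r'[file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] '
    r'[line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]',
    r'Message: Warning. Match of "rx (?i:\\;? ?httponly;?)" against "TX:sessionid" required. '
    r'[file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_55_application_defects.conf"] '
    r'[line "71"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag."]',
]

# The directive from the post, duplicates included.
DIRECTIVE = ('SecRuleRemoveById 981054 981054 981056 981057 981058 981059 981060 981061 '
             '981062 981063 981064 981219 981220 981221 981222 981223 981224 981179 981181 '
             '981182 981182 981183 981184 981185 981186')


def parse_hit(line):
    """Describe the rule hit on one log line as a dict, or None if the line
    carries no [id "..."] tag."""
    tags = {m.group('key'): m.group('val') for m in TAG_RE.finditer(line)}
    if 'id' not in tags:
        return None
    m = MATCH_RE.search(line)
    return {
        'id': int(tags['id']),
        'file': tags.get('file', ''),
        'line': int(tags['line']) if 'line' in tags else None,
        'msg': tags.get('msg', ''),
        'op': m.group('op') if m else '',
        'target': m.group('target') if m else '',
    }


def parse_remove_by_id(directive):
    """Expand a SecRuleRemoveById directive into the set of rule IDs it removes.
    Handles single IDs and lo-hi ranges; duplicates collapse into the set."""
    tokens = directive.split()
    if not tokens or tokens[0] != 'SecRuleRemoveById':
        raise ValueError('not a SecRuleRemoveById directive')
    ids = set()
    for tok in tokens[1:]:
        if '-' in tok:
            lo, hi = tok.split('-', 1)
            ids.update(range(int(lo), int(hi) + 1))
        else:
            ids.add(int(tok))
    return ids


def uncovered_hits(log_lines, directive):
    """Rules that fired in log_lines but are not removed by directive,
    as a sorted list of (id, msg) pairs."""
    removed = parse_remove_by_id(directive)
    active = {}
    for line in log_lines:
        hit = parse_hit(line)
        if hit and hit['id'] not in removed:
            active[hit['id']] = hit['msg']
    return sorted(active.items())


def compact_directive(directive):
    """Rewrite directive with duplicates dropped and consecutive IDs collapsed
    into lo-hi ranges."""
    ids = sorted(parse_remove_by_id(directive))
    parts, start, prev = [], None, None
    for i in ids:
        if start is None:
            start = prev = i
        elif i == prev + 1:
            prev = i
        else:
            parts.append(str(start) if start == prev else '%d-%d' % (start, prev))
            start = prev = i
    if start is not None:
        parts.append(str(start) if start == prev else '%d-%d' % (start, prev))
    return 'SecRuleRemoveById ' + ' '.join(parts)


if __name__ == '__main__':
    for rule_id, msg in uncovered_hits(LOG_LINES, DIRECTIVE):
        print('still active: %d  %s' % (rule_id, msg))
    print(compact_directive(DIRECTIVE))
```

Feed it the Apache error log or the audit log's H section and it reports every rule ID that still fires after your exclusions; the compacted directive is a drop-in replacement for the long one.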