Hi,
I started playing with the modsecurity rules today.
I noticed that CRS modsecurity rule
modsecurity_crs_16_session_hijacking.conf will hit on Roundcube 0.6 on
my test server. I have not used modsec on any other version of RC.
Enabling the CRS 2.2.2 optional rules breaks this RC set-up.
I'm not an expert on these rules, so it is quite likely that I
misinterpreted the results.
[24/Oct/2011:11:17:39 +0200] [webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."]
[24/Oct/2011:11:23:16 +0200] [webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed - User-Agent Mismatch."]
Some rules in these hit as well:
Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]
Message: Warning. Match of "rx (?i:\\;? ?httponly;?)" against "TX:sessionid" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_55_application_defects.conf"] [line "71"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag."]
The other CRS and ASR rules seem fine so far...
It's possible that this is an Apache misconfiguration by me.
Has anyone else used the modsecurity optional rule sets on Roundcube?
Best regards, S
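As an added example (not part of the post, and not code from the CRS project), a small Python parser for the ModSecurity error-log entries quoted above: it pulls out the rule id, message, rule file and whether the match actually denied the request, and aggregates hits per rule so the sticky-session rules that return 403 can be reviewed separately from the warning-only ones before deciding whether they are false positives for this Roundcube set-up. The sample entries are constructed from the lines in the post; function names are my own.

```python
import re

# Constructed sample entries, copied from the log lines quoted in the post
# (each entry on one line, as ModSecurity writes it).
SAMPLE_LOG = r"""
[24/Oct/2011:11:17:39 +0200] [webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."]
[24/Oct/2011:11:23:16 +0200] [webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed - User-Agent Mismatch."]
Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]
Message: Warning. Match of "rx (?i:\\;? ?httponly;?)" against "TX:sessionid" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_55_application_defects.conf"] [line "71"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag."]
"""

# Bracketed key/value fields that ModSecurity appends to every rule-match entry.
FIELD_RE = re.compile(r'\[(file|line|id|msg) "([^"]*)"\]')
# Present only when the rule's disruptive action actually blocked the request.
DENY_RE = re.compile(r"Access denied with code (\d+) \(phase (\d+)\)")


def parse_entry(line):
    """Return rule id, msg, rule file, rule line and block status, or None if not a rule match."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    deny = DENY_RE.search(line)
    fields["blocked"] = deny is not None
    fields["status"] = int(deny.group(1)) if deny else None
    fields["file"] = fields["file"].rsplit("/", 1)[-1]  # keep only the rule file name
    return fields


def summarize(log_text):
    """Aggregate hits per rule id; 'blocked' counts the entries that denied the request."""
    summary = {}
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        rec = summary.setdefault(
            entry["id"], {"hits": 0, "blocked": 0, "file": entry["file"], "msg": entry["msg"]}
        )
        rec["hits"] += 1
        rec["blocked"] += int(entry["blocked"])
    return summary


def blocking_rule_ids(summary):
    """Rule ids that actually returned 403, sorted; these are the first to review."""
    return sorted(rid for rid, rec in summary.items() if rec["blocked"])


if __name__ == "__main__":
    for rid, rec in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{rid} hits={rec["hits"]} blocked={rec["blocked"]} {rec["file"]}: {rec["msg"]}')
```

Point it at a real Apache error log (or an audit-log H section) and the counts show at a glance whether 981059/981060 fire on every request or only when a client's IP or User-Agent really changes mid-session.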