Hi,

    I started playing with the modsecurity rules today.

I noticed that CRS modsecurity rule
modsecurity_crs_16_session_hijacking.conf will hit on Roundcube 0.6 on
my test server.  I have not used modsec on any other version of RC.

Enabling  the CRS 2.2.2 options rules breaks this RC set-up.
I'm not an expert on these rules, so it is quite likely that I
misinterpreted the results.

[24/Oct/2011:11:17:39 +0200]
[webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access
denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}"
against "TX:ip_hash" required. [file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"]
[line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed
- IP Address Mismatch."]

[24/Oct/2011:11:23:16 +0200]
[webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access
denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}"
against "TX:ua_hash" required. [file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"]
[line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed
- User-Agent Mismatch."]

Some rules in these hit as well:
Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required.
[file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"]
[line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]

Message: Warning. Match of "rx (?i:\\;? ?httponly;?)" against
"TX:sessionid" required. [file
"/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_55_application_defects.conf"]
[line "71"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag."]

The other CRS and ASR rules seem fine so far...

Its possible that this is a apache misconfiguration by me. 

Has anyone else used the modsecurity optional rule sets on Roundcube?



Best regards, S

--