Hi Philip,

On 7/09/2011 3:42 PM, Philip Prindeville wrote:

> I had configured and installed subversion (SVN) to run over HTTP as
> the transport, but when I tried to use it I got:
>
> [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/trunk/package/linux-atm"] [unique_id "TmUFkcCoAQoAABnnJF8AAAAD"]
> [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnlI-4AAAAB"]
> [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnkI6QAAAAA"]
>
> when doing commits, etc. I was thinking it would be nice if mod_security out-of-the-box
> supported SVN...
>
> I'm looking at the supposed offending rule:
>
> SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
>     "chain,phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
>     SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}" "skipAfter:END_CORRELATION"
>
> and thinking "Wha.....t?"

Ouch.

Have you brought it up on the mod-security-users or Core Ruleset lists?
They'd probably have more insight on this than I would (I'm more of a
git person myself nowadays)

http://lists.sourceforge.net/lists/listinfo/mod-security-users
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
(better for this issue I'd say)

> If the .conf files out-of-the-box can't support SVN by default,
> how about at least having a post-install script that modifies the rules to accommodate
> SVN?
>
> Or what about SVN installing its own rules if it detects mod_security is installed and
> enabled?

I've only ever seen cross-package triggers once (a Samba package in
earlier Fedoras) and it looks like a potential disaster area and best
avoided.

> But less abstractly: does anyone know what's required to make
> SVN-over-HTTP work with mod_security?

Truth be told I've wimped out and run it in DetectionOnly mode with the
more painful apps - Drupal / Wordpress and DAV-reliant apps (like SVN or
iCal stuff) have traditionally been fairly hellish otherwise.

> Thanks,
>
> -Philip

Cheers,
Michael.
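Added example, not part of the thread above: a small Python parser for the ModSecurity error-log format Philip quoted. It pulls the CRS file/line, the anomaly score and the threshold the correlation rule compared against, the request URI and the trailing rule text out of each entry, then groups entries by that rule text so an administrator can see which policy rule the SVN/DAV requests are tripping (and whether they were only logged or actually denied) before tuning any rule. The field names `reason`, `blocked`, `score` and `threshold` are this example's own; the three sample lines are constructed from the ones in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the three log lines quoted in the thread, re-joined onto
# one physical line each (only the uri and unique_id differ between them).
_TEMPLATE = (
    '[Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. '
    'Operator LT matched 20 at TX:inbound_anomaly_score. '
    '[file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] '
    '[line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): '
    'Method is not allowed by policy"] [hostname "localhost"] [uri "{uri}"] [unique_id "{uid}"]'
)
SAMPLE_LOG = "\n".join(_TEMPLATE.format(uri=u, uid=i) for u, i in [
    ("/svn/astlinux/trunk/package/linux-atm", "TmUFkcCoAQoAABnnJF8AAAAD"),
    ("/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c", "TmUFkcCoAQoAABnlI-4AAAAB"),
    ("/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c", "TmUFkcCoAQoAABnkI6QAAAAA"),
])

# Fixed prefix of an Apache/ModSecurity error-log entry, up to the first [file ...] field.
HEAD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
                     r'ModSecurity: (?P<action>Warning|Access denied[^.]*)\. (?P<detail>.*?) \[file ')
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')      # [key "value"] pairs
THRESH_RE = re.compile(r'Operator (\w+) matched (\d+) at TX:inbound_anomaly_score')
SCORE_RE = re.compile(r'Total Inbound Score: (\d+)')

def parse_line(line):
    """Parse one ModSecurity error-log line into a dict; None if it is not one."""
    head = HEAD_RE.match(line)
    if head is None:
        return None
    rec = head.groupdict()
    rec.update((m.group('key'), m.group('val')) for m in FIELD_RE.finditer(line))
    rec['blocked'] = rec['action'].startswith('Access denied')   # "Warning" = logged only
    score = SCORE_RE.search(rec.get('msg', ''))
    rec['score'] = int(score.group(1)) if score else None
    thr = THRESH_RE.search(rec['detail'])
    rec['threshold'] = int(thr.group(2)) if thr else None
    # The CRS correlation msg ends with the text of the rule that scored, after '): '.
    rec['reason'] = rec.get('msg', '').rpartition('): ')[2]
    return rec

def summarize(log_text):
    """Group events by CRS reason: how often, for which URIs, and how many were blocked."""
    groups = defaultdict(lambda: {'count': 0, 'blocked': 0, 'uris': set(), 'ids': []})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        g = groups[rec['reason']]
        g['count'] += 1
        g['blocked'] += rec['blocked']
        g['uris'].add(rec.get('uri'))
        g['ids'].append(rec.get('unique_id'))
    return dict(groups)
```

On the sample, `summarize(SAMPLE_LOG)` reports three hits for "Method is not allowed by policy" across two URIs, none blocked (score 15 against a threshold of 20), which is what points an administrator at the CRS HTTP method policy rather than at the correlation rule Philip was looking at.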