
ModSecurity Rule Triggered by autodiscover

Comments

3 comments

  • fuzzylogic
    Just to be clear, I don't use Autodiscover and won't troubleshoot it for you if it won't work after you get ModSecurity to allow these POST requests to pass. Here is an exclusion rule to allow these requests...

        # Allow POST to Autodiscover
        SecRule REQUEST_METHOD "@streq POST" \
            "msg:'Autodetect rule is being hit',\
            id:19000000,\
            phase:2,\
            t:none,\
            nolog,\
            noauditlog,\
            pass,\
            chain"
            SecRule REQUEST_FILENAME "@endsWith /autodiscover/autodiscover.xml" \
                "t:none,\
                ctl:ruleRemoveById=941100,\
                ctl:ruleRemoveById=941130"

    Add this rule at... Home » Security Center » ModSecurity™ Tools » Add Custom Rule

    With the lines nolog and noauditlog this rule will be silent and hard to test. I suggest you change nolog to log so you can test it and see a log entry in the list at... Home » Security Center » ModSecurity™ Tools » Hits List every time the POST request is made.

    On my system I would expect Apache to reply with a Status Code of 404 (instead of 403 without the rule). On your system with autodiscover enabled Apache will probably reply with a Status Code of 200 (instead of 403 without the rule).

    Once you establish that the rule is working as expected I suggest you change "log" back to "nolog" so your Hits List is not full of messages created by this rule.
    1
  • cPanelLauren
    Thanks @fuzzylogic for the great information and assistance! @lukekenny let us know if the information provided helps!
    0
  • AndyB78
    Thank you @fuzzylogic! I've just used the rule above for rule 243420 from Comodo (LiteSpeed) and it seems to work. I had to modify the request filename and to double it for GET requests (as we do get blocked access for GET as well) but other than that it seems to be fine (it triggers).
    0
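
Before relying on the exclusion discussed in this thread, it helps to know exactly which requests it exempts. The following is an added example, not code from any poster: a simplified Python model of the two chained conditions (the function names are hypothetical and this is not the ModSecurity engine), run over constructed sample requests.

```python
from urllib.parse import urlsplit

# Values copied from the rule posted in the thread.
EXCLUDED_IDS = (941100, 941130)
SUFFIX = "/autodiscover/autodiscover.xml"


def request_filename(uri):
    """Simplified model of REQUEST_FILENAME: the path without the query string."""
    return urlsplit(uri).path


def removed_rule_ids(method, uri, methods=("POST",)):
    """Return the rule IDs the chained exclusion would remove for a request.

    Both links use t:none, so @streq and @endsWith compare case-sensitively.
    `methods` is an assumption added here to model duplicating the rule
    for another method, as the last comment describes doing for GET.
    """
    if method not in methods:                       # first link: @streq POST
        return ()
    if not request_filename(uri).endswith(SUFFIX):  # chained link: @endsWith
        return ()
    return EXCLUDED_IDS


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("POST", "/autodiscover/autodiscover.xml"),
    ("POST", "/autodiscover/autodiscover.xml?x=1"),    # query string is ignored
    ("POST", "/Autodiscover/Autodiscover.xml"),        # different case: no match
    ("GET", "/autodiscover/autodiscover.xml"),         # method not covered
    ("POST", "/files/autodiscover/autodiscover.xml"),  # any path with this suffix
    ("POST", "/autodiscover/autodiscover.xml.bak"),    # suffix differs
]


def report(samples=SAMPLES, methods=("POST",)):
    """Evaluate every sample and return (method, uri, removed_ids) tuples."""
    return [(m, u, removed_rule_ids(m, u, methods)) for m, u in samples]


if __name__ == "__main__":
    for method, uri, ids in report():
        state = f"941100/941130 removed" if ids else "still inspected"
        print(f"{method:4} {uri:40} {state}")
```

Requests reported as "still inspected" keep rules 941100 and 941130 active, so a client that sends a different path case or method will still receive the 403 until the exclusion is adjusted to cover it.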
