Allowing HTTP methods PATCH and DELETE in modsecurity
Q1: It appears that the default modsec in cPanel does not allow PATCH or DELETE (only GET HEAD POST OPTIONS, per rule 901160). Is this the case, and if so, why?
# Default HTTP policy: allowed_methods (rule 900200)
SecRule &TX:allowed_methods "@eq 0" \
    "id:901160,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.4',\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
Q2: 901160 references 900200, but the active 900200 is not as expected. It doesn't seem to relate to 901160. (Nor is 900200 the same as the one in /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/crs-setup.conf. There is also 900201 which is almost identical but doesn't exist in crs-setup.conf and neither is 901160. It looks like 900200 was replaced by 901160, and a new 900200 and 900201 were added.) Why is this, or what am I missing about how the OWASP ruleset is incorporated into cPanel?
Active 900200 and 900201:
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
    "id:9002000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.4',\
    skipAfter:END-WORDPRESS"
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
    "id:9002001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.4',\
    skipAfter:END-WORDPRESS"
900200 in crs-setup.conf:
#SecAction \
# "id:900200,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
Q3: What is the cPanel blessed method for enabling PATCH and DELETE (modify rules, use crs-setup.conf, other)? Is there any downside to enabling these methods (other than adding new attack vectors) server-wide, or should adding these be limited to only the user accounts or apps that need them?
-Pete
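A worked configuration for Q3, added here as an example; it is not from this thread and is not cPanel's or the CRS project's own file. The point it relies on is visible in rule 901160 above: the rule only assigns the default because its operand is `&TX:allowed_methods "@eq 0"`, i.e. it fires only when nobody has set `tx.allowed_methods` yet. So the override is to set that variable yourself, in phase 1, from a file of your own that is loaded before REQUEST-901-INITIALIZATION.conf (the same position crs-setup.conf occupies), rather than editing the vendor rule files. The file name, the `/api/` path and rule id 10200 are assumptions for the example; id 900200 is the slot crs-setup.conf itself reserves for this setting.

```apache
# Added example (not from the thread, not a cPanel or CRS file).
# Assumed: this file is loaded before REQUEST-901-INITIALIZATION.conf,
# so the SecAction below runs before 901160 and 901160 then skips
# (its &TX:allowed_methods "@eq 0" test is false). Only CRS's method
# check (911100, phase 1) reads tx.allowed_methods; the rest of CRS
# still inspects PATCH/DELETE requests and their bodies as usual.

# Option A: server-wide. Every vhost accepts PATCH and DELETE.
# id 900200 is the slot crs-setup.conf uses for this setting, which is
# free as long as the crs-setup.conf copy stays commented out.
SecAction \
    "id:900200,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PATCH DELETE'"

# Option B: scoped. Only requests under an assumed REST path get the
# wider policy; everything else keeps the CRS default from 901160.
# Scope with a phase-1 SecRule in the server context rather than a
# <Location> block, because the enforcement rule 911100 also runs in
# phase 1, before Apache has mapped the request to a location.
# id 10200 is assumed free (1-99999 is the local-rule range).
SecRule REQUEST_URI "@beginsWith /api/" \
    "id:10200,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PATCH DELETE'"
```

Use one option, not both: with Option A present, Option B is redundant. To confirm the policy took effect, send a PATCH (for example with curl -X PATCH) to a path inside and one outside the scope and compare the responses; a block from the default policy shows up in the ModSecurity audit log with rule id 911100, while a blocked request that is logged under a different id is being rejected by some other CRS rule and is not a method-policy problem.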
Hey there! I reached out to the Apache team about this issue, and they advised that it would be best to reach out to OWASP directly for details about how those internal operations work. We just incorporate the OWASP rules into our RPM system, without modifications.
Yes, the rules get installed from the ea-modsec2-rules-owasp-crs-3.3.4-1.1.3.cpanel.x86_64 package which is not dependent on the OS or cPanel version. I would not expect there to be any action between tools like Softaculous and OWASP.