OWASP Rule 960035 Breaks Mailman


  • cPanelKenneth
    Hello PCZero, Thank you for reporting this. Right now we'll have to pass your information along to OWASP themselves, as they are the maintainers of the rules. We are working on a system which allows you to report these kinds of things directly to OWASP. Right now, as you suggested, I'd recommend either disabling the rule, or modifying it.
    0
  • PCZero
    Hello PCZero, Thank you for reporting this. Right now we'll have to pass your information along to OWASP themselves, as they are the maintainers of the rules. We are working on a system which allows you to report these kinds of things directly to OWASP. Right now, as you suggested, I'd recommend either disabling the rule, or modifying it.

    You are very welcome Kenneth. The fact you realize I was reporting an issue that may well impact many cPanel users and might need to be addressed by whoever the appropriate party is, is not lost on me. Actually I would love to modify the rule but my level of knowledge on how the rule sets work, the correct syntax, and how to basically say 'apply this rule unless it is a mailman URL' is less than desired. I am going to opt for disabling the rule until the matter gets addressed so I don't do anything that would make things worse! :) Please do keep us posted on the progress of this so that when it does get addressed we can re-enable the rule. Thanks!
    0
  • PCZero
    Kenneth, will you be able to update this thread when the powers that be address the underlying issue? I would much prefer to have the rule in question enabled but need to have it disabled until it is modified since many of my hosting clients use MM.
    0
  • cPanelMichael
    Kenneth, will you be able to update this thread when the powers that be address the underlying issue? I would much prefer to have the rule in question enabled but need to have it disabled until it is modified since many of my hosting clients use MM.

    The reporting functionality is now available: OWASP Reporting Functionality. Thank you.
    0
  • PCZero
    Thanks Kenneth. Has this issue been reported already and if so do you know if it has been resolved yet?
    0
  • cPanelMichael
    Thanks Kenneth. Has this issue been reported already and if so do you know if it has been resolved yet?

    I believe one purpose of the reporting system is that anyone who experiences an issue with a rule should submit the report to OWASP so they can get a better idea of how many users are affected. Thus, you should still send the report even if another user already has. Thank you.
    0
