Re: SVN over HTTP and mod_security

On 7/09/2011 3:42 PM, Philip Prindeville wrote:

Hi Philip,

> I had configured and installed subversion (SVN) to run over HTTP as the transport, but when I tried to use it I got:
>
> [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/trunk/package/linux-atm"] [unique_id "TmUFkcCoAQoAABnnJF8AAAAD"]
> [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnlI-4AAAAB"]
> [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnkI6QAAAAA"]
>
> when doing commits, etc. I was thinking it would be nice if mod_security out-of-the-box supported SVN...
>
> I'm looking at the supposed offending rule:
>
> SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
>      "chain,phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
>          SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}" "skipAfter:END_CORRELATION"
>
> and thinking "Wha.....t?"

Ouch.

Have you brought it up on the mod-security-users or Core Ruleset lists? 
They'd probably have more insight on this than I would (I'm more of a 
git person myself nowadays).

http://lists.sourceforge.net/lists/listinfo/mod-security-users
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set 
(better for this issue I'd say)

> If the .conf files out-of-the-box can't support SVN by default, how about at least having a post-install script that modifies the rules to accommodate SVN?
>
> Or what about SVN installing its own rules if it detects mod_security is installed and enabled?

I've only ever seen cross-package triggers once (a Samba package in 
earlier Fedoras) and it looks like a potential disaster area and best 
avoided.

> But less abstractly: does anyone know what's required to make SVN-over-HTTP work with mod_security?

Truth be told I've wimped out and run it in DetectionOnly mode with the 
more painful apps - Drupal / Wordpress and DAV-reliant apps (like SVN or 
iCal stuff) have traditionally been fairly hellish otherwise.

> Thanks,
>
> -Philip

Cheers,
Michael.
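The three log lines quoted above are CRS correlation entries: each carries the total inbound score (15) and the level it was compared against (20), and "Operator LT matched" means the score was below that level, so this rule logged a warning rather than denying anything. As an added example that is not part of the thread, the Python below parses such ModSecurity error-log lines into their fields and reports, per URI, the score, the level and the reason; whether the request was actually denied depends on the phase 2 blocking rule, which is not in the quoted excerpt. The first two sample lines are the thread's own; the third, with a score above the level, is constructed.

```python
"""Triage ModSecurity/CRS anomaly-score entries from an Apache error log."""
import re
# Header of a ModSecurity error-log entry; the bracketed [key "value"] fields follow it.
HEADER_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>Warning|Access denied[^.]*)\. (?P<detail>.*?)(?= \[\w+ ")')
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
OPERATOR_RE = re.compile(r'Operator (?P<op>\w+) matched (?P<arg>\d+) at (?P<var>\S+)\.')
SCORE_RE = re.compile(r'Total Inbound Score: (?P<score>\d+), SQLi=\d*, XSS=\d*\): (?P<reason>.*)')

def parse_entry(line):
    """Return the fields of one ModSecurity error-log line, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry.update({f.group('key'): f.group('val') for f in FIELD_RE.finditer(line)})
    op = OPERATOR_RE.search(entry['detail'])
    if op:  # the value the operator compared against, here tx.inbound_anomaly_score_level
        entry['operator'], entry['threshold'] = op.group('op'), int(op.group('arg'))
    sc = SCORE_RE.search(entry.get('msg', ''))
    if sc:
        entry['score'], entry['reason'] = int(sc.group('score')), sc.group('reason')
    return entry

def triage(log_text):
    """Group anomaly-score entries by URI: score, level compared against, reason, outcome."""
    by_uri = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if not e or 'score' not in e:
            continue
        if e['action'] != 'Warning':
            outcome = 'denied by engine'
        elif e.get('operator') == 'LT' and e['score'] < e['threshold']:
            outcome = 'logged only: score below inbound_anomaly_score_level'
        else:
            outcome = 'score reached level: check the phase-2 blocking rule'
        by_uri.setdefault(e['uri'], []).append(
            {'score': e['score'], 'threshold': e.get('threshold'),
             'reason': e['reason'], 'outcome': outcome})
    return by_uri

# Sample input: the first two lines are the ones quoted in the thread; the third is constructed.
SAMPLE_LOG = (
    '[Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/trunk/package/linux-atm"] [unique_id "TmUFkcCoAQoAABnnJF8AAAAD"]\n'
    '[Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnlI-4AAAAB"]\n'
    '[Mon Sep 05 11:24:01 2011] [error] [client ::1] ModSecurity: Warning. Operator GE matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 25, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/constructed-example"] [unique_id "CONSTRUCTED0000000000000"]\n'
)
```

Running `triage(SAMPLE_LOG)` shows both SVN URIs at score 15 against level 20 with the reason "Method is not allowed by policy", which points at the CRS allowed-methods policy rather than at anything SQLi- or XSS-shaped.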

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
