
ModSecurity Rule Triggered by autodiscover

Discussion in 'Security' started by lukekenny, Oct 14, 2018.

  1. lukekenny

    lukekenny Member

    Joined:
    Jan 24, 2018
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Running the latest cPanel with the OWASP3 rules enabled and tx.crs_exclusions_wordpress=1.

    Some users have email boxes and use clients like Outlook that use autodiscover.

    It seems the following rules get triggered on the POST /autodiscover/autodiscover.xml that the client makes:

    941100 - XSS Attack Detected via libinjection
    941130 - XSS Filter - Category 3: Attribute Vector
    949110 - Inbound Anomaly Score Exceeded (Total Score: 10)

    What's the best way to prevent autodiscover from triggering these rules?

    I tried adding a DirectoryMatch for ^\/autodiscover\/ to turn ModSecurity off for that directory, but that doesn't seem to work.

    Obviously not keen on disabling 949110, and unsure if disabling 941100 and 941130 is a good or bad idea. Any advice appreciated!
     
  2. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    93
    Likes Received:
    51
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Just to be clear, I don't use Autodiscover and won't troubleshoot it for you if it won't work after you get ModSecurity to allow these POST requests to pass.
    Here is an exclusion rule to allow these requests...
    Code:
    # Allow POST to Autodiscover: a chained rule. The first SecRule matches the
    # request method, the chained second SecRule matches the request filename;
    # only when both match are rules 941100 and 941130 removed for this request.
    SecRule REQUEST_METHOD "@streq POST" \
        "msg:'Autodetect rule is being hit',\
        id:19000000,\
        phase:2,\
        t:none,\
        nolog,\
        noauditlog,\
        pass,\
        chain"
        # Chained rule: carries no id or phase of its own. The ctl: actions
        # apply only to rules that execute after this one in the same phase.
        SecRule REQUEST_FILENAME "@endsWith /autodiscover/autodiscover.xml" \
            "t:none,\
            ctl:ruleRemoveById=941100,\
            ctl:ruleRemoveById=941130"
    Add this rule at...
    Home » Security Center » ModSecurity™ Tools » Add Custom Rule

    With the lines nolog and noauditlog this rule will be silent and hard to test.
    I suggest you change nolog to log so you can test it and see a log entry in the list at...
    Home » Security Center » ModSecurity™ Tools » Hits List
    every time the POST request is made.
    On my system I would expect Apache to reply with a Status Code of 404 (instead of 403 without the rule).
    On your system with autodiscover enabled Apache will probably reply with a Status Code of 200 (instead of 403 without the rule).

    Once you establish that the rule is working as expected I suggest you change "log" back to "nolog" so your Hits List is not full of messages created by this rule.
     
    cPanelLauren likes this.
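One way to confirm from the server's own logs that the exclusion above is working, as an added example that is neither fuzzylogic's code nor anything shipped by cPanel: the Python script below parses ModSecurity 2.x entries from Apache's error_log, groups the rule ids that fired per request URI, and reports whether the custom rule (id 19000000, with `log` in place of `nolog`) fired on the Autodiscover URI, whether 941100 or 941130 still logged there, and whether the request was still denied. The log lines are constructed for the example; the bracketed field layout (`[id "..."]`, `[msg "..."]`, `[uri "..."]`) follows the ModSecurity 2.x error_log format. If the check shows the custom rule firing but 941100 or 941130 still logged, the usual cause is load order: `ctl:ruleRemoveById` only affects rules that execute after it in the same request, so the custom rule must be loaded before the CRS rules it removes.

```python
"""Summarise ModSecurity 2.x hits from Apache error_log lines.

Added example for this thread; it is not fuzzylogic's code and not part of
cPanel. The log lines at the bottom are constructed to look like ModSecurity
entries and were not taken from a real server.
"""
import re
from collections import Counter, defaultdict

AUTODISCOVER_URI = "/autodiscover/autodiscover.xml"
EXCLUSION_RULE_ID = "19000000"            # id of the custom rule from the thread
EXCLUDED_RULE_IDS = {"941100", "941130"}  # rules the custom rule removes
BLOCKING_RULE_ID = "949110"               # CRS inbound anomaly-score evaluator

# Bracketed key/value pairs as ModSecurity 2.x writes them, e.g. [id "941100"]
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ACTION_RE = re.compile(r"ModSecurity: (Warning|Access denied with code (\d+))")


def parse_modsec_line(line):
    """Parse one error_log line written by ModSecurity 2.x.

    Returns a dict holding every bracketed field (id, msg, uri, ...) plus
    'action' ('warn' or 'deny') and 'status' (HTTP code for a deny, else None).
    Returns None for lines that are not ModSecurity entries.
    """
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "uri" not in fields:
        return None  # truncated or malformed entry; nothing useful to report
    fields["action"] = "deny" if m.group(2) else "warn"
    fields["status"] = int(m.group(2)) if m.group(2) else None
    return fields


def hits_by_uri(lines):
    """Map each request URI to a Counter of the rule ids logged against it."""
    summary = defaultdict(Counter)
    for line in lines:
        entry = parse_modsec_line(line)
        if entry:
            summary[entry["uri"]][entry["id"]] += 1
    return summary


def check_autodiscover_exclusion(lines):
    """Report whether the exclusion rule is doing its job on the Autodiscover URI.

    exclusion_fired: the custom rule logged at least once (needs 'log', not 'nolog')
    leaked_ids:      excluded CRS rules that still logged on that URI
    anomaly_blocks:  how often the anomaly-score rule 949110 still fired there
    still_denied:    ModSecurity still issued an 'Access denied' for that URI
    """
    entries = [e for e in map(parse_modsec_line, lines)
               if e and e["uri"] == AUTODISCOVER_URI]
    ids = Counter(e["id"] for e in entries)
    return {
        "exclusion_fired": ids[EXCLUSION_RULE_ID] > 0,
        "leaked_ids": sorted(EXCLUDED_RULE_IDS & set(ids)),
        "anomaly_blocks": ids[BLOCKING_RULE_ID],
        "still_denied": any(e["action"] == "deny" for e in entries),
    }


# Constructed sample lines (not real log output); a shared prefix/suffix keeps them readable.
_PREFIX = ('[Sun Oct 14 09:12:01.000000 2018] [:error] [pid 4242] '
           '[client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: ')
_SUFFIX = ('[hostname "mail.example.com"] [uri "/autodiscover/autodiscover.xml"] '
           '[unique_id "W8LqAQAAAAAexample"]')

# Before the exclusion: two XSS rules score the Outlook XML body, then 949110 denies.
BEFORE_EXCLUSION = [
    _PREFIX + 'Warning. detected XSS using libinjection. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] ' + _SUFFIX,
    _PREFIX + 'Warning. Pattern match "(?i:...)" at REQUEST_BODY. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "140"] [id "941130"] [msg "XSS Filter - Category 3: Attribute Vector"] [severity "CRITICAL"] ' + _SUFFIX,
    _PREFIX + 'Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] ' + _SUFFIX,
    # an unrelated Apache notice, which the parser must ignore
    '[Sun Oct 14 09:12:00.000000 2018] [core:notice] [pid 1] AH00094: Command line: /usr/sbin/httpd',
]

# After adding the exclusion with 'log' instead of 'nolog': only the custom rule
# logs (as a pass); the excluded rules and the blocking rule stay quiet.
AFTER_EXCLUSION = [
    _PREFIX + 'Warning. String match "/autodiscover/autodiscover.xml" at REQUEST_FILENAME. '
    '[file "modsec2.user.conf"] [line "3"] [id "19000000"] '
    '[msg "Autodetect rule is being hit"] ' + _SUFFIX,
]

if __name__ == "__main__":
    for label, lines in (("before", BEFORE_EXCLUSION), ("after", AFTER_EXCLUSION)):
        print(label, check_autodiscover_exclusion(lines))
```

Run it against a real error_log with `check_autodiscover_exclusion(open("/path/to/error_log").readlines())`; an `anomaly_blocks` of 0 together with an empty `leaked_ids` confirms the exclusion before switching the rule back to `nolog`.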
  3. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,517
    Likes Received:
    251
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Thanks @fuzzylogic for the great information and assistance! @lukekenny let us know if the information provided helps!
     