The Community Forums


OWASP Rule 960035 Breaks Mailman

Discussion in 'E-mail Discussions' started by PCZero, Feb 17, 2015.

  1. PCZero (Well-Known Member)

    If you are running Mailman on any .com domain and you use the OWASP ModSec Rule Set, you either need to disable rule 960035 or live with the fact that users will not be able to access the list info page.

    1) Mailman uses a syntax to call the list info page for a mailing list that ends with the DomainName.ext of the site that hosts the list.

    2) 960035 blocks all calls to files with (among others) a .com extension.

    3) Therefore, if you set up a MM list on MyDomain.com, any calls to the list info page for that site will fail and be blocked if you have the OWASP Rule Set fully enabled.

    Whoever it is that maintains this rule set should modify that rule so that it does not cripple MM!
  2. cPanelKenneth (cPanel Development, Staff Member)

    Hello PCZero,

    Thank you for reporting this. Right now we'll have to pass your information along to OWASP themselves, as they are the maintainers of the rules. We are working on a system which allows you to report these kinds of things directly to OWASP.

    Right now, as you suggested, I'd recommend either disabling the rule, or modifying it.
     
  3. PCZero (Well-Known Member)

    You are very welcome Kenneth. The fact you realize I was reporting an issue that may well impact many cPanel users and might need to be addressed by whomever the appropriate party is, is not lost on me. Actually I would love to modify the rule but my level of knowledge on how the rule sets work, the correct syntax, and how to basically say 'apply this rule unless it is a mailman URL' is less than desired. I am going to opt for disabling the rule until the matter gets addressed so I don't do anything that would make things worse! :) Please do keep us posted on the progress of this so that when it does get addressed we can re-enable the rule.

    Thanks!
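The "apply this rule unless it is a Mailman URL" exception asked for in post #3, for the conflict described in post #1, as an added example that is not from the thread or from cPanel. It assumes ModSecurity 2.x with OWASP CRS 2.x already included earlier in the Apache config, Mailman served under /mailman/, and local rule ids 1000001 and 1000002 being unused on the host.

```apache
# Added example, not from the thread or from cPanel. Assumes ModSecurity 2.x
# with OWASP CRS 2.x loaded earlier in the Apache config, Mailman served under
# /mailman/, and local rule ids 1000001-1000002 unused.

# Option A (what the thread settles on): drop rule 960035 for the whole server.
# Every request may then target files with any extension the rule restricted.
# Must come after the CRS include; it only removes rules already loaded.
SecRuleRemoveById 960035

# Option B: keep the rule, but skip it for this one transaction when the
# request is for Mailman. Phase 1 runs before 960035 (phase 2), so the
# ctl action is in effect by the time the extension check would fire.
SecRule REQUEST_URI "@beginsWith /mailman/" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveById=960035"

# Option C (tighter): only the Mailman list pages, and only when the last
# path segment ends in a domain-style suffix (the URL shape described in
# post #1, e.g. a list page whose path ends in example.com). Every other
# request, including anything else under /mailman/, keeps the policy.
SecRule REQUEST_URI "@rx ^/mailman/(listinfo|subscribe|options|admin)/[^/]+\.[a-z]{2,}$" \
    "id:1000002,phase:1,t:none,t:lowercase,pass,nolog,ctl:ruleRemoveById=960035"
```

Pick one option, not all three; after reloading Apache, request the list info page and confirm no 960035 entry appears in the ModSecurity audit log for it, while a request for some other .com basename outside /mailman/ is still blocked.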
     
  4. PCZero (Well-Known Member)

    Kenneth, will you be able to update this thread when the powers that be address the underlying issue? I would much prefer to have the rule in question enabled but need to have it disabled until it is modified since many of my hosting clients use MM.
     
  5. cPanelMichael (Forums Analyst, Staff Member)

    The reporting functionality is now available:

    OWASP Reporting Functionality

    Thank you.
     
  6. PCZero (Well-Known Member)

    Thanks Kenneth. Has this issue been reported already and if so do you know if it has been resolved yet?
     
  7. cPanelMichael (Forums Analyst, Staff Member)

    I believe one purpose of the reporting system is that anyone who experiences an issue with a rule should submit the report to OWASP so they can get a better idea of how many users are affected. Thus, you should still send the report even if another user already has.

    Thank you.