mod_security denies w3c validation service

ddaas · 08-02-2012, 04:05 AM

Hello,
On one of my servers I'am using mod_security with the standard rules.

It blocks w3c validation service: http://validator.w3.org/

In the logs I get:

Quote:

[Thu Aug 02 11:59:11 2012] [error] [client 128.30.52.70] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsec/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "46"] [id "960015"] [rev "2.1.1"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "www.myhost-here.com"] [uri "/cam-2012/"] [unique_id "UBpBX38AAQEAAGVrAWAAAAAA"]

In modsecurity_crs_10_config.conf before the inclusion of the modsecurity_crs_21_protocol_anomalies.conf I tried the following rule with no success: SecRule HTTP_User-Agent "W3C-checklink" allow,ctl:ruleEngine=Off

How can I allow w3c validator?

Thanks

unSpawn · 08-02-2012, 06:11 AM

Quote:

Originally Posted by ddaas

I tried the following rule with no success

Wouldn't that allow anyone with the "W3C-checklink" UA set ('curl -A "W3C-checklink"') to bypass your WAF? (Kind of odd BTW seeing the request missing an Accept header, esp. from a validation service, unless it's part of the testing.) How about a line "SecRule REMOTE_ADDR "^128\.30\.52\.70$" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960015""?* That would at least limit removal to only krusty.w3.org and markup1.w3.org and only this particular rule. Not that I'm a WAF guru though.