[Mailman-Users] ModSecurity false positive on list options pages

Russell Clemings rclemings at gmail.com
Tue Oct 10 14:54:38 EDT 2017

Using OWASP ModSecurity Core Rule Set ver.3.0.2 on cPanel v66.0.23; CentOS
7.3, Mailman 2.1.23:

ModSecurity with the OWASP rules (which come with cPanel nowadays) doesn't
like Mailman's list options url for some email addresses.

Specifically a URL in the form
http://lists.xxx.xxx/mailman/options/listname/localpart--at--domain.com is
blocked with a 403 error. Only '.com" addresses are affected, as far as I
can tell, and the reason is rule 920440:

SecRule REQUEST_BASENAME "\.(.*)$" "chain, capture, phase:request,
t:none,t:urlDecodeUni,t:lowercase, block, msg:'URL file extension is
restricted by policy', severity:'CRITICAL', rev:'2', ver:'OWASP_CRS/3.0.0',
maturity:'9', accuracy:'9', id:920440, logdata:'%{TX.0}',
tag:'application-multi', tag:'language-multi', tag:'platform-multi',
tag:'attack-protocol', tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',
tag:'WASCTC/WASC-15', tag:'OWASP_TOP_10/A7',
tag:'PCI/6.5.10',logdata:'%{TX.0}', setvar:tx.extension=.%{tx.1}/"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id

tx.restricted_extensions, defined elsewhere, lists a lot of file
extensions, .com being among them:

'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/
.cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/
.db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/
.licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/
.resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/
.xsd/ .xsx/'

So basically ModSecurity sees .com at the end of the URL and thinks a risky
file is being requested and blocks the request.

With some help from the OWASP list I wrote a new rule that works around
this problem. It is entered in the "ModSecurity Tools" section of cPanel's
WHM. I don't know if there's a way to do it if you don't have access to
WHM. I couldn't find one.

SecRule REQUEST_URI "^\/mailman\/options\/.*"
.asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .config/
.conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/
.idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/
.pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/
.vsdisco/ .webinfo/ .xsd/ .xsx/'"

That substitutes a new list of restricted extensions for requests to a page
containing the "/mailman/options/" string.

http://lists.xxx.xxx/mailman/options/listname/localpart--at--domain.com is
http://lists.xxx.xxx/mailman/Xoptions/listname/localpart--at--domain.com is

I'm posting this mostly for the sake of anyone else who runs into this
problem. If there's a simple fix on the Mailman side, though, so much the
better. Maybe substitute another character for the dot?

More information about the Mailman-Users mailing list