Closed
Description
When I try to reorder a list on a board with multiple lists, by dragging a list from one side of the board to the other, I hit this rule, 911100, I think because of the PUT:
```json
{
  "transaction": {
    "client_ip": "xxx.xxx.xxx.xxx",
    "time_stamp": "Sat Jul 13 09:45:30 2024",
    "server_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "client_port": 29992,
    "host_ip": "xx.xx.x.xxx",
    "host_port": 443,
    "unique_id": "xxxxxxxxxxxxxxxxxxx",
    "request": {
      "method": "PUT",
      "http_version": 2.0,
      "uri": "/apps/deck/stacks/78/reorder",
      "body": "{\"order\":0}",
      "headers": {
        "origin": "https://nextcloud.example.com",
        "dnt": "1",
        "requesttoken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "x-requested-with": "XMLHttpRequest, XMLHttpRequest",
        "content-type": "application/json",
        "accept-encoding": "gzip, deflate, br, zstd",
        "cookie": "__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; xxxxxxxxxxxx=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; xxxxxxxxxxx=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "content-length": "11",
        "accept-language": "en-US,en;q=0.5",
        "te": "trailers",
        "accept": "application/json, text/plain, */*",
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0",
        "sec-fetch-site": "same-origin",
        "host": "nextcloud.example.com",
        "sec-fetch-dest": "empty",
        "sec-fetch-mode": "cors"
      }
    },
    "response": {
      "http_code": 403,
      "headers": {
        "Server": "",
        "Date": "Sat, 13 Jul 2024 07:45:30 GMT",
        "Content-Length": "146",
        "Content-Type": "text/html",
        "Connection": "close",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
      }
    },
    "producer": {
      "modsecurity": "ModSecurity v3.0.12 (Linux)",
      "connector": "ModSecurity-nginx v1.0.3",
      "secrules_engine": "Enabled",
      "components": [
        "OWASP_CRS/4.4.0\""
      ]
    },
    "messages": [
      {
        "message": "Method is not allowed by policy",
        "details": {
          "match": "Matched \"Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `PUT')",
          "reference": "v0,3",
          "ruleId": "911100",
          "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf",
          "lineNumber": "28",
          "data": "PUT",
          "severity": "2",
          "ver": "OWASP_CRS/4.4.0",
          "rev": "",
          "tags": [
            "application-multi",
            "language-multi",
            "platform-multi",
            "attack-generic",
            "paranoia-level/1",
            "OWASP_CRS",
            "capec/1000/210/272/220/274",
            "PCI/12.1"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      },
      {
        "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
        "details": {
          "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' )",
          "reference": "",
          "ruleId": "949110",
          "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
          "lineNumber": "222",
          "data": "",
          "severity": "0",
          "ver": "OWASP_CRS/4.4.0",
          "rev": "",
          "tags": [
            "anomaly-evaluation",
            "OWASP_CRS"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      }
    ]
  }
}
```

Maybe solution
I think fixing it might look something like this, but I'm not great at modsecurity rule exclusion stuff:
```apache
# allow reorder deck lists
# (keeps the CRS default set GET HEAD POST OPTIONS and adds PUT for this endpoint)
SecRule REQUEST_URI "@rx ^/apps/deck/stacks/[0-9]+/reorder$" \
    "id:9000000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT'"
```
Env
CRS version: 4.4.0
ModSecurity version: ModSecurity v3.0.12 (Linux)
type of web server: ingress-nginx controller via k8s
Thanks for any help you can provide!
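For reference, here is the same exclusion written the way CRS 4 expects method allow-listing to be done: scoped to the Deck reorder endpoint, extending rather than replacing the default method set, and placed so that it actually takes effect. This is an added example, not code from the issue author, the CRS project or the Nextcloud plugin. The rule id 9000000 is the placeholder from the post above, and the file placement (a plugin `*-before.conf` file loaded ahead of REQUEST-901) is an assumption about the deployment.

```apache
# Added example (not from the issue or the CRS project): allow PUT only on the
# Deck "reorder" endpoint by extending tx.allowed_methods for that request.
#
# Placement: CRS 4 initialises tx.allowed_methods in
# REQUEST-901-INITIALIZATION.conf (phase 1) only if the variable is still
# unset, so a rule that pre-sets it must be loaded before the 901 file, i.e.
# in a plugin "*-before.conf" file (assumed placement). Rule 911100 then
# reads the variable in phase 2 and sees PUT as permitted for this request
# only; every other URI keeps the default GET HEAD POST OPTIONS.
#
# REQUEST_FILENAME is used instead of REQUEST_URI because REQUEST_URI also
# carries the query string, which would make the "$" anchor miss a request
# such as /apps/deck/stacks/78/reorder?foo=bar.
#
# Rule id 9000000 is the placeholder id from the post above.
SecRule REQUEST_FILENAME "@rx ^/apps/deck/stacks/[0-9]+/reorder$" \
    "id:9000000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT'"
```

The alternative of `ctl:ruleRemoveById=911100` on the same URI condition also works, but it switches method enforcement off entirely for that endpoint (any verb would then pass rule 911100), whereas extending `tx.allowed_methods` permits exactly the one extra method the application needs. After deploying, re-run the drag-and-drop and confirm in the audit log that the request no longer produces a 911100 message and that the anomaly score for it stays below the blocking threshold.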