View file File name : REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf Content :# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.2 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # # ------------------------------------------------------------------------ # These exclusions remedy false positives in a default NextCloud install. # They will likely work with OwnCloud too, but you may have to modify them. # The exclusions are only active if crs_exclusions_nextcloud=1 is set. # See rule 900130 in crs-setup.conf.example for instructions. # # To relax upload restrictions for only the php files that need it, # you put something like this in crs-setup.conf: # # SecRule REQUEST_FILENAME "@rx /(?:remote.php|index.php)/" \ # "id:9003330,\ # phase:1,\ # t:none,\ # nolog,\ # pass,\ # tx.restricted_extensions='.bak/ .config/ .conf/'" # # Large uploads can be modified with SecRequestBodyLimit. Or they # can be more controlled by using the following: # # SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \ # "id:9003610,\ # phase:1,\ # t:none,\ # nolog,\ # ctl:requestBodyLimit=1073741824" # # --------------------- SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ "id:9003000,\ phase:1,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ skipAfter:END-NEXTCLOUD" SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ "id:9003001,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ skipAfter:END-NEXTCLOUD" # # [ File Manager ] # # # The web interface uploads files, and interacts with the user. SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \ "id:9003100,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveByTag=attack-injection-php,\ ctl:ruleRemoveById=941000-942999,\ ctl:ruleRemoveById=951000-951999,\ ctl:ruleRemoveById=953100-953130,\ ctl:ruleRemoveById=920420,\ ctl:ruleRemoveById=920440,\ ver:'OWASP_CRS/3.3.2'" # Skip PUT parsing for invalid encoding / protocol violations in binary files. SecRule REQUEST_METHOD "@streq PUT" \ "id:9003105,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ chain" SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \ "t:none,\ ctl:ruleRemoveById=920000-920999,\ ctl:ruleRemoveById=932000-932999,\ ctl:ruleRemoveById=921150,\ ctl:ruleRemoveById=930110,\ ctl:ruleRemoveById=930120" # Allow the data type 'text/vcard' SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ "id:9003110,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'" # Allow the data type 'application/octet-stream' SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \ "id:9003115,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ chain" SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \ "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'" # Allow data types like video/mp4 SecRule REQUEST_METHOD "@streq PUT" \ "id:9003116,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ chain" SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \ "ctl:ruleRemoveById=920340,\ ctl:ruleRemoveById=920420" # Allow characters like /../ in files. # Allow all kind of filetypes. # Allow source code. SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ "id:9003120,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveById=930100-930110,\ ctl:ruleRemoveById=951000-951999,\ ctl:ruleRemoveById=953100-953130,\ ctl:ruleRemoveById=920440,\ ver:'OWASP_CRS/3.3.2'" # Allow REPORT requests without Content-Type header (at least the iOS app does this) SecRule REQUEST_METHOD "@streq REPORT" \ "id:9003121,\ phase:2,\ pass,\ t:none,\ nolog,\ chain" SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ "t:none,\ ctl:ruleRemoveById=920340" # [ Searchengine ] # # NexCloud uses a search field for filename or content queries. SecRule REQUEST_FILENAME "@contains /index.php/core/search" \ "id:9003125,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\ ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\ ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\ ver:'OWASP_CRS/3.3.2'" # [ DAV ] # # NextCloud uses DAV methods with index.php and remote.php to do many things # The default ones in ModSecurity are: GET HEAD POST OPTIONS # # Looking through the code, and via testing, I found these: # # File manager: PUT DELETE MOVE PROPFIND PROPPATCH # Calendars: REPORT # Others in the code or js files: PATCH MKCOL MOVE TRACE # Others that I added just in case, and they seem related: # CHECKOUT COPY LOCK MERGE MKACTIVITY UNLOCK. SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \ "id:9003130,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'" # We need to allow DAV methods for sharing files, and removing shares # DELETE - when the share is removed # PUT - when setting a password / expiration time SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \ "id:9003140,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'" # [ Preview and Thumbnails ] SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \ "id:9003150,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=932150;ARGS:file,\ ver:'OWASP_CRS/3.3.2'" # Filepreview for trashbin SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.php" \ "id:9003155,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=932150;ARGS:file,\ ctl:ruleRemoveTargetById=942190;ARGS:file,\ ver:'OWASP_CRS/3.3.2'" SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \ "id:9003160,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\ ver:'OWASP_CRS/3.3.2'" # [ Ownnote ] SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \ "id:9003300,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveById=941150,\ ver:'OWASP_CRS/3.3.2'" # [ Text Editor ] # # This file can save anything, and it's name could be lots of things. SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \ "id:9003310,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filecontents,\ ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\ ctl:ruleRemoveTargetById=932150;ARGS:filename,\ ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\ ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\ ver:'OWASP_CRS/3.3.2'" # [ Address Book ] # # Allow the data type 'text/vcard' SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \ "id:9003320,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'" # Allow modifying contacts via the web interface SecRule REQUEST_METHOD "@streq PUT" \ "id:9003321,\ phase:1,\ pass,\ t:none,\ nolog,\ chain" SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \ "t:none,\ ctl:ruleRemoveById=200002" # [ Calendar ] # # Allow the data type 'text/calendar' SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \ "id:9003330,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'" # Allow modifying calendar events via the web interface SecRule REQUEST_METHOD "@streq PUT" \ "id:9003331,\ phase:1,\ pass,\ t:none,\ nolog,\ chain" SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \ "t:none,\ ctl:ruleRemoveById=200002" # [ Notes ] # # We want to allow a lot of things as the user is # allowed to note on anything. SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \ "id:9003340,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveByTag=attack-injection-php,\ ver:'OWASP_CRS/3.3.2'" # [ Bookmarks ] # # Allow urls in data. SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \ "id:9003350,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveById=931130,\ ver:'OWASP_CRS/3.3.2'" # # [ Login forms ] # # This removes checks on the 'password' and related fields: # User login password. SecRule REQUEST_FILENAME "@contains /index.php/login" \ "id:9003400,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ ver:'OWASP_CRS/3.3.2'" # Reset password. SecRule REQUEST_FILENAME "@endsWith /index.php/login" \ "id:9003410,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.2',\ chain" SecRule ARGS:action "@streq resetpass" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2" # Change Password and Setting up a new user/password SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \ "id:9003500,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ ver:'OWASP_CRS/3.3.2'" SecMarker "END-NEXTCLOUD-ADMIN" SecMarker "END-NEXTCLOUD"