Vim Patior

Edit file

File name : REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf

Content :

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
#
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default Dokuwiki install.
# The exclusions are only active if crs_exclusions_dokuwiki=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# Note, if you want to relax the upload restrictions,
# see rule 900240. For Dokuwiki you can limit the exception
# to the ajax.php file:
#
# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" ...
#

SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
    "id:9004000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-DOKUWIKI"

SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
    "id:9004001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-DOKUWIKI"

#
# -=[ Dokuwiki Front-End ]=-
#
# Note on files specified:
# /doku.php: shows pages, saves, edits, admin
# /lib/exe/ajax.php: autosave, uploads
#
# Allow pages to be edited, and ajax to save drafts.
#
# ARGS 'wikitext', 'suffix', and 'prefix' must allow the same things,
# as the page (in part or whole) is passed via 'suffix/prefix' at times.
#  attack-protocol (921110-921160/920230): Allows odd characters on the page.
#  CRS: (still need attack-protocol specified.)
#  attack-injection-php (930000-933999): Allows code on page.
#  attack-sqli (940000-942999): Allows SQL expressions on page.
#
# Others:
#  930100-930110;REQUEST_BODY: if there's  a /../ in the text.
#
# ARGS:summary (the text in the 'summary' box on page edits.):
#  Allowing 930120-930130 lets user save summaries with
#  system file names. This should not be needed in normal
#  use. But leaving a note here of how to allow in rule below:
#    ctl:ruleRemoveTargetById=930120;ARGS:summary
#    ctl:ruleRemoveTargetById=930130;ARGS:summary
#
# Also, can't specify:
#   SecRule ARGS:do "@streq edit" \
#   SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
# because at times the do=edit can get dropped, so if we use
# above the edit will get blocked when the page is saved.

# Hint: those using .htaccess rewrites can remove/replace
# this first 'SecRule...' line with 'SecAction \' (unsupported).

SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
    "id:9004100,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,\
        chain"
        SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:wikitext,\
            ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:suffix,\
            ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:prefix,\
            ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY"

# Allow it to upload files. But check for cookies just to make sure.

SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
    "id:9004110,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,\
        chain"
        SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
            "t:none,\
            setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"

# Show the index, even if things like "postgresql" or other things show up.

SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:9004130,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule ARGS:do "@streq index" \
        "t:none,\
        chain"
        SecRule &ARGS:do "@eq 1" \
            "t:none,\
            ctl:ruleRemoveById=951240,\
            ctl:ruleRemoveById=953110"

#
# [ Login form ]
#

# Turn off checks for password.

SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:9004200,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule ARGS:do "@streq login" \
        "t:none,\
        chain"
        SecRule &ARGS:do "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:p"

#
# [ Admin Area ]
#
# Skip this section for performance unless do=admin is in request

SecRule ARGS:do "!@streq admin" \
    "id:9004300,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-DOKUWIKI-ADMIN"

SecRule ARGS:do "!@streq admin" \
    "id:9004310,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-DOKUWIKI-ADMIN"

# [ Reset password ]
#
# Turn off checks for pass1, pass1-text, pass2

SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:9004320,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule ARGS:do "@streq login" \
        "t:none,\
        chain"
        SecRule &ARGS:do "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"

# [ Save config ]
#
# Allow the config to be saved:
# 942200:  If the user adds "..." to tagline: ARGS:config[tagline]
# 942430:  if ARGS:config[hidepages] has pages looking like sql statements
# 942430,942440:  "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]

SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:9004370,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule ARGS:page "@streq config" \
        "t:none,\
        chain"
        SecRule &ARGS:page "@eq 1" \
            "t:none,\
            chain"
            SecRule REQUEST_METHOD "@streq POST" \
                "t:none,\
                chain"
                SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
                    "t:none,\
                    ctl:ruleRemoveTargetById=920230;ARGS:config[dformat],\
                    ctl:ruleRemoveTargetById=942200;ARGS:config[tagline],\
                    ctl:ruleRemoveTargetById=942430;ARGS:config[hidepages],\
                    ctl:ruleRemoveTargetById=942430-942440;ARGS:config[signature]"

# When the config loads after a save, it gets blocked because
#   it has 'readdir' and lines that look like sql
# 942430,942440:  "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]
# 951240,953110:  When the page reloads, it triggers
#   postgres and php code disclosure rules.

SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:9004380,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule ARGS:page "@streq config" \
        "t:none,\
        chain"
        SecRule &ARGS:page "@eq 1" \
            "t:none,\
            chain"
            SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
                "t:none,\
                ctl:ruleRemoveById=951240,\
                ctl:ruleRemoveById=953110"

# End [ Admin Area ]

SecMarker "END-DOKUWIKI-ADMIN"

SecMarker "END-DOKUWIKI"