Q1: It appears that the default modsec in cPanel does not allow PATCH or DELETE (only GET HEAD POST OPTIONS, per rule 901160). Is this the case, and if so, why?
# Default HTTP policy: allowed_methods (rule 900200)
SecRule &TX:allowed_methods "@eq 0" \
"id:901160,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
Q2: 901160 references 900200, but the active 900200 is not as expected. It doesn't seem to relate to 901160. (Nor is 900200 the same as the one in /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/crs-setup.conf. There is also 900201 which is almost identical but doesn't exist in crs-setup.conf and neither is 901160. It looks like 900200 was replaced by 901160, and a new 900200 and 900201 were added.) Why is this, or what am I missing about how the OWASP ruleset is incorporated into cPanel?
Active 900200 and 900201:
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
"id:9002000,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-WORDPRESS"
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
"id:9002001,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-WORDPRESS"
900200 in crs-setup.conf:
#SecAction \
# "id:900200,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
Q3: What is the cPanel blessed method for enabling PATCH and DELETE (modify rules, use crs-setup.conf, other)? Is there any downside to enabling these methods (other than adding new attack vectors) server-wide, or should adding these be limited to only the user accounts or apps that need them?
-Pete
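As an added illustration (not part of Pete's post and not CRS or ModSecurity code), the following Python model replays the three directives that decide the outcome for a PATCH or DELETE request: the commented-out 900200 SecAction in crs-setup.conf, the 901160 fallback quoted above, and the CRS 3.x enforcement check (rule 911100 in REQUEST-911-METHOD-ENFORCEMENT.conf, which is not quoted on this page). The function names, the `evaluate` helper and the plain-dict TX collection are my own constructions.

```python
"""Toy model of how OWASP CRS 3.x decides which HTTP methods are allowed.

Constructed illustration: it mirrors the three directives involved but is
not ModSecurity code. The TX collection is modelled as a plain dict.
"""


def rule_900200(tx, methods=None):
    """crs-setup.conf rule 900200: an unconditional SecAction that sets
    tx.allowed_methods. It ships commented out, modelled here by
    methods=None (the variable simply stays unset)."""
    if methods is not None:
        tx["allowed_methods"] = methods


def rule_901160(tx):
    """REQUEST-901 rule 901160: SecRule &TX:allowed_methods "@eq 0" ...
    '&' is the count operator, so this fallback fires only when nothing
    set the variable earlier; an explicit 900200 value is never overridden."""
    if sum(1 for name in tx if name == "allowed_methods") == 0:
        tx["allowed_methods"] = "GET HEAD POST OPTIONS"


def method_allowed(tx, request_method):
    """Enforcement stage (rule 911100 in CRS 3.x, not quoted on the page):
    SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" ... deny.
    @within is a substring test of the request method against the
    space-separated haystack, so PATCH is not found in the default list."""
    haystack = tx["allowed_methods"]
    return request_method in haystack


def evaluate(request_method, setup_methods=None):
    """Run the directives in load order (crs-setup.conf first, then the
    rule files) and report whether the method would pass 911100."""
    tx = {}
    rule_900200(tx, setup_methods)
    rule_901160(tx)
    return method_allowed(tx, request_method)


if __name__ == "__main__":
    widened = "GET HEAD POST OPTIONS PATCH DELETE"
    for method in ("GET", "PATCH", "DELETE"):
        print(method, "default:", evaluate(method),
              "| 900200 uncommented and widened:", evaluate(method, widened))
```

Because 901160 only fills in a default, whatever sets tx.allowed_methods before it runs takes precedence, which is what lets a server-wide crs-setup.conf change and a narrower conditional setvar both work.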