mod-security and paypal IPN is blocked by core rules 960009 #123
Comments
User rcbarnett-zz commented on date 2013-10-17 20:40:06: Original reporter: strikehawkecomm |
User rcbarnett-zz commented on date 2013-10-17 20:40:06: rcbarnett: Please provide an audit log entry so that we can review both the alerts and the full request data. |
User rcbarnett-zz commented on date 2013-10-17 20:40:07: strikehawkecomm: PayPal IPN Blocked |
User rcbarnett-zz commented on date 2013-10-17 20:40:07: strikehawkecomm: In osCommerce, Zen-Cart, CRE Loaded, ipn.php receives the IPN notification to alter the db record as paid and show the tns id and payment amount that should match the order amount. I sanitized any reference to the domain or order amounts from the IPN post data from PayPal. |
User rcbarnett-zz commented on date 2013-10-17 20:40:07: strikehawkecomm: Attached the audit |
User rcbarnett-zz commented on date 2013-10-17 20:40:08: strikehawkecomm: Doing a Google search, there are a lot of posts all over the net about IPN and modsecurity that face the same issue. It should find its way into the rules, maybe? |
User rcbarnett-zz commented on date 2013-10-17 20:40:08: rcbarnett: You need to do an exception in a local modsecurity_crs_15_customerules.conf file for the IPN resource - SecRule REQUEST_METHOD "POST" "chain,phase:1,t:none,nolog,pass" |
User rcbarnett-zz commented on date 2013-10-17 20:40:08: strikehawkecomm: Maybe in the slr_rules for osCommerce |
User rcbarnett-zz commented on date 2013-10-17 20:40:08: rcbarnett: Did you test the exception I provided? |
User rcbarnett-zz commented on date 2013-10-17 20:40:09: rcbarnett: Provided an exception ruleset for IPN transactions. |
User beckspaced commented on date 2014-09-04 13:33:36: hello ;-) rcbarnett -> ran into the same issue with paypal IPN being blocked by mod_security. tried to add your exception ruleset for IPN transactions above, but after apache restart I received the following error: Sep 04 15:22:44 vs2 start_apache2[13292]: AH00526: Syntax error on line 1 of /etc/apache2/mod_security2.d/modsecurity_crs_15_custom_rules.conf: running mod security 2.8.0 with CRS 2.2.9. any help on how to fix this would be awesome ;-) thanks & greetings |
User beckspaced commented on date 2014-09-04 13:47:33: ups ... seems that id is mandatory since 2.7: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id adding an id and changing the exception rule to the following did the trick: SecRule REQUEST_METHOD "POST" "chain,id:99999,phase:1,t:none,nolog,pass" perhaps this might help someone? thanks & greetings |
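A scoped exception of the kind discussed in the comments above, written out in full as an added example. It is not the exception ruleset rcbarnett attached and not code from the CRS project. Assumptions: the IPN handler is served at a path ending in `/ipn.php` (the script named in the thread), only rule 960009 from the issue title needs to be skipped, and `99999` is the locally chosen id from the last comment.

```apache
# Added example for a local exceptions file loaded before the CRS rule files.
# Assumed values: handler path /ipn.php, local rule id 99999.
#
# ModSecurity 2.7 and later refuse to load a SecRule without an "id" action,
# which is the Apache syntax error reported in the thread. In a chain, the
# id, phase and disruptive action belong on the first rule only.
#
# The chain matches only POST requests to the IPN handler. For those
# transactions it switches off rule 960009 and nothing else, so the rule
# keeps running for every other URL on the site.
SecRule REQUEST_METHOD "@streq POST" \
    "id:99999,phase:1,t:none,nolog,pass,chain"
    SecRule REQUEST_FILENAME "@endsWith /ipn.php" \
        "t:none,ctl:ruleRemoveById=960009"

# Broader alternative, shown commented out for contrast: this removes the
# rule for the whole server or virtual host rather than for one resource,
# and it must be placed after the CRS files are included.
# SecRuleRemoveById 960009
```

The `ctl:ruleRemoveById` action only affects rules that run after it in the same transaction, which is why the chain sits in phase 1 and is loaded ahead of the CRS files.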
Issue originally created by user rcbarnett-zz on date 2013-10-17 20:40:05.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#123.
CORERULES-69: Missing user agent and others for paypal IPN. I'm sure others with more experience will expand upon this issue