Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 1 subscriber
  • Views 7536 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF is blocking .axd

mdallagi
Hi all,

starting from the last Microsoft updates, (I don't know why) the WAF is blocking the .axd pages:

2015:04:24-10:48:49 FW-1 reverseproxy: [Fri Apr 24 10:48:49.847480 2015] [security2:error] [pid 14654:tid 4070800240] [client 1.2.3.4] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "services.xyz.net"] [uri "/Pluto/ScriptResource.axd"] [unique_id "VToDcQoAAQIAADk@pTIAAADH"]
2015:04:24-10:48:50 FW-1 reverseproxy: [Fri Apr 24 10:48:50.106933 2015] [security2:error] [pid 14654:tid 4070800240] [client 1.2.3.4] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".axd"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "services.xyz.net"] [uri "/Pluto/DXR.axd"] [unique_id "VToDcgoAAQIAADk@pUgAAADH"]
2015:04:24-10:48:50 FW-1 reverseproxy: [Fri Apr 24 10:48:50.113369 2015] [security2:error] [pid 14654:tid 4070800240] [client 1.2.3.4] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "services.xyz.net"] [uri "/Pluto/DXR.axd"] [unique_id "VToDcgoAAQIAADk@pUgAAADH"]


I tried to create an exception to exclude the path /Pluto/ScriptResource.axd and /Pluto/DXR.axd but it doesn't work.
The solution could be to skip the rules 981203 and/or 960035 but in this way I skip also
other dangerous extensions like .bat, .cmd.....

Anyone with the same problem?

Max.


This thread was automatically locked due to age.
Unfiltered HTML