
Nextcloud Photos don't load (SEARCH HTTP method blocked)

Description

Viewing the Gallery of Nextcloud does not work, even though the Nextcloud exclusion ruleset is enabled. When opening https://nextcloud.domain.com/apps/photos/, photos won’t load because the call is blocked, probably because of the SEARCH HTTP method.

Audit Logs / Triggered Rule Numbers

---4Y92Ts47---A--
[06/Jul/2020:23:04:16 +0000] 159407665644.260733 10.1.0.1 30882 10.1.0.1 443
---4Y92Ts47---B--
SEARCH /remote.php/dav/ HTTP/1.1
origin: https://nextcloud.domain.com
depth: infinity
dnt: 1
content-type: text/xml
requesttoken: 
accept-encoding: gzip, deflate, br
cookie: xxxxx; oc_sessionPassphrase=xxxx; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=xxx; nc_token=xxx; nc_session_id=xxx
content-length: 1491
accept-language: en-GB,en;q=0.7,de;q=0.3
te: trailers
accept: text/plain
cache-control: max-age=0
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
host: nextcloud.domain.com

---4Y92Ts47---D--

---4Y92Ts47---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---4Y92Ts47---F--
HTTP/1.1 403
Server: nginx
Date: Mon, 06 Jul 2020 23:04:16 GMT
Content-Length: 146
Content-Type: text/html
Connection: keep-alive

---4Y92Ts47---H--
ModSecurity: Warning. Matched "Operator `Within' with parameter `GET HEAD POST OPTIONS PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp' against variable `REQUEST_METHOD' (Value: `SEARCH' ) [file "/etc/modsecurity/crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "27"] [id "911100"] [rev ""] [msg "Method is not allowed by policy"] [data "SEARCH"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "10.1.0.1"] [uri "/remote.php/dav/"] [unique_id "159407665644.260733"] [ref "v0,6"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.1.0.1"] [uri "/remote.php/dav/"] [unique_id "159407665644.260733"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "80"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "10.1.0.1"] [uri "/remote.php/dav/"] [unique_id "159407665644.260733"] [ref ""]

---4Y92Ts47---I--

---4Y92Ts47---J--

---4Y92Ts47---Z--

Your Environment

  • CRS version v3.3.0
  • Paranoia level setting:
  • ModSecurity version: 3
  • Web Server and version: owasp/modsecurity:3-nginx (docker)
  • Operating System and version:
  • Nextcloud version: 19.0.0

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
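The H section above is where the answer to "why was this request blocked?" lives: rule 911100 compared REQUEST_METHOD against the tx.allowed_methods string in effect (the `parameter` of the @within operator), scored the miss as CRITICAL, and rule 949110 then denied the request because the anomaly score reached the inbound threshold of 5. The following triage helper is an added example, not code from this issue or from the OWASP CRS project: it parses H-section lines into structured events, reconstructs the blocking decision, and reports which method is missing from the allowed list that was actually applied. The sample lines are abridged copies of the three H-section messages in this report; the severity-to-points mapping assumes the CRS default anomaly scores, and rule id 900200 is assumed to be the crs-setup.conf slot for tx.allowed_methods.

```python
"""Triage helper for the H section of a libmodsecurity audit log (added example).

Parses each per-rule message in section H, reconstructs why the CRS blocked
the request (which rules scored, what the anomaly score and threshold were)
and reports which HTTP methods are missing from the tx.allowed_methods list
that was in effect when rule 911100 fired.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abridged copies of the three H-section lines from this report (some tags dropped).
SAMPLE_H_SECTION = [
    "ModSecurity: Warning. Matched \"Operator `Within' with parameter `GET HEAD POST "
    "OPTIONS PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND "
    "PROPPATCH UNLOCK REPORT TRACE jsonp' against variable `REQUEST_METHOD' "
    "(Value: `SEARCH' ) [file \"/etc/modsecurity/crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf\"] "
    "[line \"27\"] [id \"911100\"] [msg \"Method is not allowed by policy\"] [data \"SEARCH\"] "
    "[severity \"2\"] [ver \"OWASP_CRS/3.3.0\"] [tag \"attack-generic\"] [tag \"paranoia-level/1\"] "
    "[uri \"/remote.php/dav/\"]",
    "ModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `Ge' with "
    "parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) "
    "[file \"/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"80\"] "
    "[id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [data \"\"] "
    "[severity \"2\"] [ver \"OWASP_CRS/3.3.0\"] [uri \"/remote.php/dav/\"]",
    "ModSecurity: Warning. Matched \"Operator `Ge' with parameter `5' against variable "
    "`TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) "
    "[file \"/etc/modsecurity/crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"80\"] "
    "[id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 5)\"] "
    "[data \"\"] [severity \"0\"] [tag \"event-correlation\"] [uri \"/remote.php/dav/\"]",
]

ACTION_RE = re.compile(r"^ModSecurity: (Warning|Access denied with code (\d+))")
MATCH_RE = re.compile(
    r"Matched \"Operator `(?P<op>\w+)' with parameter `(?P<param>[^']*)' "
    r"against variable `(?P<var>[^']+)' \(Value: `(?P<value>[^']*)' \)"
)
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"]; value may be empty

# CRS default points per severity (assumed unchanged in crs-setup.conf):
# 2=CRITICAL, 3=ERROR, 4=WARNING, 5=NOTICE.
SEVERITY_POINTS = {2: 5, 3: 4, 4: 3, 5: 2}
EVALUATION_RULES = ("949", "980")  # blocking-evaluation / correlation rules do not score


@dataclass
class RuleEvent:
    denied: bool
    status: Optional[int]
    operator: str
    parameter: str
    variable: str
    value: str
    rule_id: str
    msg: str
    severity: Optional[int]
    file: str
    tags: List[str] = field(default_factory=list)
    data: str = ""


def parse_h_line(line: str) -> Optional[RuleEvent]:
    """Turn one H-section message into a RuleEvent; None for non-match lines."""
    action, match = ACTION_RE.match(line), MATCH_RE.search(line)
    if not action or not match:
        return None
    tags, tag_list = {}, []
    for key, val in TAG_RE.findall(line):
        (tag_list.append(val) if key == "tag" else tags.__setitem__(key, val))
    sev = tags.get("severity")
    return RuleEvent(
        denied=action.group(1).startswith("Access denied"),
        status=int(action.group(2)) if action.group(2) else None,
        operator=match["op"], parameter=match["param"],
        variable=match["var"], value=match["value"],
        rule_id=tags.get("id", ""), msg=tags.get("msg", ""),
        severity=int(sev) if sev else None, file=tags.get("file", ""),
        tags=tag_list, data=tags.get("data", ""),
    )


def parse_h_section(lines: List[str]) -> List[RuleEvent]:
    return [e for e in (parse_h_line(l) for l in lines) if e is not None]


def explain_block(events: List[RuleEvent]) -> dict:
    """Reconstruct the anomaly-scoring decision and cross-check the reported total."""
    scoring = [e for e in events if not e.rule_id.startswith(EVALUATION_RULES)]
    decision = next((e for e in events if e.denied), None)
    return {
        "denied": decision is not None,
        "status": decision.status if decision else None,
        "threshold": int(decision.parameter) if decision else None,
        "reported_score": int(decision.value) if decision else None,
        "computed_score": sum(SEVERITY_POINTS.get(e.severity, 0) for e in scoring),
        "scoring_rules": [(e.rule_id, e.msg, e.data) for e in scoring],
    }


def within(needle: str, haystack: str) -> bool:
    """Emulates @within: plain substring containment, not whole-token matching."""
    return needle != "" and needle in haystack


def method_allowed(method: str, allowed: str) -> bool:
    """Whole-token check, stricter than @within's substring semantics."""
    return method.upper() in allowed.upper().split()


def effective_allowed_methods(events: List[RuleEvent]) -> Optional[str]:
    """The tx.allowed_methods string rule 911100 actually compared against."""
    hit = next((e for e in events if e.rule_id == "911100"), None)
    return hit.parameter if hit else None


def missing_methods(events: List[RuleEvent], required=("SEARCH",)) -> List[str]:
    allowed = effective_allowed_methods(events) or ""
    return [m for m in required if not method_allowed(m, allowed)]


def render_allowed_methods_rule(methods: List[str], rule_id: int = 900200) -> str:
    """SecAction that sets tx.allowed_methods. 900200 is assumed to be the crs-setup.conf
    slot; it must run after any other rule that sets tx.allowed_methods or it is overwritten."""
    return (f'SecAction "id:{rule_id},phase:1,nolog,pass,t:none,'
            f"setvar:'tx.allowed_methods={' '.join(methods)}'\"")


if __name__ == "__main__":
    evs = parse_h_section(SAMPLE_H_SECTION)
    print(explain_block(evs))
    print("missing from effective allowed_methods:", missing_methods(evs))
```

The check a practitioner wants is in `effective_allowed_methods`: the parameter string recorded in the 911100 message is the value in effect at match time, so if a SecAction you added does not show up there, another rule set tx.allowed_methods after it. `within` is kept alongside `method_allowed` to make the caveat explicit that the operator behind 911100 is a substring match.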

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:10 (9 by maintainers)
