Hi, I have a self hosted InvoceNinja 4.5.17. Via web browser everything works perfectly, but if I use an IOS app or a desktop app it doesn’t.
I can correctly login with the apps and see all the data, but it is impossible to change anything. I get a 403 error with this message:
“You don’t have permission to access /api/v1/task/5 on this server”
Any idea?
Thanks
Hmmm… are there any details in the web server error logs?
You are right Hillel, I found this in the server error log:
[error] [client ...omitted...] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "ninja.domain.com"] [uri "/tasks/5"]
I think that modsecurity blocks the IOS app operation.
Great, that likely explains the problem.