Seems like when pressing the Sign in button on the webadmin login page, it will POST to /api/oauth and /api/token with content type text/plain;charset=UTF-8.
This behavior is not allowed by ModSecurity rule 920420, which restricts the content types allowed to be sent to the server in a POST, and ultimately results in a 403 Forbidden being returned, which appears to be how Webadmin detects the missing TOTP code and ultimately results in the TOTP code page being displayed. stalwartlabs/mail-server#722 (comment)
Given that ModSecurity is used in many WAF programs, perhaps this behavior should be considered a bug and fixed? I'm also not sure how many POST requests are actually sent as text/plain. What do you think?
Related to stalwartlabs/mail-server#722
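The mechanism the report describes, as an added example that is not part of the issue or of the Stalwart code base: per the Fetch specification, a fetch() POST with a plain string body and no explicit Content-Type header is sent as text/plain;charset=UTF-8, which a CRS-style content-type allowlist (the policy behind rule 920420) then rejects. The allowlist below is an approximation of the CRS default rather than a copy of any particular release, and the endpoint URL and login payload are constructed for the example.

```javascript
// Added example, not Stalwart or ModSecurity code. Runs on Node 18+ (global Request/Headers).

// Approximation of the CRS default tx.allowed_request_content_type list (assumption,
// not copied from a specific CRS release). text/plain is deliberately absent.
const ALLOWED_REQUEST_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'multipart/related',
  'text/xml',
  'application/xml',
  'application/soap+xml',
  'application/json',
]);

// Media type of a Content-Type header with parameters and case stripped,
// e.g. "text/plain;charset=UTF-8" -> "text/plain". Rule 920420 compares on this part.
function mediaType(contentType) {
  if (!contentType) return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Emulates the policy check of CRS rule 920420: a request body whose media type
// is not on the allowlist is rejected (ModSecurity answers 403 in blocking mode).
function isAllowedContentType(contentType, allowed = ALLOWED_REQUEST_CONTENT_TYPES) {
  return allowed.has(mediaType(contentType));
}

// Builds the login POST three ways:
//  'string' - JSON text as a bare string body, no header (what the report observed):
//             the Fetch spec makes the user agent add text/plain;charset=UTF-8
//  'json'   - same body with an explicit application/json header
//  'form'   - URLSearchParams body, which Fetch labels application/x-www-form-urlencoded
function buildLoginRequest(url, payload, encoding = 'string') {
  const init = { method: 'POST' };
  if (encoding === 'form') {
    init.body = new URLSearchParams(payload);
  } else {
    init.body = JSON.stringify(payload);
    if (encoding === 'json') init.headers = { 'Content-Type': 'application/json' };
  }
  return new Request(url, init);
}

// What a WAF enforcing the allowlist would answer for a given Request object.
function wafVerdict(request) {
  const contentType = request.headers.get('content-type');
  return { contentType, status: isAllowedContentType(contentType) ? 200 : 403 };
}

// Hypothetical endpoint and credentials, constructed for the example.
const LOGIN_URL = 'https://mail.example/api/oauth';
const LOGIN_PAYLOAD = { type: 'password', username: 'alice', password: 'hunter2' };

function compareEncodings() {
  const out = {};
  for (const encoding of ['string', 'json', 'form']) {
    out[encoding] = wafVerdict(buildLoginRequest(LOGIN_URL, LOGIN_PAYLOAD, encoding));
  }
  return out;
}

for (const [encoding, verdict] of Object.entries(compareEncodings())) {
  console.log(`${encoding.padEnd(6)} Content-Type: ${verdict.contentType}  -> ${verdict.status}`);
}
```

The 'string' case reproduces the 403 the report traces to rule 920420; the 'json' case shows that the only client-side change needed is an explicit Content-Type header, and the allowlist check strips the charset parameter so application/x-www-form-urlencoded;charset=UTF-8 from the 'form' case passes as well.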