vimbadmin-crs-plugin
A drop-in OWASP CRS 4.0+ plugin that makes the Core Rule Set play nicely with ViMbAdmin — the Postfix/Dovecot mailbox admin panel — and optionally locks the panel down to a strict allowlist.
→ GitHub · ViMbAdmin write-up · All CRS plugins
Do you need this?
Probably not on its own. ViMbAdmin’s request surface is small and fully known, so the positive-security Angie/nginx vhost shipped in the main repo (contrib/angie/vimbadmin.conf) already does route/method/argument allowlisting at the edge, natively, with no ModSecurity dependency and no per-request CRS cost. That vhost is the recommended primary defence.
This CRS plugin is belt-and-braces: run it in addition only if you already operate libmodsecurity + CRS and want signature scanning of the argument values the app accepts (SQLi/XSS payload heuristics) on top of the vhost’s name/route allowlisting. If you don’t already run ModSecurity, the vhost alone is the right answer.
What it does
- False-positive exclusions (vimbadmin-before.conf) — surgical, host-scoped ctl:ruleRemoveTargetByTag exclusions so legitimate inputs don’t trip CRS: passwords with symbols, the CSRF token, comma-separated alias goto lists, free-text descriptions and 10GB-style quotas.
- Positive security / allowlist (vimbadmin-after.conf, opt-in) — allow what ViMbAdmin actually uses, block everything else. Any request argument whose name isn’t one the app uses is denied, and any path outside ViMbAdmin’s real route map is denied. Stops parameter smuggling, mass-assignment probing and the usual /.env and /wp-login.php scanner noise regardless of payload.
Install & roll-out
Copy the three files (vimbadmin-config.conf, vimbadmin-before.conf, vimbadmin-after.conf) into your CRS plugins/ directory. The plugin is OFF by default; enable it per vhost/location only:
location /vimbadmin/ {
modsecurity on;
modsecurity_rules '
SecAction "id:9529001,phase:1,nolog,pass,setvar:tx.vimbadmin-plugin_enabled=1"
';
}
- Enable the plugin in the ViMbAdmin vhost/location only. The exclusions are safe immediately and never touch other vhosts on the same CRS engine.
- Run CRS in DetectionOnly with tx.vimbadmin-plugin_positive_security=1 and watch the audit log for 9529220/9529230 hits — arguments or paths missing from the allowlist. Add legitimate ones to the inline allowlist regex on 9529220.
- Flip CRS back to blocking mode.
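A small triage helper for the DetectionOnly step above, added here as an example and not part of the plugin: it parses the bracketed fields libmodsecurity3 writes to the nginx error log (format assumed; the audit log carries the same fields), counts hits on the two positive-security rule IDs per argument name and per path, and builds the escaped alternation you would paste into the inline allowlist regex. The log lines, hostname, URIs, argument names, file paths and msg texts are constructed; only the rule IDs come from the plugin.

```python
import re
from collections import defaultdict

# Rule IDs from the plugin's positive-security pair: 9529220 fires on an argument name
# outside the allowlist, 9529230 on a path outside ViMbAdmin's route map.
ARG_RULE, PATH_RULE = "9529220", "9529230"

# Constructed sample lines in the [key "value"] style libmodsecurity3 writes to the nginx
# error log. Hostname, URIs, argument names, file paths and msg texts are invented.
SAMPLE_LOG = """\
2024/01/01 10:00:00 [error] 1#1: ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS_NAMES:mailbox[quota]' (Value: `mailbox[quota]' ) [file "/etc/crs/plugins/vimbadmin-after.conf"] [line "40"] [id "9529220"] [msg "unknown argument"] [hostname "mail.example.test"] [uri "/vimbadmin/mailbox/edit"]
2024/01/01 10:00:05 [error] 1#1: ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS_NAMES:mailbox[quota]' (Value: `mailbox[quota]' ) [file "/etc/crs/plugins/vimbadmin-after.conf"] [line "40"] [id "9529220"] [msg "unknown argument"] [hostname "mail.example.test"] [uri "/vimbadmin/mailbox/edit"]
2024/01/01 10:01:00 [error] 1#1: ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS_NAMES:domain[transport]' (Value: `domain[transport]' ) [file "/etc/crs/plugins/vimbadmin-after.conf"] [line "40"] [id "9529220"] [msg "unknown argument"] [hostname "mail.example.test"] [uri "/vimbadmin/domain/edit"]
2024/01/01 10:02:00 [error] 1#1: ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `REQUEST_URI' (Value: `/vimbadmin/.env' ) [file "/etc/crs/plugins/vimbadmin-after.conf"] [line "55"] [id "9529230"] [msg "unknown path"] [hostname "mail.example.test"] [uri "/vimbadmin/.env"]
2024/01/01 10:03:00 [error] 1#1: ModSecurity: Warning. detected XSS using libinjection. [file "/etc/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "mail.example.test"] [uri "/vimbadmin/mailbox/edit"]
"""

KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')           # [key "value"] tokens
VAR_RE = re.compile(r"against variable `([^']*)'")   # variable the operator ran against

def parse_line(line):
    """Return the bracketed fields of one ModSecurity log line plus the matched variable."""
    fields = dict(KV_RE.findall(line))
    m = VAR_RE.search(line)
    fields["variable"] = m.group(1) if m else ""
    return fields

def allowlist_candidates(lines):
    """Count DetectionOnly hits per unknown argument name (9529220) and per unknown
    path (9529230); other rule IDs, e.g. the 941100 CRS hit above, are ignored."""
    args, paths = defaultdict(int), defaultdict(int)
    for line in lines:
        f = parse_line(line)
        if f.get("id") == ARG_RULE:
            var = f.get("variable", "")
            args[var.split(":", 1)[1] if ":" in var else var] += 1   # ARGS_NAMES:foo -> foo
        elif f.get("id") == PATH_RULE:
            paths[f.get("uri", "")] += 1
    return dict(args), dict(paths)

def allowlist_alternation(names):
    """PCRE alternation for the names you judge legitimate, escaped so PHP-style
    brackets such as mailbox[quota] match literally (scanner noise is left out)."""
    return "^(?:" + "|".join(re.escape(n) for n in sorted(names)) + ")$"

if __name__ == "__main__":
    args, paths = allowlist_candidates(SAMPLE_LOG.splitlines())
    print("unknown argument names:", args, "\nunknown paths:", paths)
    print("regex for the names you accept:", allowlist_alternation(args))
```

Review the counts by hand before pasting anything: a path hit such as /vimbadmin/.env is scanner noise, not a route to allowlist.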
Rule ID range: 9,529,000–9,529,999. CI runs lint plus the go-ftw regression suite on both Apache + mod_security2 and Angie + libmodsecurity3 3.0.14. Requires CRS 4.0+.