Thread: [mod-security-users] Rules blocking cms uploads
From: Jose P. V. L. <pab...@gm...> - 2013-07-23 12:36:30
Good afternoon.

I have detected a blocking rule which is a false positive for CMS file uploads, as you can see in the next trace:

[Tue Jul 23 13:29:45 2013] [error] [client X.X.X.X] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "97"] [id "XXXXXX"] [msg "Multipart parser detected a possible unmatched boundary"] [hostname "XXXXXX"] [uri "XXXXXXXX"] [unique_id "Ue5pJ1LCWiEAAEeawbAAAAAW"]

I have commented out the rule which triggers the false positive:

#SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "id:'200003', phase:2, t:none, log, deny, status:44, msg:'Multipart parser detected a possible unmatched boundary'"

Is there any way to solve it without commenting out that rule?

Thanks in advance.

Kind regards,
From: Kurktchiev, B. <bo...@un...> - 2013-07-23 12:42:37
I just had to "solve" the same problem, you can just remove the deny in the rule and it will at least keep a log of the action but still allow the uploads.

-B
From: Jose P. V. L. <pab...@gm...> - 2013-07-23 12:46:48
Thanks for your help!!

Kind regards,
From: Jose P. V. L. <pab...@gm...> - 2013-07-23 12:58:48
Hi again.

I have observed that it could be a headers request that gets a header which is not defined in the multipart headers we have defined:

SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000', phase:1, t:none, t:lowercase, pass, nolog, ctl:requestBodyProcessor=XML"

SecRule MULTIPART_STRICT_ERROR "!@eq 0" "id:'200002', phase:2, t:none, log, deny, status:44, msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# False positive rule
#SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "id:'200003', phase:2, t:none, log, deny, status:44, msg:'Multipart parser detected a possible unmatched boundary'"

In some thread I have read about this issue:

https://www.atomicorp.com/forums/viewtopic.php?f=3&t=6492

Such an event may occur when evasion of ModSecurity is attempted, which is why you want to block these. It can also happen if the client is sending something garbled, broken, or incomplete. Or if the web application just doesn't care about using properly formatted multipart messages. If the WAF can't put it back together, it can't figure out what it is (attack or not an attack).

I think it is the CMS's handling of multipart messages, so finally I'm going to disable it only for a domain, not the complete rule.

Kind regards,
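
An added example, not part of the thread and not the posters' configuration: one way to combine the two approaches discussed above (log-only instead of deny, and an exception limited to one domain) while leaving rule 200003 blocking everywhere else. The host name cms.example.com and the rule id 200103 are placeholders chosen for illustration.

```apache
# Main server config (the mod_security.conf referenced in the thread).
# The check stays enabled and blocking for every other site.
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary'"

# Virtual host serving the CMS only. It must be loaded after the rule
# above, because SecRuleRemoveById only removes rules already defined.
# cms.example.com is a placeholder host name.
<VirtualHost *:80>
    ServerName cms.example.com

    # Remove the blocking rule inherited from the main config,
    # for this virtual host only.
    SecRuleRemoveById 200003

    # Log-only copy so unmatched boundaries on this host are still
    # recorded and can be reviewed. 200103 is a hypothetical unused id.
    # "pass" is stated explicitly so the rule does not inherit a
    # disruptive action from SecDefaultAction.
    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
        "id:'200103',phase:2,t:none,log,auditlog,pass,msg:'Multipart unmatched boundary (log only, CMS vhost)'"
</VirtualHost>
```

After a reload, a CMS upload that trips the check should appear in the error log as a ModSecurity warning with id 200103 instead of "Access denied with code 44", while other virtual hosts keep the original blocking behaviour.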