Hi Friends,
I'm using UPM (Universal Password Manager:
http://upm.sourceforge.net/) on my VPS; everything works fine (upload, sync, delete, etc.)
except on Android.
Adrian, the UPM developer, has made two PHP scripts to put in the same
directory: https://github.com/adrian/upm-swing/tree/master/server/http.
The problem is that enabling ModSecurity,
version:
libapache2-modsecurity 2.8.0-3
modsecurity-crs 2.2.9-1
stops the upload script (upload.php). Here is the log:
[Sun Feb 04 13:12:05.641064 2018] [:error] [pid 27440] [client 1.2.3.4] ModSecurity: Multipart parsing error (init): Multipart: Invalid boundary in C-T (characters). [hostname "www.mydomain.org"] [uri "/xyz/upload.php"] [unique_id "GAKgHkFRgJKOhHIjHUHgffhh"]
[Sun Feb 04 13:12:06.153142 2018] [:error] [pid 27440] [client 1.2.3.4] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "61"] [id "200002"] [msg "Failed to parse request body."] [data "Multipart: Invalid boundary in C-T (characters)."] [severity "CRITICAL"] [hostname "www.mydomain.org"] [uri "/xyz/upload.php"] [unique_id "GAKgHkFRgJKOhHIjHUHgffhh"]
Obviously I have absolutely no intention of disabling ModSecurity, so I
wondered how to permit *only* the execution of *upload.php*, in short,
the safest way.
The first way I found was to insert in .htaccess, where I've set up
Apache2 password authentication too:
SecRuleRemoveById 200002
or:
<LocationMatch "/(deletefile\.php|upload\.php)">
SecRuleRemoveById 200002
SecRequestBodyAccess Off
</LocationMatch>
or:
<IfModule security2_module>
SecRuleRemoveById 200002
</IfModule>
but in each of these cases the whole upload process is still blocked.
So I've added to my domain's VirtualHost config file:
<LocationMatch /xyz/upload.php>
SecRuleEngine Off
</LocationMatch>
Finally, I'm able to sync from the desktop and from Android too.
My question is (since we are talking about a password management
software):
*Is such an approach safe enough?*
Many many thanks!
Davide
Italy
--
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e
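A narrower alternative to switching the rule engine off for the path, as an added example that is not part of the post above or of UPM's own server scripts. It assumes the same URI as the post, that the stock Debian modsecurity.conf request-body rules carry ids 200002-200004 and that CRS 2.2.9's modsecurity_crs_20_protocol_violations.conf carries the equivalent checks as 960912-960915; which of those ids actually fire for the Android client must be read from the audit log in the DetectionOnly step before the removal lines are enabled.

```apache
# Added example, not from the post or from the UPM project.  Goes in the
# VirtualHost (or server config), like the snippet in the post.
#
# Assumptions: the script is served at /xyz/upload.php; ids 200002-200004
# are the request-body parse checks from the stock modsecurity.conf and
# 960912-960915 the matching ones in CRS 2.2.9's
# modsecurity_crs_20_protocol_violations.conf.  Confirm both from the log.

# Anchor and escape the pattern.  The unanchored "/xyz/upload.php" from
# the post is a regex, so it also matches /xyz/upload.php/anything and
# /old/xyz/uploadXphp, and the exemption would apply there too.
<LocationMatch "^/xyz/upload\.php$">

    # Step 0 (what the post does): no inspection at all for this URL.
    # SecRuleEngine Off

    # Step 1: keep evaluating every rule, block nothing, log everything
    # that would have been blocked.  Run one Android sync, then read the
    # [id "..."] entries for this URI in the audit log (the file named by
    # SecAuditLog in modsecurity.conf; on Debian usually
    # /var/log/apache2/modsec_audit.log).
    SecRuleEngine DetectionOnly

    # Step 2: once the ids are known, go back to blocking and lift only
    # the body-parse rules that this client trips.  Request-line, header,
    # URI and method rules from the CRS stay active on this path.
    # Quoting the range is the syntax the ModSecurity 2.x reference uses.
    # SecRuleEngine On
    # SecRuleRemoveById "200002-200004"
    # SecRuleRemoveById "960912-960915"
</LocationMatch>
```

Two caveats follow from the log in the post rather than from anything extra. First, the parser gives up at "init", so the multipart body is never parsed on this path no matter which rule set is active: removing the parse-failure rules does not make the body inspectable, it only stops the 400; what actually guards upload.php against arbitrary clients is the Apache password authentication the post already has in .htaccess, so keep that in place. Second, the root cause is the boundary string the Android client puts in its Content-Type header, which ModSecurity's multipart parser rejects; if that client can be changed to send a plain alphanumeric boundary, no exemption is needed at all.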