
Help with ModSecurity

  • 28-10-2016 1:28pm


    I've got an issue with ModSecurity and I'm wondering if anyone can help. I'm running into an issue with uploading files to my application any time the file in question has a quote in the filename. Eventually I will do client-side validation, which will alert a user to a quote in the filename they are trying to upload and tell them to rename it, but for now I need to amend my ModSecurity settings to ignore that particular check.

    The modsecurity rule is:
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "phase:2,t:none,log,deny,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_SEMICOLON_MISSING}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
    

    The error I'm getting is:
    [2016-10-11T16:08:06.8336+01:00] [OHS] [ERROR:32] [OHS-9999] [blah.c]  [host_id: blah-web-kc1d] [host_addr: 1.2.3.4] [tid: 1724]  [user: SYSTEM] [ecid: 00ibIu6vODDF4ETzA8m3SD0000_^001B9G] [rid: 0]  [VirtualHost: main]  [client 1.2.3.4] ModSecurity: Access denied  with code 403 (phase 2). Match of "eq 0" against  "MULTIPART_STRICT_ERROR" required. [file  "E:/blah/security/blah_base_rules.conf"] [line "65"] [msg  "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB  0, DA 0, HF 0, LF 0, SM , IQ 1, IH 0, IH 0"] [hostname  "www.dev.uk"] [uri  "/pls/dev/blah_details_form.process_blah"] [unique_id  "ZOMG!ROFL.TL;DR"] 
     
    

    IQ 1 suggests it's the invalid quoting, which makes sense. How do I tell ModSecurity not to block when it detects invalid quoting, without disabling the rest of the rule?

    Thanks

    P.S. I know allowing quotes in a filename potentially introduces SQL injection, but we aren't worried about that for reasons I can't go into.
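One way to get the behaviour asked about in the post above, as an added example that is not part of the original post: replace the single MULTIPART_STRICT_ERROR test with the individual flags it aggregates, leave MULTIPART_INVALID_QUOTING out of the blocking list, and log it separately so the event stays visible. The rule ids are placeholders, and MULTIPART_MISSING_SEMICOLON is the variable name from the ModSecurity 2.x reference manual (the posted rule's MULTIPART_SEMICOLON_MISSING expanded to nothing in the log, "SM ,").

```apache
# Added example, not the poster's configuration.
# Use INSTEAD OF the "SecRule MULTIPART_STRICT_ERROR ..." rule shown above:
# if that rule stays active it will still deny on IQ 1.

# Block on every strict-multipart flag except MULTIPART_INVALID_QUOTING.
# The variable list must stay on one line; each variable is tested in turn
# and %{MATCHED_VAR_NAME} records which one tripped.
# id values are placeholders (assumption): choose ids unused in your rule set.
SecRule REQBODY_PROCESSOR_ERROR|MULTIPART_BOUNDARY_QUOTED|MULTIPART_BOUNDARY_WHITESPACE|MULTIPART_DATA_BEFORE|MULTIPART_DATA_AFTER|MULTIPART_HEADER_FOLDING|MULTIPART_LF_LINE|MULTIPART_MISSING_SEMICOLON|MULTIPART_INVALID_HEADER_FOLDING|MULTIPART_FILE_LIMIT_EXCEEDED "!@eq 0" \
    "phase:2,t:none,log,deny,id:'1000001',msg:'Multipart request body failed strict validation (invalid quoting not enforced): %{MATCHED_VAR_NAME}'"

# Invalid quoting is no longer enforced, but it is still logged (pass, not deny)
# so uploads that trip it can be reviewed.
SecRule MULTIPART_INVALID_QUOTING "!@eq 0" \
    "phase:2,t:none,log,pass,id:'1000002',msg:'Multipart invalid quoting detected, request not blocked'"
```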

