Discussion:
[Owasp-modsecurity-core-rule-set] File upload problem
Ervin Hegedüs
2017-08-23 07:30:30 UTC
Hi folks,

here is a new problem with CRS 3.0(.2). There is an nGinx with
Modsecurity 3.0, and CRS 3.0.2, and an Apache backend, which
serves a webmail (Roundcube).

When I try to import my GPG key through the upload, I got 403
Forbidden answer.

Here are the details:

HTTP req:

POST https://webmail.mydomain.com/?_task=settings&_action=plugin.enigmakeys&_a=import&_unlock=loading1503472197200
...
Content-Length 4443
Content-Type multipart/form-data; boundary=---------------------------186567636118947579521451609378


HTTP resp:

403 Forbidden

Content of audit.log:

---3U4kCbBk---A--
[23/Aug/2017:09:10:32 +0200] 15034722321.000000 client.ip.addr 51048 client.ip.addr 443
---3U4kCbBk---B--
POST /?_task=settings&_action=plugin.enigmakeys&_a=import&_unlock=loading1503472197200
HTTP/1.1
Connection: keep-alive
Referer: https://webmail.mydomain.com/?_task=settings&_framed=1&_action=plugin.enigmakeys&_a=import
Content-Type: multipart/form-data; boundary=---------------------------186567636118947579521451609378
Accept-Encoding: gzip, deflate, br
Cookie: language=hu; _ga=GA1.2.817NNNNNN.14NNNNNNNN; roundcube_sessid=sessionidtoken; roundcube_sessauth=sessauthidtoken
Content-Length: 4443
Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Host: webmail.mydomain.com
Upgrade-Insecure-Requests: 1

---3U4kCbBk---D--

---3U4kCbBk---E--
³É(Éͱãå²ÉHML±³)É,ÉIµ310VpË/JÊLIIͳ
...
...
---3U4kCbBk---F--
Server: nginx/1.6.2
Date: Wed, 23 Aug 2017 07:10:32 GMT
Content-Type: text/html
Connection: keep-alive
Content-Encoding: gzip

---3U4kCbBk---H--
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `MULTIPART_UNMATCHED_BOUNDARY' (Value: `1' ) [file "/etc/nginx/modsecurity.conf"] [line "66"] [id "200004"] [rev ""] [msg "Multipart parser detected a possible unmatched boundary."] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref "v810,1"]

---3U4kCbBk---I--

---3U4kCbBk---J--

---3U4kCbBk---Z--


Here is the detail of POST request:

-----------------------------186567636118947579521451609378
Content-Disposition: form-data; name="_token"

nEWGe3VUF9R1K7d0SSx4rZRYkYeN849B
-----------------------------186567636118947579521451609378
Content-Disposition: form-data; name="_framed"

1
-----------------------------186567636118947579521451609378
Content-Disposition: form-data; name="_file"; filename="airween_at_gmail.com.asc"
Content-Type: text/plain

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQINBFhwuigBEAC+gnmOXXTEtedn5hqcjLirPM6phHGLdeqVUsD0sRDWFjgcoh7b
...
=G+Dl
-----END PGP PUBLIC KEY BLOCK-----

-----------------------------186567636118947579521451609378
Content-Disposition: form-data; name="_search"


-----------------------------186567636118947579521451609378--




This error occurs when I upload the .asc file above, when I try
to upload a "simple" csv, or png, everything works as well.



What should I do? How can I fix this error?



Thanks,


a.
Christian Folini
2017-08-23 07:54:32 UTC
Hi there,

Is this the full "H" part of the Audit Log?

Are you sure it's not an extension filter defined on the application
itself?

Did you try this without CRS? Without ModSec?

Just questions that mean to guide you...

Ahoj,

Christian
--
ModSecurity courses Oct 2017 in London and Zurich
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:***@netnea.com
twitter: @ChrFolini
Ervin Hegedüs
2017-08-23 15:13:41 UTC
Hi Christian,
Post by Christian Folini
Hi there,
Is this the full "H" part of the Audit Log?
yes,
Post by Christian Folini
Are you sure it's not an extension filter defined on the application
itself?
yes, I am sure.
Post by Christian Folini
Did you try this without CRS? Without ModSec?
without CRS _and_ with ModSec it occurs, without ModSec it
doesn't occur.
Post by Christian Folini
Just questions that mean to guide you...
I have an idea, but maybe I'm wrong...

audit.log shows this line:
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `MULTIPART_UNMATCHED_BOUNDARY' (Value: `1' ) [file "/etc/nginx/modsecurity.conf"] [line "66"] [id "200004"] [rev ""] [msg "Multipart parser detected a possible unmatched boundary."] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref "v810,1"]

The id:200004 looks like this:
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

(but this isn't in line 66 in that file).

I think the MULTIPART_UNMATCHED_BOUNDARY is a hard-coded rule,
which exists in libmodsecurity/ code. And maybe that function
parses the GPG key header (and footer) as boundary...?


Regards,


a.
Chaim Sanders
2017-08-23 15:27:54 UTC
Rule '200004' is provided by ModSecurity's recommended configuration file:
https://github.com/SpiderLabs/ModSecurity/blob/v2/master/modsecurity.conf-recommended#L86

In some cases it may trigger FPs, when non-standard multipart uploads are
being used. It is possible this is a bug in libmodsecurity (this would need
testing to verify). However, if this rule is triggering, it is due to the
ModSecurity supplied configuration, not CRS itself. That being said, it is
simple enough to make an exception for, I can walk you through it if you'd
like. Let me know!
--
Chaim Sanders
http://www.ChaimSanders.com
Ervin Hegedüs
2017-08-23 15:55:12 UTC
Hi Chaim, and folks,

thanks for the fast reply,
Post by Chaim Sanders
https://github.com/SpiderLabs/ModSecurity/blob/v2/master/modsecurity.conf-recommended#L86
yes, I'm using that :) (as recommended config),
Post by Chaim Sanders
In some cases it may trigger FPs, when non standard multipart uploads are
sorry for my 2c's, but what does it mean "FP", and what do you
mean about the "standard multipart"?
Post by Chaim Sanders
being used. It is possible this is a bug in libmodsecurity (this would need
testing to verify). However if this rule is triggering, it is due to the
ModSecurity supplied configuration, not CRS itself. That being said, It is
simple enough to make an exception for, I can walk you through it if you'd
like. Let me know!
yes, it would be good to solve this problem. We're using
Roundcube, and it supports the GPG keys. Looks like more users
would like to use that feature (in Roundcube), but only the
keys upload doesn't work.

How can I help you to test it?

And you're right, it is due to ModSec, not CRS - I've turned
_off_ the CRS, and this still occurred with "native" ModSec.

Sorry that I posted it to the wrong list.


Regards,


a.
s***@gmail.com
2017-08-23 16:36:48 UTC
Hi Ervin,

Maybe the modsec engine multipart body processor is not RFC compliant and confuses the CRLF-- with a boundary delimiter instead of doing a full check as described in RFCs 7578 and 2046. Try removing the dashes from the beginning and end of the GPG content; if it passes, that may be the reason behind this.

To fix it you may add a rule to disable 200004 for that particular URL.

But read the warnings in the documentation.

File uploads are usually risky, so it may be good if you do a full check with @inspectFile for malware, viruses, etc.

Something like
SecRule FILES_TMPNAMES "@inspectFile path/inspectscript" deny..

Cheers!

Sent from my iPhone
Ervin Hegedüs
2017-08-23 19:33:06 UTC
Hi Spartantri,
Post by s***@gmail.com
Hi Ervin,
Maybe the modsec engine multipart body processor is not rfc compliant and confuses the CRLF-- with a boundary delimiter instead of doing a full check as described in rfcs 7578 and 2046, try removing the dashes from the beginning and end of the gpg content and if it passes that may be the reason behind this.
in case of PGP there is no option to remove the lines from the
head (then the pgp app couldn't realise that is a pgp key).

I've tried to upload a simple certificate (as attachment), which also
contains a header and footer lines:

-----BEGIN CERTIFICATE-----
MIIE3TCCA8WgAwIBAgIQX+iZdkBxaFky7vr2n2sS5zANBgkqhkiG9w0BAQsFADB4
...
jg==
-----END CERTIFICATE-----

I've got 403 Forbidden again. Then I removed the leading "-"
chars, and the attachment uploaded correctly.

I think there isn't a CRLF problem.
Post by s***@gmail.com
To fix it you may add a rule to disable 200004 for that particular URL.
I don't want to disable this rule :)
Post by s***@gmail.com
But read the warnings at the documentation.
Something like
thanks, but I'm afraid that's not an option (I mean to disable this
rule)


Thanks for your help,


a.
--
I � UTF-8
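
Added example, not part of any post in this thread and not libmodsecurity's code: a simplified Python model of the test described above, where armor lines that begin with dashes trip an "unmatched boundary" check and the same content without the leading dashes does not. The function names, the key placeholder and the near-miss line are constructed, and `narrow_unmatched` is an assumed narrowing shown only for comparison.

```python
"""Constructed model of the multipart boundary check discussed in this thread.
Not libmodsecurity code; function names and sample data are assumptions."""

# Boundary taken from the Content-Type header quoted in the thread (27 dashes + digits).
BOUNDARY = "-" * 27 + "186567636118947579521451609378"

# Constructed placeholder for an ASCII-armored key (not real key material).
PGP_ARMOR = "\n".join([
    "-----BEGIN PGP PUBLIC KEY BLOCK-----",
    "Version: GnuPG v1",
    "",
    "Q09OU1RSVUNURUQ=",
    "-----END PGP PUBLIC KEY BLOCK-----",
])

# Same content with the leading dashes removed, as in the certificate test above.
STRIPPED = "\n".join(line.lstrip("-") for line in PGP_ARMOR.split("\n"))

# Constructed line that embeds the declared boundary but is not an exact delimiter.
NEAR_MISS = "--" + BOUNDARY + "x"


def build_body(file_text, boundary=BOUNDARY):
    """Build a multipart/form-data body shaped like the POST quoted in the thread."""
    parts = [
        ('name="_token"', None, "constructed-token"),
        ('name="_framed"', None, "1"),
        ('name="_file"; filename="key.asc"', "text/plain", file_text),
    ]
    lines = []
    for disposition, ctype, value in parts:
        lines.append("--" + boundary)
        lines.append("Content-Disposition: form-data; " + disposition)
        if ctype:
            lines.append("Content-Type: " + ctype)
        lines.append("")
        lines.extend(value.split("\n"))
    lines.append("--" + boundary + "--")
    return "\r\n".join(lines) + "\r\n"


def classify(line, boundary=BOUNDARY):
    """Classify one body line against the RFC 2046 delimiter grammar."""
    if not line.startswith("--"):
        return "data"
    rest = line[2:].rstrip(" \t")  # RFC 2046 allows trailing transport padding
    if rest == boundary:
        return "delimiter"
    if rest == boundary + "--":
        return "close-delimiter"
    return "lookalike"  # starts with "--" but is not the declared boundary


def loose_unmatched(body, boundary=BOUNDARY):
    """Broad heuristic: every '--' line that is not an exact delimiter."""
    return [l for l in body.split("\r\n") if classify(l, boundary) == "lookalike"]


def narrow_unmatched(body, boundary=BOUNDARY):
    """Assumed narrowing: only lines that embed the declared boundary inexactly."""
    exact = ("delimiter", "close-delimiter")
    return [l for l in body.split("\r\n")
            if boundary in l and classify(l, boundary) not in exact]


if __name__ == "__main__":
    for label, text in (("armor", PGP_ARMOR), ("stripped", STRIPPED),
                        ("near-miss", NEAR_MISS)):
        body = build_body(text)
        print(label, "loose:", loose_unmatched(body),
              "narrow:", narrow_unmatched(body))
```
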
Ervin Hegedüs
2018-04-19 20:07:32 UTC
Hi all,

just fyi,


I've found the bug in multipart handler in libmodsecurity, and created a
new PR:
https://github.com/SpiderLabs/ModSecurity/pull/1747

Hope that it will be merged.


Regards,


a.