Rule '200004' is provided by ModSecurity's recommended configuration file:
https://github.com/SpiderLabs/ModSecurity/blob/v2/master/modsecurity.conf-recommended#L86

In some cases it may trigger FPs when non-standard multipart uploads are
being used. It is possible this is a bug in libmodsecurity (this would need
testing to verify). However, if this rule is triggering, it is due to the
ModSecurity-supplied configuration, not CRS itself. That being said, it is
simple enough to make an exception for; I can walk you through it if you'd
like. Let me know!

On Wed, Aug 23, 2017 at 11:13 AM, Ervin Hegedüs <airw...@gmail.com> wrote:

> Hi Christian,
>
> On Wed, Aug 23, 2017 at 09:54:32AM +0200, Christian Folini wrote:
> > Hi there,
> >
> > Is this the full "H" part of the Audit Log?
>
> yes,
>
> > Are you sure it's not an extension filter defined on the application
> > itself?
>
> yes, I am sure.
>
> > Did you try this without CRS? Without ModSec?
>
> without CRS _and_ with ModSec it occurs, without ModSec it
> doesn't occur.
>
> > Just questions that mean to guide you...
>
> I have an idea, but maybe I'm wrong...
>
> audit.log shows this line:
> ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against
> variable `MULTIPART_UNMATCHED_BOUNDARY' (Value: `1' ) [file
> "/etc/nginx/modsecurity.conf"] [line "66"] [id "200004"] [rev ""] [msg
> "Multipart parser detected a possible unmatched boundary."] [data ""]
> [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref "v810,1"]
>
> The id:200004 looks like this:
> SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
> "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
>
> (but this isn't in line 66 in that file).
>
> I think the MULTIPART_UNMATCHED_BOUNDARY is a hard-coded rule,
> which exists in libmodsecurity/ code. And maybe that function
> parses the GPG key header (and footer) as boundary...?
>
>
> Regards,
>
>
> a.
>
>
>
> > Ahoj,
> >
> > Christian
> >
> > On Wed, Aug 23, 2017 at 09:30:30AM +0200, Ervin Hegedüs wrote:
> > > Hi folks,
> > >
> > > here is a new problem with CRS 3.0(.2). There is an nginx with
> > > ModSecurity 3.0, and CRS 3.0.2, and an Apache backend, which
> > > serves a webmail (Roundcube).
> > >
> > > When I try to import my GPG key through the upload, I got a 403
> > > Forbidden answer.
> > >
> > > Here are the details:
> > >
> > > HTTP req:
> > >
> > > POST https://webmail.mydomain.com/?_task=settings&_action=plugin.enigmakeys&_a=import&_unlock=loading1503472197200
> > > ...
> > > Content-Length      4443
> > > Content-Type        multipart/form-data; boundary=---------------------------186567636118947579521451609378
> > >
> > >
> > > HTTP resp:
> > >
> > > 403 Forbidden
> > >
> > > Content of audit.log:
> > >
> > > ---3U4kCbBk---A--
> > > [23/Aug/2017:09:10:32 +0200] 15034722321.000000 client.ip.addr 51048 client.ip.addr 443
> > > ---3U4kCbBk---B--
> > > POST /?_task=settings&_action=plugin.enigmakeys&_a=import&_unlock=loading1503472197200 HTTP/1.1
> > > Connection: keep-alive
> > > Referer: https://webmail.mydomain.com/?_task=settings&_framed=1&_action=plugin.enigmakeys&_a=import
> > > Content-Type: multipart/form-data; boundary=---------------------------186567636118947579521451609378
> > > Accept-Encoding: gzip, deflate, br
> > > Cookie: language=hu; _ga=GA1.2.817NNNNNN.14NNNNNNNN; roundcube_sessid=sessionidtoken; roundcube_sessauth=sessauthidtoken
> > > Content-Length: 4443
> > > Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
> > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
> > > Host: webmail.mydomain.com
> > > Upgrade-Insecure-Requests: 1
> > >
> > > ---3U4kCbBk---D--
> > >
> > > ---3U4kCbBk---E--
> > > ³É(Éͱãå²ÉHML±³)É,ÉIµ310VpË/JÊLIIͳ
> > > ...
> > > ...
> > > ---3U4kCbBk---F--
> > > Server: nginx/1.6.2
> > > Date: Wed, 23 Aug 2017 07:10:32 GMT
> > > Content-Type: text/html
> > > Connection: keep-alive
> > > Content-Encoding: gzip
> > >
> > > ---3U4kCbBk---H--
> > > ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `MULTIPART_UNMATCHED_BOUNDARY' (Value: `1' ) [file "/etc/nginx/modsecurity.conf"] [line "66"] [id "200004"] [rev ""] [msg "Multipart parser detected a possible unmatched boundary."] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref "v810,1"]
> > >
> > > ---3U4kCbBk---I--
> > >
> > > ---3U4kCbBk---J--
> > >
> > > ---3U4kCbBk---Z--
> > >
> > >
> > > Here is the detail of POST request:
> > >
> > > -----------------------------186567636118947579521451609378
> > > Content-Disposition: form-data; name="_token"
> > >
> > > nEWGe3VUF9R1K7d0SSx4rZRYkYeN849B
> > > -----------------------------186567636118947579521451609378
> > > Content-Disposition: form-data; name="_framed"
> > >
> > > 1
> > > -----------------------------186567636118947579521451609378
> > > Content-Disposition: form-data; name="_file"; filename="airween_at_gmail.com.asc"
> > > Content-Type: text/plain
> > >
> > > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > > Version: GnuPG v1
> > >
> > > mQINBFhwuigBEAC+gnmOXXTEtedn5hqcjLirPM6phHGLdeqVUsD0sRDWFjgcoh7b
> > > ...
> > > =G+Dl
> > > -----END PGP PUBLIC KEY BLOCK-----
> > >
> > > -----------------------------186567636118947579521451609378
> > > Content-Disposition: form-data; name="_search"
> > >
> > >
> > > -----------------------------186567636118947579521451609378--
> > >
> > >
> > >
> > >
> > > This error occurs when I upload the .asc file above, when I try
> > > to upload a "simple" csv, or png, everything works as well.
> > >
> > >
> > >
> > > What should I do? How can I fix this error?
> > >
> > >
> > >
> > > Thanks,
> > >
> > >
> > > a.
> > >
> > >
> > >
> > > _______________________________________________
> > > Owasp-modsecurity-core-rule-set mailing list
> > > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
> > --
> > ModSecurity courses Oct 2017 in London and Zurich
> > https://www.feistyduck.com/training/modsecurity-training-course
> > https://www.feistyduck.com/books/modsecurity-handbook/
> > mailto:christian.fol...@netnea.com
> > twitter: @ChrFolini
>



-- 
Chaim Sanders
http://www.ChaimSanders.com
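
The hypothesis raised in the quoted message (that the PGP armor header and footer are being read as boundaries) can be checked offline with a simplified model. This is an added example, not part of the original thread and not ModSecurity's code: it assumes the parser flags any body line that begins with `--` but is not the declared boundary delimiter. The function names and the sample body are constructed for illustration.

```python
import re

# Constructed sample modelled on the upload in the thread; key material is a placeholder.
BOUNDARY = "-" * 27 + "186567636118947579521451609378"
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="_framed"',
    "",
    "1",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="_file"; filename="key.asc"',
    "Content-Type: text/plain",
    "",
    "-----BEGIN PGP PUBLIC KEY BLOCK-----",
    "Version: GnuPG v1",
    "",
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=",
    "=AAAA",
    "-----END PGP PUBLIC KEY BLOCK-----",
    "",
    "--" + BOUNDARY + "--",
    "",
])


def boundary_from_content_type(header):
    """Extract the boundary parameter from a multipart Content-Type value."""
    match = re.search(r'boundary="?([^";]+)"?', header, re.IGNORECASE)
    if not match:
        raise ValueError("no boundary parameter in Content-Type")
    return match.group(1).strip()


def unmatched_boundary_lines(body, boundary):
    """Return body lines that look like a delimiter ("--" prefix) but are not one.

    Assumption: this mirrors a "starts with two dashes, does not match the
    boundary" heuristic; a non-empty result corresponds to
    MULTIPART_UNMATCHED_BOUNDARY being set.
    """
    delimiter = "--" + boundary
    flagged = []
    for line in body.split("\r\n"):
        if not line.startswith("--"):
            continue  # ordinary part header or payload line
        if line in (delimiter, delimiter + "--"):
            continue  # a real part delimiter or the closing delimiter
        flagged.append(line)
    return flagged
```

Running `unmatched_boundary_lines` over a captured request body before writing an exception shows exactly which payload lines would trip the flag, which helps keep the exception scoped to the upload endpoint that legitimately carries such content.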