MULTIPART_STRICT_ERROR False Positive #2258

Closed
osamamaruf opened this issue Feb 3, 2020 · 5 comments
The following content type header is blocked by ModSecurity:

Content-Type: multipart/form-data; boundary="----=_Part_0_1679309349.1580725603211"

The boundary should be allowed to have quotes.

Logs and dumps
MULTIPART_BOUNDARY_QUOTED
MULTIPART_DATA_BEFORE

The above rules have been triggered from 200003.

2020/02/03 10:26:43 [warn] 49#49: *2962 [client XX.XX.XXX.XX] ModSecurity: Access denied with code 400 (phase 2). Matched "Operator `Eq' with parameter `0' against variable `MULTIPART_STRICT_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "61"] [id "200003"] [rev ""] [msg "Multipart request body failed strict validation: \x0aPE 0, \x0aBQ 1, \x0aBW 0, \x0aDB 1, \x0aDA 0, \x0aHF 0, \x0aLF 0, \x0aSM 0, \x0aIQ 0, \x0aIP 0, \x0aIH 0, \x0aFL "] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "XX.XX.XXX.XX"] [uri "/api/my-test"] [unique_id "158072560325.818190"] [ref "v660,1"], client: XX.XX.XXX.XX, server: api-server.com, request: "POST /api/my-test?hello HTTP/1.1", host: "api-server.com"

Expected behavior

The request should not have been blocked.

Server (please complete the following information):

  • Web Server and version (Nginx 1.15.9)

Rule Set (please complete the following information):

  • CRS version (v3.0.0)
  • ModSecurity version (3.0.2)
airween (Member) commented Feb 3, 2020

Hi @osamamaruf,

you wrote:

  • ModSecurity version (3.0.2)

which was released on Apr 3 2018, but this bug was fixed in 3.0.3, so the upgrade is very welcome :).

Note that 3.0.4 is still out there.

EDIT: sorry, I didn't realize the quote and data before problems. That fix solved other problems.

airween (Member) commented Feb 3, 2020

By the way, after a quick review, 3.0.4 allows the quoted boundary (especially what you gave above). Could you show the full request (without sensitive data)?

martinhsv self-assigned this Feb 3, 2020

martinhsv (Contributor) commented Feb 3, 2020

Hi @osamamaruf ,

Some of the individual conditions checked within MULTIPART_STRICT_ERROR are perfectly RFC-compliant, but are (or at least were historically) unusual, and therefore possibly suspicious.

And you are correct that entirely valid requests with a Content-Type boundary directive could have their value specified within quotes.

You have a couple of options:

  • modify your rule that checks MULTIPART_STRICT_ERROR to not result in a blocking action (i.e. detection only)
  • maintain blocking, but instead of using MULTIPART_STRICT_ERROR, check each of the individual variables (e.g. MULTIPART_INVALID_PART) except for the one(s) that are causing well-understood false positives
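
Both options written out as ModSecurity rules, as an added example that is not part of this issue or of the ModSecurity project. Rule 200003 is the stock strict-validation rule referenced at line 61 of the reporter's modsecurity.conf; the flag abbreviations (PE, BQ, BW, DB, ...) match the msg in the log above. The rule ids 1000003 and 1000004 and the split into a blocking and a non-blocking rule are assumptions.

```apache
# Option 1: keep rule 200003 on the aggregate MULTIPART_STRICT_ERROR flag,
# but "pass" instead of "deny". The msg still lists every individual flag,
# so the log tells you which one fired (in this issue: BQ 1 and DB 1).
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,pass, \
msg:'Multipart request body failed strict validation (detection only): \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Option 2: keep blocking, but test the individual flags and leave out
# MULTIPART_BOUNDARY_QUOTED and MULTIPART_DATA_BEFORE, the two that the
# RFC-valid request in this issue trips. A "|"-separated variable list is
# evaluated per variable, so any non-zero flag matches.
# Id 1000003 is an assumed local id; use one from your own range.
SecRule REQBODY_PROCESSOR_ERROR|MULTIPART_BOUNDARY_WHITESPACE|MULTIPART_DATA_AFTER|MULTIPART_HEADER_FOLDING|MULTIPART_LF_LINE|MULTIPART_MISSING_SEMICOLON|MULTIPART_INVALID_QUOTING|MULTIPART_INVALID_PART|MULTIPART_INVALID_HEADER_FOLDING|MULTIPART_FILE_LIMIT_EXCEEDED "!@eq 0" \
"id:'1000003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed validation (BQ and DB exempted): \
PE %{REQBODY_PROCESSOR_ERROR}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# The two exempted flags are still worth recording, so a separate
# non-blocking rule (assumed id 1000004) keeps them visible in the log.
SecRule MULTIPART_BOUNDARY_QUOTED|MULTIPART_DATA_BEFORE "!@eq 0" \
"id:'1000004',phase:2,t:none,log,pass, \
msg:'Multipart: quoted boundary (BQ %{MULTIPART_BOUNDARY_QUOTED}) or data before first boundary (DB %{MULTIPART_DATA_BEFORE}), not blocked'"
```

Option 2 replaces the existing 200003 rule rather than adding to it; leaving both in place would still block on the aggregate flag.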

zimmerle closed this as completed Feb 3, 2020

osamamaruf (Author) commented

@airween Thank you for the prompt response. We will upgrade. One question though: the request also hit this rule, MULTIPART_DATA_BEFORE; I was not able to find documentation explaining what it does. The MULTIPART_BOUNDARY_QUOTED was pretty straightforward. Also, here is the request:

---RMgUrPpr---A--
[03/Feb/2020:10:26:43 +0000] 158072560325.818190 XX.XX.XXX.XX XXXX XX.XX.XXX.XX 443
---RMgUrPpr---B--
POST /api/my-test?hello HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: multipart/form-data; boundary="----=_Part_0_1679309349.1580725603211"
MIME-Version: 1.0
Authorization: Bearer sdfasdfadfdfsfafa
Host: api-server.com
Content-Length: 7155
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_181)

---RMgUrPpr---C--

------=_Part_0_1679309349.1580725603211
Content-Type: text/xml; charset=Cp1252; name=hello001-hello-valid.xml
Content-Transfer-Encoding: binary
Content-Disposition: form-data; name="my-file"; filename="hello001-hello-valid.xml"

<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:34234.001.001.03"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <OuterNode>
        <AnotherHdr>
                <ABC>xxxxxx</ABC>
                <DEF>XXXX-05-02T14:52:09</DEF>
                <GHI>1</GHI>
                <KLM>YYY.XX</KLM>
                <NOP>
                        <QRS>XXXXX</QRS>
                </NOP>
        </AnotherHdr>
        <TUV>
                <TUVId>XXXX</TUVId>
                <XYZ>TRF</XYZ>
                <GHI>1</GHI>
                <KLM>YYY.XX</KLM>
                <ABCDF>
                    <ABCDFEG> <Cd>YYYY</Cd> </ABCDFEG>
                </ABCDF>
                <XYTR>UUUU-05-02</XYTR>
                <IJUY>
                        <QRS>UUUUUU</QRS>
                </IJUY>
                <IJUYSDFDSFSFSF>
                    <Id>
                        <TESTT>546456FGHH</TESTT>
                    </Id>
                </IJUYSDFDSFSFSF>
                <IJUYAgt>
                    <TERE>
                        <UIII>56546DFGHDFG</UIII>
                    </TERE>
                </IJUYAgt>
                <CHG>45345345</CHG>
                <FDDFDF>
                    <DFDDF>
                        <FDFSDDFDFD>3453454353FGFDG</FDFSDDFDFD>
                    </DFDDF>
                    <YYUYTT>
                        <InstdYYUYTT SDF="32324SDF">TTTT.SF</InstdYYUYTT>
                    </YYUYTT>
                    <GDSDFSD>
                        <TERE>
                            <UIII>SFDFS</UIII>
                        </TERE>
                    </GDSDFSD>
                    <TRREE>
                        <SDFSF>SFSDF</SDFSF>
                    </TRREE>
                    <TRREESDFDSFSFSF>
                        <YUIYUIYIU>
                            <TESTT>SDFDF</TESTT>
                        </YUIYUIYIU>
                    </TRREESDFDSFSFSF>
                    <SDFADFSD>
                        <SDFDFDFDSFS>23434. SDFDFF.3R243</SDFDFDFDSFS>
                    </SDFADFSD>
                </FDDFDF>
        </TUV>
        </OuterNode>
</Document>
------=_Part_0_1679309349.1580725603211--


---RMgUrPpr---F--
HTTP/1.1 400
x-frame-options: sameorigin
referrer-policy: same-origin
x-xss-protection: 1; mode=block
Connection: close
x-content-type-options: nosniff
Content-Type: text/html
x-application-context: 
Content-Length: 150
Date: Mon, 03 Feb 2020 10:26:43 GMT
Server: 
Server: 
content-security-policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com data:; object-src 'none'; connect-src 'self'; img-src 'self' data:; font-src https://fonts.gstatic.com 'self' data:; style-src 'self' https://www.gstatic.com https://fonts.googleapis.com 'unsafe-inline'; frame-src 'self'; manifest-src 'self';
Pragma: 
Strict-Transport-Security: max-age=315360000; includeSubDomains

---RMgUrPpr---H--
ModSecurity: Access denied with code 400 (phase 2). Matched "Operator `Eq' with parameter `0' against variable `MULTIPART_STRICT_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "61"] [id "200003"] [rev ""] [msg "Multipart request body failed strict validation: \\x0aPE 0, \\x0aBQ 1, \\x0aBW 0, \\x0aDB 1, \\x0aDA 0, \\x0aHF 0, \\x0aLF 0, \\x0aSM 0, \\x0aIQ 0, \\x0aIP 0, \\x0aIH 0, \\x0aFL "] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "XX.XX.XXX.XX"] [uri "/api/my-test"] [unique_id "158072560325.818190"] [ref "v660,1"]

airween (Member) commented Feb 4, 2020

Hi @osamamaruf,

thanks - is there an empty line between the two lines above?

---RMgUrPpr---C--

------=_Part_0_1679309349.1580725603211

If yes, that's the "data before".

For the "boundary quoted": if it's quoted, it looks like a flag had been set to true, and the log shows:

Warning: boundary was quoted.

Also, if there is data before the boundary, I got a message:

Warning: seen data before first boundary.

And it looks like MULTIPART_STRICT_ERROR is set to TRUE if any of these flags are set. Also check the reference.

After a quick search, I can't decide whether the quoted boundary error is valid or not. If you look at the variable name, which is "strict", then I assume it is (I mean it's valid).

Also, if you take a look at the RFC, the examples are very ambiguous: there are several examples with extra data before the boundary. Maybe that's not a strict error, but see my opinion above in case DB.

If you think just disable this rule, and make some others for other multipart errors.
