MULTIPART_STRICT_ERROR False Positive
osamamaruf opened this issue · comments
Description
Modsecurity flags the following content type header
Content-Type: multipart/form-data; boundary="----=_Part_0_1679309349.1580725603211"
The boundary should be allowed to have quotes.
Audit Logs / Triggered Rule Numbers
MULTIPART_BOUNDARY_QUOTED
MULTIPART_DATA_BEFORE
The above rule have been triggered from 200003
.
2020/02/03 10:26:43 [warn] 49#49: *2962 [client XX.XX.XXX.XX] ModSecurity: Access denied with code 400 (phase 2). Matched "Operator
Eq' with parameter
0' against variableMULTIPART_STRICT_ERROR' (Value:
1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "61"] [id "200003"] [rev ""] [msg "Multipart request body failed strict validation: \x0aPE 0, \x0aBQ 1, \x0aBW 0, \x0aDB 1, \x0aDA 0, \x0aHF 0, \x0aLF 0, \x0aSM 0, \x0aIQ 0, \x0aIP 0, \x0aIH 0, \x0aFL "] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "XX.XX.XXX.XX"] [uri "/api/my-test"] [unique_id "158072560325.818190"] [ref "v660,1"], client: XX.XX.XXX.XX, server: api-server.com, request: "POST /api/my-test?hello HTTP/1.1", host: "api-server.com"
Your Environment
- CRS version (v3.0.0)
- ModSecurity version (3.0.2)
- Web Server and version (Nginx 1.15.9)
Confirmation
[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
Sorry for the inconvenience, but the rule 200003 is not part of CRS, it is one of the recommended rules by ModSecurity itself. It is based on variables written by ModSecurity and thus the engine itself.
I'm closing this here and ask you to go over to the ModSec project.