
False Positive on REQUEST-930-APPLICATION-ATTACK-LFI


_Issue originally created by user neesinch on date 2017-05-18 01:53:04. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/783._

Hi, I am having some trouble with image upload to the server. I am clueless as to what's triggering REQUEST-930-APPLICATION-ATTACK-LFI while uploading images. And surprisingly ModSecurity allows some images but blocks others, citing the above rule.

I am unable to understand why LFI has to trigger while uploading or POSTing as well. Any guidance / help is highly appreciated.

This is my audit log; I truncated some information for readability.

---T3oS3FAr---A--
[17/May/2017:19:33:54 -0400] 14950640341.000000 192.168.6.253 38322 192.168.6.253 443
---T3oS3FAr---B--
POST /Common/ManualUploadChunks HTTP/1.1
Accept-Language: en-US,en;q=0.8
Referer:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt15zAFJdSMDgWhIO
Cache-Control: no-cache
Accept: application/json
parentType: null
height: 60
Host:
requestorSoid: null
Cookie: __RequestVerificationToken=ZWI9ErWWFqnRs24F3xtfU9P4iVaU0ZOhVVmpAG89ipLeWBziLd2St6AA2T_xEzkB6bzQu0AO0P3pWxpQAP8_GAjAajgdUse74Pksfn5A8Cg1; .AspNet.ApplicationCookie=HKooabR_pxY15e68sUUqvK9LXq8gahgQa9aEabhzf2Y98cW9X6POGcCmQtifwEGnt-BAzH5zok8NvmY2HqioZ936AZIdZNvmHvK-K3QGfDomTIFhzUs4B3be1_QW6wTgwayjXV5hKEGyCrvNh9XbACxx15LVE3EPBLnk_m5797xErdZ2hrb8UNn9xqukbxZQ7FdJGp23Qd2_xXZItigdNwUDlDytwjeaLGA5XyOZD1JbASUbDzBCWf3vWo6KZyAB4DyT9QXpimqdqvg-kq_yP6iJ60up98MMxHIv9YJUKQMUYZagL50318pZRkEDQUyHc4IFUkWqNsK0qBpQdVy89PJ3mlQD9ON4RTW-rXpiHP6TA31ftR0-04o3mvNG6W0TDJhOnpR24zeJFoGvI1l3Gw
Connection: keep-alive
width: 60
type: image
Accept-Encoding: gzip, deflate, br
Content-Length: 136989
Origin:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
id: undefined
X-Requested-With: XMLHttpRequest

---T3oS3FAr---D--

---T3oS3FAr---F--
Server: nginx/1.11.12
Date: Wed, 17 May 2017 23:33:54 GMT
Content-Length: 572
Content-Type: text/html
Connection: keep-alive

---T3oS3FAr---H--
ModSecurity: Warning. Matched "Operator `Pm' with parameter `..\ ../' against variable `REQUEST_BODY' (Value: `------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqpartindex"\x (801395 characters omitted)' ) [file "/opt/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930110"] [rev "1"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: ------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqpartindex"\x0d\x0a\x0d\x0a0\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqpartbyteoffset"\x0d\x0a\x0d\x0a0\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqchunksize"\x0d\x0a\x0d\x0a136021\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqtotalparts"\x0d\x0a\x0d\x0a1\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqtotalfilesize"\x0d\x0a\x0d\x0a136021\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqfilename"\x0d\x0a\x0d\x0aindianfilmhistory_bg-1024x576.jpg\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qquuid"\x0d\x0a\x0d\x0a84713fb1-241f-43e2-877d-22a3a33eceab\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqfile"; filename="blob"\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\xffffffff\xffffffd8\xffffffff\xffffffe0\x00\x10JFIF\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\xffffffff\xffffffdb\x00C\x00\x06\x04\x04\x05\x04\x04\x06\x05\x05\x05\x06\x06\x06\x07\x09\x0e\x09\x09\x08\x08\x09\x12\x0d\x0d\x0a\x0e\x15\x12\x16\x16\x15\x12\x14\x14\x17\x1a!\x1c\x17\x18\x1f\x19\x14\x14\x1d'\x1d\x1f"#%%%\x16\x1c),------WebKitFormBoundaryt15zAFJdSMDgWhIO--\x0d\x0a"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [ref "o100366,3v1323,136989t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/opt/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/opt/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../)'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""]

---T3oS3FAr---I--

---T3oS3FAr---J--

---T3oS3FAr---Z--

---nb7Vj0mJ---A--
[17/May/2017:20:49:14 -0400] 14950685541.000000 169.54.244.93 44109 169.54.244.93 80
---nb7Vj0mJ---B--
GET / HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: /

---nb7Vj0mJ---D--

---nb7Vj0mJ---F--
Server: nginx/1.11.12
Date: Thu, 18 May 2017 00:49:14 GMT
Content-Length: 170
Content-Type: text/html
Connection: close

---nb7Vj0mJ---H--
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Host' (Value: `0' ) [file "/opt/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "526"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [data ""] [severity "4"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [ref ""]

---nb7Vj0mJ---I--

---nb7Vj0mJ---J--

---nb7Vj0mJ---Z--


Issue Analytics

  • State: closed
  • Comments: 8

Top GitHub Comments

bkarlen commented, May 22, 2020 (1 reaction)

Our team has been having this issue recently. Is there an update on when this will be fixed?

CRS-migration-bot commented, May 13, 2020 (1 reaction)

User lifeforms commented on date 2017-05-18 13:26:07:

I have an open issue for this false positive: #597

We hope to address it in a future update, but for now, writing a custom whitelist rule is your only option. You could add the following to your configuration to disable this check on your upload endpoint. Note that it might enable LFI injections, but unfortunately more fine grained control is not possible at this point. Edit: I recommend removing this configuration once we have fixed the issue:

# Applies only to the upload endpoint. For that transaction it drops the
# REQUEST_BODY target from rule 930110; the rule's other targets (URI,
# arguments, headers) are still inspected. phase:1 so the ctl action is in
# place before 930110, a phase 2 (request) rule, is evaluated.
SecRule REQUEST_FILENAME "@streq /Common/ManualUploadChunks" \
	"id:123456,phase:1,t:none,nolog,pass,\
	ctl:ruleRemoveTargetById=930110;REQUEST_BODY"

Thanks for your report. If you are interested in tracking it further, please subscribe to issue #597.

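An added example (not code from the CRS project, the reporter, or lifeforms) that reproduces what the audit log above shows: 930110's "@pm ..\ ../" check runs over the whole raw multipart body, so a hit can come from the JPEG's entropy-coded bytes rather than from any form field, and the exclusion above works by taking that body out of the rule's reach while the fields and URI stay covered. The boundary and the qq* field values are copied from the log; the image bytes, the splice offset, the filler "scan data" and the uniform-byte assumption behind the probability estimate are constructed for this example. It also answers the "some images pass, some are blocked" observation: for a file of the reporter's size, a random-looking byte stream contains one of the two patterns roughly one time in sixty.

```python
"""Where does CRS 930110's pattern land in a chunked image upload, and why
only sometimes? Constructed example; see the lead-in for what is assumed."""
import re

# Patterns from the log line: Operator Pm with parameter "..\ ../"
LFI_PATTERNS = (b"../", b"..\\")
BOUNDARY = "----WebKitFormBoundaryt15zAFJdSMDgWhIO"
FIELDS = {  # the non-file parts seen in the audit log, in order
    "qqpartindex": "0", "qqpartbyteoffset": "0", "qqchunksize": "136021",
    "qqtotalparts": "1", "qqtotalfilesize": "136021",
    "qqfilename": "indianfilmhistory_bg-1024x576.jpg",
    "qquuid": "84713fb1-241f-43e2-877d-22a3a33eceab",
}
# JFIF header bytes as they appear in the log (SOI, APP0, start of DQT)
JFIF_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\xff\xdb"
SPLICE_AT = 700  # assumed offset within the filler where '../' is spliced in


def pm_find(data, patterns=LFI_PATTERNS):
    """First @pm-style hit as (offset, pattern), or None. @pm is a
    case-insensitive multi-pattern match; for these two patterns a plain
    byte search over the lower-cased buffer is equivalent."""
    lowered = data.lower()
    hits = [(lowered.find(p), p) for p in patterns if p in lowered]
    return min(hits) if hits else None


def parse_multipart(body, boundary):
    """Minimal multipart/form-data splitter: list of (name, filename, content).
    Enough for browser-generated bodies; not a general MIME parser."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            content = content[:-2]
        name = re.search(rb';\s*name="([^"]*)"', head)
        fname = re.search(rb'filename="([^"]*)"', head)
        parts.append((name.group(1).decode() if name else None,
                      fname.group(1).decode() if fname else None, content))
    return parts


def build_body(boundary, fields, file_bytes, file_field="qqfile", filename="blob"):
    """Assemble a body shaped like the reporter's (constructed, not captured)."""
    out = bytearray()
    for k, v in fields.items():
        out += f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
    out += (f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
    out += file_bytes + b"\r\n" + f"--{boundary}--\r\n".encode()
    return bytes(out)


def make_image(with_traversal):
    """JFIF header plus filler. bytes(range(256)) holds each byte value once per
    256, so it can never contain '..'; the only possible hit is the spliced one."""
    scan = bytearray(bytes(range(256)) * 4)
    if with_traversal:
        scan[SPLICE_AT:SPLICE_AT + 3] = b"../"
    return JFIF_HEAD + bytes(scan)


def locate_hit(body, boundary):
    """Which part would 930110 be reacting to? (name, filename, offset, pattern)
    or None. Text fields come first, so a hit there is reported before the file."""
    for name, fname, content in parse_multipart(body, boundary):
        hit = pm_find(content)
        if hit:
            return (name, fname, hit[0], hit[1])
    return None


def expected_hits(n_bytes, patterns=LFI_PATTERNS):
    """Expected number of pattern occurrences in n_bytes of uniformly random data
    (assumption: entropy-coded JPEG data is close to that). A 3-byte window
    matches one fixed pattern with probability 256**-3, so about 1 file in 60 of
    the reporter's size (136021 bytes) contains '../' or '..\\' by chance."""
    return sum(max(n_bytes - len(p) + 1, 0) / 256.0 ** len(p) for p in patterns)


if __name__ == "__main__":
    for flag in (False, True):
        body = build_body(BOUNDARY, FIELDS, make_image(flag))
        print("spliced '../' into image:", flag, "-> hit:", locate_hit(body, BOUNDARY))
    print("expected hits in a %d-byte random file: %.4f" % (136021, expected_hits(136021)))
```

Run it and the hit is reported in the qqfile part at an offset inside the image data, with every text field clean; that is the part the whitelist rule above hides from 930110 (REQUEST_BODY), while ARGS, which carry qqfilename and the other fields, remain checked. The same approach, parsing a saved body and running the rule's patterns per part, is a quick way to confirm a suspected binary-content false positive before writing an exclusion.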
