False Positive on REQUEST-930-APPLICATION-ATTACK-LFI
See original GitHub issue. Issue originally created by user neesinch on 2017-05-18 01:53:04. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/783.
Hi, I am having some trouble with image upload to the server. I am clueless as to what's triggering REQUEST-930-APPLICATION-ATTACK-LFI while uploading images. And surprisingly ModSecurity allows some images whereas it blocks others, citing the above rule.
I am unable to understand why LFI has to trigger while uploading or on POST as well. Any guidance / help is highly appreciated.
This is my audit log; I truncated some information for readability.
---T3oS3FAr---A--
[17/May/2017:19:33:54 -0400] 14950640341.000000 192.168.6.253 38322 192.168.6.253 443
---T3oS3FAr---B--
POST /Common/ManualUploadChunks HTTP/1.1
Accept-Language: en-US,en;q=0.8
Referer:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt15zAFJdSMDgWhIO
Cache-Control: no-cache
Accept: application/json
parentType: null
height: 60
Host:
requestorSoid: null
Cookie: __RequestVerificationToken=ZWI9ErWWFqnRs24F3xtfU9P4iVaU0ZOhVVmpAG89ipLeWBziLd2St6AA2T_xEzkB6bzQu0AO0P3pWxpQAP8_GAjAajgdUse74Pksfn5A8Cg1; .AspNet.ApplicationCookie=HKooabR_pxY15e68sUUqvK9LXq8gahgQa9aEabhzf2Y98cW9X6POGcCmQtifwEGnt-BAzH5zok8NvmY2HqioZ936AZIdZNvmHvK-K3QGfDomTIFhzUs4B3be1_QW6wTgwayjXV5hKEGyCrvNh9XbACxx15LVE3EPBLnk_m5797xErdZ2hrb8UNn9xqukbxZQ7FdJGp23Qd2_xXZItigdNwUDlDytwjeaLGA5XyOZD1JbASUbDzBCWf3vWo6KZyAB4DyT9QXpimqdqvg-kq_yP6iJ60up98MMxHIv9YJUKQMUYZagL50318pZRkEDQUyHc4IFUkWqNsK0qBpQdVy89PJ3mlQD9ON4RTW-rXpiHP6TA31ftR0-04o3mvNG6W0TDJhOnpR24zeJFoGvI1l3Gw
Connection: keep-alive
width: 60
type: image
Accept-Encoding: gzip, deflate, br
Content-Length: 136989
Origin:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
id: undefined
X-Requested-With: XMLHttpRequest
---T3oS3FAr---D--
---T3oS3FAr---F--
Server: nginx/1.11.12
Date: Wed, 17 May 2017 23:33:54 GMT
Content-Length: 572
Content-Type: text/html
Connection: keep-alive
---T3oS3FAr---H--
ModSecurity: Warning. Matched "Operator `Pm' with parameter `..\ ../' against variable `REQUEST_BODY' (Value: `------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqpartindex"\x (801395 characters omitted)' ) [file "/opt/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930110"] [rev "1"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: ------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqpartindex"\x0d\x0a\x0d\x0a0\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqpartbyteoffset"\x0d\x0a\x0d\x0a0\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqchunksize"\x0d\x0a\x0d\x0a136021\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqtotalparts"\x0d\x0a\x0d\x0a1\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqtotalfilesize"\x0d\x0a\x0d\x0a136021\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqfilename"\x0d\x0a\x0d\x0aindianfilmhistory_bg-1024x576.jpg\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qquuid"\x0d\x0a\x0d\x0a84713fb1-241f-43e2-877d-22a3a33eceab\x0d\x0a------WebKitFormBoundaryt15zAFJdSMDgWhIO\x0d\x0aContent-Disposition: form-data; name="qqfile"; filename="blob"\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\xffffffff\xffffffd8\xffffffff\xffffffe0\x00\x10JFIF\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\xffffffff\xffffffdb\x00C\x00\x06\x04\x04\x05\x04\x04\x06\x05\x05\x05\x06\x06\x06\x07\x09\x0e\x09\x09\x08\x08\x09\x12\x0d\x0d\x0a\x0e\x15\x12\x16\x16\x15\x12\x14\x14\x17\x1a!\x1c\x17\x18\x1f\x19\x14\x14\x1d'\x1d\x1f"#%%%\x16\x1c),------WebKitFormBoundaryt15zAFJdSMDgWhIO--\x0d\x0a"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [ref "o100366,3v1323,136989t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/opt/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/opt/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../)'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""]
---T3oS3FAr---I--
---T3oS3FAr---J--
---T3oS3FAr---Z--
---nb7Vj0mJ---A--
[17/May/2017:20:49:14 -0400] 14950685541.000000 169.54.244.93 44109 169.54.244.93 80
---nb7Vj0mJ---B--
GET / HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
---nb7Vj0mJ---D--
---nb7Vj0mJ---F--
Server: nginx/1.11.12
Date: Thu, 18 May 2017 00:49:14 GMT
Content-Length: 170
Content-Type: text/html
Connection: close
---nb7Vj0mJ---H--
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Host' (Value: `0' ) [file "/opt/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "526"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [data ""] [severity "4"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [ref ""]
---nb7Vj0mJ---I--
---nb7Vj0mJ---J--
---nb7Vj0mJ---Z--
Top GitHub Comments
Our team has been having this issue recently. Is there an update on when this will be fixed?
User lifeforms commented on 2017-05-18 13:26:07:
I have an open issue for this false positive: #597
We hope to address it in a future update, but for now, writing a custom whitelist rule is your only option. You could add the following to your configuration to disable this check on your upload endpoint. Note that it might enable LFI injections, but unfortunately more fine-grained control is not possible at this point. Edit: I recommend removing this configuration once we have fixed the issue:
Thanks for your report. If you are interested in tracking it further, please subscribe to issue #597.
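A rule exclusion of the kind lifeforms describes, scoped to the upload endpoint that appears in the audit log above (/Common/ManualUploadChunks). This is an added example written for this page, not the snippet lifeforms posted (which is not reproduced here) and not CRS project code; the local rule ids 10001 and 10002, the choice of @beginsWith on REQUEST_URI, and placement in the before-CRS exclusion file are assumptions.

```apache
# Added example, not from the issue thread. Load this BEFORE the CRS rule
# files (CRS 3.0 ships REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
# for exactly this purpose). Ids 10001/10002 are arbitrary local ids.

# Option A: what lifeforms describes. Turn off rule 930110 entirely, but
# only for the chunked-upload endpoint seen in the audit log, so the LFI
# check keeps running on every other URL. The trade-off from the thread
# applies: 930110 no longer scores anything posted to this one endpoint,
# so remove the exclusion again once the upstream fix for #597 lands.
SecRule REQUEST_URI "@beginsWith /Common/ManualUploadChunks" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=930110"

# Option B (narrower; use INSTEAD of A, and only where the engine supports
# ctl:ruleRemoveTargetById): keep 930110 active on this endpoint for the
# URI, arguments and headers, and stop it inspecting REQUEST_BODY only,
# which is the variable the audit log above shows the match in.
SecRule REQUEST_URI "@beginsWith /Common/ManualUploadChunks" \
    "id:10002,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=930110;REQUEST_BODY"
```

After reloading, re-run the same upload and confirm the H section of the audit log no longer carries an id "930110" entry for that URI while other paths still trigger it.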