False Positive Seafile (Nextcloud alternative) Upload File
Description
Seafile is an open source alternative to Nextcloud (and way more stable(!) + blazing fast 😉, written in python/django). The CRS 3.3.0 is hitting false positives when uploading a file bigger than 3-5MB and also when trying to delete files.
I did resolve the issue by:
(updated as mentioned, putting DELETE in SecAction id 900200 rule)
<IfModule mod_security2.c>
SecRuleEngine On
### Allow huge file size uploads in my seafile environment
SecRequestBodyLimit 3010720000
SecRequestBodyNoFilesLimit 3010720000
### SeaFile dealing with Mod Security false positives
### Make sure REST API DELETE and PUT is working, Seafile up/downloads are using REST API
SecAction "id:900200,phase:1,nolog,pass,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS DELETE PUT'"
### added in modsecurity.conf to make sure user files are not scanned
SecRule REQUEST_FILENAME "@beginsWith /seafhttp/repo/" "id:1,phase:2,nolog,allow,ctl:ruleEngine=Off"
<LocationMatch "/seafhttp">
#Allow Upload File bigger than 2-5MB
SecRuleRemoveById 200004 920450
#Allow Uploads without Content-Type Header
SecRuleRemoveById 920340
</LocationMatch>
</IfModule>
Audit Logs / Triggered Rule Numbers
#Upload failed Part #1
[Fri May 28 23:44:30.835631 2021] [:error] [pid 1815521:tid 140292159448832] [client 31.18.248.40:55955] [client 31.18.248.40] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/modsecurity/modsecurity.conf"] [line "88"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "seafile.schroeffu.ch"] [uri "/seafhttp/upload-aj/2b27f7d1-3d83-48c7-80f6-ca3d004b3660"] [unique_id "YLFkO4GabnaHgvL-PBPj6QAAABM"], referer: https://seafile.schroeffu.ch/library/4551f3c5-bf6c-4720-b77a-7acbff5719ea/Dateien/
#Upload failed Part #2
[Fri May 28 23:54:15.343412 2021] [:error] [pid 1819770:tid 139823242995456] [client 31.18.248.40:10700] [client 31.18.248.40] ModSecurity: Warning. String match within "/proxy/ /lock-token/ /content-range/ /if/" at TX:header_name_content-range. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1106"] [id "920450"] [msg "HTTP header is restricted by policy (/content-range/)"] [data "Restricted header detected: /content-range/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"] [hostname "seafile.schroeffu.ch"] [uri "/seafhttp/upload-aj/8edf184d-22e8-46a5-9ecc-5fd90f132cd8"] [unique_id "YLFmg5iURb3zH47gxybUpAAAABM"], referer: https://seafile.schroeffu.ch/library/4551f3c5-bf6c-4720-b77a-7acbff5719ea/Dateien/
[Fri May 28 23:54:15.352826 2021] [:error] [pid 1819770:tid 139823242995456] [client 31.18.248.40:10700] [client 31.18.248.40] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "seafile.schroeffu.ch"] [uri "/seafhttp/upload-aj/8edf184d-22e8-46a5-9ecc-5fd90f132cd8"] [unique_id "YLFmg5iURb3zH47gxybUpAAAABM"], referer: https://seafile.schroeffu.ch/library/4551f3c5-bf6c-4720-b77a-7acbff5719ea/Dateien/
[Fri May 28 23:54:15.353621 2021] [:error] [pid 1819770:tid 139822979012352] [client 31.18.248.40:10700] [client 31.18.248.40] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [hostname "seafile.schroeffu.ch"] [uri "/seafhttp/upload-aj/8edf184d-22e8-46a5-9ecc-5fd90f132cd8"] [unique_id "YLFmg5iURb3zH47gxybUpAAAABM"], referer: https://seafile.schroeffu.ch/library/4551f3c5-bf6c-4720-b77a-7acbff5719ea/Dateien/
#Delete Files in WebUI/Android App
[Sat May 29 00:13:26.059649 2021] [:error] [pid 1830496:tid 140706484025088] [client 31.18.248.40:10652] [client 31.18.248.40] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "seafile.schroeffu.ch"] [uri "/api2/repos/4551f3c5-bf6c-4720-b77a-7acbff5719ea/file/"] [unique_id "YLFrBpl@0qltoPED9FBt@QAAAA0"]
Your Environment
- CRS version (e.g., v3.2.0): 3.3.0
- Paranoia level setting: default
- ModSecurity version (e.g., 2.9.3): 2.9.3
- Web Server and version (e.g., apache 2.4.41): 2.4.41
- Operating System and version: Ubuntu 20.04 Server, ModSec from Repo, CRS RuleSet 3.3.0 from latest Ubuntu .deb package
- Seafile Server Version: 7.1.5 (latest is 8.x but not used yet)
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
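The audit-log entries quoted in the issue are the raw material for deciding which CRS rules to exclude on which Seafile path. As an added example, not part of the issue or of the CRS project, the script below parses ModSecurity error-log entries in that shape, drops the scoring-only rules (949110, 980130) that merely report the anomaly total, groups the remaining rule ids by URI prefix, and renders path-scoped `ctl:ruleRemoveById` exclusions as an alternative to switching the rule engine off for `/seafhttp/repo/`. The sample lines, hostnames, ids and the `10000+` rule id range are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample entries in the shape of the Apache error-log lines quoted in
# the issue; hosts, IPs and ids are placeholders and the [tag ...] fields are dropped.
SAMPLE_LOG = """\
[Fri May 28 23:44:30.835631 2021] [:error] [pid 1:tid 2] [client 192.0.2.10:55955] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/modsecurity/modsecurity.conf"] [line "88"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "seafile.example.com"] [uri "/seafhttp/upload-aj/00000000-0000-0000-0000-000000000001"] [unique_id "AAAA"]
[Fri May 28 23:54:15.343412 2021] [:error] [pid 1:tid 2] [client 192.0.2.10:10700] ModSecurity: Warning. String match within "/proxy/ /lock-token/ /content-range/ /if/" at TX:header_name_content-range. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1106"] [id "920450"] [msg "HTTP header is restricted by policy (/content-range/)"] [severity "CRITICAL"] [hostname "seafile.example.com"] [uri "/seafhttp/upload-aj/00000000-0000-0000-0000-000000000002"] [unique_id "BBBB"]
[Fri May 28 23:54:15.352826 2021] [:error] [pid 1:tid 2] [client 192.0.2.10:10700] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "seafile.example.com"] [uri "/seafhttp/upload-aj/00000000-0000-0000-0000-000000000002"] [unique_id "BBBB"]
[Sat May 29 00:13:26.059649 2021] [:error] [pid 1:tid 2] [client 192.0.2.10:10652] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [hostname "seafile.example.com"] [uri "/api2/repos/00000000-0000-0000-0000-000000000003/file/"] [unique_id "CCCC"]
"""

# Bracketed key/value fields such as [id "920450"] or [uri "/seafhttp/..."].
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Rules that only report the anomaly total (blocking evaluation / correlation);
# they are the symptom of a false positive, not the rule to exclude.
SCORING_RULE_IDS = {"949110", "980130"}

def parse_entry(line):
    """Return the bracketed fields of one entry, or None if it carries no rule id/uri."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "uri" not in fields:
        return None
    fields["denied"] = "Access denied" in line
    return fields

def summarize_false_positives(log_text):
    """Map each URI prefix (first two path components) to the sorted rule ids
    that fired there, skipping the scoring-only rules."""
    by_prefix = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["id"] in SCORING_RULE_IDS:
            continue
        prefix = "/" + "/".join(entry["uri"].split("/")[1:3])
        by_prefix[prefix].add(entry["id"])
    return {prefix: sorted(ids) for prefix, ids in by_prefix.items()}

def render_exclusions(summary, start_id=10000):
    """Emit one path-scoped exclusion per prefix using ctl:ruleRemoveById, which
    keeps the rest of the CRS active instead of turning the engine off."""
    rules = []
    for n, (prefix, ids) in enumerate(sorted(summary.items())):
        ctl = ",".join(f"ctl:ruleRemoveById={i}" for i in ids)
        rules.append(f'SecRule REQUEST_URI "@beginsWith {prefix}" '
                     f'"id:{start_id + n},phase:1,pass,nolog,{ctl}"')
    return rules
```

For 911100 on `/api2/repos` the issue's own fix, adding DELETE to `tx.allowed_methods` in rule 900200, is the better change than excluding the method-enforcement rule; the generated exclusions are a starting point to review, not a drop-in config.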
Top GitHub Comments
Hi @airween sorry didn’t have the time yet, will come back here asap with an update
Got it, thanks @fzipi