Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

quotes in uploaded filenames

See original GitHub issue

_Issue originally created by user quenenni on date 2014-10-23 21:28:58. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/199._

Hello,

It appears modsec doesn’t like filenames with single quotes in them.

I have that error:

[Mon Oct 20 16:00:48 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "81"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM , IQ 1, IQ 0, IH 0, IH 0"] [hostname "www.xxx.be"] [uri "/ecrire/"] [unique_id "VEUVf09jyzIAAAbkFlcAAABI"]

The ‘IQ 1’ is the “%{MULTIPART_INVALID_QUOTING}” var that was set to 1 and thus triggered the MULTIPART_STRICT_ERROR rule.

Unfortunately, single quotes are often used in french.

After digging on the net, I noticed people complain about false positives with this rule (MULTIPART_STRICT_ERROR) and the suggestions are to not block anymore but just log these transactions.

I would like to just remove the “MULTIPART_INVALID_QUOTING” test (that increments the “MULTIPART_STRICT_ERROR”) in order to keep the other tests active.

But I couldn’t find where these tests are (/etc/modsecurity /usr/share/modsecurity-crs/) or how I could update the rule to achieve what I want… or even if it’s something that can be done.

Any idea how I can do that? Thanks.

Another thing: The rule "SecRule MULTIPART_STRICT_ERROR “!@eq 0” can be found in 2 separate files and I have the impression it’s not on purpose:

1 - /etc/modsecurity/modsecurity.conf (line 67)

SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IQ %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

2 - /usr/share/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf (line 106)

SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
        "phase:2,t:none,block,msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}',id:'960914',severity:2,setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"

The n°1 is the one always triggered. I’m not sure the n°2 is ever triggered afaik. You can notice few differences between the two. The n°1 has no id and throw a status 44, and n°2 doesn’t have the “MULTIPART_INVALID_PART”.

As I have a Debian Stable server, I don’t have the latest versions (modsec & rules), so maybe that’s already fixed. Sorry if it’s the case.

libapache2-modsecurity 2.6.6-6+deb7u2 modsecurity-crs 2.2.5-2

Issue Analytics

State:
Created 3 years ago
Comments:15

Top GitHub Comments

1reaction

CRS-migration-botcommented, May 13, 2020

User quenenni commented on date 2016-06-23 14:17:16:

Your solution works nicely… Much appreciated.

I put the complete rule in case someone else need it too.

I kept the first one (id: 70000 that recreate the id:960000 and remove the test on the quote)** I removed the second one (id:70001) I created a new one based on your input:

SecRule MULTIPART_BOUNDARY_QUOTED               "@eq 0"         "id:70001,phase:2,chain,pass,ctl:ruleRemoveById=960914"
  SecRule MULTIPART_BOUNDARY_WHITESPACE         "@eq 0"         "chain"
  SecRule MULTIPART_DATA_BEFORE                 "@eq 0"         "chain"
  SecRule MULTIPART_DATA_AFTER                  "@eq 0"         "chain"
  SecRule MULTIPART_HEADER_FOLDING              "@eq 0"         "chain"
  SecRule MULTIPART_LF_LINE                     "@eq 0"         "chain"
  SecRule MULTIPART_INVALID_QUOTING             "@eq 1"         "chain"
  SecRule MULTIPART_INVALID_HEADER_FOLDING      "@eq 0"         "chain"
  SecRule MULTIPART_FILE_LIMIT_EXCEEDED         "@eq 0"

One strange thing though. I had to remove the line:

SecRule MULTIPART_SEMICOLON_MISSING           "@eq 0"         "chain"

from the rule. If not, I have this error on apachectl configtest:

Error creating rule: Unknown variable: MULTIPART_SEMICOLON_MISSING

Strange because “MULTIPART_SEMICOLON_MISSING” is part of the rule 960914

Also, it is not compulsory to put all these lines. As I only need to test the quote in the filename, this simpler rule is good enough (the other variables are still test for the value 0 and the request blocked if not):

SecRule MULTIPART_INVALID_QUOTING               "@eq 1"         "id:70001,phase:2,pass,ctl:ruleRemoveById=960914"

** I tried to update the rule id:960000 instead of recreating it but failed to do so:

SecRuleUpdateTargetById 960000 !FILES_NAMES “'”
SecRuleUpdateTargetById 960000 !FILES_NAMES:’
SecRuleUpdateTargetById 960000 !FILES_NAMES:“'”
SecRuleUpdateTargetById 960000 !FILES_NAMES:'
SecRuleUpdateTargetById 960000 FILES_NAMES|FILES “[";=]”
SecRuleUpdateTargetById 960000 FILES_NAMES|FILES:“[";=]”

And the errors are:

Error to update target - [] is not valid target
ModSecurity: Error parsing rule targets to append variable
ModSecurity: Error parsing rule targets to append variable
ModSecurity: Error parsing rule targets to append variable
Error to update target - [\xc0^\xf9]\xf6\x02] is not valid target (the part within the [ ] changes on every configtest)
Error to update target - [FILES_NAMES|FILES] is not valid target

Any hint on how to achieve this?

0reactions

CRS-migration-botcommented, May 13, 2020

User dune73 commented on date 2016-12-03 08:31:12:

I had hoped renaming was possible. That sucks. But I guess what you can do is catch it before the upload and warn users they should rename the file?

Seriously, I see your problem. I do not like the way ModSecurity handles this single quote thing. But there is little that we can do to help you. It is an unsolved problem with languages that use single quotes in filenames. Ignoring these rules might be the best bet from a usability standpoint. But it really lowers your defenses. Sorry that there is no real solution right now.