You are not setting the proper Content-Type in your XMLHttpRequest;
you should use

setRequestHeader('Content-Type', 'image/jpeg');
in this case

and define a proper whitelist

famti?

2014-05-21 13:41 GMT+04:00 Ilyass Kaouam <ilyassi...@gmail.com>:
>
> Hello
> I have a problem when I'd like to upload a jpg file.
> How can I allow uploading some types of file like jpg, pdf ...?
>
> this is the output of modsec_audit.log
>
> --a7f42c69-A--
>
> [21/May/2014:11:35:27 +0200] U3xzXX8AAAEAACYTAbUAAAAG xx.xx.xx.xx 60416
> xx.xx.xx.xx 80
>
> --a7f42c69-B--
>
> POST /upload-useravatar?qqfile=xxxx.jpg HTTP/1.1
>
> Host: www.xxxxxx.com
>
> Connection: keep-alive
>
> Content-Length: 159959
>
> Origin: http://www.xxxxxx.com
>
> X-Requested-With: XMLHttpRequest
>
> X-File-Name: xxxx.jpg
>
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
>
> Content-Type: application/octet-stream
>
> Accept: */*
>
> Referer: http://www.xxxxxx.com/user
>
> Accept-Encoding: gzip,deflate,sdch
>
> Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4,ar;q=0.2
>
> Cookie: JSESSIONID=5B361D7404F645627AFB171BBA0B3F8B;
> __utma=111125463.1873502041.1396101474.1400599956.1400664807.23;
> __utmb=111125463.4.10.1400664807; __utmc=111125463;
> __utmz=111125463.1396101474.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
>
>
> --a7f42c69-F--
>
> HTTP/1.1 403 Forbidden
>
> Content-Length: 219
>
> Connection: close
>
> Content-Type: text/html; charset=iso-8859-1
>
>
> --a7f42c69-E--
>
>
> --a7f42c69-H--
>
> Message: Access denied with code 403 (phase 1). Match of "rx
> ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file
> "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"]
> [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not
> allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"]
> [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag
> "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag
> "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
>
> Action: Intercepted (phase 1)
>
> Stopwatch: 1400664925455373 1654382 (- - -)
>
> Stopwatch2: 1400664925455373 1654382; combined=371, p1=195, p2=0, p3=0,
> p4=0, p5=105, sr=47, sw=1, l=0, gc=70
>
> Response-Body-Transformed: Dechunked
>
> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.9.
>
> Server: Apache
>
> Engine-Mode: "ENABLED"
>
>
> --a7f42c69-Z-
>
> thank you
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
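An added example (not from the thread and not CRS code) that models in Node.js the rule 960010 check quoted in the audit log, `rx ^%{tx.allowed_request_content_type}$` against the captured media type, so you can see why `application/octet-stream` is refused and which allowlist entry lets a JPEG upload through. The default allowlist value, the `setvar` counterpart and the added `image/jpeg`/`application/pdf` entries are assumptions.

```javascript
'use strict';

// Constructed allowlist in the CRS 2.2.x format (a '|'-separated list of
// media types); the real default value is not quoted in the thread.
const DEFAULT_ALLOWED = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/json';

// The upload site's extended list: the same entries plus the types the poster
// wants to accept. Counterpart in the CRS setup file (assumed):
//   setvar:'tx.allowed_request_content_type=...|image/jpeg|application/pdf'
const UPLOAD_ALLOWED = DEFAULT_ALLOWED + '|image/jpeg|application/pdf';

// TX:0 in the rule chain is the media type captured from the Content-Type
// header, i.e. the token before any ';' parameter or whitespace.
function mediaTypeOf(contentTypeHeader) {
  const m = /^([^;\s]+)/.exec(String(contentTypeHeader || '').trim());
  return m ? m[1] : '';
}

// Build the policy regex "^<list>$". The list is wrapped in a non-capturing
// group so that '^' and '$' anchor every alternative, not only the first
// and the last one, and each entry is escaped so '+' or '.' in a media type
// is matched literally.
function allowedRegex(allowedList) {
  const escaped = allowedList
    .split('|')
    .map((t) => t.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^(?:' + escaped.join('|') + ')$');
}

// Mirror of the rule's decision: true = request passes phase 1,
// false = "Access denied with code 403" with id 960010.
function requestContentTypeAllowed(contentTypeHeader, allowedList) {
  return allowedRegex(allowedList).test(mediaTypeOf(contentTypeHeader));
}

function classify(contentTypeHeader, allowedList) {
  return requestContentTypeAllowed(contentTypeHeader, allowedList)
    ? 'pass'
    : 'deny 403 (id 960010): ' + JSON.stringify(mediaTypeOf(contentTypeHeader));
}

// The request from the audit log: blocked under the default list, and still
// blocked after the list is extended, because octet-stream is not on it.
console.log(classify('application/octet-stream', DEFAULT_ALLOWED));
console.log(classify('application/octet-stream', UPLOAD_ALLOWED));
// The same upload once the XMLHttpRequest sets Content-Type: image/jpeg.
console.log(classify('image/jpeg', UPLOAD_ALLOWED));
```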