Hi all, just fyi,
I've found the bug in the multipart handler in libmodsecurity, and created a new PR: https://github.com/SpiderLabs/ModSecurity/pull/1747
Hope that it will be merged.

Regards,

a.

On Wed, Aug 23, 2017 at 9:30 AM, Ervin Hegedüs <airw...@gmail.com> wrote:
> Hi folks,
>
> here is a new problem with CRS 3.0(.2). There is an nGinx with
> Modsecurity 3.0, and CRS 3.0.2, and an Apache backend, which
> serves a webmail (Roundcube).
>
> When I try to import my GPG key through the upload, I got a 403
> Forbidden answer.
>
> Here are the details:
>
> HTTP req:
>
> POST https://webmail.mydomain.com/?_task=settings&_action=plugin.enigmakeys&_a=import&_unlock=loading1503472197200
> ...
> Content-Length 4443
> Content-Type multipart/form-data; boundary=---------------------------186567636118947579521451609378
>
>
> HTTP resp:
>
> 403 Forbidden
>
> Content of audit.log:
>
> ---3U4kCbBk---A--
> [23/Aug/2017:09:10:32 +0200] 15034722321.000000 client.ip.addr 51048 client.ip.addr 443
> ---3U4kCbBk---B--
> POST /?_task=settings&_action=plugin.enigmakeys&_a=import&_unlock=loading1503472197200 HTTP/1.1
> Connection: keep-alive
> Referer: https://webmail.mydomain.com/?_task=settings&_framed=1&_action=plugin.enigmakeys&_a=import
> Content-Type: multipart/form-data; boundary=---------------------------186567636118947579521451609378
> Accept-Encoding: gzip, deflate, br
> Cookie: language=hu; _ga=GA1.2.817NNNNNN.14NNNNNNNN; roundcube_sessid=sessionidtoken; roundcube_sessauth=sessauthidtoken
> Content-Length: 4443
> Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
> Host: webmail.mydomain.com
> Upgrade-Insecure-Requests: 1
>
> ---3U4kCbBk---D--
>
> ---3U4kCbBk---E--
> ³É(Éͱãå²ÉHML±³)É,ÉIµ310VpË/JÊLIIͳ
> ...
> ...
> ---3U4kCbBk---F--
> Server: nginx/1.6.2
> Date: Wed, 23 Aug 2017 07:10:32 GMT
> Content-Type: text/html
> Connection: keep-alive
> Content-Encoding: gzip
>
> ---3U4kCbBk---H--
> ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `MULTIPART_UNMATCHED_BOUNDARY' (Value: `1' ) [file "/etc/nginx/modsecurity.conf"] [line "66"] [id "200004"] [rev ""] [msg "Multipart parser detected a possible unmatched boundary."] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref "v810,1"]
>
> ---3U4kCbBk---I--
>
> ---3U4kCbBk---J--
>
> ---3U4kCbBk---Z--
>
>
> Here is the detail of the POST request:
>
> -----------------------------186567636118947579521451609378
> Content-Disposition: form-data; name="_token"
>
> nEWGe3VUF9R1K7d0SSx4rZRYkYeN849B
> -----------------------------186567636118947579521451609378
> Content-Disposition: form-data; name="_framed"
>
> 1
> -----------------------------186567636118947579521451609378
> Content-Disposition: form-data; name="_file"; filename="airween_at_gmail.com.asc"
> Content-Type: text/plain
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1
>
> mQINBFhwuigBEAC+gnmOXXTEtedn5hqcjLirPM6phHGLdeqVUsD0sRDWFjgcoh7b
> ...
> =G+Dl
> -----END PGP PUBLIC KEY BLOCK-----
>
> -----------------------------186567636118947579521451609378
> Content-Disposition: form-data; name="_search"
>
>
> -----------------------------186567636118947579521451609378--
>
>
>
>
> This error occurs when I upload the .asc file above; when I try
> to upload a "simple" csv, or png, everything works as well.
>
>
>
> What should I do? How can I fix this error?
>
>
>
> Thanks,
>
>
> a.
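The thread does not state the root cause, but the only visible difference between the failing upload and the working csv/png uploads is that the .asc part contains PGP armor lines that begin with dashes. The added example below (my own code, not from the thread, from libmodsecurity, or from the linked PR) assumes that is the trigger: it splits a constructed copy of the posted request body with strict delimiter matching, and compares a naive "unmatched boundary" heuristic that flags any line starting with `--` against a tighter one that only flags tokens drawn from the RFC 2046 boundary alphabet. The boundary string is the one from the quoted Content-Type header; the token and key material are placeholders.

```python
import re

# Boundary taken from the Content-Type header quoted in the thread.
BOUNDARY = "---------------------------186567636118947579521451609378"

# Constructed request body modeled on the thread's POST. The CSRF token and
# the key material are placeholders, not the values from the original mail.
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="_token"\r\n'
    "\r\n"
    "TOKENPLACEHOLDER\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="_file"; filename="key.asc"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\r\n"
    "Version: GnuPG v1\r\n"
    "\r\n"
    "mQINBFhwuigBEAC+PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER\r\n"
    "=G+Dl\r\n"
    "-----END PGP PUBLIC KEY BLOCK-----\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="_search"\r\n'
    "\r\n"
    "\r\n"
    f"--{BOUNDARY}--\r\n"
)

# RFC 2046 bcharsnospace: the only characters allowed inside a boundary.
_BOUNDARY_TOKEN = re.compile(r"^--([0-9A-Za-z'()+_,\-./:=?]{1,70})(--)?$")


def is_delimiter(line, boundary):
    """True only for the exact delimiter line: '--' + boundary, an optional
    closing '--', then optional linear whitespace (RFC 2046 allows it)."""
    prefix = "--" + boundary
    if not line.startswith(prefix):
        return False
    rest = line[len(prefix):]
    if rest.startswith("--"):
        rest = rest[2:]
    return rest.strip(" \t") == ""


def _parse_part(lines):
    """Split a part's raw lines into (headers, content); header names are
    lower-cased, content keeps its internal CRLFs."""
    headers, idx = {}, 0
    while idx < len(lines) and lines[idx] != "":
        name, _, value = lines[idx].partition(":")
        headers[name.strip().lower()] = value.strip()
        idx += 1
    return headers, "\r\n".join(lines[idx + 1:])


def split_multipart(body, boundary):
    """Strict split: only exact delimiter lines separate parts, so data lines
    that merely start with '--' (PGP armor, for instance) stay in the content."""
    parts, current = [], None
    for line in body.split("\r\n"):
        if is_delimiter(line, boundary):
            if current is not None:
                parts.append(_parse_part(current))
            if line.startswith("--" + boundary + "--"):
                break  # closing delimiter ends the body
            current = []
        elif current is not None:
            current.append(line)
    return parts


def loose_unmatched_candidates(body, boundary):
    """Naive heuristic: any line that starts with '--' and is not the declared
    delimiter is reported. This is what produces a false positive on armor lines."""
    return [l for l in body.split("\r\n")
            if l.startswith("--") and not is_delimiter(l, boundary)]


def strict_unmatched_candidates(body, boundary):
    """Tighter heuristic (my own, not ModSecurity's): report a line only if it
    is shaped like a real boundary token, i.e. '--' plus 1..70 characters from
    the RFC 2046 boundary alphabet with no whitespace, and it is not the
    declared delimiter. Armor headers contain spaces, so they are not reported."""
    return [l for l in body.split("\r\n")
            if not is_delimiter(l, boundary) and _BOUNDARY_TOKEN.match(l)]


if __name__ == "__main__":
    for headers, content in split_multipart(BODY, BOUNDARY):
        print(headers.get("content-disposition"), "->", len(content), "bytes")
    print("loose heuristic flags :", loose_unmatched_candidates(BODY, BOUNDARY))
    print("strict heuristic flags:", strict_unmatched_candidates(BODY, BOUNDARY))
```

Running it shows the .asc part arriving intact as one file part, the loose heuristic reporting both armor header lines (which is the behaviour that would set a variable like MULTIPART_UNMATCHED_BOUNDARY and let rule 200004 block the request), and the strict heuristic reporting nothing while still catching a genuinely foreign boundary token such as `--other`. When tuning such a rule, feeding the audit-log request body through a check like this tells you which lines are responsible before deciding whether to relax the rule or fix the parser.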
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set