Hi all,

just fyi,


I've found the bug in the multipart handler in libmodsecurity and created a
new PR:
https://github.com/SpiderLabs/ModSecurity/pull/1747

Hope that it will be merged.


Regards,


a.



On Wed, Aug 23, 2017 at 9:30 AM, Ervin Hegedüs <airw...@gmail.com> wrote:

> Hi folks,
>
> here is a new problem with CRS 3.0(.2). There is an nginx with
> ModSecurity 3.0 and CRS 3.0.2, and an Apache backend, which
> serves a webmail (Roundcube).
>
> When I try to import my GPG key through the upload, I get a 403
> Forbidden answer.
>
> Here are the details:
>
> HTTP req:
>
> POST https://webmail.mydomain.com/?_task=settings&_action=plugin.enigmakeys&_a=import&_unlock=loading1503472197200
> ...
> Content-Length  4443
> Content-Type    multipart/form-data; boundary=---------------------------186567636118947579521451609378
>
>
> HTTP resp:
>
> 403 Forbidden
>
> Content of audit.log:
>
> ---3U4kCbBk---A--
> [23/Aug/2017:09:10:32 +0200] 15034722321.000000 client.ip.addr 51048
> client.ip.addr 443
> ---3U4kCbBk---B--
> POST /?_task=settings&_action=plugin.enigmakeys&_a=import&_unlock=loading1503472197200 HTTP/1.1
> Connection: keep-alive
> Referer: https://webmail.mydomain.com/?_task=settings&_framed=1&_action=plugin.enigmakeys&_a=import
> Content-Type: multipart/form-data; boundary=---------------------------186567636118947579521451609378
> Accept-Encoding: gzip, deflate, br
> Cookie: language=hu; _ga=GA1.2.817NNNNNN.14NNNNNNNN; roundcube_sessid=sessionidtoken; roundcube_sessauth=sessauthidtoken
> Content-Length: 4443
> Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
> Host: webmail.mydomain.com
> Upgrade-Insecure-Requests: 1
>
> ---3U4kCbBk---D--
>
> ---3U4kCbBk---E--
> ³É(Éͱãå²ÉHML±³)É,ÉIµ310VpË/JÊLIIͳ
> ...
> ...
> ---3U4kCbBk---F--
> Server: nginx/1.6.2
> Date: Wed, 23 Aug 2017 07:10:32 GMT
> Content-Type: text/html
> Connection: keep-alive
> Content-Encoding: gzip
>
> ---3U4kCbBk---H--
> ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against
> variable `MULTIPART_UNMATCHED_BOUNDARY' (Value: `1' ) [file
> "/etc/nginx/modsecurity.conf"] [line "66"] [id "200004"] [rev ""] [msg
> "Multipart parser detected a possible unmatched boundary."] [data ""]
> [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref "v810,1"]
>
> ---3U4kCbBk---I--
>
> ---3U4kCbBk---J--
>
> ---3U4kCbBk---Z--
>
>
> Here is the detail of POST request:
>
> -----------------------------186567636118947579521451609378
> Content-Disposition: form-data; name="_token"
>
> nEWGe3VUF9R1K7d0SSx4rZRYkYeN849B
> -----------------------------186567636118947579521451609378
> Content-Disposition: form-data; name="_framed"
>
> 1
> -----------------------------186567636118947579521451609378
> Content-Disposition: form-data; name="_file"; filename="airween_at_gmail.com.asc"
> Content-Type: text/plain
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1
>
> mQINBFhwuigBEAC+gnmOXXTEtedn5hqcjLirPM6phHGLdeqVUsD0sRDWFjgcoh7b
> ...
> =G+Dl
> -----END PGP PUBLIC KEY BLOCK-----
>
> -----------------------------186567636118947579521451609378
> Content-Disposition: form-data; name="_search"
>
>
> -----------------------------186567636118947579521451609378--
>
>
>
>
> This error occurs when I upload the .asc file above; when I try
> to upload a "simple" csv or png, everything works fine.
>
>
>
> What should I do? How can I fix this error?
>
>
>
> Thanks,
>
>
> a.
>
>
>
>
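The .asc upload from the report, reconstructed as an added example that is neither part of the thread nor libmodsecurity's code: a splitter that recognises a delimiter only by exact match ("--" + boundary), plus a helper that lists the body lines which merely start with "--". Those are the ASCII-armor header and footer of the key, which is what any looser "line begins with --" boundary heuristic would be looking at; the key material and CSV content are placeholders, and the loose heuristic is an assumption about the failure class, not a description of libmodsecurity's implementation.

```python
# Added example (not libmodsecurity's code). Boundary value is the one from the
# report; key material is a constructed placeholder, not a real key.
BOUNDARY = "---------------------------186567636118947579521451609378"
KEY_TEXT = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\r\nVersion: GnuPG v1\r\n\r\n"
            "mQINBFhwuigBEAC+PLACEHOLDER\r\n=G+Dl\r\n-----END PGP PUBLIC KEY BLOCK-----\r\n")
CSV_TEXT = "name,email\r\nalice,alice@example.com\r\n"


def build_body(boundary: str, file_text: str) -> str:
    """Constructed request body modelled on the Roundcube import form in the report."""
    d = "--" + boundary
    return "\r\n".join([
        d, 'Content-Disposition: form-data; name="_token"', "", "nEWGe3VUF9R1K7d0SSx4rZRYkYeN849B",
        d, 'Content-Disposition: form-data; name="_framed"', "", "1",
        d, 'Content-Disposition: form-data; name="_file"; filename="key.asc"',
        "Content-Type: text/plain", "", file_text,
        d, 'Content-Disposition: form-data; name="_search"', "", "",
        d + "--", "",
    ])


def split_parts(body: str, boundary: str) -> list:
    """Split a body into parts; a delimiter is CRLF "--" boundary (RFC 2046), nothing looser."""
    delim = "\r\n--" + boundary
    parts = []
    # Prepend CRLF so the very first delimiter is matched the same way as the others.
    for chunk in ("\r\n" + body).split(delim)[1:]:
        if chunk.startswith("--"):            # closing delimiter "--boundary--": done
            break
        head, _, data = chunk[2:].partition("\r\n\r\n")   # drop the CRLF after the delimiter
        headers = dict(h.split(": ", 1) for h in head.split("\r\n") if h)
        parts.append({"headers": headers, "data": data})
    return parts


def dashdash_lines(parts: list) -> list:
    """Body lines beginning with "--" that exact matching did NOT treat as delimiters."""
    return [ln for p in parts for ln in p["data"].split("\r\n") if ln.startswith("--")]


if __name__ == "__main__":
    for name, text in (("key.asc", KEY_TEXT), ("simple.csv", CSV_TEXT)):
        parts = split_parts(build_body(BOUNDARY, text), BOUNDARY)
        print(name, len(parts), "parts; '--' lines inside data:", dashdash_lines(parts))
```

With exact matching both uploads split into the same four fields; only the armored key contains non-delimiter lines that begin with "--", which is the difference between the .asc upload and the csv/png uploads that pass.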
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
