400 bad request, modsecurityV3 in nginx #1824
Comments
Can you try to generate a debug file with a broken upload?
@zimmerle Thank you for your immediate help! I did a git pull after your email and with all patches and changes including af4afd3 the problem still exists, so I am attaching a broken upload debugging log at level 9. I am waiting for your reply!
Here is the problem:
Since it does not find the final boundary it is marking the request body as invalid. Do you have access to the request using tcpdump/wireshark?
To fix the 400 error I did chown nobody:nobody of the upload directory, but then every file, no matter if it's a hack or a regular one, is forbidden and hits the following rule, so I still think that you are right - there is a problem with MULTIPART_UNMATCHED_BOUNDARY. The question remains if the problem is in the code and how to fix it.
2018/06/29 14:11:20 [warn] 29031#0: *26 [client 94.156.138.51] ModSecurity: Warning. Matched "Operator
If I comment out the following rule the upload works and I didn't find any problems. Is it safe as a workaround until it's generally fixed?
#SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0"
I attached the modsec.pcap file from tcpdump from when every file returns 403 and the error from the log above. Please remove .txt from the file name (I renamed it so I can upload it)
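Added example, not part of the thread and not ModSecurity's own code: a simplified Python check for the two conditions discussed in the comments above, a multipart body with no final boundary and lines that look like a boundary but do not match it. It is a diagnostic sketch for a request body extracted from a capture, not a reimplementation of ModSecurity's multipart parser; the Content-Type, sample bodies and function names are constructed for illustration.

```python
import re

def boundary_from_content_type(content_type):
    """Return the boundary parameter of a multipart Content-Type as bytes."""
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type, re.I)
    if not m:
        raise ValueError("Content-Type has no boundary parameter")
    return (m.group(1) or m.group(2)).encode("latin-1")

def inspect_multipart(content_type, body):
    """Walk the CRLF-separated lines of a body and report on its boundaries."""
    delim = b"--" + boundary_from_content_type(content_type)
    report = {"parts": 0, "final_boundary": False, "unmatched": [], "trailing": False}
    for line in body.split(b"\r\n"):
        stripped = line.rstrip(b" \t")   # RFC 2046 allows padding after a delimiter
        if report["final_boundary"]:
            report["trailing"] |= bool(stripped)    # data after the closing delimiter
        elif stripped == delim + b"--":
            report["final_boundary"] = True         # closing delimiter found
        elif stripped == delim:
            report["parts"] += 1                    # start of another part
        elif line.startswith(b"--") and len(stripped) > 2:
            report["unmatched"].append(line)        # boundary-like, but not ours
    return report

# Constructed sample request (not taken from the attached pcap).
CT = "multipart/form-data; boundary=----ConstructedBoundary7MA4"
D = b"--" + boundary_from_content_type(CT)
PARTS = [
    b'Content-Disposition: form-data; name="action"\r\n\r\nupload-attachment',
    b'Content-Disposition: form-data; name="async-upload"; filename="sample.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\nCONSTRUCTED-FILE-BYTES",
]

def build(parts, close=True):
    """Assemble a multipart body; close=False omits the final boundary."""
    body = b"".join(D + b"\r\n" + p + b"\r\n" for p in parts)
    return body + (D + b"--\r\n" if close else b"")

GOOD = build(PARTS)
TRUNCATED = build(PARTS, close=False)    # body cut off before the closing delimiter
ODD = build([PARTS[0], PARTS[1] + b"\r\n--not-the-boundary"])

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("truncated", TRUNCATED), ("odd", ODD)):
        print(name, inspect_multipart(CT, body))
```

Running it against the body carved out of a capture shows whether the closing delimiter reached the server at all, which separates a truncated or altered request from a parser-side problem.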
Is it a confirmed bug?
Hi @zimmerle ! Thanks for the update, but I did a git pull in the ModSecurity source directory, recompiled it, and using the new library from the master branch uploading still doesn't work, as in the previous posts. Can you please tell me what information you need to help you debug it, or if I skipped something else? If I comment out the rules 200004 and 200002 there is no problem.
Hello, I would like to ask for your help with one big problem that I think is related to case #1767, but I am not completely sure.
First of all, you can review my modsecurity.conf, crs-setup.conf and debug log in the attached files (see the part related to domain SmileWear.eu; the uploaded file is success-is-my-duty.jpg).
debug.log.txt
modsecurity.conf.txt
crs-setup.conf.txt
Nginx version is 1.13 and I use the latest modsecurityv3 master branch and modsecurity-connector.
I use clamdscan to scan files, and the error below and from the logs is generated when I upload files through Wordpress (which invokes the script that uses clamdscan). It worked before but now it blocks everything including regular files, not only hacks:
2018/06/28 10:53:53 [warn] 21000#21000: *83 [client 78.83.112.81] ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/usr/local/nginx/conf/owasp-modsecurity-crs/modsecurity.conf"] [line "12"] [id "200002"] [rev ""] [msg "Failed to parse request body."] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "78.83.112.81"] [uri "/wp-admin/async-upload.php"] [unique_id "153017243331.729360"] [ref "v1229,1"], client: 78.83.112.81, server: smilewear.home-touch.me, request: "POST /wp-admin/async-upload.php HTTP/2.0", host: "smilewear.eu", referrer: "https://smilewear.eu/wp-admin/post-new.php"
So as I read in the previous post which I mentioned, the case is the same, but the fix doesn't work for me. Can you please help me with this issue? Is it a confirmed bug and when will it be fixed? Provide some patch?