images uploaded blocked by modsecurity #82

Closed
quenenni opened this issue Aug 24, 2015 · 2 comments
Comments

@quenenni

Hello,

I'm managing a server and noticed that uploads are blocked by our modsecurity firewall (popular and excellent software).

Here is the error:

--f1d2a17b-B--
POST /engine/upload.php?section=untitled55db2db2974ed&entry=2&mediafolder=untitled55db2db2974ed2&session_id=8670jno2603gqir0fuhh75f2o6 HTTP/1.1
Host: www.xxxx.net
User-Agent: Adobe Flash Player 18
Content-Length: 254489
x-flash-version: 18,0,0,232
Accept-Types: text/*
Content-Type: multipart/form-data; boundary=----------gL6ae0cH2ei4Ij5GI3cH2GI3Ij5gL6
Connection: close

--f1d2a17b-F--
HTTP/1.1 412 Precondition Failed
Last-Modified: Thu, 11 Dec 2014 20:23:20 GMT
Accept-Ranges: bytes
Content-Length: 1431
Vary: Accept-Encoding,User-Agent
Cache-Control: public
Connection: close
Content-Type: text/html

--f1d2a17b-H--
Message: Access denied with code 412 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1440429466827192 6000622 (- - -)
Stopwatch2: 1440429466827192 6000622; combined=33958, p1=1092, p2=32740, p3=0, p4=0, p5=126, sr=84, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache/2.2.22 (Debian)

Could you check your upload procedure in order to have it make correct requests?
It's not for my website.
I'm helping you and the Berta users to be able to use your software without problems, as it looks nice.
I won't remove rules in my modsecurity, as it would be bad for our global security.

Good luck

@quenenni quenenni changed the title images upload blocked by modsecurity images uploaded blocked by modsecurity Aug 24, 2015
@uldisrudzitis
Collaborator

Disable protection in the /engine directory by adding a .htaccess file with the following configuration:

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>
# ModSecurity 2.x (the log above shows 2.6.6) loads as mod_security2.c and renamed these directives:
<IfModule mod_security2.c>
  SecRuleEngine Off
  SecRequestBodyAccess Off
</IfModule>

The /engine part is accessible after authorisation, so it should be safe.

@quenenni
Author

Thanks for your quick answer.
I don't think deactivating modsecurity completely on a folder, even if it's a folder accessed after authentication, is a good idea (very bad from my point of view).

I added a rule more specific to this problem and will see whether any other problems appear.
I put it here in case someone else is in the same situation:

# Chained exception: all three rules must match (tx.score reaches 3) before 960015 is
# removed for this transaction. id: is required from ModSecurity 2.7 on; 1000001 is a
# placeholder, pick an id from your local range.
SecRule REQUEST_HEADERS:Host "^(www\.)?xxxx\.net$" "id:1000001,phase:1,t:none,nolog,chain,pass,setvar:tx.score=1"
  SecRule REQUEST_METHOD "^POST$" "t:none,chain,setvar:tx.score=+1"
  SecRule REQUEST_FILENAME "engine/upload.php" "t:none,chain,setvar:tx.score=+1"
  SecRule TX:SCORE "@eq 3" "ctl:ruleRemoveById=960015"

I wish you the best with your CMS. It looks very nice.
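The following is an added example, not code from the issue or from the Berta project. It parses the serial-format ModSecurity audit entry quoted in the first post (the -B-, -F- and -H- sections) into a request record, extracts the rule id from the trailer, and then models the reporter's chained exception from the last comment, so you can see why the upload request matches 960015 (the Flash client sends `Accept-Types`, which is not an `Accept` header) and why the exception only lifts that rule for POSTs to `engine/upload.php` on the named host. The sample entry is a trimmed copy of the one in the issue with the reporter's `xxxx.net` placeholder kept, and `rule_960015_matches` is an approximation of the CRS 2.2.x rule (no Accept header at all and method other than OPTIONS), not the rule text itself; all function names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: trimmed copy of the audit entry quoted in the issue (hostname placeholder kept).
SAMPLE_AUDIT_ENTRY = """\
--f1d2a17b-B--
POST /engine/upload.php?section=untitled55db2db2974ed&entry=2 HTTP/1.1
Host: www.xxxx.net
User-Agent: Adobe Flash Player 18
Accept-Types: text/*
Content-Type: multipart/form-data; boundary=----------gL6ae0cH2ei4Ij5GI3cH2GI3Ij5gL6
Connection: close

--f1d2a17b-F--
HTTP/1.1 412 Precondition Failed
Content-Type: text/html

--f1d2a17b-H--
Message: Access denied with code 412 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"]
Action: Intercepted (phase 2)
"""

SECTION_RE = re.compile(r"^--[0-9a-f]+-([A-Z])--$")   # "--<txid>-<letter>--" section markers
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
HOST_RE = re.compile(r"^(www\.)?xxxx\.net$")           # same host pattern as the reporter's rule


def parse_audit_entry(text: str) -> Dict[str, List[str]]:
    """Split a serial-format audit entry into its lettered sections (B = request headers, H = trailer)."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def make_request(method: str, target: str, headers: Dict[str, str]) -> dict:
    """Request record used by the checks below; header names are lower-cased, query string dropped."""
    return {"method": method, "path": target.split("?", 1)[0],
            "headers": {k.lower(): v for k, v in headers.items()}}


def parse_request(section_b: List[str]) -> dict:
    """Turn the -B- section (request line followed by headers) into a request record."""
    method, target, _version = section_b[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in section_b[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return make_request(method, target, headers)


def blocked_rule_ids(section_h: List[str]) -> List[str]:
    """Rule ids named in the -H- trailer's Message lines."""
    return [rid for line in section_h for rid in RULE_ID_RE.findall(line)]


def rule_960015_matches(req: dict) -> bool:
    """Approximation (assumption) of CRS 2.2.x rule 960015: no Accept header and method is not OPTIONS.
    "Operator EQ matched 0 at REQUEST_HEADERS" in the log is the &REQUEST_HEADERS:Accept count test."""
    return "accept" not in req["headers"] and req["method"] != "OPTIONS"


def exception_applies(req: dict) -> bool:
    """Model of the reporter's chain: a chain stops at the first non-matching rule, so tx.score
    only reaches 3 (and ctl:ruleRemoveById=960015 only runs) when host, method and filename all match."""
    checks = [HOST_RE.search(req["headers"].get("host", "")) is not None,
              req["method"] == "POST",
              "engine/upload.php" in req["path"]]
    score = 0
    for ok in checks:
        if not ok:
            return False
        score += 1
    return score == 3


def would_be_blocked(req: dict) -> bool:
    """Outcome of 960015 with the targeted exception in place."""
    return rule_960015_matches(req) and not exception_applies(req)


if __name__ == "__main__":
    entry = parse_audit_entry(SAMPLE_AUDIT_ENTRY)
    upload = parse_request(entry["B"])
    print("rule ids in trailer:", blocked_rule_ids(entry["H"]))
    print("upload flagged by 960015:", rule_960015_matches(upload))
    print("upload blocked with exception:", would_be_blocked(upload))
    # Constructed counterexample: a request elsewhere on the site without Accept is still blocked.
    other = make_request("GET", "/index.php", {"Host": "www.xxxx.net", "User-Agent": "x"})
    print("other request still blocked:", would_be_blocked(other))
```

Run it as a script to see the three decisions; the point of the scoring model is that the exception is scoped to one host, one method and one script, which is what makes it narrower than switching the engine off for the whole /engine directory.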
