False Positive Seafile (Nextcloud alternative) Upload File #2108
Comments
Hi @Schroeffu, first, thanks for your report. A quick response to your issues:
This is a known issue in mod_security, and there is an unapplied fix. This is not a CRS issue.
Looks like the problem is the existence of the header with the name
You can extend the list of allowed methods in this rule, your
Hi @airween, sorry, I didn't have the time yet; will come back here ASAP with an update.
Hi @airween, today I was getting confused because I couldn't reproduce the #Upload failed Part #2 issue, so here is the header log from 10 days ago, when the issue initially happened:
Does this help in any way?
Just got another FP: the upload via the Seafile desktop app seems not to add any Content-Type (I guess because Seafile is running on block storage technology).
Disarmed via:
Hi @Schroeffu, thanks for the details. If I'm right, for your first comment today you don't need any help. For the second issue: it looks like you handle the issues perfectly, but let me clear up the situation above. The first line shows rule 920340, which does not have any disruptive action (disruptive actions, which make any intervention, e.g.
The problem is that the configured limit for the request body is smaller than your request. Just see the log:
is greater than your config (131072, which is the default). Please increase this value if your clients send requests of this size. You can do this in the
Btw, I'm not sure your workaround (put the
Thank you for all the explanations, I think I got why to increase SecRequestBodyNoFilesLimit in this case, as you explained. I think we can close this issue. Currently my Seafile is working as expected with all the adjustments discussed here :-) Thanks again!
Hello, I faced the same problem, but increasing SecRequestBodyNoFilesLimit to 134217728 bytes did not help. SecRequestBodyLimit is set to the default value. (I want to say right away that I do not communicate well in English; I apologize if there are a lot of errors in the text.) nginx version: nginx/1.21.4
Hi @deniskonovalov64! No need to apologize; if we don't understand, we will ask again :) First, there is a lot of information disclosure in the log you pasted here. Can you clean it of names at least? Also, there should be more information about additional rules matching. Can you provide those in a new issue?
Hello @fzipi, thanks for answering my question. Let me clarify a little what you mean when talking about a large amount of disclosed information: DNS, hostname, internal IP addresses. Did I understand you correctly?
@deniskonovalov64 Please provide the following if possible:
ATTENTION: When submitting logs, please remove all personal information like IP addresses, hostnames, passwords, etc.
Got it, thanks @fzipi
Description
Seafile is an open source alternative to Nextcloud (and way more stable(!) + blazing fast ;)), written in Python/Django. CRS 3.3.0 is hitting false positives when uploading a file bigger than 3-5 MB and also when trying to delete files.
I did resolve the issue by:
(updated as mentioned, putting DELETE in SecAction id 900200 rule)
Audit Logs / Triggered Rule Numbers
#Upload failed Part #1
[Fri May 28 23:44:30.835631 2021] [:error] [pid 1815521:tid 140292159448832] [client 31.18.248.40:55955] [client 31.18.248.40] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/modsecurity/modsecurity.conf"] [line "88"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "seafile.schroeffu.ch"] [uri "/seafhttp/upload-aj/2b27f7d1-3d83-48c7-80f6-ca3d004b3660"] [unique_id "YLFkO4GabnaHgvL-PBPj6QAAABM"], referer: https://seafile.schroeffu.ch/library/4551f3c5-bf6c-4720-b77a-7acbff5719ea/Dateien/
#Upload failed Part #2
[Fri May 28 23:54:15.343412 2021] [:error] [pid 1819770:tid 139823242995456] [client 31.18.248.40:10700] [client 31.18.248.40] ModSecurity: Warning. String match within "/proxy/ /lock-token/ /content-range/ /if/" at TX:header_name_content-range. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1106"] [id "920450"] [msg "HTTP header is restricted by policy (/content-range/)"] [data "Restricted header detected: /content-range/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"] [hostname "seafile.schroeffu.ch"] [uri "/seafhttp/upload-aj/8edf184d-22e8-46a5-9ecc-5fd90f132cd8"] [unique_id "YLFmg5iURb3zH47gxybUpAAAABM"], referer: https://seafile.schroeffu.ch/library/4551f3c5-bf6c-4720-b77a-7acbff5719ea/Dateien/
[Fri May 28 23:54:15.352826 2021] [:error] [pid 1819770:tid 139823242995456] [client 31.18.248.40:10700] [client 31.18.248.40] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "seafile.schroeffu.ch"] [uri "/seafhttp/upload-aj/8edf184d-22e8-46a5-9ecc-5fd90f132cd8"] [unique_id "YLFmg5iURb3zH47gxybUpAAAABM"], referer: https://seafile.schroeffu.ch/library/4551f3c5-bf6c-4720-b77a-7acbff5719ea/Dateien/
[Fri May 28 23:54:15.353621 2021] [:error] [pid 1819770:tid 139822979012352] [client 31.18.248.40:10700] [client 31.18.248.40] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [hostname "seafile.schroeffu.ch"] [uri "/seafhttp/upload-aj/8edf184d-22e8-46a5-9ecc-5fd90f132cd8"] [unique_id "YLFmg5iURb3zH47gxybUpAAAABM"], referer: https://seafile.schroeffu.ch/library/4551f3c5-bf6c-4720-b77a-7acbff5719ea/Dateien/
#Delete Files in WebUI/Android App
[Sat May 29 00:13:26.059649 2021] [:error] [pid 1830496:tid 140706484025088] [client 31.18.248.40:10652] [client 31.18.248.40] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "seafile.schroeffu.ch"] [uri "/api2/repos/4551f3c5-bf6c-4720-b77a-7acbff5719ea/file/"] [unique_id "YLFrBpl@0qltoPED9FBt@QAAAA0"]
Your Environment
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
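Pulling together the adjustments discussed in this thread (raising SecRequestBodyNoFilesLimit, adding DELETE to the allowed methods in rule 900200, and dealing with the Content-Range hit from rule 920450), here is an added example of what those changes look like for the Apache/ModSecurity v2 + CRS 3.3 setup the logs above come from. It is not the issue author's own configuration, which is not reproduced on this page; the local rule ID 1000, the /seafhttp/upload-aj/ path prefix and the 13107200-byte value are assumptions chosen for illustration. It deliberately does not touch rule 200004 (the MULTIPART_UNMATCHED_BOUNDARY denial from "Upload failed Part #1"), which @airween attributes to a ModSecurity bug rather than to CRS.

```apache
# ---- /etc/modsecurity/modsecurity.conf ---------------------------------
# "Upload failed Part #2": the request body, which carries no file parts as
# far as ModSecurity is concerned, was larger than SecRequestBodyNoFilesLimit.
# The shipped default is 131072 bytes (128 KiB), far below a 3-5 MB upload.
# Comments must sit on their own lines: Apache does not allow trailing
# "# ..." after a directive's arguments.
SecRequestBodyAccess On

# Shipped default (~12.5 MiB), left unchanged.
SecRequestBodyLimit 13107200

# Shipped default, too small for Seafile's block uploads:
# SecRequestBodyNoFilesLimit 131072
# Assumption: set it to the largest body your Seafile clients actually send.
SecRequestBodyNoFilesLimit 13107200

# Keep rejecting bodies above the limits instead of silently passing them.
SecRequestBodyLimitAction Reject

# ---- /etc/modsecurity/crs/crs-setup.conf -------------------------------
# "#Delete Files in WebUI/Android App": rule 911100 scores DELETE because it
# is not in tx.allowed_methods (CRS 3.3 default: GET HEAD POST OPTIONS).
# This is the 900200 change the issue author describes.
SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS DELETE'"

# ---- /etc/modsecurity/crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# Rule 920450 (phase 1) scored the Content-Range header on /seafhttp/upload-aj/
# because /content-range/ is in tx.restricted_headers (set by rule 900250).
# Instead of deleting it from the global list, switch 920450 off only for the
# Seafile upload path. Rule ID 1000 is an assumption; local rules must use
# IDs in the 1-99999 range reserved for them, and this file is loaded after
# crs-setup.conf and before the rule files, so a phase-1 ctl action here takes
# effect before 920450 runs.
SecRule REQUEST_URI "@beginsWith /seafhttp/upload-aj/" \
 "id:1000,\
  phase:1,\
  pass,\
  nolog,\
  ctl:ruleRemoveById=920450"
```

After editing, validate with `apachectl configtest` and reload Apache. Two practical caveats: raising SecRequestBodyNoFilesLimit means ModSecurity buffers bodies up to that size for every matching request (in memory up to SecRequestBodyInMemoryLimit, then on disk), so size it to the uploads you expect rather than setting it arbitrarily high; and the scoped exclusion keeps Content-Range restricted everywhere except the one path that legitimately uses it, whereas removing /content-range/ from 900250 would lift that check for the whole site. The nginx-based setup mentioned later in the thread runs a different ModSecurity version, so check its documentation before copying these directives there.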