issue with MULTIPART_UNMATCHED_BOUNDARY [id "200003"] v2.9.2 #1804

Closed
Daijobou opened this issue Jun 15, 2018 · 6 comments

Daijobou commented Jun 15, 2018

I get this error when uploading an image:

[:error] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "34"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "www.example.com"] [uri "/myupload"] [unique_id "W...w"], referer: https://www.example.com/myupload
[http:error] AH01579: Invalid response status 44, referer: https://www.example.com/myupload

like #652

I upload simply with
<form action="myupload" method="post" accept-charset="utf-8" enctype="multipart/form-data"><input type="file" name="image"><button type="submit" name="submit">Upload</button></form>

one of many many many image-files with this error "--"

[Screenshot: 2018-06-15_18_26_19-greenshot]

I use modsecurity2.9.2-1.el7 and it's set to "off". So why does it catch this issue?

System: CentOS Linux 7.5.1804 (Core) with Product Plesk Onyx Version 17.5.3

/etc/httpd/conf.d/mod_security.conf

# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
@Daijobou Daijobou changed the title issue with MULTIPART_UNMATCHED_BOUNDARY [id "200003"] issue with MULTIPART_UNMATCHED_BOUNDARY [id "200003"] v2.9.2 Jun 16, 2018
@zimmerle zimmerle self-assigned this Jun 18, 2018
@zimmerle zimmerle added the 2.x Related to ModSecurity version 2.x label Jun 18, 2018
@zimmerle
Contributor

Related to #1747

@victorhora
Contributor

@Daijobou this should not be an issue with libModSecurity (aka v3.0). 7def498 Please consider upgrading.

I'm going to close this one. If you believe this is still an issue please let us know and we can reopen it. Thanks.

@MohsenNa

Hi,
I get this error when uploading a file of 48M size:
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Eq' with parameter 0' against variable MULTIPART_UNMATCHED_BOUNDARY' (Value: 1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "60"]

and by commenting out the rule I can upload:
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

@airween
Member

airween commented Sep 29, 2018

Hi MohsenNa,

do you have ModSecurity 2.9? If yes, please review all of this thread, especially this comment.

If you have 3.0 branch, please upgrade to the current master branch, and see the solution:

https://github.com/SpiderLabs/ModSecurity/blob/bc3d3f19154793e23568103b931a15168b34d768/modsecurity.conf-recommended#L77-L120

Anyway, the size of the uploaded content does not affect this issue, but if you have any boundary-like line in the content, then it does.
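
To check a captured upload for the condition airween describes above (a boundary-like line in the content, regardless of size), the following added example scans a multipart body for lines that start with `--` but are not the declared delimiter. It is not code from ModSecurity or from anyone in this thread: it only approximates the parser's check, and the function names, boundary value and sample request are constructed for illustration.

```python
import re

def declared_boundary(content_type: str) -> bytes:
    """Extract the boundary parameter from a multipart Content-Type header."""
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type, re.I)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    return (m.group(1) or m.group(2)).encode("latin-1")

def boundary_like_lines(body: bytes, boundary: bytes):
    """List (line_number, line) for lines that begin with '--' but are neither
    the part delimiter nor the closing delimiter. Assumption: this approximates
    the condition behind MULTIPART_UNMATCHED_BOUNDARY; it is not the real parser."""
    delim = b"--" + boundary
    hits = []
    for n, raw in enumerate(body.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if line.startswith(b"--") and line not in (delim, delim + b"--"):
            hits.append((n, line))
    return hits

# Constructed sample upload (not taken from the issue): the file part contains
# one line of binary data that happens to start with two dashes.
CONTENT_TYPE = "multipart/form-data; boundary=----ExampleBoundary7MA4"
STRAY = b"--\x00\x17 image bytes\r\n"
BODY = (
    b"------ExampleBoundary7MA4\r\n"
    b'Content-Disposition: form-data; name="image"; filename="a.png"\r\n'
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"\x89PNG first chunk of data\n"
    + STRAY +
    b"rest of the file\r\n"
    b"------ExampleBoundary7MA4\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n'
    b"\r\n"
    b"\r\n"
    b"------ExampleBoundary7MA4--\r\n"
)

if __name__ == "__main__":
    for n, line in boundary_like_lines(BODY, declared_boundary(CONTENT_TYPE)):
        print(f"line {n}: {line[:40]!r} starts with '--' but is not the boundary")
```

An empty result for a request that was still denied by rule 200003 means the cause lies outside this approximation, and the debug log is the next place to look.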

@MohsenNa

yes my version is 3.0
very very thanks
my problem is solved

@dwreski

dwreski commented Feb 9, 2019

Can someone tell me if this issue is related to this error? This is on fedora28 with mod_security-2.9.2-5.fc28.x86_64

[Fri Feb 08 22:06:50.144344 2019] [:error] [pid 11255:tid 140146947102464] [client 151.106.0.210:54982] [client 151.106.0.210] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "35"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "linuxsecurity.com"] [uri "/index.php"] [unique_id "XF5Dyf3kxTYC2M5TGQgxsAAAANU"], referer: https://linuxsecurity.com/index.php?option=com_content&task=new&sectionid=9&itemid=0
