Have you ever encountered the MULTIPART_UNMATCHED_BOUNDARY error in the logs of a web server protected by ModSecurity, and found, when inspecting the HTTP(S) transaction, that it was rejected with error code 403, just like the log sample below?
WAF-Error: [file "WAF.c"] [line 275] [level 3] [client 114.122.68.101] WebSec: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/config.conf"] [line "96"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "bpi.rizkymd.com"] [uri "/bp-monitoring/sZrm507/loads/FnUnload/306058"] [unique_id "ZqvyxVCLMKbYfeCLtgKpAwAAABA"]
WAF-Error: [file "WAF.c"] [line 275] [level 3] [client 114.122.68.101] WebSec: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/config.conf"] [line "96"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "bpi.rizkymd.com"] [uri "/bp-monitoring/sZrm507/loads/FnUnload/306058"] [unique_id "ZqvzgKhcE5aknXp-LX5IxwAAAIM"]
WAF-Error: [file "WAF.c"] [line 275] [level 3] [client 192.168.14.80] WebSec: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/config.conf"] [line "96"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "bpi.rizkymd.com"] [uri "/bp-monitoring/sZrm507/loads/UpdVerify/306021"] [unique_id "Zqv13VCLMKbYfeCLtgK2qQAAFBI"]
WAF-Error: [file "WAF.c"] [line 275] [level 3] [client 192.168.14.80] WebSec: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/config.conf"] [line "96"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "bpi.rizkymd.com"] [uri "/bp-monitoring/sZrm507/loads/UpdVerify/306021"] [unique_id "Zqv2OOk1aQTQphAFXT8_EwABTBE"]
If so, you might find these alternative solutions helpful while debugging your web application, while ensuring that ModSecurity protection continues to operate as expected:
- Check your /etc/php.ini and ensure the value of upload_max_filesize suits your needs and is sufficient to handle the file upload function.
- Select only one of the following solutions:
Option 1: Create an exclusion rule. In my case above, two URL paths are affected: (1) /bp-monitoring/sZrm507/loads/FnUnload/306058 and (2) /bp-monitoring/sZrm507/loads/UpdVerify, so what we are going to do is create exclusion rules in the web server configuration that switch ModSecurity to DetectionOnly mode every time a matching URL path is found.
a). Create the config file: $ sudo vi /etc/apache2/mods-available/Exclude.conf
SecRule REQUEST_URI "/bp-monitoring/sZrm507/loads/FnUnload" "phase:1,id:10241000,pass,ctl:ruleEngine=DetectionOnly"
SecRule REQUEST_URI "/bp-monitoring/sZrm507/loads/UpdVerify" "phase:1,id:10241001,pass,ctl:ruleEngine=DetectionOnly"
b). Enable the config: $ sudo ln -sf /etc/apache2/mods-available/Exclude.conf /etc/apache2/mods-enabled/Exclude.conf
c). Verify the config (always ensure the result is OK): $ sudo apache2ctl configtest
Syntax OK.
d). Restart the web server service.
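A narrower variant of Option 1, as an added example that is not part of the original post: instead of switching the whole engine to DetectionOnly on the affected paths, it removes only rule 200004 (the id shown in the log above) for those requests, so every other rule keeps blocking there. It assumes the file replaces the contents of Exclude.conf and reuses the post's rule ids and paths; `@beginsWith` and `ctl:ruleRemoveById` are standard ModSecurity features.

```apache
# Added example, not the original author's configuration.
# Paths and ids 10241000/10241001 come from Option 1; 200004 comes from the log sample.

# Option 1 as posted: the engine stops blocking entirely on these paths,
# and the default (unanchored) regex match also hits any URI that merely
# contains the string.
# SecRule REQUEST_URI "/bp-monitoring/sZrm507/loads/FnUnload" "phase:1,id:10241000,pass,ctl:ruleEngine=DetectionOnly"
# SecRule REQUEST_URI "/bp-monitoring/sZrm507/loads/UpdVerify" "phase:1,id:10241001,pass,ctl:ruleEngine=DetectionOnly"

# Narrower form: match only URIs that start with the affected path and
# drop just rule 200004 for that transaction. The exclusion runs in phase 1,
# before rule 200004 is evaluated in phase 2.
SecRule REQUEST_URI "@beginsWith /bp-monitoring/sZrm507/loads/FnUnload" \
    "phase:1,id:10241000,t:none,pass,nolog,ctl:ruleRemoveById=200004"

SecRule REQUEST_URI "@beginsWith /bp-monitoring/sZrm507/loads/UpdVerify" \
    "phase:1,id:10241001,t:none,pass,nolog,ctl:ruleRemoveById=200004"
```

Enable and verify it with the same steps b) to d) as above.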
Option 2: Disable the security rule in the main ModSecurity configuration.
a). Always back up the config file before making any changes to the configuration: $ sudo cp /etc/modsecurity/modsecurity.conf /etc/modsecurity/modsecurity.conf.original
b). Disable the security rule: $ sudo sed -i 's/SecRule MULTIPART_UNM/\#SecRule MULTIPART_UNM/g' /etc/modsecurity/modsecurity.conf
c). Verify the config (always ensure the result is OK): $ sudo apache2ctl configtest
Syntax OK.
d). Restart the web server service.
Alhamdulillah, it's done. Hope it's useful!
Barakallahu fiikum
Jazakumullahu khair