Friday, August 2, 2024

MULTIPART_UNMATCHED_BOUNDARY (FIX)

  ﷽


Have you ever encountered the MULTIPART_UNMATCHED_BOUNDARY error in the logs of a web server protected by ModSecurity, and, on inspecting the HTTP(S) transaction, found a 403 response code like the one in the following log sample?

WAF-Error: [file "WAF.c"] [line 275] [level 3] [client 114.122.68.101] WebSec: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/config.conf"] [line "96"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "bpi.rizkymd.com"] [uri "/bp-monitoring/sZrm507/loads/FnUnload/306058"] [unique_id "ZqvyxVCLMKbYfeCLtgKpAwAAABA"]
WAF-Error: [file "WAF.c"] [line 275] [level 3] [client 114.122.68.101] WebSec: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/config.conf"] [line "96"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "bpi.rizkymd.com"] [uri "/bp-monitoring/sZrm507/loads/FnUnload/306058"] [unique_id "ZqvzgKhcE5aknXp-LX5IxwAAAIM"]
WAF-Error: [file "WAF.c"] [line 275] [level 3] [client 192.168.14.80] WebSec: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/config.conf"] [line "96"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "bpi.rizkymd.com"] [uri "/bp-monitoring/sZrm507/loads/UpdVerify/306021"] [unique_id "Zqv13VCLMKbYfeCLtgK2qQAAFBI"]
WAF-Error: [file "WAF.c"] [line 275] [level 3] [client 192.168.14.80] WebSec: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/config.conf"] [line "96"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "bpi.rizkymd.com"] [uri "/bp-monitoring/sZrm507/loads/UpdVerify/306021"] [unique_id "Zqv2OOk1aQTQphAFXT8_EwABTBE"]


If so, you might find the following alternative solutions helpful while debugging your web application, while ensuring that ModSecurity protection continues to operate as expected:

  1. Check your /etc/php.ini and ensure that the value of upload_max_filesize suits your needs and is sufficient to handle the file upload function.

  2. Select only one of the following solutions:

    Option 1: Create an exclusion rule. In my case above, there are 2 (two) URL paths affected: (1) /bp-monitoring/sZrm507/loads/FnUnload/306058 and (2) /bp-monitoring/sZrm507/loads/UpdVerify. So we are going to create exclusion rules in the web server configuration that change the ModSecurity mode every time a matching URL path is found.
    a). Create the config file:
    $ sudo vi /etc/apache2/mods-available/Exclude.conf
    SecRule REQUEST_URI "/bp-monitoring/sZrm507/loads/FnUnload" "phase:1,id:10241000,pass,ctl:ruleEngine=DetectionOnly"
    SecRule REQUEST_URI "/bp-monitoring/sZrm507/loads/UpdVerify" "phase:1,id:10241001,pass,ctl:ruleEngine=DetectionOnly"
    b). Enable the config:
    $ sudo ln -sf /etc/apache2/mods-available/Exclude.conf /etc/apache2/mods-enabled/Exclude.conf
    c). Verify the config (always ensure the result is OK):
    $ sudo apache2ctl configtest
    Syntax OK.
    d). Restart the web server service.

    Option 2: Disable the security rule.
    a). Always back up the config file before making any changes to the configuration:
    $ sudo cp /etc/modsecurity/modsecurity.conf /etc/modsecurity/modsecurity.conf.original
    b). Disable the security rule:
    $ sudo sed -i 's/SecRule MULTIPART_UNM/\#SecRule MULTIPART_UNM/g' /etc/modsecurity/modsecurity.conf
    c). Verify the config (always ensure the result is OK):
    $ sudo apache2ctl configtest
    Syntax OK.
    d). Restart the web server service.
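
Option 1 switches the whole rule engine to DetectionOnly on the matched paths, so every rule stops blocking there, and Option 2 turns rule 200004 off for every URL. A narrower variant that removes only rule 200004 and only on the two affected paths, as an added example that is not part of the original post. It assumes the ModSecurity v2 `ctl:ruleRemoveById` action and `@beginsWith` operator; the rule ids 10241010 and 10241011 are constructed placeholders.

```apache
# /etc/apache2/mods-available/Exclude.conf
# Added example, not the author's configuration.
# Assumption: rule 200004 is the MULTIPART_UNMATCHED_BOUNDARY rule named in
# the log sample ([id "200004"]). Ids 10241010/10241011 are constructed;
# use any ids that are unused in your own rule set.

# Option 1 as written in the post (weak: on these paths no rule blocks at all):
# SecRule REQUEST_URI "/bp-monitoring/sZrm507/loads/FnUnload" \
#     "phase:1,id:10241000,pass,ctl:ruleEngine=DetectionOnly"
# SecRule REQUEST_URI "/bp-monitoring/sZrm507/loads/UpdVerify" \
#     "phase:1,id:10241001,pass,ctl:ruleEngine=DetectionOnly"

# Narrower form: the engine stays in blocking mode and every other rule
# still applies; only rule 200004 is skipped for the current request.
# The exclusion runs in phase 1 so it is in effect before rule 200004
# is evaluated in phase 2 (see "(phase 2)" in the log sample).
# @beginsWith anchors the match at the start of the URI instead of
# matching the path anywhere in it, as the default regex operator would.
SecRule REQUEST_URI "@beginsWith /bp-monitoring/sZrm507/loads/FnUnload/" \
    "id:10241010,phase:1,pass,nolog,ctl:ruleRemoveById=200004"

SecRule REQUEST_URI "@beginsWith /bp-monitoring/sZrm507/loads/UpdVerify/" \
    "id:10241011,phase:1,pass,nolog,ctl:ruleRemoveById=200004"
```

Enable and verify it with the same steps b) to d) from Option 1, then confirm in the log that uploads to the two paths succeed while a test request that trips another rule on the same path is still denied.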

    Alhamdulillah, it's done. Hope it's useful!

    Barakallahu fiikum
    Jazakumullahu khair
