MULTIPART_STRICT_ERROR False Positive

[osamamaruf]

The following content type header is blocked by Modsecurity:

Content-Type: multipart/form-data; boundary="----=_Part_0_1679309349.1580725603211"

The boundary should be allowed to have quotes.

Logs and dumps
MULTIPART_BOUNDARY_QUOTED
MULTIPART_DATA_BEFORE

The above rule have been triggered from 200003.

2020/02/03 10:26:43 [warn] 49#49: *2962 [client XX.XX.XXX.XX] ModSecurity: Access denied with code 400 (phase 2). Matched "Operator Eq' with parameter 0' against variable MULTIPART_STRICT_ERROR' (Value: 1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "61"] [id "200003"] [rev ""] [msg "Multipart request body failed strict validation: \x0aPE 0, \x0aBQ 1, \x0aBW 0, \x0aDB 1, \x0aDA 0, \x0aHF 0, \x0aLF 0, \x0aSM 0, \x0aIQ 0, \x0aIP 0, \x0aIH 0, \x0aFL "] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "XX.XX.XXX.XX"] [uri "/api/my-test"] [unique_id "158072560325.818190"] [ref "v660,1"], client: XX.XX.XXX.XX, server: api-server.com, request: "POST /api/my-test?hello HTTP/1.1", host: "api-server.com"

Expected behavior

The request should not have been blocked.

Server (please complete the following information):

• Web Server and version (Nginx 1.15.9)

Rule Set (please complete the following information):

• CRS version (v3.0.0)
• ModSecurity version (3.0.2)

[airween]

Hi @osamamaruf,

you wrote:

• ModSecurity version (3.0.2)

which was released on Apr 3 2018, but this bug was fixed in 3.0.3, so the upgrade is very welcome :).

Note, that 3.0.4 is still out there.

EDIT: sorry, I didn't realize the quote and data before problems. That fix solved another problems.

[airween]

Buy the way, after a quick review, the 3.0.4 allows the quoted boundary (especially what you gave above). Could you show the full request (without sensitive data)?

[martinhsv]

Hi @osamamaruf ,

Some of the individual conditions checked within MULTIPART_STRICT_ERROR are perfectly RFC-compliant, but are (or at least were historically) unusual, and therefore possibly suspicious.

And you are correct that entirely valid requests with a Content-Type boundary directive could have its value specified within quotes.

You have a couple of options:

• modify your rule that checks MULTIPART_STRICT_ERROR to not result in a blocking action (i.e. detection only)
• maintain blocking, but instead of using MULTIPART_STRICT_ERROR, check each of the individual variables (e.g. MULTIPART_INVALID_PART) except for the one(s) that are causing well-understood false-positives

[osamamaruf]

@airween Thank you for the prompt response. We will upgrade. One question though the request also had hit this rule MULTIPART_DATA_BEFORE I was not able to find documentation explaining what is does. The MULTIPART_BOUNDARY_QUOTED was pretty straight forward. Also here is the request;

---RMgUrPpr---A--
[03/Feb/2020:10:26:43 +0000] 158072560325.818190 XX.XX.XXX.XX XXXX XX.XX.XXX.XX 443
---RMgUrPpr---B--
POST /api/my-test?hello HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: multipart/form-data; boundary="----=_Part_0_1679309349.1580725603211"
MIME-Version: 1.0
Authorization: Bearer sdfasdfadfdfsfafa
Host: api-server.com
Content-Length: 7155
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_181)

---RMgUrPpr---C--

------=_Part_0_1679309349.1580725603211
Content-Type: text/xml; charset=Cp1252; name=hello001-hello-valid.xml
Content-Transfer-Encoding: binary
Content-Disposition: form-data; name="my-file"; filename="hello001-hello-valid.xml"

<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:34234.001.001.03" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">                   
        <OuterNode>                                                                                            
        <AnotherHdr>                                                                                                      
                <ABC>xxxxxx</ABC>                                                                                
                <DEF>XXXX-05-02T14:52:09</DEF>                                                               
                <GHI>1</GHI>                                                                                 
                <KLM>YYY.XX</KLM>                                                                              
                <NOP>                                                                                            
                        <QRS>XXXXX</QRS>                                                               
                </NOP>                                                                                           
        </AnotherHdr>
        <TUV>                                                                                                      
                <TUVId>XXXX</TUVId>
		<XYZ>TRF</XYZ>                                                                                 
                <GHI>1</GHI>                                                                                 
                <KLM>YYY.XX</KLM>                                                                              
                <ABCDF>                                                                                            
                    <ABCDFEG> <Cd>YYYY</Cd> </ABCDFEG>
                </ABCDF>                                                                                           
                <XYTR>UUUU-05-02</XYTR>                                                                
                <IJUY>                                                                                                
                        <QRS>UUUUUU</QRS>                                                               
                </IJUY>                                                                                               
                <IJUYSDFDSFSFSF>                                                                                            
                    <Id>                                                                                              
                        <TESTT>546456FGHH</TESTT>                                                              
                    </Id>                                                                                             
                </IJUYSDFDSFSFSF>                                                                                           
                <IJUYAgt>                                                                                             
                    <TERE>                                                                                      
                        <UIII>56546DFGHDFG</UIII>                                                                          
                    </TERE>                                                                                     
                </IJUYAgt>      
                <CHG>45345345</CHG>                                                                            
                <FDDFDF>                                                                                         
                    <DFDDF>                                                                                           
                        <FDFSDDFDFD>3453454353FGFDG</FDFSDDFDFD>                                                       
                    </DFDDF>                                                                                                                                                                                
                    <YYUYTT>                                                                                             
                        <InstdYYUYTT SDF="32324SDF">TTTT.SF</InstdYYUYTT>                                                          
                    </YYUYTT>                                                                                            
                    <GDSDFSD>                                                                                         
                        <TERE>                                                                                  
                            <UIII>SFDFS</UIII>                                                                      
                        </TERE>                                                                                 
                    </GDSDFSD>                                                                                        
                    <TRREE>                                                                                            
                        <SDFSF>SFSDF</SDFSF>                                                                     
                    </TRREE>                                                                                           
                    <TRREESDFDSFSFSF>                                                                                        
                        <YUIYUIYIU>                                                                                          
                            <TESTT>SDFDF</TESTT>                                                          
                        </YUIYUIYIU>                                                                                         
                    </TRREESDFDSFSFSF>                                                                                       
                    <SDFADFSD>                                                                                          
                        <SDFDFDFDSFS>23434. SDFDFF.3R243</SDFDFDFDSFS>                                                                 
                    </SDFADFSD>                                                                                         
                </FDDFDF>
	</TUV>                                                                                        
        </OuterNode>                                                                                           
</Document>  
------=_Part_0_1679309349.1580725603211--


---RMgUrPpr---F--
HTTP/1.1 400
x-frame-options: sameorigin
referrer-policy: same-origin
x-xss-protection: 1; mode=block
Connection: close
x-content-type-options: nosniff
Content-Type: text/html
x-application-context: 
Content-Length: 150
Date: Mon, 03 Feb 2020 10:26:43 GMT
Server: 
Server: 
content-security-policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com data:; object-src 'none'; connect-src 'self'; img-src 'self' data:; font-src https://fonts.gstatic.com 'self' data:; style-src 'self' https://www.gstatic.com https://fonts.googleapis.com 'unsafe-inline'; frame-src 'self'; manifest-src 'self';
Pragma: 
Strict-Transport-Security: max-age=315360000; includeSubDomains

---RMgUrPpr---H--
ModSecurity: Access denied with code 400 (phase 2). Matched "Operator `Eq' with parameter `0' against variable `MULTIPART_STRICT_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "61"] [id "200003"] [rev ""] [msg "Multipart request body failed strict validation: \\x0aPE 0, \\x0aBQ 1, \\x0aBW 0, \\x0aDB 1, \\x0aDA 0, \\x0aHF 0, \\x0aLF 0, \\x0aSM 0, \\x0aIQ 0, \\x0aIP 0, \\x0aIH 0, \\x0aFL "] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "XX.XX.XXX.XX"] [uri "/api/my-test"] [unique_id "158072560325.818190"] [ref "v660,1"]

[airween]

Hi @osamamaruf,

thanks - is there an empty line between the two lines above?

---RMgUrPpr---C--

------=_Part_0_1679309349.1580725603211

If yes, that's the "data before".

For the "boudary quoted": if it's quoted, looks like a flag had been set to true, and log shows:

Warning: boundary was quoted.

also if the data before boundary, I got a message:

Warning: seen data before first boundary.

And looks like the MULTIPART_STRICT_ERROR set to TRUE if any of these flags are set. Also check the reference.

After a quick search, I can't decide that the quoted boundary error is valid or not. If you look at the variable name, which is "strict", then I assume it is (I mean it's valid).

Also if you take a look to the RFC, the examples are very ambiguous: they are several example with extra data before boundary. May be that's not a strict error, but see my opinion above in case DB.

If you think just disable this rule, and make some others for other multipart errors.