Rule MULTIPART_UNMATCHED_BOUNDARY, id:'200003' fails on valid multipart/form-data submission #652

Closed
@temyers

Description

The MULTIPART_UNMATCHED_BOUNDARY rule fires, denying the request if the multipart/form-data includes "--" at the beginning of a line. If there is anything else at the start of the line (e.g. " --") then the rule does not trigger.

This issue was identified against a Liferay 6.2 installation fronted by apache+modsecurity, submitting a freemarker code snippet.

A sample curl command:

curl 'https://localhost/group/control_panel/manage?p_auth=MWq0gmZw&p_p_id=166&p_p_lifecycle=1&p_p_state=pop_up&p_p_mode=view&doAsGroupId=10328&refererPlid=10331&controlPanelCategory=current_site.content&_166_refererPortletName=15&_166_refererWebDAVToken=journal&_166_scopeTitle=Templates&_166_struts_action=%2Fdynamic_data_mapping%2Fedit_template' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: JSESSIONID=E10AB37213FD6D61DE10A72AB8FF1A3A; LFR_SESSION_STATE_10345=1390888801890' -H 'DNT: 1' -H 'Host: localhost' -H 'Referer: https://localhost/group/control_panel/manage?p_p_id=166&p_p_lifecycle=0&p_p_state=pop_up&doAsGroupId=10328&refererPlid=10331&controlPanelCategory=current_site.content&_166_refererPortletName=15&_166_refererWebDAVToken=journal&_166_scopeTitle=Templates&_166_cmd=update&_166_struts_action=%2Fdynamic_data_mapping%2Fedit_template&_166_redirect=https%3A%2F%2Flocalhost%2Fgroup%2Fcontrol_panel%2Fmanage%3Fp_p_id%3D166%26p_p_lifecycle%3D0%26p_p_state%3Dpop_up%26p_p_mode%3Dview%26doAsGroupId%3D10328%26refererPlid%3D10331%26controlPanelCategory%3Dcurrent_site.content%26_166_refererPortletName%3D15%26_166_refererWebDAVToken%3Djournal%26_166_scopeTitle%3DTemplates%26_166_groupId%3D10328%26_166_showHeader%3D0%26_166_classNameId%3D10102%26_166_eventName%3DselectStructure%26_166_struts_action%3D%252Fdynamic_data_mapping%252Fview_template&_166_templateId=10850&_166_groupId=10328&_166_classNameId=10102&_166_classPK=0&_166_type=display&_166_structureAvailableFields=' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0' -H 'Content-Type: multipart/form-data; boundary=---------------------------1835282785777842564651277339' --data-binary $'Content-Type: multipart/form-data; boundary=---------------------------1835282785777842564651277339\r\nContent-Length: 3492\r\n\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_formDate"\r\n\r\n1390888796288\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_cmd"\r\n\r\nupdate\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_redirect"\r\n\r\nhttps://localhost/group/control_panel/manage?p_p_id=166&p_p_lifecycle=0&p_p_state=pop_up&p_p_mode=view&doAsGroupId=10328&refererPlid=10331&controlPanelCategory=current_site.content&_166_refererPortletName=15&_166_refererWebDAVToken=journal&_166_scopeTitle=Templates&_166_groupId=10328&_166_showHeader=0&_166_classNameId=10102&_166_eventName=selectStructure&_166_struts_action=%2Fdynamic_data_mapping%2Fview_template\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_closeRedirect"\r\n\r\n\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_portletResource"\r\n\r\n\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_templateId"\r\n\r\n10850\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_groupId"\r\n\r\n10328\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_classNameId"\r\n\r\n10102\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_classPK"\r\n\r\n0\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_type"\r\n\r\ndisplay\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_structureAvailableFields"\r\n\r\n\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_saveAndContinue"\r\n\r\n1\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_name"\r\n\r\nTest\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_name_en_AU"\r\n\r\nTest\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_language"\r\n\r\nftl\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_description"\r\n\r\n\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_description_en_AU"\r\n\r\n\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_smallImage"\r\n\r\nfalse\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_type"\r\n\r\nfalse\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_smallImageFile"; filename=""\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_scriptContent"\r\n\r\n<#--\r\nDisplay templates are used to lay out the fields defined in a data\r\ndefinition.\r\n\r\nPlease use the left panel to quickly add commonly used variables.\r\nAutocomplete is also available and can be invoked by typing "${".\r\n-->\r\n-----------------------------1835282785777842564651277339\r\nContent-Disposition: form-data; name="_166_script"; filename=""\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------1835282785777842564651277339--\r\n'

Environment:

$ yum list installed | grep httpd
httpd.x86_64                     2.4.6-2.fc18       @updates
httpd-tools.x86_64               2.4.6-2.fc18       @updates
libmicrohttpd.x86_64             0.9.22-1.fc18      @koji-override-0/$releasever
$ yum list installed | grep mod_
mod_security.x86_64              2.7.3-2.fc18       @updates
mod_ssl.x86_64                   1:2.4.6-2.fc18     @updates

The form submission is valid, making this an obvious false positive. The workaround is to disable the rule. However, it would be better if this was catered for and didn't trigger the rule in the first place.
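An added illustration of the false positive described in this report (my own code, not ModSecurity's and not from the issue): the constructed body below uses the boundary from the curl command and a cut-down _166_scriptContent part, `broad_unmatched_boundary` reproduces the behaviour the report describes (every line starting with "--" that is not the delimiter is treated as an unmatched boundary, so the FreeMarker comment terminator "-->" trips the rule), `parse_parts` shows that a parser splitting on the exact delimiter handles the same body without trouble, and `near_miss_boundary` is one narrower heuristic, an assumption of mine rather than the project's fix, that only flags delimiter-like lines.

```python
import re

# Boundary taken from the report's curl command.
BOUNDARY = "---------------------------1835282785777842564651277339"
DELIM = "--" + BOUNDARY

# Constructed body (cut-down version of the report's request): the FreeMarker comment
# in _166_scriptContent closes with "-->" at the start of a line.
BODY = (
    f"{DELIM}\r\n"
    'Content-Disposition: form-data; name="_166_cmd"\r\n\r\nupdate\r\n'
    f"{DELIM}\r\n"
    'Content-Disposition: form-data; name="_166_scriptContent"\r\n\r\n'
    "<#--\r\nDisplay templates lay out the fields of a data definition.\r\n-->\r\n"
    f"{DELIM}--\r\n"
)
# Constructed near-miss: the delimiter with trailing junk, the kind of line the flag exists to catch.
BODY_NEAR_MISS = BODY.replace("update\r\n", f"update\r\n{DELIM}junk\r\n", 1)

def parse_parts(body: str, boundary: str) -> dict:
    """Split on the exact delimiter only; a data line such as '-->' never ends a part."""
    delim = "--" + boundary
    parts = {}
    for chunk in body.split(delim)[1:]:           # drop anything before the first delimiter
        if chunk.startswith("--"):                # closing delimiter "--boundary--": finished
            break
        headers, _, value = chunk.partition("\r\n\r\n")
        m = re.search(r'\bname="([^"]*)"', headers)   # \b keeps filename="" from matching
        if m:                                          # the CRLF before a delimiter is not data
            parts[m.group(1)] = value[:-2] if value.endswith("\r\n") else value
    return parts

def broad_unmatched_boundary(body: str, boundary: str) -> list:
    """The behaviour the report describes: every line beginning with "--" that is not the
    delimiter or its closing form raises MULTIPART_UNMATCHED_BOUNDARY, so '-->' trips it."""
    delim = "--" + boundary
    return [ln for ln in body.split("\r\n")
            if ln.startswith("--") and ln not in (delim, delim + "--")]

def near_miss_boundary(body: str, boundary: str) -> list:
    """Narrower check (an illustration, not the project's eventual fix): flag only lines that
    start with the declared delimiter yet are neither it nor its closing form."""
    delim = "--" + boundary
    return [ln for ln in body.split("\r\n")
            if ln.startswith(delim) and ln not in (delim, delim + "--")]

if __name__ == "__main__":
    print(parse_parts(BODY, BOUNDARY))
    print("broad:", broad_unmatched_boundary(BODY, BOUNDARY))            # ['-->']
    print("near-miss, tampered:", near_miss_boundary(BODY_NEAR_MISS, BOUNDARY))
```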
