
I've got an issue with modsecurity and I'm wondering if anyone can help. I'm running into an issue with uploading files to my application, any time the file in question has a quote in the filename. Eventually I will do client-side validation which will alert a user to a quote in the filename they are trying to upload and tell them to rename it, but for now I need to amend my modsecurity settings to ignore that particular check.

The modsecurity rule is:

SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

The error I'm getting is:

[2016-10-11T16:08:06.8336+01:00] [OHS] [ERROR:32] [OHS-9999] [blah.c] [host_id: blah-web-kc1d] [host_addr: 1.2.3.4] [tid: 1724] [user: SYSTEM] [ecid: 00ibIu6vODDF4ETzA8m3SD0000_^001B9G] [rid: 0] [VirtualHost: main] [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "E:/blah/security/blah_base_rules.conf"] [line "65"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM , IQ 1, IH 0, IH 0"] [hostname "www.dev.uk"] [uri "/pls/dev/blah_details_form.process_blah"] [unique_id "ZOMG!ROFL.TL;DR"]

IQ 1 suggests it's the invalid quoting, which makes sense. How do I tell modsecurity not to block when it detects invalid quoting, without disabling the rest of the rule?

Thanks

P.S. I know allowing quotes in a filename potentially introduces SQL injection, but we aren't worried about that for reasons I can't go into.

denartha
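A small triage helper, added here as an example and not code from the question or either answer: it parses the msg field of a denial like the one above and reports which of the rule's strict-multipart flags was non-zero. The log line it uses is a constructed copy of the one in the question with placeholder host and path values, and the label-to-variable order is taken from the rule as posted.

```python
import re

# Constructed sample modelled on the error line in the question
# (host, path and client address are placeholders, not real values).
SAMPLE_LINE = (
    '[client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). '
    'Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. '
    '[file "E:/blah/security/blah_base_rules.conf"] [line "65"] '
    '[msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, '
    'DB 0, DA 0, HF 0, LF 0, SM , IQ 1, IH 0, IH 0"] '
    '[hostname "www.dev.uk"] [uri "/pls/dev/blah_details_form.process_blah"]'
)

# Abbreviations in the order the rule's msg emits them, mapped to the
# ModSecurity variable each one expands. The rule labels both
# MULTIPART_INVALID_HEADER_FOLDING and MULTIPART_FILE_LIMIT_EXCEEDED "IH",
# so position, not label, identifies the variable.
MSG_FIELDS = [
    ("PE", "REQBODY_PROCESSOR_ERROR"),
    ("BQ", "MULTIPART_BOUNDARY_QUOTED"),
    ("BW", "MULTIPART_BOUNDARY_WHITESPACE"),
    ("DB", "MULTIPART_DATA_BEFORE"),
    ("DA", "MULTIPART_DATA_AFTER"),
    ("HF", "MULTIPART_HEADER_FOLDING"),
    ("LF", "MULTIPART_LF_LINE"),
    ("SM", "MULTIPART_SEMICOLON_MISSING"),
    ("IQ", "MULTIPART_INVALID_QUOTING"),
    ("IH", "MULTIPART_INVALID_HEADER_FOLDING"),
    ("IH", "MULTIPART_FILE_LIMIT_EXCEEDED"),
]

MSG_RE = re.compile(r'\[msg\s+"Multipart request body failed strict validation: ([^"]*)"\]')


def parse_strict_flags(line):
    """Return {variable_name: value} for the flags in the rule's msg, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    pairs = [p.strip() for p in m.group(1).split(",")]
    if len(pairs) != len(MSG_FIELDS):
        raise ValueError("unexpected number of flags: %d" % len(pairs))
    flags = {}
    for (label, var), pair in zip(MSG_FIELDS, pairs):
        parts = pair.split(None, 1)
        if parts[0] != label:
            raise ValueError("expected label %s, got %s" % (label, parts[0]))
        # An empty value (the "SM , " in the question) means the variable was unset.
        flags[var] = int(parts[1]) if len(parts) == 2 and parts[1] else 0
    return flags


def triggered_checks(line):
    """Names of the strict-validation checks that fired (non-zero) for this denial."""
    flags = parse_strict_flags(line)
    return [] if flags is None else [v for v, val in flags.items() if val != 0]
```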

2 Answers


Just replace the current rule (which checks the overall MULTIPART_STRICT_ERROR variable) with separate rules for each individual variable instead, changing the deny to a warn for the one variable you don't want to deny:

SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}'"

SecRule MULTIPART_BOUNDARY_QUOTED "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
BQ %{MULTIPART_BOUNDARY_QUOTED}'"

...etc.

SecRule MULTIPART_INVALID_QUOTING "!@eq 0" \
"phase:2,t:none,log,warn,msg:'Multipart request body \
failed strict validation: \
IQ %{MULTIPART_INVALID_QUOTING}'"

SecRule MULTIPART_INVALID_HEADER_FOLDING "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
IH %{MULTIPART_INVALID_HEADER_FOLDING}'"

...etc.

Note that newer versions of ModSecurity (since 2.7) require a unique id, so if your rule has an id which you've not shown in your question, make sure you make it unique when creating the many rules.

Finally, it is also possible to check all the variables in one rule, or have the rules sum up the values (or have them as part of one large chained rule where values are similarly summed up) and then check that the sum = 0, but separate rules are probably just simpler and easier to follow in future.

Barry Pollard

I fixed this by renaming the file to be uploaded, as its name contains some unrecognized pattern.

How do I resolve the issue?
Simply put, rename the file to remove the offending special character from the file name, or disable this security rule in /etc/{path}/mod_security.conf by commenting out the line "SecRule MULTIPART_STRICT_ERROR "!@eq 0" \" or via an .htaccess file (NOT RECOMMENDED AT ALL).

How is this error caused?
This error is caused by mod_security blocking a potentially malicious upload. While it may be completely harmless, mod_security has no way of knowing whether it is harmless or not. Typically, the content in question is a file being uploaded whose file name contains a special character such as a single or double quote, which attackers often use to inject malicious scripts into websites.

Jason