
We are using ModSecurity CRS 3.0.2 and need to exclude rule 930110, which blocks requests if they contain the patterns '../' and '..\' (Path Traversal Attack). If we attach a file while submitting the request, this pattern gets matched frequently and the request is blocked, which we want to avoid.

I was able to exclude the REQUEST_BODY using the following:
SecRuleUpdateTargetById 930110 "!REQUEST_BODY"

Is there a way to exclude just the attachment and scan rest of the REQUEST_BODY?
If not, can we identify whether REQUEST_BODY contains an attachment and exclude REQUEST_BODY only in this case? I tried a string search as below, but it doesn't work. 'filename' is a sample string I see in REQUEST_BODY whenever a file is attached.

SecRule REQUEST_BODY "@contains filename" \
    "id:1001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=930110;REQUEST_BODY"

The REQUEST_URI filter works, though:
SecRule REQUEST_URI "@beginsWith /process" \
    "id:1001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=930110;REQUEST_BODY"

Karthik
  • Can someone please help on this – Karthik Apr 16 '21 at 07:30
  • Can you check this issue please? https://github.com/coreruleset/coreruleset/issues/2005 – airween Apr 26 '21 at 05:33
  • The link you shared is for a bug where the rule 930110 is triggered incorrectly – Karthik Apr 29 '21 at 16:06
  • Ah, I think I see your question now. Maybe the reason was similar to your problem, but the target of this rule in newer versions of CRS has changed, please check this: https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf#L56-L57 (it is the same in 3.3). Perhaps you should upgrade your rule set. – airween Apr 29 '21 at 16:28
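
An added example, not part of the original question or comments: a phase 1 rule cannot test REQUEST_BODY because the body has not been read yet, but it can test the Content-Type header that marks a file upload. Rule id 1002 is a constructed value; /process is the path used in the question.

```apache
# Added example (not from the original post).
#
# ctl:ruleRemoveTargetById has to run before 930110 is evaluated in phase 2,
# so the decision is made in phase 1. At that point only the request line
# and headers are available; REQUEST_BODY is still empty, which is why an
# "@contains filename" test on it never matches there.
#
# File uploads are sent as multipart/form-data, so the Content-Type header
# identifies them. Chaining on the URI limits the exclusion to the upload
# endpoint instead of applying it to every multipart request.
SecRule REQUEST_URI "@beginsWith /process" \
    "id:1002,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" \
        "t:lowercase,\
        ctl:ruleRemoveTargetById=930110;REQUEST_BODY"
```

For matching requests this removes the whole REQUEST_BODY target from 930110, not just the attached file; the rule's other targets (URI and headers) are still inspected.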
