Mod Security+csf Blocking picture upload scripts such as that in wordpress?

noimad1

Well-Known Member
Mar 27, 2003
626
0
166
Anyone else having problems with mod_security + csf having legitimate customers getting blocked when using image upload scripts like that found in wordpress?

I've been getting a few customers each week calling me with their IP address being blocked. When I look in the mod security rules it says:

Access denied with code 403. Error processing request body: Multipart: final boundary missing [severity "EMERGENCY"]
But I can't find the rule that is causing this? Anyone else have this problem?
 

noimad1

Well-Known Member
Mar 27, 2003
626
0
166
You need to check in the mod_security log in /etc/httpd/logs for the rule that triggered the hit; it's easy enough to fix from there.

Brian,

Thanks for the response. That's normally what I would do, but that excerpt is from the logs....all it says is:

Access denied with code 403. Error processing request body: Multipart: final boundary missing [severity "EMERGENCY"]

That's why I can't find the rule...
 

mtindor

Well-Known Member
Sep 14, 2004
1,416
80
178
inside a catfish
cPanel Access Level
Root Administrator
What rule sets /apache ver are you using? Have you searched them for something simple like 403 ?
If there aren't IDs associated with each rule, it's nearly impossible to search for them amongst a ton of rules in a conf file. 403 is all over the place in my conf file as well. I had gotten my rules from hostmerit or something and they did not contain IDs. So when something triggers, it's a hit or miss best guess oftentimes when trying to figure out exactly what rule was triggered.

Mike
 

noimad1

Well-Known Member
Mar 27, 2003
626
0
166
I'm using the modsecurity_1 with the hostmerit rules as well as a few of my own custom rules.

How do you go about adding id's to them? Sounds like something that would take me forever....lol.

I've been googling that error, and apparently I'm not the only one this is happening to. It is to the point where a large majority of people are disabling the secfilter stuff in their .htaccess file. I certainly don't want users having to bypass my mod_security rules...
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
Without doing any research I'm just wondering whether that's an inbuilt rule. It sounds like the incoming data is mangled if a mime boundary tag is missing? Is that possible? Or maybe you are hitting a mod_security bug?

You could always go through your rules and apply tags to them all. The message you're seeing now, without any rule description, implies an internal rule to me though.
 

noimad1

Well-Known Member
Mar 27, 2003
626
0
166
Without doing any research I'm just wondering whether that's an inbuilt rule. It sounds like the incoming data is mangled if a mime boundary tag is missing? Is that possible? Or maybe you are hitting a mod_security bug?

You could always go through your rules and apply tags to them all. The message you're seeing now, without any rule description, implies an internal rule to me though.
Yea, that's kind of what I was thinking. I've been looking a little more into it, and it seems to be affecting any "flash"-style upload utilities, such as the one in the new version of wordpress, and I think I saw one that was in joomla. I haven't looked into whether this upload utility uses ajax or what, but I think it has some sort of Flash front end interface....