If I try to upload a bigger file (tried with ISO and 7Zip file, about 500MB) I get the following error in the WAF log:
2013:12:10-09:39:21 utm reverseproxy: [Tue Dec 10 09:39:21.816101 2013] [security2:error] [pid 6462:tid 3887623024] [client ] ModSecurity: Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "219"] [id "960915"] [rev "1"] [msg "Multipart parser detected a possible unmatched boundary."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "secure.mydomain.com"] [uri "/owncloud/index.php/apps/files/ajax/upload.php"] [unique_id ""]
2013:12:10-09:39:21 utm reverseproxy: [Tue Dec 10 09:39:21.820535 2013] [security2:error] [pid 6462:tid 3887623024] [client ] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960915-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-MULTIPART_UNMATCHED_BOUNDARY. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Multipart parser detected a possible unmatched boundary."] [data "Last Matched Data: 1"] [hostname "secure.mydomain.com"] [uri "/owncloud/index.php/apps/files/ajax/upload.php"] [unique_id ""]
2013:12:10-09:39:21 utm reverseproxy: [Tue Dec 10 09:39:21.820874 2013] [security2:error] [pid 6462:tid 3887623024] [client ] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=): Multipart parser detected a possible unmatched boundary."] [hostname "secure.mydomain.com"] [uri "/owncloud/index.php/apps/files/ajax/upload.php"] [unique_id ""]
2013:12:10-09:39:21 utm reverseproxy: srcip="" localip="" size="244" user="-" host="" method="POST" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Multipart parser detected a possible unmatched boundary." exceptions="SkipThreatsFilter_ProtocolViolations, SkipThreatsFilter_SqlInjectionAttacks" time="28337310" url="/owncloud/index.php/apps/files/ajax/upload.php" server="secure.mydomain.com" referer="secure.mydomain.com/.../files" cookie="mailviewsplitter=310; mailviewsplitterv=226; prefviewsplitter=266; identviewsplitter=266; PHPSESSID=; HASH_PHPSESSID=; 508d626f7872f=; HASH_508d626f7872f=" set-cookie="-"
I set an exception for "Protocol Violations", but this doesn't seem to work.
Even if I tick all available exceptions, the error still occurs.
If I set the Firewall profile of the virtual server to "No Profile", it works.
Is this a bug?
See my configuration by attached screenshots.
