ModSecurity CRS RuleID-960000


Rule ID

960000

Rule Message

Attempted multipart/form-data bypass

Rule Summary

Identify multipart/form-data name evasion attempts

Severity

2 - Critical


SecRule FILES_NAMES|FILES "['\";=]" "phase:2,t:none,id:'960000',rev:'2.2.5',block,capture,msg:'Attempted multipart/form-data bypass',logdata:'%{matched_var}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:'{}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/7',tag:'{}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{tx.0}"

Detailed Rule Information
  • There are possible impedance mismatches between how ModSecurity interprets multipart file names and how a destination app server such as PHP might parse the Content-Disposition data.
  • This rule checks for the existence of the ' " ; = meta-characters in either the FILES_NAMES (upload field name) or FILES (submitted file name) variables in order to detect evasion attempts.
  • Description of the regular expression ['\";=]: match any single character contained within the brackets, i.e. ' " ; or =.
Example Payload

Content-Disposition: form-data; name="fileRap"; filename="file=.txt"
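As an added illustration (not part of the CRS or of this wiki entry), the following Python script parses the example payload above with a strict Content-Disposition parser and with a constructed sloppy one to show the impedance mismatch described under Detailed Rule Information, then applies the rule's ['\";=] check to the FILES_NAMES and FILES values of each upload part. The multipart boundary, the file contents and the sloppy parser's behaviour are assumptions, not PHP's actual parsing.

```python
import re

CRS_960000 = re.compile(r"['\";=]")  # operator pattern from the page's rule
PARAM = re.compile(r'([A-Za-z0-9_*-]+)=(?:"((?:[^"\\]|\\.)*)"|([^;\s]*))')  # token=value or token="quoted"

def parse_disposition(value):
    """Strict parse: a '=' inside a quoted filename stays part of the value."""
    out = {}
    for m in PARAM.finditer(value.partition(";")[2]):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out

def naive_disposition(value):
    """Constructed sloppy parser (assumption, not PHP's code): splitting on ';' then '=' loses '=.txt'."""
    out = {}
    for part in value.split(";")[1:]:
        key, *rest = part.strip().split("=")
        out[key.lower()] = rest[0].strip('"') if rest else ""
    return out

def parse_multipart(body, boundary):
    """Minimal multipart/form-data splitter; returns each part's disposition params."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        headers = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")[0].decode("latin-1")
        for line in headers.split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-disposition":
                parts.append(parse_disposition(value.strip()))
    return parts

def crs_960000(parts):
    """Rule check over FILES_NAMES (upload field name) and FILES (submitted file name)."""
    hits = []
    for p in parts:
        if p.get("filename") is None:
            continue  # plain form field, not a file upload: outside FILES/FILES_NAMES
        for var, val in (("FILES_NAMES", p.get("name", "")), ("FILES", p["filename"])):
            m = CRS_960000.search(val)
            if m:
                hits.append((var, val, m.group(0)))
    return hits

# Constructed body around the page's example payload; boundary value and file data are assumptions.
BOUNDARY = b"--------397236876"
BODY = (b"--" + BOUNDARY + b"\r\n"
        b'Content-Disposition: form-data; name="fileRap"; filename="file=.txt"\r\n\r\nhello\r\n'
        b"--" + BOUNDARY + b"--\r\n")
```

The strict parser returns the filename "file=.txt" that the rule flags, while the sloppy parser sees only "file", which is the kind of disagreement between WAF and backend that makes the meta-character check worthwhile.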

Example Audit Log Entry


[27/Jun/2012:16:07:22 +0300] T@sFin8AAQEAADwGDRIAAAAA 56803 80
POST /fileupload.asp HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://localhost/
Content-Type: multipart/form-data; boundary=--------397236876
Content-Length: 930

Content-Disposition: form-data; name="fileRap"; filename="file=.txt"
Content-Type: text/plain

HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Length: 307
Connection: close
Content-Type: text/html; charset=iso-8859-1


Message: Access denied with code 403 (phase 2). Pattern match "['\";=]" at FILES:fileRap. [file "/opt/modsecurity/etc/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "73"] [id "960000"] [rev "2.2.5"] [msg "Attempted multipart/form-data bypass"] [data "file=.txt"] [severity "CRITICAL"] [tag "RULE_MATURITY/7"] [tag "RULE_ACCURACY/7"] [tag ""]
Action: Intercepted (phase 2)
Stopwatch: 1340802442388746 3425 (- - -)
Stopwatch2: 1340802442388746 3425; combined=2114, p1=1798, p2=300, p3=0, p4=0, p5=15, sr=91, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.0-dev1 (; core ruleset/2.2.5.
Server: Apache/2.2.22 (Debian)
Engine-Mode: "ENABLED"

SecRule "FILES_NAMES|FILES" "@rx ['\";=]" "phase:2,log,t:none,id:960000,rev:2.2.5,block,capture,msg:'Attempted multipart/form-data bypass',logdata:%{matched_var},severity:2,setvar:tx.msg=%{rule.msg},{},tag:RULE_MATURITY/7,tag:RULE_ACCURACY/7,tag:{},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{tx.0}"


Attack Scenarios

An attacker manipulates the file name so that it is mistakenly treated as code by the backend server.

Ease of Attack


Ease of Detection

Easy with regular expressions

False Positives

None known

False Negatives

None known

Rule Maturity

10 point scale (0-9) where:
0 = Beta/Experimental
9 = Heavily Tested

Rule Accuracy

10 point scale (0-9) where:
0 = High % of FP
5 = No false positives reported

Rule Documentation Contributor(s)

Josh Amishav-Zlatin

Additional References