Page 1 of 1

CSF v5.71 Stopping PDFs being uploaded (~4.5mb)

Posted: 14 Dec 2012, 11:53
by GiraffeDog
Hi

I'm new to this ConfigServer/ModSecurity.

I've got an issue with CSF blocking PDF uploads bigger than 4mb. I've included the logs and removed anything that might identify our site/login details :)

Can anyone advise what to do here?

Thanks

GD


==> /etc/httpd/logs/modsec_audit.log <==
--cba2c550-A--
[14/Dec/2012:11:36:08 +0000] UMsPG1jQ6aQAAFrwNSEAAAAH <myipremoved> 64216 <serveripremoved>80
--cba2c550-B--
POST /wp-admin/async-upload.php HTTP/1.1
Host: examplecom
Connection: keep-alive
Content-Length: 4767258
Origin: http://examplecom
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysq6M37pLPaAHXQFy
Accept: */*
Referer: http://examplecom/wp-admin/media-new.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wordpress_1aa292cead04c3ddf11e2d0b01e94937=wpadminusername%7C1356694180%7Cfa0f321fa41fee27ce29f41b35035ca8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_1aa292cead04c3ddf11e2d0b01e94937=wpadminusername%7C1356694180%7Ccadf48e351fb713a180faa7e7254c0fe; wp-settings-1=hidetb%3D1%26editor%3Dhtml%26imgsize%3Dfull; wp-settings-time-1=1355484581

--cba2c550-I--
name=Land%2dForm%2dProfile%2duser%2dguide%2epdf&post%5fid=0&%5fwpnonce=b4a07bd20c&type=&tab=&short=1
--cba2c550-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 969
Connection: close
Content-Type: text/html

--cba2c550-H--
Message: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: default-handler
Stopwatch: 1355484955291058 13286020 (- - -)
Stopwatch2: 1355484955291058 13286020; combined=463, p1=207, p2=141, p3=0, p4=0, p5=107, sr=0, sw=8, l=0, gc=0
Producer: ModSecurity for Apache/2.6.8 (http://www.modsecurityorg/).
Server: Apache

--cba2c550-Z--

Re: CSF v5.71 Stopping PDFs being uploaded (~4.5mb)

Posted: 14 Dec 2012, 12:07
by GiraffeDog
Additionally PHP is set to allow files up to 8mb