coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0

False Positives when Uploading Large File from Linux Client #8

Open UM-Li opened 1 year ago

UM-Li commented 1 year ago

Hi, these false positives are preventing Nextcloud's Linux client from syncing an 150MB ZIP file:

[Tue Feb 14 12:56:44.692790 2023] [:error] [pid 63003] [client 127.0.0.1:46696] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "702"] [id "920340"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "www.um-li.xyz"] [uri "/nextcloud/apps/files/"] [unique_id ...]

[Tue Feb 14 13:03:33.049500 2023] [:error] [pid 63058] [client 127.0.0.1:56006] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at REQUEST_BODY. [file "/usr/share/modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "52"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: track 001]trck\\x00\\x00\\x00\\x04\\x00\\x00\\x00001\\x00\\xff\\xfb\\xd0\\x00i\\x06\\x00\\x0d found within REQUEST_BODY: \\x14\\xc6\\x13\\x06$\\x8c\\xc6~5\\x03\\xf9\\xa6\\xbfg\\x13p\\xa5\\x11\\xd2.\\x0e9n\\x5c\\xd7\\x8d;m\\x14\\xfc\\xaew4\\xeb\\x8bf/\\x89ou\\x1d\\xbd\\xc6\\xa1\\xe35\\xa1i\\x1esg\\x7fzq\\xdcu\\x0c\\xeef^\\xe0ma\\xae\\xc7.\\xbe\\xb1\\x5c\\x8d\\x0f\\xc8l\\xe6\\x9a\\x93\\xc5e<\\x0a\\xb6\\xce\\xd5\\xcbt\\x0ew\\xfe\\xf5)\\xdc\\x1e\\x09\\x0f~q\\xbcs\\x0c\\x9d\\xd6\\xe9\\x8f:\\x8f\\x93\\xb8y\\xd1f\\xb8ii\\x18\\x9d\\xa8\\xdbn\\xd6%,\\xd45\\xdf\\xc2\\xf1\\xc6u\\xb7\\xf5\\x16f\\x0f\\..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level [hostname "www.um-li.xyz"] [uri "/nextcloud/apps/files/"] [unique_id ...]

[Tue Feb 14 13:08:55.093685 2023] [:error] [pid 63124] [client 127.0.0.1:39012] [client 127.0.0.1] ModSecurity: Warning. String match within "/proxy/ /lock-token/ /content-range/ /if/" at TX:header_name_if. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1106"] [id "920450"] [msg "HTTP header is restricted by policy (/if/)"] [data "Restricted header detected: /if/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"] [hostname "www.um-li.xyz"] [uri "/nextcloud/apps/files/"] [unique_id ...]

Nextcloud server version is v25.0.3.

azurit commented 1 year ago

Hi @UM-Li,

Can you post the full audit log from this request? Also add this information:

Thank you.

UM-Li commented 1 year ago

Hi @azurit, thanks for looking into this.

OWASP CRS version: 3.3.0 (comes with Debian package libapache2-mod-security2)
ModSecurity version: 2.9.3
Server: Apache 2.4.54

Retesting shows that disabling rules #920340 and #921110 is sufficient to let the archive pass through.

The log is a bit long, so I've put it in a Gist. Link

Binary data flooded the log at certain positions. Judging by the changes in file size, it seems the entire archive was dumped raw into the log, so that's 240,000+ lines of garbled text on each occurrence. These places are marked with [** RAW DATA **].

UM-Li commented 1 year ago

I've found a similar error when uploading a PDF file. It was intercepted according to rule #933210 this time.

Please see the Gist for the log. Link
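A scoped alternative to disabling #920340, #921110 and #933210 globally, as described in the two comments above (an added example in ModSecurity 2.x syntax, not a rule from the nextcloud-rule-exclusions-plugin; the rule id, the /nextcloud/ prefix taken from the logged URIs, and the PUT/MOVE method list are assumptions to adjust to your deployment):

```apache
# Added example, not part of the plugin. Rule id 9508990 is a placeholder in the
# CRS plugin id range; /nextcloud/ is the install prefix seen in the logs above and
# the PUT/MOVE method set is an assumption about what the desktop client uses.
SecRule REQUEST_URI "@beginsWith /nextcloud/" \
    "id:9508990,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    chain"
    # Chained rule: ctl actions only run when both the path and the method match.
    # 920340 inspects headers (Content-Length present, Content-Type missing), so it
    # has to be removed; the body rules (921110, 933210) never see binary payloads
    # once request body access is switched off for these uploads in phase 1.
    SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
        "t:none,\
        ctl:ruleRemoveById=920340,\
        ctl:requestBodyAccess=Off"
```

Switching body access off means nothing in those upload bodies is inspected at all, so keep the URI prefix as tight as your install allows rather than matching the whole site.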

EsadCetiner commented 2 months ago

Should we close this issue?

This false positive doesn't exist on newer Nextcloud versions for Linux clients, and Nextcloud 25 has been EOL for a year now.

I think we've caught all of the false positives with file uploads for the versions currently available/supported by Nextcloud.