Posted September 16, 2024

Hi all, I am seeing the following errors in IPB 4.7.18. Using Apache on Linux and PHP 8.1.11, this is a new install of IPB. If I upload 6 images, about 2 of them will show failed to upload. The others are fine. Here are the errors:

    POST /gallery/submit/?category=1&noAlbum=1 HTTP/1.1

    [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "30"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "gatoryachts.com"] [uri "/gallery/submit/"] [unique_id "ZuerS3eCv1iZ3SBPcQ5aDQAAAAI"], referer: https://gatoryachts.com/gallery/submit/?_new=1

    AH01579: Invalid response status 44, referer: https://gatoryachts.com/gallery/submit/?_new=1

Edited September 16, 2024 by Mike Gholson
September 16, 2024 Community Expert

This is a server issue. You need to contact your hosting about it:

    ModSecurity: Access denied with code 44 (phase 2).

They must either disable/tweak the ModSecurity rule triggered by the gallery uploads or disable it completely.
September 16, 2024 Author

> This is a server issue. You need to contact your hosting about it: ModSecurity: Access denied with code 44 (phase 2). They must either disable/tweak the ModSecurity rule triggered by the gallery uploads or disable it completely.

Thanks... I own the server. Do you know what I have to change?

Mike
September 16, 2024 Community Expert

> Do you know what I have to change?

You would need to disable or tweak the rule mentioned there in mod_security to allow for upload.
September 17, 2024 Author

> You would need to disable or tweak the rule mentioned there in mod_security to allow for upload.

Not really sure what option to change. Can you help me determine?

    <IfModule mod_security2.c>
        # Default recommended configuration
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRule REQUEST_HEADERS:Content-Type "text/xml" \
            "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
        SecRequestBodyLimit 13107200
        SecRequestBodyNoFilesLimit 131072
        SecRequestBodyInMemoryLimit 131072
        SecRequestBodyLimitAction Reject
        SecRule REQBODY_ERROR "!@eq 0" \
        "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
        SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
        "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
        failed strict validation: \
        PE %{REQBODY_PROCESSOR_ERROR}, \
        BQ %{MULTIPART_BOUNDARY_QUOTED}, \
        BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
        DB %{MULTIPART_DATA_BEFORE}, \
        DA %{MULTIPART_DATA_AFTER}, \
        HF %{MULTIPART_HEADER_FOLDING}, \
        LF %{MULTIPART_LF_LINE}, \
        SM %{MULTIPART_MISSING_SEMICOLON}, \
        IQ %{MULTIPART_INVALID_QUOTING}, \
        IP %{MULTIPART_INVALID_PART}, \
        IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
        FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
        SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
        "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
        SecPcreMatchLimit 1000
        SecPcreMatchLimitRecursion 1000
        SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
        SecResponseBodyAccess Off
        SecDebugLog /var/log/httpd/modsec_debug.log
        SecDebugLogLevel 0
        SecAuditEngine RelevantOnly
        SecAuditLogRelevantStatus "^(?:5|4(?!04))"
        SecAuditLogParts ABIJDEFHZ
        SecAuditLogType Serial
        SecAuditLog /var/log/httpd/modsec_audit.log
        SecArgumentSeparator &
        SecCookieFormat 0
        SecTmpDir /var/lib/mod_security
        SecDataDir /var/lib/mod_security
        # ModSecurity Core Rules Set and Local configuration
        IncludeOptional modsecurity.d/*.conf
        IncludeOptional modsecurity.d/activated_rules/*.conf
        IncludeOptional modsecurity.d/local_rules/*.conf
    </IfModule>
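A triage aid for the question asked above (which rule to tweak, and where), as an added example that is not part of any post and is not Invision Community or ModSecurity code. It parses the "Access denied" line quoted in the first post, groups denials by rule id and URI, flags an action status that is not a valid HTTP status (the `status:44` on rule 200003, which Apache reports as AH01579), and renders an exception scoped to one rule on one URI for an administrator to review. The second log line, the 100-599 status range and all function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample input: line 1 is the denial quoted in the first post;
# line 2 is invented for this example (different rule, URI and host).
SAMPLE_LOG = (
    '[client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 44 (phase 2). '
    'Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. '
    '[file "/etc/httpd/conf.d/mod_security.conf"] [line "30"] [id "200003"] '
    '[msg "Multipart parser detected a possible unmatched boundary."] '
    '[hostname "gatoryachts.com"] [uri "/gallery/submit/"]\n'
    '[client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 400 (phase 2). '
    'Match of "eq 0" against "REQBODY_ERROR" required. [id "200001"] '
    '[msg "Failed to parse request body."] [hostname "example.test"] [uri "/login/"]\n'
)

DENIED = re.compile(r"ModSecurity: Access denied with code (\d+) \(phase (\d)\)")
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_denials(text):
    """Return one dict per denial: status, phase and every [key "value"] field."""
    events = []
    for line in text.splitlines():
        m = DENIED.search(line)
        if m:
            event = dict(FIELD.findall(line))
            event.update(status=int(m.group(1)), phase=int(m.group(2)))
            events.append(event)
    return events

def triage(events):
    """Count denials per (rule id, URI); list rules whose status is outside 100-599
    (assumed here to be the range a server can send as a response status)."""
    hits = Counter((e["id"], e["uri"]) for e in events)
    bad_status = sorted({e["id"] for e in events if not 100 <= e["status"] <= 599})
    return hits, bad_status

def scoped_exclusion(rule_id, uri):
    """Render an exception for one rule on one URI prefix, for an admin to review."""
    # Log fields are client-influenced: refuse anything that is not a plain id/path.
    if not rule_id.isdigit() or not re.fullmatch(r"/[\w./-]*", uri):
        raise ValueError("refusing to render directive from unexpected log value")
    return (f'<LocationMatch "^{re.escape(uri)}">\n'
            f"    SecRuleRemoveById {rule_id}\n"
            "</LocationMatch>")

if __name__ == "__main__":
    hits, bad_status = triage(parse_denials(SAMPLE_LOG))
    print(dict(hits), bad_status)
    print(scoped_exclusion("200003", "/gallery/submit/"))
```

`SecRuleRemoveById` only takes effect when it is read after the rule it removes, so a fragment like the rendered one belongs after the block that defines rule 200003.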
September 17, 2024 Community Expert

> Not really sure what option to change. Can you help me determine?

You would want to contact your hosting provider or a server administrator if you’re not sure.
September 17, 2024 Author

> You would want to contact your hosting provider or a server administrator if you’re not sure.

I am the hosting provider.. 😉 I can change anything, just need to know what your software needs to enable multiple uploads.

Mike
September 17, 2024 Community Expert

> I am the hosting provider.. 😉 I can change anything, just need to know what your software needs to enable multiple uploads. Mike

We do not provide support with server configurations or extra security modules like mod_security. If you are unsure how to handle this you would need to work with a server administrator. If you want to use these items it would be up to yourself to ensure they do not hinder the software.
September 17, 2024 Author

> We do not provide support with server configurations or extra security modules like mod_security. If you are unsure how to handle this you would need to work with a server administrator. If you want to use these items it would be up to yourself to ensure they do not hinder the software.

What the? Really? My server meets all your specs and I've been with you guys for years.. trying to launch another website and I get this response? Seriously ....
September 17, 2024 Community Expert

> What the? Really? My server meets all your specs and I've been with you guys for years.. trying to launch another website and I get this response? Seriously ....

Sorry that you are disappointed but we have never supported server configurations. Our support only covers our software. As a self-hosted customer, it is your responsibility to configure your server and the additional modules you want to run on it.

As mentioned though, if you don’t know how to configure mod_security to work with our software, I would advise disabling it.
September 26, 2024 Author

I get it, thanks. Not sure why you don't support server-side functions because your software already has plenty of warnings when something isn't set up correctly (PHP8, file permissions, etc etc).

FYI, I do have an idea that could be helpful. During your pre-install check, would it be possible to scan for mod_security? TBH, this only shows up at the end user level (as shown above). An admin may never see that mod_security is stopping the upload of multiple files.

m
September 26, 2024 Community Expert

Thank you for your feedback. We alert on things which are required elements for our software to run (i.e. PHP, MySQL, file permissions, etc..). However, actually supporting them is a whole other matter and, depending on the server, configuring can vary drastically. Our support is limited to stating "your server administrator needs to assist you with requirement x" or "this may be an issue with your server configuration due to y" as our alerts do and maintaining the server is up to a qualified server administrator to take that knowledge and move forward.

This is common of software and pretty much everything in our world. I had an issue with my dryer last week, called out a repair man and after some troubleshooting, it turned out that my house wasn't providing it enough voltage to the socket so I had to call out an electrician. I didn't expect the dryer repair man to fix or tell me how to exactly fix my electricity issues 🙂. The dryer repair man is an expert in dryers, just as we are experts in our software. The underlying items have their own expert(s) which need to attend to those.

mod_security is not a required part of our software and it is on the decline for many hosting providers to be using it. While we strive to provide the best experience to our users, it isn't possible to provide a warning for all possible modules out there. However, I will bring this up internally.
September 27, 2024 Community Expert

> FYI, I do have an idea that could be helpful. During your pre-install check, would it be possible to scan for mod_security? TBH, this only shows up at the end user level (as shown above). An admin may never see that mod_security is stopping the upload of multiple files.

I recall this coming up previously. The problem is that unfortunately it's not always visible for us to know it's present.

> I get it, thanks. Not sure why you don't support server-side functions because your software already has plenty of warnings when something isn't set up correctly (PHP8, file permissions, etc etc).

It's worth noting on this one, we do support server side items on server side items we provide and run. However if you are self hosted, by definition, you're the host there (or the company you employ for that of course). We provide a cloud based environment as most tend not to want to mess with servers these days.