Mike Gholson Posted September 16 Posted September 16 (edited) Hi all, I am seeing the following errors in IPB 4.7.18. Using Apache on Linux and PHP 8.1.11, this is a new install of IPB. If I upload 6 images, about 2 of them will show failed to upload. The others are fine.  Here are the errors: POST /gallery/submit/?category=1&noAlbum=1 HTTP/1.1 [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "30"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "gatoryachts.com"] [uri "/gallery/submit/"] [unique_id "ZuerS3eCv1iZ3SBPcQ5aDQAAAAI"], referer: https://gatoryachts.com/gallery/submit/?_new=1 AH01579: Invalid response status 44, referer: https://gatoryachts.com/gallery/submit/?_new=1 Edited September 16 by Mike Gholson
teraßyte Posted September 16 Posted September 16 This is a server issue. You need to contact your hosting about it: ModSecurity: Access denied with code 44 (phase 2).  They must either disable/tweak the ModSecurity rule triggered by the gallery uploads or disable it completely. Marc and Pescao6 2
Mike Gholson Posted September 16 Author Posted September 16 13 hours ago, teraßyte said: This is a server issue. You need to contact your hosting about it: ModSecurity: Access denied with code 44 (phase 2).  They must either disable/tweak the ModSecurity rule triggered by the gallery uploads or disable it completely. Thanks... I own the server. Do you know what I have to change? Mike
Jim M Posted September 16 Posted September 16 4 minutes ago, Mike Gholson said: Do you know what I have to change? You would need to disable or tweak the rule mentioned there in mod_security to allow for upload.
Mike Gholson Posted September 17 Author Posted September 17 On 9/16/2024 at 11:47 AM, Jim M said: You would need to disable or tweak the rule mentioned there in mod_security to allow for upload. Not really sure what option to change. Can you help me determine? <IfModule mod_security2.c> # Default recommended configuration SecRuleEngine On SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" SecRequestBodyLimit 13107200 SecRequestBodyNoFilesLimit 131072 SecRequestBodyInMemoryLimit 131072 SecRequestBodyLimitAction Reject SecRule REQBODY_ERROR "!@eq 0" \ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \ failed strict validation: \ PE %{REQBODY_PROCESSOR_ERROR}, \ BQ %{MULTIPART_BOUNDARY_QUOTED}, \ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ DB %{MULTIPART_DATA_BEFORE}, \ DA %{MULTIPART_DATA_AFTER}, \ HF %{MULTIPART_HEADER_FOLDING}, \ LF %{MULTIPART_LF_LINE}, \ SM %{MULTIPART_MISSING_SEMICOLON}, \ IQ %{MULTIPART_INVALID_QUOTING}, \ IP %{MULTIPART_INVALID_PART}, \ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" SecPcreMatchLimit 1000 SecPcreMatchLimitRecursion 1000 SecRule TX:/^MSC_/ "!@streq 0" \ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" SecResponseBodyAccess Off SecDebugLog /var/log/httpd/modsec_debug.log SecDebugLogLevel 0 SecAuditEngine RelevantOnly SecAuditLogRelevantStatus "^(?:5|4(?!04))" SecAuditLogParts ABIJDEFHZ SecAuditLogType Serial SecAuditLog /var/log/httpd/modsec_audit.log SecArgumentSeparator & SecCookieFormat 0 SecTmpDir /var/lib/mod_security SecDataDir /var/lib/mod_security # ModSecurity Core Rules Set and Local configuration IncludeOptional modsecurity.d/*.conf IncludeOptional modsecurity.d/activated_rules/*.conf IncludeOptional modsecurity.d/local_rules/*.conf </IfModule> Â
Jim M Posted September 17 Posted September 17 6 minutes ago, Mike Gholson said: Not really sure what option to change. Can you help me determine? You would want to contact your hosting provider or a server administrator if you’re  not sure.Â
Mike Gholson Posted September 17 Author Posted September 17 Just now, Jim M said: You would want to contact your hosting provider or a server administrator if you’re  not sure. I am the hosting provider.. 😉 I can change anything, just need to know what your software needs to enable multiple uploads. Mike
Jim M Posted September 17 Posted September 17 1 minute ago, Mike Gholson said: I am the hosting provider.. 😉 I can change anything, just need to know what your software needs to enable multiple uploads. Mike We do not provide support with server configurations or extra security modules like mod_security. If you are unsure how to handle this you would need to work with a server administrator. If you want to use these items it would be up to yourself to ensure they do not hinder the software.Â
Mike Gholson Posted September 17 Author Posted September 17 1 minute ago, Jim M said: We do not provide support with server configurations or extra security modules like mod_security. If you are unsure how to handle this you would need to work with a server administrator. If you want to use these items it would be up to yourself to ensure they do not hinder the software. What the? Really? My server meets all your specs and I've been with you guys for years..  trying to launch another website and I get this response?  Seriously ....
Jim M Posted September 17 Posted September 17 1 minute ago, Mike Gholson said: What the? Really? My server meets all your specs and I've been with you guys for years..  trying to launch another website and I get this response?  Seriously .... Sorry that you are disappointed but we have never supported server configurations. Our support only covers our software. As a selfhosted customer, it is your responsibility to configure your server and the additional modules you want to run on it  As mentioned though, if you don’t know how to configured mod_security to work with our software, I would advise disabling it.Â
Mike Gholson Posted September 26 Author Posted September 26 I get it, thanks. Not sure why you don't support server-side functions because your software already has plenty of warnings when something isn't set up correctly (PHP8, file permissions, etc etc). FYI, I do have an idea that could be helpful. During your pre-install check, would it be possible to scan for mod_security? TBH, this only shows up at the end user level (as shown above). An admin may never see that mod_security is stopping the upload of multiple files. m
Jim M Posted September 26 Posted September 26 Thank you for your feedback. We alert on things which are required elements for our software to run (i.e. PHP, MySQL, file permissions, etc..). However, actually supporting them is a whole other matter and depending on the server configuring can vary drastically. Our support is limited to stating "your server administrator needs to assist you with requirement x" or "this may be an issue with your server configuration due to y" as our alerts do and maintaining the server is up to a qualified server administrator to take that knowledge and move forward. This is common of software and pretty much everything in our world. I had an issue with my dryer last week, called out a repair man and after some troubleshooting, it turned out that my house wasn't providing it enough voltage to the socket so I had to call out an electrician. I didn't expect the dryer repair man to fix or tell me how to exactly fix my electricity issues 🙂 . The dryer repair man is an expert in driers, just as we are experts in our software. The underlying items have their own expert(s) which need to attend to those. mod_security is not a required part of our software and it is on the decline for many hosting providers to be using it. While, we strive to provide the best experience to our users, it isn't possible to provide a warning for all possible modules out there. However, I will bring this up internally.
Marc Posted September 27 Posted September 27 15 hours ago, Mike Gholson said: FYI, I do have an idea that could be helpful. During your pre-install check, would it be possible to scan for mod_security? TBH, this only shows up at the end user level (as shown above). An admin may never see that mod_security is stopping the upload of multiple files. I recall this coming up previously. The problem is that unfortunately its not always visible for us to know its present. 15 hours ago, Mike Gholson said: I get it, thanks. Not sure why you don't support server-side functions because your software already has plenty of warnings when something isn't set up correctly (PHP8, file permissions, etc etc). Its worth noting on this one, we do support server side items on server side items we provide and run. However if you are self hosted, by definition, you're the host there (or the company you employ for that of course). We provide a cloud based environment as most tend not to want to mess with servers these days
Recommended Posts