Multipart: Invalid boundary in C-T (characters)

You can sometimes see this error ModSecurity log file:

--b2b99b07-H--
Message: Multipart parsing error (init): Multipart: Invalid boundary in C-T (characters).

POST Payload

Typically payload looks below, which cause that error

--b2b99b07-B--
POST /index.php HTTP/1.0
Host: malware.expert
Accept: */*
Referer: http://malware.expert/
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Content-Length: 389
Content-Type: multipart/form-data; boundary=(UploadBoundary)

Problem is in boundary variable, which ModSecurity looks it false.

According to rfc2046 the characters allowed in the boundary are following:

boundary := 0*69 bcharsnospace
bchars := bcharsnospace / " "
bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?"

Bug: https://github.com/SpiderLabs/ModSecurity/issues/653

Activity

We have seen lots of activity from bot networks which use this kind of boundary try uploading malware to the servers and bypass ModSecurity.

[uri "/modules/mod_simplefileuploadv1.3/elements/udd.php"]
[uri "/wp-admin/admin-ajax.php"]
[uri "/"]
[uri "/uploadify/uploadify.php"]
[uri "/sites/all/libraries/elfinder/php/connector.minimal.php"]
[uri "/license.php"]

REQBODY_ERROR

To prevent this kind ModSecurity Malfunction is adds this rule:

SecRule REQBODY_ERROR 			"!@eq 0" 	\
"phase:2,id:200001,t:none,log,deny,msg:'Failed to parse request body.'"

Contains the status of the request body processor used for request body parsing. The values can be 0 (no error) or 1 (error). This variable will be set by request body processors (typically the multipart/request-data parser, JSON or the XML parser) when they fail to do their work.

Note: Your policies must have a rule to check for request body processor errors at the very beginning of phase 2. Failure to do so will leave the door open for impedance mismatch attacks. It is possible, for example, that a payload that cannot be parsed by ModSecurity can be successfully parsed by more tolerant parser operating in the application. If your policy dictates blocking, then you should reject the request if error is detected.

Final words

Websites that using Malware Expert – ModSecurity rules are protected against this kind of attacks.