
Filenames with single quotes are giving an internal 500 error while uploading images or files to production

While uploading images or files with single quotes in the filename we get a 500 internal server error in production, but on our localhost and QA instances the same code works fine.

We have looked at the log file (ssl_error_log) and found the error below:

[Fri Nov 25 05:41:56.926603 2016] [:error] [pid 29449] [client 183.82.3.44] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "31"] [id "200002"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 1, IP 0, IH 0, FL 0"] [hostname "www.gatewaychamber.com"] [uri "/edit-profile/"] [unique_id "WDgVc7JgaWA0yezMJ2n@TAAAAAc"]

We found a solution at this URL, which is to disable rule 200002 in the httpd configuration file:

SecRuleRemoveById 200002

However, we have not tried this because we want to know about any security issues or evasion attacks that disabling it on the server would allow. Please give any solution or advice to solve this problem. Also, could anyone please explain the security issues if we disable this rule with SecRuleRemoveById 200002 in the modsecurity.conf file?

If it should be disabled to solve the problem, please advise a better way to disable this rule. Alternatively, can we modify the file name in the front end using jQuery?

I have seen LinkedIn, Facebook and some other websites accept single quotes in uploads without any problem and without renaming the files/images. How is this possible?

Thanks in advance.
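The front-end rename the question asks about, as an added example that is not code from the original post. It uses plain DOM and fetch() rather than jQuery; the endpoint /edit-profile/ is taken from the log line in the question, and the form field name "photo" is an assumption. Note that this only helps legitimate users: an attacker controls their own client and can send any filename they like, so it changes nothing about the evasion concern and is no substitute for keeping the server-side rule (or upgrading ModSecurity).

```javascript
// Added example, not code from the original post. Plain DOM/fetch instead of
// jQuery; "/edit-profile/" comes from the question's log line, the field
// name "photo" is an assumption.

// Characters that should not appear in the multipart Content-Disposition
// filename: double and single quotes, backslash, path separators and
// control characters. Everything else (spaces, dots, Unicode) is kept.
const UNSAFE_FILENAME_CHARS = /["'\\\/\x00-\x1f\x7f]/g;

// Returns the filename with every unsafe character replaced by "_".
// An empty name falls back to "upload" so the part is never nameless.
function sanitizeFilename(name) {
  const cleaned = String(name).replace(UNSAFE_FILENAME_CHARS, "_");
  return cleaned.length > 0 ? cleaned : "upload";
}

// Wraps a File in a new File object carrying the sanitized name. The bytes,
// MIME type and lastModified stamp are preserved; the name is the only thing
// the browser copies into the Content-Disposition header of that part.
function renameForUpload(file) {
  const safeName = sanitizeFilename(file.name);
  if (safeName === file.name) {
    return file; // nothing to change
  }
  return new File([file], safeName, {
    type: file.type,
    lastModified: file.lastModified,
  });
}

// Builds the multipart body from an <input type="file"> element, renaming
// each selected file before it is appended.
function buildUploadFormData(fileInput, fieldName = "photo") {
  const formData = new FormData();
  for (const file of fileInput.files) {
    formData.append(fieldName, renameForUpload(file));
  }
  return formData;
}

// Replaces the form's default submission with a fetch() that sends the
// renamed files. Browser-only; never runs outside a page.
function attachUploadHandler(formEl, fileInput, url = "/edit-profile/") {
  formEl.addEventListener("submit", async (event) => {
    event.preventDefault();
    const response = await fetch(url, {
      method: "POST",
      body: buildUploadFormData(fileInput),
      credentials: "same-origin",
    });
    if (!response.ok) {
      throw new Error(`upload failed with HTTP ${response.status}`);
    }
  });
}
```

Wire it up with `attachUploadHandler(document.querySelector("form"), document.querySelector("input[type=file]"))`. Only the name is rewritten; if the application displays the original name to the user, send it separately in a normal text field rather than in the filename parameter.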

Based on the information from this link, there was a way to circumvent ModSecurity and sneak in some malicious PHP code.

ModSecurity up to 2.6.8 has this vulnerability and should have rule 200002 in place. If it is possible to upgrade your version of ModSecurity to at least 2.7.0, the rule is no longer needed. The current version of ModSecurity is 2.9.1.
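If the upgrade cannot happen immediately, the following Apache configuration fragment is an added example (not part of the original answer or of ModSecurity's own configuration) showing the global workaround from the question next to a narrower form. It assumes the stock rule 200002 (deny when MULTIPART_STRICT_ERROR is non-zero) is still present in /etc/httpd/conf.d/mod_security.conf, as the question's log line shows, and that /edit-profile/ (the URI in that log line) is the only endpoint that accepts uploads with user-chosen filenames. The local rule id 90002 is chosen arbitrarily.

```apache
# Added example, not from the original answer or from ModSecurity itself.
# Assumes the stock rule 200002 stays untouched in
# /etc/httpd/conf.d/mod_security.conf and that /edit-profile/ is the only
# URI that receives uploads with user-chosen filenames.

# Weak: the workaround from the linked URL. It silences strict multipart
# validation for every request on the server, so the quoting-based bypass
# described in the answer becomes usable on any URI, not just the upload form.
#
#   SecRuleRemoveById 200002

# Narrower: lift the rule only where it actually fires. Every other URI keeps
# strict multipart validation. This limits exposure rather than removing it,
# because the upload endpoint is exactly what an attacker would target, so it
# is a stop-gap until ModSecurity is at 2.7.0 or later.
<Location /edit-profile/>
    SecRuleRemoveById 200002

    # Still record the event (without blocking) so every request that the
    # exception lets through is visible in the error log and can be reviewed.
    # Id 90002 is an arbitrary choice from the locally reserved id range.
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
        "id:90002,phase:2,t:none,pass,log,\
        msg:'Multipart strict validation failed on upload endpoint (rule 200002 excepted here)'"
</Location>

# After upgrading to 2.7.0 or later, delete the whole <Location> block above
# so the stock rule applies everywhere again; on those versions a single
# quote inside a double-quoted filename no longer trips the strict check.
```

Check the result with `apachectl configtest` before reloading, then upload a file whose name contains a single quote to /edit-profile/ and confirm the request succeeds while the 90002 message appears in ssl_error_log. The same upload against any other URI should still be denied with status 44.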
