ModSecurity: What do MULTIPART_DATA_BEFORE and MULTIPART_DATA_AFTER mean?

Question

I'm getting the following ModSecurity error when posting form data to a LiquidWeb server:

Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 1, DA 1, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0

As you can see DB and DA have been set to 1. And looking at the ModSecurity docs on this, DB means MULTIPART_DATA_BEFORE and DA means MULTIPART_DATA_AFTER, which isn't very helpful.

Can anyone explain what these mean?

score 0 · Answer 1 · edited Oct 07 '21 at 08:14

0

Although I'm not cent percent sure about their actual definitions. DB and DA should correspond to preamble and epilogue around multi-part boundaries . Which may sound platonic at first, until you read about the recent BadEpilogue Malware evasion.

After-all, organizations which has this detection turned-on are not completely paranoiac.

edited Oct 07 '21 at 08:14

Community

1

answered Oct 12 '16 at 16:28

user1929880

1

ModSecurity: What do MULTIPART_DATA_BEFORE and MULTIPART_DATA_AFTER mean?

1 Answers1