Difference between revisions of "WAF 390700"
Latest revision as of 19:42, 18 December 2013
Rule ID
390700
Status
Active rule currently published.
Alert Message
Atomicorp.com WAF Rules: Invalid filename in FILES argument. Which may be a possible attempt at multipart/form-data bypass
Description
This rule can be triggered if an attacker attempts to bypass the WAF's multipart assembler. Several known attack methods attempt to bypass WAFs this way.
Additionally, this rule is triggered if any of the following characters are used in a filename:
";=
These characters are reserved and are not supported in filenames.
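The filename check described above can also be applied on the application side before an upload is accepted. The following is an added example, not Atomicorp's rule logic; the function names and the sample request body are constructed for illustration, and it assumes `filename` is the last parameter of the Content-Disposition header.

```python
import re

RESERVED = set('";=')  # the characters the rule description lists

def raw_filename(disposition):
    """Raw filename value from a Content-Disposition header line, or None.

    Assumption: filename is the last parameter, so everything after
    'filename=' is the value; trailing junk is kept so it gets flagged.
    """
    m = re.search(r';\s*filename\s*=\s*(.*)$', disposition, re.I)
    if m is None:
        return None
    value = m.group(1).strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # drop one enclosing pair of quotes
    return value

def suspicious_uploads(body, boundary):
    """Return [(filename, reserved chars found)] for each flagged part."""
    findings = []
    for part in body.split(b'--' + boundary)[1:]:
        if part.startswith(b'--'):  # closing delimiter
            break
        headers = part.split(b'\r\n\r\n', 1)[0].decode('latin-1')
        for line in headers.split('\r\n'):
            if not line.lower().startswith('content-disposition:'):
                continue
            name = raw_filename(line)
            bad = sorted(RESERVED.intersection(name or ''))
            if bad:
                findings.append((name, bad))
    return findings

# Constructed sample request body: one clean upload, one that is flagged.
BOUNDARY = b'XBOUNDARYX'
SAMPLE = (
    b'--XBOUNDARYX\r\n'
    b'Content-Disposition: form-data; name="a"; filename="photo.jpg"\r\n'
    b'Content-Type: image/jpeg\r\n\r\ndata\r\n'
    b'--XBOUNDARYX\r\n'
    b'Content-Disposition: form-data; name="b"; filename="report;v=2.txt"\r\n'
    b'Content-Type: text/plain\r\n\r\ndata\r\n'
    b'--XBOUNDARYX--\r\n'
)

if __name__ == '__main__':
    print(suspicious_uploads(SAMPLE, BOUNDARY))
```

Rejecting or renaming such uploads in the client or application is one way to follow the recommendation to fix the application rather than disable the rule.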
False Positives
False positives are rare with this rule. We do not recommend you disable it unless you want to ignore any evasion based on the multipart parser in the WAF. Currently there are no known vulnerabilities in the 2.5.12 version of the WAF (ASL versions 2.2.7 and up are not vulnerable). Therefore, if you know that your client sends an invalid multipart message when uploading a file, you are running the latest version of ASL, and you do not care about detecting and blocking evasion-based attacks, you can disable this rule. We do not recommend disabling this rule; rather, we recommend fixing the application to ensure that it does not accept broken multipart messages.
If you believe this is a false positive, please report it to our security team to determine whether it is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the Reporting False Positives wiki page.
Tuning Recommendations
If you know that this behaviour is acceptable for your application, you can tune it by disabling this rule for the application or virtual host.
If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.