Rule 932180 FP on Filename Substring #4320

@ssigwart

Description

Rule 932180 triggers for substrings in filenames. See curl examples below.

How to reproduce the misbehavior (-> curl call)

This example is likely a user's initials (JAC).

echo "contents" | curl -X POST -F "file1=@-;filename=JACpic.jpg;type=text/plain" -H "x-format-output: txt-matched-rules" https://sandbox.coreruleset.org/
932180 PL1 Restricted File Upload Attempt
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL? Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

This one triggers due to boto.

echo "contents" | curl -X POST -F "file1=@-;filename=abc.botox.jpg;type=text/plain" -H "x-format-output: txt-matched-rules" https://sandbox.coreruleset.org/
932180 PL1 Restricted File Upload Attempt
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL? Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

This triggers due to mtrr.

echo "contents" | curl -X POST -F "file1=@-;filename=amtrra.jpg;type=text/plain" -H "x-format-output: txt-matched-rules" https://sandbox.coreruleset.org/
932180 PL1 Restricted File Upload Attempt
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL? Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

Your Environment

  • CRS version (e.g., v3.3.4): 4.18.0
  • Paranoia level setting (e.g. PL1) : PL1
  • ModSecurity version (e.g., 2.9.6): 3.0.14
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Nginx 1.26
  • Operating System and version: Amazon Linux 2

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
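The three reproductions above all share one mechanism: a phrase that happens to be a substring of an otherwise harmless filename (JAC, boto, mtrr) is enough to fire 932180. The following added example, which is not part of the issue or of the CRS project, contrasts that substring behaviour with a whole-token check as a triage heuristic; the phrase list it uses is constructed from the three matches shown in this report, since the rule's real list is not on the page.

```python
import re

# Constructed phrase list, assumed for illustration only: the curl runs above
# show "JACpic.jpg", "abc.botox.jpg" and "amtrra.jpg" matching, which implies
# "jac", "boto" and "mtrr" are in the rule's list. The real list is not shown.
RESTRICTED = ["jac", "boto", "mtrr"]


def substring_hits(filename, phrases=RESTRICTED):
    """Case-insensitive substring match: the behaviour the issue reports."""
    name = filename.lower()
    return [p for p in phrases if p in name]


def token_hits(filename, phrases=RESTRICTED):
    """Whole-token match: split the filename on anything that is not a letter
    or digit, so 'botox' no longer counts as a hit for 'boto'."""
    tokens = set(re.split(r"[^a-z0-9]+", filename.lower()))
    return [p for p in phrases if p in tokens]


def triage(filenames, phrases=RESTRICTED):
    """Flag filenames that only match as a substring (likely false positives)
    versus ones that match as a whole token (worth a closer look)."""
    report = {}
    for fn in filenames:
        sub, tok = substring_hits(fn, phrases), token_hits(fn, phrases)
        report[fn] = {
            "substring": sub,
            "token": tok,
            "likely_fp": bool(sub) and not tok,
        }
    return report


if __name__ == "__main__":
    # The three filenames from the report plus a bare token for contrast.
    for fn, r in triage(["JACpic.jpg", "abc.botox.jpg", "amtrra.jpg", "mtrr"]).items():
        print(fn, r)
```

A whole-token check changes what the rule covers, so it is a triage aid for sorting reports like this one, not a drop-in replacement for reviewing the actual phrase list.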
