false positive 921110 when sending large Attachments via iPhone client · Issue #4170 · coreruleset/coreruleset · GitHub
false positive 921110 when sending large Attachments via iPhone client #4170
Open
@Sc0r

Description:
Sending email attachments of roughly over 1 MB via the native iPhone client to anywhere will result in a false positive with ID 921110.
400 KB and 800 KB attachments worked without issue; 1.1 MB and upwards are recognized as an HTTP request smuggling attack by your own WAF protection of your Exchange 2016 mail server.

Replicate:

  1. Protect MS Exchange ActiveSync traffic on its domain (i.e. mail.domain.com) with Sophos XGS utilising OWASP CRS 3.3.3
  2. Set up MS Exchange (2016) account with iPhone client
  3. Try to send an email with attachment larger than 1MB anywhere

Entry from the Sophos XGS reverseproxy.log:

```
[security2:error] [pid 27088:tid 140109391152896] [client IP:Port] [client [clientIP]] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+(?:\\/|\\w)[^\\s]*(?:\\s+http\\/\\d|[\\r\\n])" at REQUEST_BODY. [file "/usr/apache/conf/waf/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "53"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: put bc/cvy7r7yfs0/a\x0d found within REQUEST_BODY: \x03\x01j\x00\x00\x15eq\x03ab561e4ba659cc4a88f2c0d4000037b588870000\x00\x01\x08p\xc3\xe0\xdb_from: \x22[senderAddress]\x22 <[senderAddress]>\x0d\x0ato: recipientName <[recipientAddress]>\x0d\x0asubject: testfr\x0d\x0athread-topic: testfr\x0d\x0athread-index: aqhb4fdg9r xvmoeoeocmapsbhwgxw==\x0d\x0ax-ms-exchange-messagesentrepresentingtype: 1\x0d\x0adate: fri, 20 jun 2025 14:38:33  0000\x0d\x0amessage-id:\x0..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.3"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [ [hostname "[mailServer]"] [uri "/Microsoft-Server-ActiveSync"] [unique_id "aFVyaTy20IcYjuSoQ8IKuwAAAGA"]
```

Environment:
Exchange Server 2016 with Sophos XGS2100 WAF utilising OWASP_CRS/3.3.3

  • CRS version (e.g., v3.3.4):
  • Paranoia level setting (e.g. PL1) :
  • ModSecurity version (e.g., 2.9.6):
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54):
  • Operating System and version:

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
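An offline reproduction of the match, added here as an example; it is not part of the original report and not code from the CRS project. The pattern is copied from the 921110 log entry above and run over constructed request bodies (not captured traffic) to show which alternative at the end of the regex fires for a real smuggled request line versus the mail body. Lowercasing the body before matching mirrors the all-lowercase text in the log's Matched Data and is an assumption about the rule's transformations; the sample bodies, the function names and the `example.invalid` addresses are made up for the example.

```python
import re

# Pattern as logged by rule 921110 in the report (CRS 3.3.3), rebuilt as a
# bytes regex so that \s and \w stay ASCII-only, as in PCRE's default mode.
RULE_921110 = re.compile(
    rb"(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|"
    rb"propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])"
)


def check_921110(body: bytes):
    """Return the bytes 921110 would report as 'Matched Data', or None.

    The body is lowercased first: the log's Matched Data is all lowercase,
    which is assumed here to come from the rule's lowercase transformation.
    bytes.lower() only touches ASCII letters, so binary WBXML bytes survive.
    """
    m = RULE_921110.search(body.lower())
    return m.group(0) if m else None


def trigger_branch(body: bytes):
    """Tell which alternative at the end of the regex closed the match:
    'http-version' for '<method> <token> HTTP/<digit>' (a request line),
    'line-break' for '<method> <token>' followed by a bare CR or LF
    (the branch the ActiveSync body hits), or None for no match."""
    matched = check_921110(body)
    if matched is None:
        return None
    return "line-break" if matched[-1:] in (b"\r", b"\n") else "http-version"


# --- Constructed samples (not captured traffic) ---------------------------

# A smuggled request line embedded in a form body: the case the rule is for.
SMUGGLING = b"foo=bar\r\nGET /admin HTTP/1.1\r\nHost: internal\r\n"

# An ActiveSync-style SendMail body: a short made-up WBXML prefix, a MIME
# header block and an attachment whose text contains one line reading
# 'put bc/cvy7r7yfs0/a', the Matched Data from the reported log entry.
ACTIVESYNC_LIKE = (
    b"\x03\x01j\x00\x00\x15eq\x03\x00\x01\x08p\xc3\xe0\xdb_"
    b'From: "Sender" <sender@example.invalid>\r\n'
    b"To: Recipient <recipient@example.invalid>\r\n"
    b"Subject: testfr\r\n"
    b"Date: Fri, 20 Jun 2025 14:38:33 +0000\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"notes for the build\r\n"
    b"put bc/cvy7r7yfs0/a\r\n"
    b"end of file\r\n"
)

# A small plain-text mail with no method-looking line: should pass cleanly.
SMALL_MAIL = (
    b'From: "Sender" <sender@example.invalid>\r\n'
    b"Subject: hi\r\n"
    b"\r\n"
    b"short text body without attachment\r\n"
)


if __name__ == "__main__":
    for name, body in [("smuggling", SMUGGLING),
                       ("activesync-like", ACTIVESYNC_LIKE),
                       ("small-mail", SMALL_MAIL)]:
        print(f"{name:16s} branch={trigger_branch(body)} "
              f"data={check_921110(body)!r}")
```

The mail body matches on the `[\r\n]` branch: a line that starts with a method name, then whitespace and one token, then a bare line break, with no `HTTP/x` required. Any text or attachment content that happens to contain such a line is flagged whatever its size, so a larger attachment plausibly just raises the odds of one such line appearing. If the rule should stay active for the rest of the site, the usual ModSecurity 2.x mechanism is a runtime exclusion that drops only the REQUEST_BODY target for this URI, along the lines of `SecRule REQUEST_URI "@beginsWith /Microsoft-Server-ActiveSync" "id:10001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=921110;REQUEST_BODY"` (the rule id is an arbitrary local choice); be aware that this leaves ActiveSync bodies unchecked by 921110 while headers and arguments are still inspected.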
