SuperUser

Question

FortiWeb denies some uploaded files

Forum|Forum|1 year ago
January 6, 2025
6 replies
3152 views

Hi WAF admins

Sometimes my FortiWeb denies some uploaded files, just like pdf or png, and it logs an attack of type "generic attack" or "known exploit". The detected pattern can be something like this:

${�ǕN�������$�

Or something like that:

_/

I wonder if this is a real attack or just a false positive, since the signature is inside an uploaded file, while the string ${... looks like a kind of injection, and I think it should be blocked when it is in a form or in URL, not when it is in an uploaded binary data file.

Or maybe I'm misunderstanding something in WAF?

FortiWEB

Jean-Philippe_P

Staff & Editor

Hello dear Abdelkrim,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team

AEKAuthor

SuperUser

Thanks for your support, Philippe.

AEK

Jean-Philippe_P

Staff & Editor

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Jean-Philippe - Fortinet Community Team

Pedro_FTNT

Staff

Hi, do you have the logs ? Its possible reproduce ?? we need to take some captures also I could ask to dev team with information taken :)

AEKAuthor

SuperUser

Hi Pedro

Thanks for your response.

Yes the issue is always reproducible, is the same almost anytime I upload a file.

I'll try to share the related logs soon.

AEK

Pedro_FTNT

Staff

Hi, thanks, we could do a remote session to reproduce the issue and take, debugs, logs... :)

AEKAuthor

SuperUser

Hi Pedro

I could reproduce the same in my lab.

Here are some relevant screenshots. As mentioned it happens when I want to upload a file that contains a known attack signature.

Maybe it is worth mentioning that the protected server is Zimbra webmail.

AEK

skynode

New Member

FortiWeb might be flagging some uploaded files, like PDFs or PNGs, as potential threats due to patterns it detects, such as ${..., which resemble injection attempts. This could be a false positive, where the WAF interprets benign content in the file as an attack because it matches known signatures. To resolve this, review the file contents and the WAF's signature settings. If the files are safe, you can adjust the WAF to reduce false positives by fine-tuning the detection rules or excluding specific file types from scrutiny. This would help ensure that the WAF only blocks genuine threats while allowing legitimate files through.

AEKAuthor

SuperUser

I still think an uploaded file should be scanned with AV but it shouldn't be scanned for application attacks like we do with forms and URLs. Am I wrong?

AEK

AEKAuthor

SuperUser

We worked with TAC support and found that the issue happens on some servers and not seen on others, even if we try upload exactly the same file. This is because not all Web servers upload files in the same way. It seems for some upload methods FWB considers them differently and scans the file for attack signatures, while for other upload methods FWB uses only AV scan as expected. With TAC support we didn't go further, since the issue is not really related to FWB which is actually operating as expected.

As I’m not sot specialist in Web so I’m not aware of which upload methods are causing this issue. Any help on this topic will be welcome.

AEK

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded