Hi WAF admins
Sometimes my FortiWeb denies some uploaded files, such as PDF or PNG, and it logs an attack of type "generic attack" or "known exploit". The detected pattern can be something like this:
${�ǕN�������$�
Or something like that:
_/
I wonder if this is a real attack or just a false positive, since the signature is inside an uploaded file, while the string ${... looks like a kind of injection, and I think it should be blocked when it is in a form or in a URL, not when it is in an uploaded binary data file.
Or maybe I'm misunderstanding something about the WAF?
Hello dear Abdelkrim,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Thanks for your support, Philippe.
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Hi, do you have the logs? Is it possible to reproduce? We need to take some captures; I could also ask the dev team with the information taken :)
Hi Pedro
Thanks for your response.
Yes, the issue is always reproducible; it is the same almost any time I upload a file.
I'll try to share the related logs soon.
Hi, thanks, we could do a remote session to reproduce the issue and take debugs, logs... :)
Hi Pedro
It's a customer's FortiWeb, but I'll schedule the session if possible and let you know. Meanwhile, I'll share the logs you requested above.
Thanks a lot for your support, Pedro.
Hi Pedro
I could reproduce the same in my lab.
Here are some relevant screenshots. As mentioned it happens when I want to upload a file that contains a known attack signature.
Maybe it is worth mentioning that the protected server is Zimbra webmail.
FortiWeb might be flagging some uploaded files, like PDFs or PNGs, as potential threats due to patterns it detects, such as ${..., which resemble injection attempts. This could be a false positive, where the WAF interprets benign content in the file as an attack because it matches known signatures. To resolve this, review the file contents and the WAF's signature settings. If the files are safe, you can adjust the WAF to reduce false positives by fine-tuning the detection rules or excluding specific file types from scrutiny. This would help ensure that the WAF only blocks genuine threats while allowing legitimate files through.
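One way to triage a blocked upload offline, as an added example (not from the thread and not FortiWeb's detection logic): it checks the magic bytes for the PDF/PNG types mentioned above and measures how text-like the bytes following each `${` are. The `${` pattern, the 16-byte window, the 0.9 threshold and both sample inputs are assumptions constructed for illustration.

```python
import re

# Magic bytes of the two file types mentioned in the thread.
MAGIC = {b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png"}
# Assumed stand-in for the signature: the "${" opener seen in the log.
SIG = re.compile(rb"\$\{")
WINDOW = 16  # assumed number of bytes inspected after each match


def printable_ratio(chunk: bytes) -> float:
    """Fraction of bytes in chunk that are printable ASCII."""
    if not chunk:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in chunk) / len(chunk)


def triage_upload(data: bytes, threshold: float = 0.9):
    """Return (file_type, findings); a finding is (offset, ratio, verdict)."""
    ftype = next((name for magic, name in MAGIC.items()
                  if data.startswith(magic)), "unknown")
    findings = []
    for m in SIG.finditer(data):
        ratio = printable_ratio(data[m.end():m.end() + WINDOW])
        # A real expression is followed by readable text; compressed image
        # or stream data that merely contains "${" is followed by noise.
        verdict = ("review: text-like expression" if ratio >= threshold
                   else "likely coincidental binary match")
        findings.append((m.start(), ratio, verdict))
    return ftype, findings


# Constructed sample: PNG header, then compressed-looking bytes with "${".
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIDAT" +
              b"\x9c\x01${\xc7\x95N\xf0\xa1\xb2\xe3\x8d\x90\xff$\xee" +
              b"\x00" * 8)
# Constructed sample: a form field carrying a readable ${...} expression.
TEXT_SAMPLE = b"name=${user.home.dir.path}&x=1"

if __name__ == "__main__":
    for label, blob in (("png", PNG_SAMPLE), ("form", TEXT_SAMPLE)):
        print(label, triage_upload(blob))
```

A low printable ratio after the match on a file with valid magic bytes supports the false-positive reading; a text-like match is worth a closer look before any exception is added.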