Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

Created on ‎01-06-2025 10:51 AM Edited on ‎01-06-2025 10:52 AM

FortiWeb denies some uploaded files

Hi WAF admins

Sometimes my FortiWeb denies some uploaded files, just like pdf or png, and it logs an attack of type "generic attack" or "known exploit". The detected pattern can be something like this:

${�ǕN�������$�

Or something like that:

_/

I wonder if this is a real attack or just a false positive, since the signature is inside an uploaded file, while the string ${... looks like a kind of injection, and I think it should be blocked when it is in a form or in URL, not when it is in an uploaded binary data file.

Or maybe I'm misunderstanding something in WAF?

AEK
AEK
Labels:
819
0 Kudos
10 REPLIES 10
Jean-Philippe_P
Moderator
Moderator

Created on ‎01-08-2025 10:34 PM

Hello dear Abdelkrim, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
612
AEK
SuperUser
SuperUser
In response to Jean-Philippe_P

Created on ‎01-09-2025 05:55 AM

Thanks for your support, Philippe.

AEK
AEK
584
Jean-Philippe_P
Moderator
Moderator

Created on ‎01-10-2025 01:33 AM

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

Thanks,

Jean-Philippe - Fortinet Community Team
542
Pedro_FTNT
Staff
Staff

Created on ‎01-14-2025 09:48 AM

Hi, do you have the logs ? Its possible reproduce ?? we need to take some captures also I could ask to dev team with information taken :)

Pedro Ortiz Guzman
479
AEK
SuperUser
SuperUser
In response to Pedro_FTNT

Created on ‎01-15-2025 09:59 AM

Hi Pedro

Thanks for your response.

Yes the issue is always reproducible, is the same almost anytime I upload a file.

I'll try to share the related logs soon.

AEK
AEK
447
0 Kudos
Pedro_FTNT
Staff
Staff
In response to AEK

Created on ‎01-15-2025 11:51 AM

Hi, thanks, we could do a remote session to reproduce the issue and take, debugs, logs... :)

Pedro Ortiz Guzman
444
0 Kudos
AEK
SuperUser
SuperUser
In response to Pedro_FTNT

Created on ‎01-15-2025 11:59 AM

Hi Pedro

It's customer's FortiWeb but I'll schedule the session if possible and let you know. But meanwhile I'll share the logs you requested above.

Thanks a lot for your support, Pedro.

AEK
AEK
440
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎01-15-2025 11:41 PM

Hi Pedro

I could reproduce the same in my lab.

Here are some relevant screenshots. As mentioned it happens when I want to upload a file that contains a known attack signature.

Maybe it is worth mentioning that the protected server is Zimbra webmail.

 

fp1.pngfp2.pngfp3.png

AEK
AEK
413
0 Kudos
skynode
New Contributor

Created on ‎01-15-2025 11:44 PM

FortiWeb might be flagging some uploaded files, like PDFs or PNGs, as potential threats due to patterns it detects, such as ${..., which resemble injection attempts. This could be a false positive, where the WAF interprets benign content in the file as an attack because it matches known signatures. To resolve this, review the file contents and the WAF's signature settings. If the files are safe, you can adjust the WAF to reduce false positives by fine-tuning the detection rules or excluding specific file types from scrutiny. This would help ensure that the WAF only blocks genuine threats while allowing legitimate files through.

410
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.