Description of problem:
it appears that SecRequestBodyLimit uses the wrong units, the mod_security documentation states the default is 131072 KB, but the RPM seems to be set at 131072 B
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/modsecurity2-apache-reference.html#N10878

Version-Release number of selected component (if applicable):
mod_security-2.5.12-3.el5
httpd-2.2.3-63.el5_8.1

How reproducible:
do not alter mod_security defaults, attempt to submit form or upload image > 128kb

Steps to Reproduce:
1. do not alter mod_security defaults, attempt to submit form or upload image > 128kb, 413 error
2. update modsecurity_localrules.conf: SecRequestBodyLimit 8192000
3. successful upload

Actual results:
413: Request Entity Too Large or Internet Explorer Cannot open page error
Request body (Content-Length) is larger than the configured limit (131072)

Expected results:
200: OK

Additional info:

error_log:
[Wed Apr 25 16:12:19 2012] [error] [client x.x.x.x] ModSecurity: Request body (Content-Length) is larger than the configured limit (131072). [hostname "site.domain.com"] [uri "/admin/banner_edit.php"] [unique_id "U57nT8CoAisAAHDpH78AAAAE"]

modsec_audit:
--cb2a8e68-A--
[25/Apr/2012:16:12:19 --0500] U57nT8CoAisAAHDpH78AAAAE x.x.x.x 38808 y.y.y.y 80
--cb2a8e68-B--
POST /admin/banner_edit.php HTTP/1.0
Host: site.domain.com
Content-Length: 245046
Origin: http://site.domain.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHySJ12eVrqcnoLjq
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://site.domain.com/admin/banner_edit.php?type=type
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=87ac9f7-1350c6b6449-47ae7c19-193; __utma=97994624.1621275359.1320701487.1335379177.1335381370.97; __utmc=97994624; __utmz=97994624.1334755122.91.4.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); IS3_GSV=DPL-0_TES-1335385485_PCT-1335385485_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; __utma=185507454.1952222390.1334851061.1335295829.1335385485.14; __utmc=185507454; __utmz=185507454.1334851061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); IS3_History=1328016809-8-40_3--8+13--8+32--8+49--8__3-13-32-49_3-13-32-49; s_pers=%20s_vnum%3D1335416400541%2526vn%253D1%7C1335416400541%3B%20s_cpmcvp%3D%255B%255B'Other%252520Referrers-site.domain.com'%252C'1335295828634'%255D%252C%255B'Other%252520Referrers-client.domain.com'%252C'1335297466459'%255D%252C%255B'Other%252520Referrers-site.domain.com'%252C'1335385489756'%255D%252C%255B'Other%252520Referrers-client.domain.com'%252C'1335386737459'%255D%252C%255B'Other%252520Referrers-site.domain.com'%252C'1335387953657'%255D%255D%7C1493154353657%3B%20s_evar54%3D0%7C1335474354741%3B%20s_visit%3D1%7C1335389756065%3B%20gpv_pageName%3Dncc%252Fhttp%253A%252F%252Fsite.domain.com%252Fga%252Fatlanta%252Fqfece%252F%7C1335389756068%3B%20s_nr%3D1335387956076-Repeat%7C1366923956076%3B%20s_invisit%3Dtrue%7C1335389756083%3B; s_sess=%20s_ria%3Dflash%252011%257C%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_cm%3DOther%2520Natural%2520Referrersundefinedsite.domain.com%3B%20s_cpc%3D0%3B%20s_sq%3D%3B; PHPSESSID=95cceagm8jc98n0g7soso0v4i0
Via: 1.1 cudawf.domain.com:8080 (http_scan/4.0.2.6.19)
CUDA_CLIIP: z.z.z.z
Cache-Control: max-age=0
Connection: keep-alive
--cb2a8e68-F--
HTTP/1.1 413 Request Entity Too Large
Content-Length: 438
Connection: close
Content-Type: text/html; charset=iso-8859-1
--cb2a8e68-H--
Message: Request body (Content-Length) is larger than the configured limit (131072).
Stopwatch: 1335388339627855 1774 (- - -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
Server: Apache/2.2.3 (Red Hat)
--cb2a8e68-Z--

httpd.conf:
LimitRequestBody 8192000

# grep _max /etc/php.ini
log_errors_max_len = 1024
post_max_size = 8M
upload_max_filesize = 2M

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)

# rpm -qa | grep "http\|mod_sec"
mod_security-2.5.12-3.el5
httpd-2.2.3-63.el5_8.1

fix:
/etc/httpd/modsecurity.d/modsecurity_localrules.conf:
SecRequestBodyLimit 8192000
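
The report shows three separate request-body limits in play (httpd, ModSecurity, PHP). The following is an added example, not part of the original report or of mod_security: it normalises each limit to bytes and lists the layers that would refuse a given Content-Length. The sample config strings are constructed from the values quoted above, the function names are hypothetical, and treating a value of 0 as "no limit" is an assumption for SecRequestBodyLimit.

```python
import re

# Constructed inputs mirroring the values quoted in the report.
HTTPD_CONF = "LimitRequestBody 8192000\n"
MODSEC_CONF = "SecRequestBodyLimit 131072\n"  # the limit the error_log reports
PHP_INI = "log_errors_max_len = 1024\npost_max_size = 8M\nupload_max_filesize = 2M\n"
PHP_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def php_bytes(value):
    """Convert PHP shorthand (8M, 512K, 1G or a plain byte count) to bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", value.strip().upper())
    if not m:
        raise ValueError(f"unrecognised PHP size: {value!r}")
    return int(m.group(1)) * PHP_UNITS[m.group(2)]

def directive(text, name):
    """Last uncommented 'Name <bytes>' Apache-style directive as int, or None."""
    found = re.findall(rf"(?mi)^\s*{re.escape(name)}\s+(\d+)\s*$", text)
    return int(found[-1]) if found else None

def ini_value(text, key):
    """Value of an uncommented 'key = size' php.ini line in bytes, or None."""
    m = re.search(rf"(?mi)^\s*{re.escape(key)}\s*=\s*(\S+)", text)
    return php_bytes(m.group(1)) if m else None

def body_limits(httpd, modsec, php):
    """Whole-request body limits per layer, all expressed in bytes."""
    limits = [
        ("httpd LimitRequestBody", directive(httpd, "LimitRequestBody")),
        ("ModSecurity SecRequestBodyLimit", directive(modsec, "SecRequestBodyLimit")),
        ("PHP post_max_size", ini_value(php, "post_max_size")),
    ]
    # Unset layers are skipped; 0 is treated as "no limit" (assumed for ModSecurity).
    return [(name, value) for name, value in limits if value]

def rejecting_layers(content_length, limits):
    """Names of the layers whose byte limit is below the request's Content-Length."""
    return [name for name, value in limits if content_length > value]

if __name__ == "__main__":
    limits = body_limits(HTTPD_CONF, MODSEC_CONF, PHP_INI)
    for name, value in limits:
        print(f"{name}: {value} bytes")
    print("rejects Content-Length 245046:", rejecting_layers(245046, limits))
```

upload_max_filesize is a per-file limit rather than a whole-body limit, so it is parsed separately with ini_value() and compared against the file size instead of Content-Length.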
The image being uploaded was a 238KB PNG.
Can you check if this issue is still reproducible with the latest mod_security and mod_security_crs from epel-testing?