How to Fix the Error – ModSecurity: Access denied with code 44 [Apache]
- Thursday, April 28, 2016 By David Peter
Question: I was trying to upload a PDF file of size 2MB in MediaWiki and was hit with a 500 internal server error, and this error seems to occur whenever I upload a larger file. I quickly verified php.ini, which had the below values:
upload_max_filesize = 32M
post_max_size = 20M
and below is the snapshot of httpd error_log.
ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.
I’m using Apache and MediaWiki version 1.23.
The maximum file upload size and POST size can be controlled in two ways: via php.ini and via the mod_security extension.
Check whether the mod_security extension is enabled in the web server, as shown below:
# apachectl -M |grep security
You may also look for the modsecurity.d folder under /etc/httpd and the mod_security.conf file in /etc/httpd/conf.d/ (the Apache installation path might be different on your system).
Note: By default, mod_security is enabled in Apache and it loads a few recommended configurations as well.
Open the /etc/httpd/conf.d/mod_security.conf file and look for the below line:
You may turn Off SecRuleEngine (SecRuleEngine Off) or adjust the values of SecRequestBodyLimit and SecRequestBodyNoFilesLimit.
Warning: It’s not a good practice to disable mod_security, as it’s a web application firewall that prevents SQL injection, cross-site scripting attacks, session hijacking, bad user agents and other malicious bots. Instead, adjust the below variables.
# 12.5 MB
SecRequestBodyLimit 13107200
# 128 KB
SecRequestBodyNoFilesLimit 131072
Once done, you need to restart the Apache web server:
# /etc/init.d/httpd restart
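Because php.ini and mod_security each impose their own limit, the smallest one decides which uploads get through. The following script is an added example, not part of the original article: it compares the values quoted on this page and reports which directive would reject a request of a given size. The function names and the embedded file contents are assumptions made for the example.

```python
import re

# PHP shorthand suffixes are powers of 1024 (K, M, G).
_PHP_UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}

def php_size(value):
    """Convert a php.ini size such as '32M' to bytes."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip().upper())
    if not m:
        raise ValueError(f"unrecognised php.ini size: {value!r}")
    return int(m.group(1)) * _PHP_UNITS[m.group(2)]

def read_directives(text, sep=None):
    """Return {name: value}; sep='=' for php.ini, None (whitespace) for Apache."""
    out = {}
    for line in text.splitlines():
        # Drop comments (# in Apache config, ; in php.ini) and blank lines.
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        parts = line.split(sep, 1)
        if len(parts) == 2:
            out[parts[0].strip()] = parts[1].strip()
    return out

def upload_limits(php_ini, modsec_conf):
    """Byte limits that apply to a file-upload request, smallest first."""
    php = read_directives(php_ini, "=")
    sec = read_directives(modsec_conf)
    limits = {
        "upload_max_filesize": php_size(php["upload_max_filesize"]),
        "post_max_size": php_size(php["post_max_size"]),
        # SecRequestBodyLimit is given in plain bytes.
        "SecRequestBodyLimit": int(sec["SecRequestBodyLimit"]),
    }
    return sorted(limits.items(), key=lambda kv: kv[1])

def blocking_directives(size_bytes, php_ini, modsec_conf):
    """Names of the limits that a request of size_bytes would exceed."""
    return [n for n, cap in upload_limits(php_ini, modsec_conf) if size_bytes > cap]

# Values quoted on this page; the file layout is constructed for the example.
PHP_INI = "upload_max_filesize = 32M\npost_max_size = 20M\n"
MODSEC_CONF = "SecRequestBodyLimit 13107200\nSecRequestBodyNoFilesLimit 131072\n"

if __name__ == "__main__":
    for name, cap in upload_limits(PHP_INI, MODSEC_CONF):
        print(f"{name:22} {cap:>10} bytes")
    print("16 MB request blocked by:", blocking_directives(16 * 1024**2, PHP_INI, MODSEC_CONF))
```

With the values above, SecRequestBodyLimit is the tightest limit, so raising only the php.ini settings would not change which uploads are rejected.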
If you are using shared web hosting and do not have administrator privileges to restart the web server, then you can create a .htaccess file as shown below.
#Using .htaccess file to turn Off SecRuleEngine
# SecFilterEngine and SecFilterScanPOST are ModSecurity 1.x directives;
# this block is skipped when mod_security.c is not the loaded module.
<IfModule mod_security.c>
  <Files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
  </Files>
</IfModule>
The above snippet turns off mod_security filtering for async-upload.php. That’s it!