How to Fix the Error – ModSecurity: Access denied with code 44 [Apache]

Updated on September 2, 2017

Question: I was trying to upload a PDF file of size 2MB in MediaWiki and hit with 500 internal server error and this error seems to occur whenever I upload a larger file. I quickly verified php.ini, which had the below values:

upload_max_filesize = 32M
post_max_size = 20M

and below is the snapshot of httpd error_log.

ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

I’m using Apache and MediaWiki version 1.23.

increase file upload limit


The maximum file upload size and POST size can be controlled in two ways – via php.ini and mod_security extension.

Check whether the web server is enabled with mod_security extension as shown below:

# apachectl -M |grep security

You may also look for modsecurity.d folder under /etc/httpd and mod_security.conf file in /etc/httpd/conf.d/. (the Apache installation path might be different in your system).

Note: By default, mod_security is enabled in Apache and it loads few recommended configurations as well.

Open /etc/httpd/conf.d/mod_security.conf file and lookout for the below line:

SecRuleEngine On

You may turn Off SecRuleEngine (SecRuleEngine Off) or adjust the values of SecRequestBodyLimit and SecRequestBodyNoFilesLimit.

Warning: It’s not a good practice to disable mod_security, as it’s a web application firewall that prevents SQL Injection, cross site scripting attack, session hijacking, bad user agents and other malicious bots. Instead, adjust the below variables.

SecRequestBodyLimit 13107200          #12.5 MB
SecRequestBodyNoFilesLimit 131072  #128kb

Once done, you need to restart the Apache web server

# /etc/init.d/httpd restart

In case, if you are using a shared web hosting and does not have administrator privilege to restart the web server, then you can create .htaccess file as shown below.

#Using .htaccess file to turn Off SecRuleEngine

<IfModule mod_security.c>
 <Files async-upload.php>
 SecFilterEngine Off
 SecFilterScanPOST Off

The above snippet will turn of async-upload.php. That’s it!

Was this article helpful?

Related Articles

Leave a Comment