Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 18.104.22.168 ModSecurity: Multipart parsing error (init): Multipart: Boundary not found in C-T. [hostname "etax14.ird.gov.hk"] [uri "/something/upload;jsessionid=F1F9D75407997C79035080C826DAC34A.node2"] [unique_id "YaT7xZiKmLFAVfbHhByOVgAAABM"]
The error means that the client sent an invalid multipart message (it could be an attack, or it could be a broken client). Specifically, this happens when the client sends a boundary that contains an invalid character. According to RFC 2046, the characters allowed in the boundary are as follows:
boundary := 0*69<bchars> bcharsnospace
bchars := bcharsnospace / " "
bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?"
The check is internal to ModSecurity (it's not a rule). The message means that ModSecurity cannot make sense of the multipart message and couldn't parse it. In blocking mode, the rules in 00_asl_z_antievasion.conf will block the request. In detect-only mode you'll just see an error that ModSecurity couldn't parse the message, and the client can bypass the WAF.
Attackers use this method to try to bypass WAFs (if the WAF can't reassemble the message, it can't inspect it), chiefly to try to upload malware or other files to the targeted system.
If this isn't a known valid user, it could be that an attacker was attempting to bypass the WAF. To prevent these bypasses, ensure that 00_asl_z_antievasion.conf is loaded and that the WAF is in blocking mode.
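To tell a broken client from a malformed upload attempt when reviewing such requests, the Content-Type value can be checked against the RFC 2046 boundary grammar quoted above. The following is an added example, not ModSecurity's own parser and not code from the original page; the function names, verdict strings and sample headers are constructed for illustration.

```python
import re

# RFC 2046: boundary := 0*69<bchars> bcharsnospace (1 to 70 chars, no trailing space)
NOSPACE = r"0-9A-Za-z'()+_,\-./:=?"
BOUNDARY_RE = re.compile(rf"[{NOSPACE} ]{{0,69}}[{NOSPACE}]")
# boundary parameter as a quoted-string or a bare token; parameter names are case-insensitive
PARAM_RE = re.compile(r';\s*boundary\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]*))', re.I)


def check_boundary(content_type):
    """Classify the boundary parameter of a Content-Type header value."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if not media_type.startswith("multipart/"):
        return "not-multipart"
    match = PARAM_RE.search(content_type)
    if match is None:
        return "missing"          # the "Boundary not found in C-T" case
    quoted, bare = match.groups()
    # Undo backslash escapes inside a quoted-string before validating it
    boundary = re.sub(r"\\(.)", r"\1", quoted) if quoted else (bare or "")
    if not boundary:
        return "empty"
    if len(boundary) > 70:
        return "too-long"
    if boundary.endswith(" "):
        return "trailing-space"
    if not BOUNDARY_RE.fullmatch(boundary):
        return "invalid-char"
    return "ok"


# Constructed sample Content-Type values (not taken from real traffic)
SAMPLES = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "multipart/form-data",
    'multipart/form-data; boundary="abc;def"',
    'multipart/form-data; boundary="' + "a" * 71 + '"',
    'multipart/form-data; boundary="abc "',
    "application/json",
]


def triage(headers):
    """Return (header, verdict) for every multipart header that fails the check."""
    return [(h, v) for h in headers if (v := check_boundary(h)) not in ("ok", "not-multipart")]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLES):
        print(f"{verdict:15} {header[:60]}")
```

Repeated failures from one client with otherwise well-formed requests point toward a broken client; a single malformed upload to a sensitive URI deserves a closer look.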