Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 438724 (CVE-2012-4528) - <www-apache/mod_security-2.7.0: multipart/invalid part ruleset bypass (CVE-2012-4528)
Summary: <www-apache/mod_security-2.7.0: multipart/invalid part ruleset bypass (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2012-4528
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-17 17:33 UTC by Agostino Sarubbo
Modified: 2012-12-16 22:05 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-10-17 17:33:36 UTC
From fulldisclosure:

SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >
=======================================================================
              title: ModSecurity multipart/invalid part ruleset bypass
            product: ModSecurity
 vulnerable version: <= 2.6.8
      fixed version: 2.7.0
         CVE number: -
             impact: Depends what you use it for
           homepage: http://www.modsecurity.org/
              found: 2012-10-12
                 by: Bernhard Mueller
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vulnerability overview/description:
-----------------------------------
Validation of POST parameters can be bypassed on Apache/PHP installations by
sending specially formed multipart requests. A POST parameter's content can be
hidden from ModSecurity by prepending an invalid part. This first part
contains only a Content-Disposition header and has an additional carriage
return inserted at the end of the line ([\r\r\n]). This is followed by a
boundary in the next line and another Content-Disposition header with a
filename. The request content looks like this (newlines are all \r\n except in
line 2).

--A
Content-Disposition: form-data; name="id"[\r][\r][\n]
--A
Content-Disposition: form-data; name="lol"; filename="x"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

--A--

ModSecurity skips what it believes to be an invalid first part and proceeds to
parse the second part. This part is treated as a file and not checked against
the ruleset.

PHP however treats the whole thing as a single part and processes only the
first Content-Disposition header, ignoring the second one. In the opinion of
PHP this request contains a POST parameter with the name specified in the
first header.
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-10-18 04:59:54 UTC
Status update.

I'm testing ModSec 2.7 on my blog. It requires modsecurity-crs-2.2.6 as well to work or Apache won't start. But even then the optional/experimental rules won't work. So I'm not sure.

Can somebody judge the severity and tell me how much should I push for this?
Comment 2 Sean Amoss gentoo-dev Security 2012-10-24 00:01:34 UTC
(In reply to comment #1)
> Status update.
> 
> I'm testing ModSec 2.7 on my blog. It requires modsecurity-crs-2.2.6 as well
> to work or Apache won't start. But even then the optional/experimental rules
> won't work. So I'm not sure.
> 
> Can somebody judge the severity and tell me how much should I push for this?

If you were looking for a severity rating from the security team: attackers would be able to bypass filtering rules. Target delay: 20 days.
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-10-25 17:42:59 UTC
Sounds good, feel free to ask for stable whenever it's convenient, my tests are vastly (although not absolutely) positive.
Comment 4 Sean Amoss gentoo-dev Security 2012-11-14 00:11:45 UTC
Arches, please test and mark stable:
=www-apache/mod_security-2.7.0
Target KEYWORDS="amd64 ppc sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-11-14 13:35:04 UTC
amd64 stable
Comment 6 Andreas Schürch gentoo-dev 2012-11-15 14:49:04 UTC
x86 done, together with modsecurity-crs-2.2.6-r1.
Comment 7 Anthony Basile gentoo-dev 2012-11-24 22:46:07 UTC
stable ppc
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-12-15 20:12:27 UTC
sparc stable
Comment 9 Sean Amoss gentoo-dev Security 2012-12-16 14:33:22 UTC
Thanks, everyone. 

GLSA vote: no.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 22:05:49 UTC
Vote: no. Closing noglsa.