[ https://www.modsecurity.org/tracker/browse/MODSEC-155?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto resolved MODSEC-155.
--------------------------------------
Resolution: Cannot Reproduce
> MULTIPART_UNMATCHED_BOUNDARY in multipart form
> ----------------------------------------------
>
> Key: MODSEC-155
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-155
> Project: ModSecurity
> Issue Type: Improvement
> Security Level: Normal
> Components: Core
> Affects Versions: 2.5.11
> Environment: RHEL4 + built httpd-2.2.14
> Reporter: kuRt
> Assignee: Breno Silva Pinto
> Fix For: 2.7.0
>
> Attachments: 1adb435b.gz, 20e02773.gz, b661a066.gz
>
>
> Some petitions are filtered like a MULTIPART_UNMATCHED_BOUNDARY (SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'")
> These petitions try to send POST data via a multipart form.
> The main problem is that we can't extract the scenario that sets this variable = 1, because only some petitions are blocked and no obvious differences/similarities have been observed.
> I've been searching online but no similar problems have been submitted.
> I've been following the source code of the parser to try to understand the reason:
> , the function that activates the MULTIPART_UNMATCHED_BOUNDARY modSec var:
> (apache2/re_variables.c #1407)
> ***************************************************************
> static int var_multipart_unmatched_boundary_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
>     apr_table_t *vartab, apr_pool_t *mptmp)
> {
> ->  if ((msr->mpd != NULL)&&(msr->mpd->flag_unmatched_boundary != 0)) {
>         return var_simple_generate(var, vartab, mptmp, "1");
>     } else {
>         return var_simple_generate(var, vartab, mptmp, "0");
>     }
> }
> ***************************************************************
> , and the sets of the flag_unmatched_boundary:
> (apache2/msc_multipart.c #979)
> ***************************************************************
> /* Do we have something that looks like a boundary? */
> if (   msr->mpd->buf_contains_line
>     && (strlen(msr->mpd->buf) > 3)
>     && (*(msr->mpd->buf) == '-')
>     && (*(msr->mpd->buf + 1) == '-') )
> {
>
>     /* Does it match our boundary? */
>     if (   (strlen(msr->mpd->buf) >= strlen(msr->mpd->boundary) + 2)
>         && (strncmp(msr->mpd->buf + 2, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0) )
>     {
>         ....
>         ....
>         ....
>     } else { /* It looks like a boundary but we couldn't match it. */
>         char *p = NULL;
>         /* Check if an attempt to use quotes around the boundary was made. */
>         if (   (msr->mpd->flag_boundary_quoted)
>             && (strlen(msr->mpd->buf) >= strlen(msr->mpd->boundary) + 3)
>             && (*(msr->mpd->buf + 2) == '"')
>             && (strncmp(msr->mpd->buf + 3, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0)
>         ) {
>             msr->mpd->flag_error = 1;
>             *error_msg = apr_psprintf(msr->mp, "Multipart: Invalid boundary (quotes).");
>             return -1;
>         }
>         /* Check the beginning of the boundary for whitespace. */
>         p = msr->mpd->buf + 2;
>         while(isspace(*p)) {
>             p++;
>         }
>         if (   (p != msr->mpd->buf + 2)
>             && (strncmp(p, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0)
>         ) {
>             /* Found whitespace in front of a boundary. */
>             msr->mpd->flag_error = 1;
>             *error_msg = apr_psprintf(msr->mp, "Multipart: Invalid boundary (whitespace).");
>             return -1;
>         }
> ->      msr->mpd->flag_unmatched_boundary = 1;
>     }
>
> } else { /* We do not think the buffer contains a boundary. */
>     /* Look into the buffer to see if there's anything
>      * there that resembles a boundary.
>      */
>     if (msr->mpd->buf_contains_line) {
>         int i, len = (MULTIPART_BUF_SIZE - msr->mpd->bufleft);
>         char *p = msr->mpd->buf;
>         for(i = 0; i < len; i++) {
>             if ((p[i] == '-') && (i + 1 < len) && (p[i + 1] == '-'))
>             {
>                 if (strncmp(p + i + 2, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0) {
> ->                  msr->mpd->flag_unmatched_boundary = 1;
>                     break;
>                 }
>             }
>         }
>     }
> }
> ***************************************************************
> As a temporary solution, I've modified this rule to not deny the petition, but I'm worried about whether this can be a security problem.
> PS: This problem is related by the ModSec of every vhost instance of the HTTPd, but the POST petition is just launched over one vhost. Is it normal?
> PS2: I'm not sure about the issue type, it might be an improvement or a bug?
> Does anyone have similar problems?
> Any feedback will be appreciated.
> Thanks in advance and excuse my bad English.
> Regards,
> --
> kurt
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
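
For triaging which request bodies trip this rule, the following added example (not part of the original report and not ModSecurity's own code) replays the per-line decision from the quoted msc_multipart.c excerpt as a stand-alone function. Assumptions: classify_line, the verdict names, the boundary value and the sample lines are constructed for illustration, each line is passed complete and without its line terminator, and the elided matched-boundary branch is reduced to a single MATCHED result.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { NO_BOUNDARY, MATCHED, ERR_QUOTES, ERR_WHITESPACE, UNMATCHED };

/* Classify one complete body line the way the quoted excerpt does.
 * `quoted` stands in for msr->mpd->flag_boundary_quoted (hypothetical name). */
enum verdict classify_line(const char *buf, const char *boundary, int quoted)
{
    size_t blen = strlen(boundary), len = strlen(buf), i;

    if (len > 3 && buf[0] == '-' && buf[1] == '-') {
        const char *p = buf + 2;
        if (len >= blen + 2 && strncmp(buf + 2, boundary, blen) == 0)
            return MATCHED;
        if (quoted && len >= blen + 3 && buf[2] == '"'
            && strncmp(buf + 3, boundary, blen) == 0)
            return ERR_QUOTES;      /* "Invalid boundary (quotes)" */
        while (isspace((unsigned char)*p))
            p++;
        if (p != buf + 2 && strncmp(p, boundary, blen) == 0)
            return ERR_WHITESPACE;  /* "Invalid boundary (whitespace)" */
        return UNMATCHED;   /* starts with "--" but is not our boundary */
    }
    /* Line does not start with "--": look for "--<boundary>" inside it. */
    for (i = 0; i + 1 < len; i++)
        if (buf[i] == '-' && buf[i + 1] == '-'
            && strncmp(buf + i + 2, boundary, blen) == 0)
            return UNMATCHED;
    return NO_BOUNDARY;
}

int main(void)
{
    /* Constructed sample lines; the boundary value is made up. */
    const char *boundary = "AaB03x";
    const char *lines[] = { "--AaB03x", "--AaB03x--", "-- AaB03x",
        "-- drop old rows", "--- a/file.c", "see --AaB03x here",
        "plain text" };
    size_t n;
    for (n = 0; n < sizeof lines / sizeof lines[0]; n++)
        printf("%d  %s\n", classify_line(lines[n], boundary, 0), lines[n]);
    return 0;
}
```

Under this logic, any line in a part's content that merely begins with two dashes (a SQL comment, a diff header) returns UNMATCHED, which is the condition the quoted SecRule denies on.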