[Mod-security-developers] [JIRA] Resolved: (MODSEC-155) MULTIPART_UNMATCHED_BOUNDARY in multipart f
Brought to you by:
victorhora,
zimmerletw
From: Breno S. P. (JIRA) <no...@mo...> - 2012-05-10 23:58:27
|
[ https://www.modsecurity.org/tracker/browse/MODSEC-155?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Breno Silva Pinto resolved MODSEC-155. -------------------------------------- Resolution: Cannot Reproduce > MULTIPART_UNMATCHED_BOUNDARY in multipart form > ---------------------------------------------- > > Key: MODSEC-155 > URL: https://www.modsecurity.org/tracker/browse/MODSEC-155 > Project: ModSecurity > Issue Type: Improvement > Security Level: Normal > Components: Core > Affects Versions: 2.5.11 > Environment: RHEL4 + builded httpd-2.2.14 > Reporter: kuRt > Assignee: Breno Silva Pinto > Fix For: 2.7.0 > > Attachments: 1adb435b.gz, 20e02773.gz, b661a066.gz > > > Some petitions are filtered like a MULTIPART_UNMATCHED_BOUNDARY (SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.) > This petitions tries to send POST data via multipart form. > The main problem is that we can't extract the scenario that sets this variable = 1, because just some petitions are blocked and not been observed obvious diferences/similitudes. > I've been searching online but no similar problems are submited. > I've been follow the source code of the parser to tries to understand the reason: > , the function that activates the MULTIPART_UNMATCHED_BOUNDARY modSec var: > (apache2/re_variables.c #1407) > *************************************************************** > static int var_multipart_unmatched_boundary_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, > apr_table_t *vartab, apr_pool_t *mptmp) > { > -> if ((msr->mpd != NULL)&&(msr->mpd->flag_unmatched_boundary != 0)) { > return var_simple_generate(var, vartab, mptmp, "1"); > } else { > return var_simple_generate(var, vartab, mptmp, "0"); > } > } > *************************************************************** > , and the sets of the flag_unmatched_boundary: > (apache2/msc_multipart.c #979) > *************************************************************** > /* Do we have something that looks like a boundary? */ > if ( msr->mpd->buf_contains_line > && (strlen(msr->mpd->buf) > 3) > && (*(msr->mpd->buf) == '-') > && (*(msr->mpd->buf + 1) == '-') ) > { > > /* Does it match our boundary? */ > if ( (strlen(msr->mpd->buf) >= strlen(msr->mpd->boundary) + 2) > && (strncmp(msr->mpd->buf + 2, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0) ) > { > .... > .... > .... > } else { /* It looks like a boundary but we couldn't match it. */ > char *p = NULL; > /* Check if an attempt to use quotes around the boundary was made. */ > if ( (msr->mpd->flag_boundary_quoted) > && (strlen(msr->mpd->buf) >= strlen(msr->mpd->boundary) + 3) > && (*(msr->mpd->buf + 2) == '"') > && (strncmp(msr->mpd->buf + 3, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0) > ) { > msr->mpd->flag_error = 1; > *error_msg = apr_psprintf(msr->mp, "Multipart: Invalid boundary (quotes)."); > return -1; > } > /* Check the beginning of the boundary for whitespace. */ > p = msr->mpd->buf + 2; > while(isspace(*p)) { > p++; > } > if ( (p != msr->mpd->buf + 2) > && (strncmp(p, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0) > ) { > /* Found whitespace in front of a boundary. */ > msr->mpd->flag_error = 1; > *error_msg = apr_psprintf(msr->mp, "Multipart: Invalid boundary (whitespace)."); > return -1; > } > -> msr->mpd->flag_unmatched_boundary = 1; > } > > } else { /* We do not think the buffer contains a boundary. */ > /* Look into the buffer to see if there's anything > * there that resembles a boundary. > */ > if (msr->mpd->buf_contains_line) { > int i, len = (MULTIPART_BUF_SIZE - msr->mpd->bufleft); > char *p = msr->mpd->buf; > for(i = 0; i < len; i++) { > if ((p[i] == '-') && (i + 1 < len) && (p[i + 1] == '-')) > { > if (strncmp(p + i + 2, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0) { > -> msr->mpd->flag_unmatched_boundary = 1; > break; > } > } > } > } > } > *************************************************************** > As a temporal solution, I've modified this rule to not deny the petition, but i'm worried about if this can we a security problem. > PD: This problem is related by the ModSec of every vhost instance of the HTTPd, but the POST petition is just launched over one vhost. Is it normal? > PD2: I'm not sure about the issue type, it might be a improvement or a bug? > Anyone have similar problems? > Any feedback will be appreciated. > Thanks in advance and excuse my bad english. > Regards, > -- > kurt -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira |