Thread: [mod-security-users] Multipart: invalid Content-Disposition header (-11)?

Brought to you by: victorhora, zimmerletw

mod-security-users

[mod-security-users] Multipart: invalid Content-Disposition header (-11)?

From: Gerwin K. -|- D. W. <ge...@di...> - 2006-02-16 08:44:38

Heya Ivan and others :)

Some customer trying to upload certain stuff gets the following error:

[Thu Feb 16 00:19:29 2006] [error] [client 80.57.1.99] mod_security
Access denied with code 406. Error processing request body: Multipart:
invalid Content-Disposition header (-11): form-data;
name="uploadedFiles0"; filename="DSCF1848.jpg"; modification-date="ma,
13 feb 2006 13:03:48 CET" [hostname "www.xxxxx.nl"] [uri
"/cms/adm_meetings_upload.php"] [unique_id "iy26GsGKnQQAABAuYQYAAAAd"]

No clue what this means, a little glitch?

Greetings,
Gerwin

Re: [mod-security-users] Multipart: invalid Content-Disposition header (-11)?

From: Ivan R. <iv...@we...> - 2006-02-16 09:19:40

Gerwin Krist -|- Digitalus Webhosting wrote:
> Heya Ivan and others :)
> 
> Some customer trying to upload certain stuff gets the following error:
> 
> [Thu Feb 16 00:19:29 2006] [error] [client 80.57.1.99] mod_security
> Access denied with code 406. Error processing request body: Multipart:
> invalid Content-Disposition header (-11): form-data;
> name="uploadedFiles0"; filename="DSCF1848.jpg"; modification-date="ma,
> 13 feb 2006 13:03:48 CET" [hostname "www.xxxxx.nl"] [uri
> "/cms/adm_meetings_upload.php"] [unique_id "iy26GsGKnQQAABAuYQYAAAAd"]
> 
> No clue what this means, a little glitch?

  The Content-Disposition header of the multipart part appears to
  be invalid. The "modification-date" attribute is not defined in
  the multipart RFC and this is the first time I encounter someone
  using it. The content of the parameter does not appear to be
  valid either: "ma, 13 feb 2006 13:03:48 CET".

  The problem with many of the relevant RFCs is that they are open
  to interpretation. For example RFC 2183 describes the format of
  the Content-Disposition header when used in MIME messages but none
  of the parameter make sense when used in context of the multipart
  upload.

  Which browser/device was used to submit this request?

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: [mod-security-users] Multipart: invalid Content-Disposition header (-11)?

From: Ivan R. <iv...@we...> - 2006-02-16 13:20:37

Gerwin Krist -|- Digitalus Webhosting wrote:
> Hmmm well I dunno exactly whats this customer is using. I figured out
> that customer is using Jupload (http://jupload.biz/) .

  I think JUpload is wrong here, but I've contacted the developers
  to see if they are actually using that parameter for anything.

  I will also consider whether accepting unknown header parameters
  is dangerous or not. Maybe I can relax mod_security checks. ModSecurity
  is strict to reduce the possibility of someone exploiting impedance
  mismatch in parsing.

  In the meantime: commenting out the line "else return -11;" (in
  the ModSecurity source code, of course) should allow the request
  through.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: [mod-security-users] Multipart: invalid Content-Disposition header (-11)?

From: Ivan R. <iv...@we...> - 2006-02-17 21:13:59

Ivan Ristic wrote:
> Gerwin Krist -|- Digitalus Webhosting wrote:
>> Hmmm well I dunno exactly whats this customer is using. I figured out
>> that customer is using Jupload (http://jupload.biz/) .
> 
> I think JUpload is wrong here, but I've contacted the developers
> to see if they are actually using that parameter for anything.

  I just heard from the JUpload developers. They are not using
  the header. They have also removed it from their application in
  their most recent build.

> I will also consider whether accepting unknown header parameters
> is dangerous or not. Maybe I can relax mod_security checks. ModSecurity
> is strict to reduce the possibility of someone exploiting impedance
> mismatch in parsing.

  I am still considering my options here. At the moment I am
  leaning toward introducing a bunch of options to allow for
  better control of the implicit checks. This would be nice to have
  if someone encounters a similar problem in the future.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall