php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81987 Incomplete Multipart/form-data but is passed to PHP
Submitted: 2023-03-10 16:08 UTC Modified: 2023-03-12 01:38 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: me dot ekixu at gmail dot com Assigned:
Status: Open Package: HTTP related
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2023-03-10 16:08 UTC] me dot ekixu at gmail dot com 
Description:
------------
PHP passed Incomplete Multipart/form-data that conflicts with the requirements set by the RFC. It can cause WAF evasion.

As an example

```
POST / HTTP/1.1
User-Agent: Chrome/104.0.5112.102
Accept: */*
Host: 127.0.0.1:5980
Content-Length: 105
Content-Type:multipart/form-data;boundary=boundary

--boundary
Content-Disposition:name="id
1' union select 1,group_concat(user,0x3a,password) from users #
```

First according to RFC1867 there need a form-data token in Content-Disposition header 

Then A CRLF token to terminated sub-headers is excpet after Content-Disposition sub-header according to RFC1867

And The closing boundary which required by RFC1521 is also missing.

Not to mention that the name paramter have an unclosed quotation mark.

According to RFCs. A HTTP Request with multipart/form-data should like this

```
POST / HTTP/1.1
User-Agent: Chrome/104.0.5112.102
Cookie: PHPSESSID=r7kcra0ri3qln9hg7341loh3v7; security=low;
Accept: */*
Host: 127.0.0.1:5980
Content-Length: 130
Content-Type:multipart/form-data;boundary=boundary

--boundary
Content-Disposition:form-data;name="id"

1' union select 1,group_concat(user,0x3a,password) from users #
--boundary
```

However both of them can be passed by php server. As for SECURITY CONSIDERATIONS. It might be used by attack to bypass WAFs.(we had report this to related WAF vendors)





Test script:
---------------
We deploy the server behind nginx in php-fpm mode using docker-compose

```
version: '3'
services:
    web:
        image: nginx:latest
        ports:
            - "5980:80"
        volumes:
            - ./app:/home/wwwroot/
            - ./config/nginx/site.conf:/etc/nginx/conf.d/default.conf
        networks:
            - code-network
    php:
        image: php:7.4-fpm
        volumes:
            - ./app:/home/wwwroot/
        networks:
            - code-network
networks:
    code-network:
        driver: bridge
```

We've test php version from 5.6-fpm to the latest 8.2-fpm

And here is the server side script we used to detect $_POST values

```
<?php

var_dump("POST:",$_POST);
```



Expected result:
----------------
HTTP/1.1 200 OK
Server: nginx/1.23.3
Date: Fri, 10 Mar 2023 14:37:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Content-Length: 31

string(5) "POST:"
array(0) {
}


Actual result:
--------------
HTTP/1.1 200 OK
Server: nginx/1.23.3
Date: Fri, 10 Mar 2023 14:32:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Content-Length: 121

string(5) "POST:"
array(1) {
  ["id"]=>
  string(63) "1' union select 1,group_concat(user,0x3a,password) from users #"
}

Patches

christian.sewing (last revision 2023-03-13 05:34 UTC by christian dot sewing at db dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-03-12 01:38 UTC] stas@php.net
-Type: Security +Type: Bug
 [2023-03-13 05:34 UTC] christian dot sewing at db dot com 
The following patch has been added/updated:

Patch Name: christian.sewing
Revision:   1678685649
URL:        https://bugs.php.net/patch-display.php?bug=81987&patch=christian.sewing&revision=1678685649
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved. 		Last updated: Wed Mar 29 20:03:46 2023 UTC