Vigil@nce - ModSecurity: bypassing rules with PHP
November 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a special HTTP multipart/form-data query, in
order to bypass security rules of ModSecurity.
Impacted products: Unix (platform)
Severity: 2/4
Creation date: 17/10/2012
DESCRIPTION OF THE VULNERABILITY
The ModSecurity module can be installed on Apache httpd. It
contains security rules, in order to block malicious queries.
An HTTP query can use the MIME multipart/form-data format to store
data coming from a form entered by the user.
When PHP is installed on Apache httpd, it accepts
multipart/form-data queries containing two ’\r’ characters at the
end of the Content-Disposition header. However, ModSecurity does
not recognize this invalid parameter format, and thus does not
block a potential attack contained in the HTTP query.
An attacker can therefore use a special HTTP multipart/form-data
query, in order to bypass security rules of ModSecurity.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ModSecurity-bypassing-rules-with-PHP-12080