Vigil@nce - ModSecurity: bypassing rules with PHP
July 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a special HTTP multipart/form-data query, in
order to bypass security rules of ModSecurity.
Severity: 2/4
Creation date: 18/06/2012
IMPACTED PRODUCTS
– Debian Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The ModSecurity module can be installed on Apache httpd. It
contains security rules, in order to block malicious queries.
An HTTP query can use the MIME multipart/form-data format to store
data coming from a form entered by the user.
When PHP is installed on Apache httpd, it accepts
multipart/form-data queries containing a quote character inside
parameters. However, ModSecurity does not recognize this invalid
parameter format, and thus does not block a potential attack
contained in the HTTP query.
An attacker can therefore use a special HTTP multipart/form-data
query, in order to bypass security rules of ModSecurity.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ModSecurity-bypassing-rules-with-PHP-11719