ModSecurity CRS RuleID-960000

960000

Attempted multipart/form-data bypass

Identify multipart/form-data name evasion attempts

2 - Critical

SecRule FILES_NAMES|FILES "['\";=]" "phase:2,t:none,id:'960000',rev:'2.2.5',block,capture,msg:'Attempted multipart/form-data bypass',logdata:'%{matched_var}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{tx.0}"

• There are possible impedance mismatches between how ModSecurity interprets multipart file names and how a destination app server such as PHP might parse the Content-Disposition data.
• These rules check for the existence of the ' " ; = meta-characters in either the file or file name variables in order to detect evasion attempts.

///  A description of the regular expression:
///  
///  Match any (single) character contained within the brackets

Content-Disposition: form-data; name="fileRap"; filename="file=.txt"

Include an example ModSecurity Audit Log Entry for when this rule matchs.

--50b28e4c-A--
[27/Jun/2012:16:07:22 +0300] T@sFin8AAQEAADwGDRIAAAAA 127.0.0.1 56803 127.0.0.1 80
--50b28e4c-B--
POST /fileupload.asp HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://localhost/
Content-Type: multipart/form-data; boundary=--------397236876
Content-Length: 930

--50b28e4c-C--
----------397236876
Content-Disposition: form-data; name="fileRap"; filename="file=.txt"
Content-Type: text/plain

[email protected]
----------397236876

--50b28e4c-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Length: 307
Connection: close
Content-Type: text/html; charset=iso-8859-1

--50b28e4c-E--

--50b28e4c-H--
Message: Access denied with code 403 (phase 2). Pattern match "['\";=]" at FILES:fileRap. [file "/opt/modsecurity/etc/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "73"] [id "960000"] [rev "2.2.5"] [msg "Attempted multipart/form-data bypass"] [data "file=.txt"] [severity "CRITICAL"] [tag "RULE_MATURITY/7"] [tag "RULE_ACCURACY/7"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000"]
Action: Intercepted (phase 2)
Stopwatch: 1340802442388746 3425 (- - -)
Stopwatch2: 1340802442388746 3425; combined=2114, p1=1798, p2=300, p3=0, p4=0, p5=15, sr=91, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.0-dev1 (http://www.modsecurity.org/); core ruleset/2.2.5.
Server: Apache/2.2.22 (Debian)
Engine-Mode: "ENABLED"

--50b28e4c-K--
SecRule "FILES_NAMES|FILES" "@rx ['\";=]" "phase:2,log,t:none,id:960000,rev:2.2.5,block,capture,msg:'Attempted multipart/form-data bypass',logdata:%{matched_var},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.id=%{rule.id},tag:RULE_MATURITY/7,tag:RULE_ACCURACY/7,tag:https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{tx.0}"


--50b28e4c-Z--

An attacker manipulated the file name which is mistakenly treated as code by the backend server.

Easy

Easy with regular expressions

None known
If there are any known false positives - specify them here Also sign-up for the Reporting False Positives mail-list here: https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives
Send FP Report emails here:
mod-security-report-false-positiveslists.sourceforge.net

None known

7
10 point scale (0-9) where:
0 = Beta/Experimental
9 = Heavily Tested

7
10 point scale (0-9) where:
0 = High % of FP
5 = No false positives reported

Josh Amishav-Zlatin - jamusegmail.com.com

http://www.ietf.org/rfc/rfc2183.txt