Browse archive

Latest news

Fighting cybercrime is on the right track

Google set to upgrade its SSL certs

IT security pros have trouble communicating with executives

Zeus variants are back with a vengeance

Facebook phishers target Fan Pages owners

Killer apps: The performance of networked applications

Is it time to professionalize information security?

Google researcher reveals another Windows 0-day

Twitter finally offers 2-factor authentication

DHS employees' info possibly compromised due to system flaw

Teens are into online sharing, but are also more privacy-aware

The dangers of downloading software from unofficial sites

Microsoft decrypts Skype comms to detect malicious links

Review: Logging and Log Management

Hacking charge stations for electric cars

Vulnerabilities in open source WAF ModSecurity

by Ivan Ristic - Director of engineering at Qualys - Monday, 18 June 2012.

To address unknown content type bypass issues, ModSecurity CRS employs rules that allow only known content types to be used. However, these rules are not strict enough. By default, the CRS will check if the MIME type can be found within the following string (all one continuous line):

application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf

This check will indeed reject many unknown and invalid MIME types, but it will also accept any substrings that can be found within the above string. In most cases, such invalid MIME types can be used only against a small number of applications. The only situation where this can be exploited is when attacking applications that expect only certain MIME types known to them (e.g., application/x-www-form-urlencoded) and don't check what actual MIME type is indicated in the Content-Type request header.

The attack was confirmed against Apache Commons FileUpload 1.2.1, but earlier versions are equally likely to contribute to the bypass. Starting with the Servlet 3.0 specification, file uploads are supported natively, without the need to use a separate library. The Tomcat web server bundles the FileUpload library to implement file uploads, so even applications that do not explicitly use upload libraries may be vulnerable. The problem likely affects other web servers that are built on the Tomcat code base. Outside Java, at least one other server-side framework is thought to be vulnerable to the same problem.

The attack was confirmed against Apache Commons FileUpload 1.2.1, but earlier versions are equally likely to contribute to the bypass in this way.

Credit

The new vulnerabilities discussed here were discovered by Ivan Ristic, from Qualys Vulnerability & Malware Research Labs (VMRL).

Notices

Ivan Ristic is the original author of ModSecurity. He started the project in 2002, and led it until January 2009. His last code contribution was in 2010. He remains involved through his ongoing work on ModSecurity Handbook, which is the definitive guide on ModSecurity.
At Qualys, Ivan Ristic is part of a team working on IronBee, which is also an open source web application firewall.
ModSecurity and mod_security are trademarks or registered trademarks of Trustwave Holdings, Inc.