How to filter in multipart/form-data

[gitQuestions]

Hello all,

I am fixing "Comments -wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload" vulnerability.

Here, an attacker could upload an infected php file in an upload image field. I would like to make a rule which could filter and look for legit files.

But the problem is when I have to look into multipart/form-data parameters (like in the image attach.) where I would like to obtain the "filename", "Content-Type" of "wmu_files" parameter. to do that.

Is it possible?

[martinhsv]

Hi @gitQuestions ,

You don't mention which version of ModSecurity you are using.

In v2.9.x if you want to test filename but only for parts matching a particular name, you should be able to do something like this:

SecRule FILES:'/^wmu_files/' "@contains screen222" ...

(Of course, your rule may vary from that depending on the specifics of what you wish to test for.)

While I have only taken an initial look, it unfortunately appears that this may not work in v3.

I don't think we expose the Content-Type of individual parts in any convenient way.

One possible alternative in ModSecurity v3 (for both name-filename association and the Content-Type question) could be to try to do your detection with a regex against REQUEST_BODY.

[martinhsv]

Update:

I have created a pull request that I believe resolves the v3 issue whereby name and filename are not associated as a key-value pair in the FILES collection:

#2379

Note that this change has not yet been reviewed or merged, so please regard the fix as tentative for the time being.

[zimmerle]

#2379 is already merged. Marking this one as fixed.