You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is a report of a problem that I contacted the Ruby maintainer earlier and the maintainer determined to be a Bug, not a Vulnerability.
I found "multipart/form-data Request tampering vulnerability(CRLF Injection)" caused by Content-Disposition filename lack of escaping( \r\n ) in lib > net > http > generic_request > def encode_multipart_form_data
By exploiting this problem, the following attacks are possible
An attack that rewrites the "name" field according to the crafted file name, impersonating (overwriting) another field. (Example: Override by generating another Content-Disposition Header)
For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.
This is a report of a problem that I contacted the Ruby maintainer earlier and the maintainer determined to be a Bug, not a Vulnerability.
I found "multipart/form-data Request tampering vulnerability(CRLF Injection)" caused by Content-Disposition filename lack of escaping(
\r\n
) inlib
>net
>http
>generic_request
>def encode_multipart_form_data
https://github.com/ruby/ruby/blob/master/lib/net/http/generic_request.rb
It is contains a vulnerability that allows the lack of escape filename.
By exploiting this problem, the following attacks are possible
(These problems depend on the server-side implementation that receives and parses the response.)
For example, this vulnerability can be exploited to generate the following Content-Disposition.
Input filename:
Generated header in multipart/form-data:
This allows you to add a Header such as content-type in multipart/form-data, or to append data that corresponds to the Body.
These problems can result in successful or unsuccessful attacks, depending on the behavior of the parser receiving the request.
The cdause of this problem is the lack of escaping of the \r, \n characters in Content-Disposition > filename.
WhatWG's HTML spec has an escaping requirement.
https://html.spec.whatwg.org/#multipart-form-data
However, the target method implements only " escaping an does not escape
\r\n
.https://github.com/ruby/ruby/blob/master/lib/net/http/generic_request.rb#L329
I have found about 20 similar problems and have written a report,
so please refer to it if you have any questions.
Slide(en): https://archive.codeblue.jp/2023/result/pdf/cb23%EF%BD%B0filename-in-content-disposition-is-a-landmine-vulnerability-caused-by-ambiguous-requirements-by-motoyasu-saburi.pdf
Article(en): https://gist.github.com/motoyasu-saburi/1b19ef18e96776fe90ba1b9f910fa714
Artice(jp): https://brutalgoblin.hatenablog.jp/entry/2023/01/05/190150
The text was updated successfully, but these errors were encountered: