Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"multipart/form-data" Request tampering potential security issue (CRLF Injection) #195

Open
motoyasu-saburi opened this issue Nov 23, 2024 · 0 comments

Comments

@motoyasu-saburi
Copy link

This is a report of a problem that I contacted the Ruby maintainer earlier and the maintainer determined to be a Bug, not a Vulnerability.


I found "multipart/form-data Request tampering vulnerability(CRLF Injection)" caused by Content-Disposition filename lack of escaping( \r\n ) in
lib > net > http > generic_request > def encode_multipart_form_data

https://github.com/ruby/ruby/blob/master/lib/net/http/generic_request.rb
It is contains a vulnerability that allows the lack of escape filename.

By exploiting this problem, the following attacks are possible

(These problems depend on the server-side implementation that receives and parses the response.)

For example, this vulnerability can be exploited to generate the following Content-Disposition.

Input filename:

inject_crlf.txt;\r\n\r\ninjected_crlf\r\ndummy=".txt

Generated header in multipart/form-data:

Content-Disposition: form-data; name="bar"; filename="inject_crlf.txt;
name="foo"; dummy=".txt"
injected_crlf
dummy=\".txt"

This allows you to add a Header such as content-type in multipart/form-data, or to append data that corresponds to the Body.

These problems can result in successful or unsuccessful attacks, depending on the behavior of the parser receiving the request.

The cdause of this problem is the lack of escaping of the \r, \n characters in Content-Disposition > filename.

WhatWG's HTML spec has an escaping requirement.
https://html.spec.whatwg.org/#multipart-form-data

For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.

However, the target method implements only " escaping an does not escape\r\n.
https://github.com/ruby/ruby/blob/master/lib/net/http/generic_request.rb#L329

I have found about 20 similar problems and have written a report,
so please refer to it if you have any questions.

Slide(en): https://archive.codeblue.jp/2023/result/pdf/cb23%EF%BD%B0filename-in-content-disposition-is-a-landmine-vulnerability-caused-by-ambiguous-requirements-by-motoyasu-saburi.pdf
Article(en): https://gist.github.com/motoyasu-saburi/1b19ef18e96776fe90ba1b9f910fa714
Artice(jp): https://brutalgoblin.hatenablog.jp/entry/2023/01/05/190150

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

1 participant