
POST (multipart) arguments are skipped when field name is not in quotes

Open i-rinat opened this issue 6 years ago • 9 comments

Multipart/form-data messages have the field name listed in the Content-Disposition header field. It's something like name="field1". Libhtp parses such messages just fine. However, at least some platforms also accept name=field1, without double quotes (for example, Apache/PHP). Libhtp skips such parameters.

Steps to reproduce:

  1. Change the test with the following patch:
diff --git a/test/files/17-multipart-1.t b/test/files/17-multipart-1.t
index 7c083c6..5fface7 100644
--- a/test/files/17-multipart-1.t
+++ b/test/files/17-multipart-1.t
@@ -16,7 +16,7 @@ Content-Disposition: form-data; name="field1"
 
 0123456789
 -----------------------------41184676334
-Content-Disposition: form-data; name="field2"
+Content-Disposition: form-data;   name=field2
 
 9876543210
 -----------------------------41184676334
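Review bot: The padded line `+Content-Disposition: form-data;   name=field2` changes two things at once, the unquoted value and the extra whitespace before the parameter, so the failing test on its own cannot say which of the two the parser rejects; a second variant that only drops the quotes (adjusting Content-Length instead of padding) would pin the failure on the missing quotes alone.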

(Additional spaces were added to keep the content length the same. They are not significant for the issue.)

  2. Run the tests (make test).

Expected results:

Test succeeds.

Actual results:

Test fails.

i-rinat, Apr 05 '18 17:04

I will have a look, thanks.

victorjulien, Apr 11 '18 05:04

Is this still an issue?

catenacyber, Apr 25 '22 11:04

Is this still an issue?

The test still fails.

i-rinat, Apr 25 '22 13:04

How are you using libhtp? With Suricata?

catenacyber, Apr 25 '22 13:04

Oh, so you were asking if that's still an issue for me specifically? If so, then I need to say that I don't use libhtp at the moment. This parsing peculiarity surfaced when I was evaluating libhtp as a replacement for an in-house security-oriented HTTP parser. I don't work on that project anymore, and don't know if they use libhtp or have any code based on libhtp.

i-rinat, Apr 25 '22 16:04

Maybe still an issue, but likely not for Suricata's usage.

catenacyber, Apr 07 '23 14:04

but likely not for Suricata's usage

This is a potential bypass vector. Combined with HTTP Parameter Pollution, this may be used to feed innocent parameter values to the detectors in Suricata while letting malicious payloads pass to the protected application.

i-rinat, Apr 07 '23 16:04
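An added illustration for the parsing behaviour in the opening post and the bypass concern above; this is not libhtp code. `disposition_param` is a small Content-Disposition parameter extractor that accepts both the quoted-string form (name="field2") and the bare-token form (name=field2), and `name_differential` flags a part that a quoted-only parser would drop while a tolerant one still sees it. Both function names and the `require_quotes` switch are my own.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Extract parameter `param` from a Content-Disposition header value.
 * Accepts both RFC 2045 value forms, token (name=field2) and
 * quoted-string (name="field2"); with require_quotes set it mimics a
 * quoted-only parser. Returns the value length, or -1 if absent/invalid. */
int disposition_param(const char *hdr, const char *param, int require_quotes,
                      char *out, size_t outlen)
{
    size_t plen = strlen(param);
    const char *p = strchr(hdr, ';');
    while (p) {
        p++;
        while (*p == ' ' || *p == '\t') p++;      /* skip whitespace before parameter */
        if (strncasecmp(p, param, plen) == 0 && p[plen] == '=') {
            size_t n = 0;
            p += plen + 1;
            if (*p != '"') {                        /* token form */
                if (require_quotes) return -1;      /* quoted-only parser drops it */
                while (*p && *p != ';' && !isspace((unsigned char)*p) && n + 1 < outlen)
                    out[n++] = *p++;
            } else {                                /* quoted-string form */
                p++;
                while (*p && *p != '"' && n + 1 < outlen) {
                    if (*p == '\\' && p[1]) p++;    /* quoted-pair, e.g. \" */
                    out[n++] = *p++;
                }
                if (*p != '"') return -1;           /* unterminated quote */
            }
            out[n] = '\0';
            return (int)n;
        }
        p = strchr(p, ';');                         /* next parameter */
    }
    return -1;
}

/* 1 when the tolerant parse finds a name that a quoted-only parse drops:
 * the parser differential described in this issue. */
int name_differential(const char *hdr)
{
    char a[64], b[64];
    return disposition_param(hdr, "name", 0, a, sizeof a) >= 0 &&
           disposition_param(hdr, "name", 1, b, sizeof b) < 0;
}
```

Run over the two fixture headers, `form-data; name="field1"` parses under both settings, while `form-data;   name=field2` is found only by the tolerant parse, which is exactly the part the modified test expects and libhtp skips.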

This is a potential bypass vector.

Yes, but Suricata does not use libhtp's multipart code, and has its own (which had similar bugs fixed recently).

catenacyber, Dec 21 '23 12:12

Suricata does not use libhtp multipart code

Oh... okay.

i-rinat, Dec 22 '23 15:12