Open motoyasu-saburi opened 1 year ago
@niftylettuce Please check vulnerability report and PullReqeust.
To clarify, this is not actually a vulnerability in form-data - if an application is not sanitizing user data before sending it into a library, including form-data, then that application is what has a vulnerability.
I have already contacted the two maintainers 3 or 4 times via email and snyk, but have not received any replies, so I'm write this as an Issue.
Summury
I found "multipart/form-data Request tampering vulnerability" caused by Content-Disposition filename lack of escaping in "form-data".
/lib/form_data.js
>FormData.prototype._getContentDisposition()
contains a vulnerability that allows the lack of escape filename.https://github.com/form-data/form-data/blob/53adbd81e9bde27007b28083068f2fc8272614dc/lib/form_data.js#L238
By exploiting this problem, the following attacks are possible
For example, this vulnerability can be exploited to generate the following Content-Disposition.
The Abused Header has multiple name fields and the filename has been rewritten from .txt to .sh.
These problems can result in successful or unsuccessful attacks, depending on the behavior of the parser receiving the request.
The cause of this problem is the lack of escaping of the
"
(Double-Quote) &\r
,\n
(CRLF) characters in Content-Disposition > filename.WhatWG's HTML spec has an escaping requirement.
https://html.spec.whatwg.org/#multipart-form-data
My calculations CVSS (v3):
However, I think is that this is a limited problem and an example of CVSS not matching the actual risk.
I'll include an my article explaining this issue as a reference. https://gist.github.com/motoyasu-saburi/1b19ef18e96776fe90ba1b9f910fa714
PoC Environment
OS: macOS Monterey(12.3) Node.js ver: v16.14.2 form-data ver: v4.0.0 (Python3 - HTTP Request Logging Server)
PoC
(Linux or MacOS is required. This is because Windows does not allow file names containing
"
(double-quote) .)Create Project
edit & install package.json
I write Python code, but any method will work as long as you can see the HTTP Request Body. (e.g. Debugger, HTTP Logging Server, Packet Capture)
$ vi logging.py
$ python logging.py
Request Header & Body
Content-Disposition:
& Injected Line (caused by \r\n )
Cause & Fix
Pull Request has been created. https://github.com/form-data/form-data/pull/545
As noted at the beginning of this section, encoding must be done as described in the HTML Spec.
https://html.spec.whatwg.org/#multipart-form-data
Therefore, it is recommended that Content-Disposition be modified by either of the following
e.g.
Attack Scenario
For example, the following may be considered
Validation Bypass
Tampering with hidden requests
Reference (How to implement on other frameworks)
I will post some examples of frameworks that did not have problems as reference.
Golang https://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144
Spring https://github.com/spring-projects/spring-framework/blob/4cc91e46b210b4e4e7ed182f93994511391b54ed/spring-web/src/main/java/org/springframework/http/ContentDisposition.java#L259-L267
Symphony https://github.com/symfony/symfony/blob/123b1651c4a7e219ba59074441badfac65525efe/src/Symfony/Component/Mime/Header/ParameterizedHeader.php#L128-L133
Explanatory article on the lack of escaping filename in Content-Disposition: https://gist.github.com/motoyasu-saburi/1b19ef18e96776fe90ba1b9f910fa714