POST (multipart) arguments are skipped when field name is not in quotes

[i-rinat]

Multipart/form-data messages have field name listed in Content-Disposition header field. It's something like name="field1". Libhtp parses such messages just fine. However, at least some platforms also accept name=field1, without double quotes (for example, Apache/PHP). Libhtp skips such parameters.

Steps to reproduce:

1. Change test with the following patch:

diff --git a/test/files/17-multipart-1.t b/test/files/17-multipart-1.t
index 7c083c6..5fface7 100644
--- a/test/files/17-multipart-1.t
+++ b/test/files/17-multipart-1.t
@@ -16,7 +16,7 @@ Content-Disposition: form-data; name="field1"
 
 0123456789
 -----------------------------41184676334
-Content-Disposition: form-data; name="field2"
+Content-Disposition: form-data;   name=field2
 
 9876543210
 -----------------------------41184676334

(additional spaces were added to keep content length the same. They are not significant for the issue.)

2. Run tests (make test)

Expected results:

Test succeeds.

Actual results:

Test fails.

[victorjulien]

I will have a look, thanks.

[catenacyber]

Is this still an issue ?

[i-rinat]

Is this still an issue?

The test still fails.

[catenacyber]

How are you using libhtp ? With Suricata ?

[i-rinat]

Oh, so you were asking if that's still an issue for me specifically? If so, then I need to say that I don't use libhtp at the moment. This parsing peculiarity surfaced up when I was evaluating libhtp as a replacement for an in-house security oriented HTTP parser. I don't work on that project anymore, and don't know if they use libhtp or have any code based on libhtp.

[catenacyber]

May be still an issue, but likely not for Suricata's usage

[i-rinat]

but likely not for Suricata's usage

This is a potential bypass vector. Combined with HTTP Parameter Pollution this may be used to feed some innocent parameter values to detectors in Suricata, but allow to pass malicious payloads to the protected application.

[catenacyber]

This is a potential bypass vector.

Yes, but Suricata does not use libhtp multipart code, and has its own (which had similar bugs fixed recently)

[i-rinat]

Suricata does not use libhtp multipart code

Oh... okay.