漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
ModSecurity: Multipart form-data parser silently strips embedded line breaks from form-field values, enabling request-body inspection bypass
Vulnerability Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and ARGS_POST because src/request_body_processor/multipart.cc overwrites reserved bytes in m_reserve instead of appending the current buffer. This creates a parser differential between ModSecurity and backend applications that preserve line breaks in form fields, allowing rules that inspect ARGS or ARGS_POST to miss payloads whose dangerous syntax depends on a line break. This issue is fixed in version 3.0.16.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Vulnerability Type
不正确的行为次序:规范化之前验证
Vulnerability Title
owasp-modsecurity ModSecurity 处理逻辑错误漏洞
Vulnerability Description
owasp-modsecurity ModSecurity是owasp-modsecurity的Web应用防火墙模块。 owasp-modsecurity ModSecurity 3.0.16之前版本存在处理逻辑错误漏洞,该漏洞源于libmodsecurity中multipart/form-data请求体解析器在导出非文件表单字段值至ARGS和ARGS_POST时静默删除嵌入换行符,而非追加当前缓冲区,导致解析差异,可能使依赖换行符的危险语法被安全规则忽略。
CVSS Information
N/A
Vulnerability Type
N/A