This requires Modsecurity 2.9.6
CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header fields abuse
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (
v2.9.6/
v3.0.8) or an updated version with backports of the security fixes in these versions.
If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS".
You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS
without a fix to CVE-2022-39956, however we advise against this workaround.
Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections.
This vulnerability was discovered and reported by
@terjanq (Jan Gora) during the Intigriti 1337UP0522 WAF Promotion Event.