multipart/form-data charset/content-type

[vvvllll]

Details

• NGINX version: 1.26.3
• NAXSI version: 1.6
• Did you install NAXSI from a package manager? NO
• Operating System: Debian Linux 11

Nginx Logs

request_body:


--bWH4JVmYCnf6GfXacrcc\x0D\x0AContent-Disposition: form-data; name=\x22action\x22\x0D\x0AContent-Type: text/plain; charset=UTF-8\x0D\x0A\x0D\x0Awpmdb_verify_connection_to_remote_site\x0D\x0A--bWH4JVmYCnf6GfXacrcc\x0D\x0AContent-Disposition: form-data; name=\x22intent\x22\x0D\x0AContent-Type: text/plain; charset=UTF-8\x0D\x0A\x0D\x0Apull\x0D\x0A--bWH4JVmYCnf6GfXacrcc\x0D\x0AContent-Disposition: form-data; name=\x22referer\x22\x0D\x0AContent-Type: text/plain; charset=UTF-8\x0D\x0A\x0D\x0Alocalhost\x0D\x0A--bWH4JVmYCnf6GfXacrcc\x0D\x0AContent-Disposition: form-data; name=\x22version\x22\x0D\x0AContent-Type: text/plain; charset=UTF-8\x0D\x0A\x0D\x0A2.7.2\x0D\x0A--bWH4JVmYCnf6GfXacrcc\x0D\x0AContent-Disposition: form-data; name=\x22sig\x22\x0D\x0AContent-Type: text/plain; charset=UTF-8\x0D\x0A\x0D\x0AC+exxxxxxxxxxxxx\x0D\x0A--bWH4JVmYCnf6GfXacrcc--\x0D\x0A

decoded:

--bWH4JVmYCnf6GfXacrcc
Content-Disposition: form-data; name="action"
Content-Type: text/plain; charset=UTF-8

wpmdb_verify_connection_to_remote_site
--bWH4JVmYCnf6GfXacrcc
Content-Disposition: form-data; name="intent"
Content-Type: text/plain; charset=UTF-8

pull
--bWH4JVmYCnf6GfXacrcc
Content-Disposition: form-data; name="referer"
Content-Type: text/plain; charset=UTF-8

localhost
--bWH4JVmYCnf6GfXacrcc
Content-Disposition: form-data; name="version"
Content-Type: text/plain; charset=UTF-8

2.7.2
--bWH4JVmYCnf6GfXacrcc
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8

C+exxxxxxxxxxxxx
--bWH4JVmYCnf6GfXacrcc--


NAXSI logs:
uri=/wp-admin/admin-ajax.php&config=drop&rid=xxxx&zone0=BODY&id0=13&var_name0=

Additional details

This hits rule 13 (invalid format) because of the "Content-Type: text/plain; charset=UTF-8" lines.
This is a request that a WP plugin (wp-migrate) is building, i would have forwarded the issue to them BUT i've looked at the RFC and the format seems valid (although different in browsers)
https://datatracker.ietf.org/doc/html/rfc7578#section-4.4
https://datatracker.ietf.org/doc/html/rfc7578#section-4.5

[wargio]

yes that looks like valid.
you can whitelist it as workaround.

[vvvllll]

Yes thanks i did that already, i was just afraid that adding a whitelist on those "core" rules (specifically this 13, other rule 10 etc) could be a bit risky.

Thanks a lot for that quick response

[wargio]

Nono. There it's easy to hit them. I might fix this in the weekend.