Description
What’s going on in this system is that I receive a [friendly URL] and rewrite it to /index.cfm?404;/[friendly URL]/. This has been working for decades. The friendly URL pass truncates the body of the form data, but the rewritten version doesn’t (and just happens to correctly fail other tests I haven’t whitelisted yet).
The following two are for the same request, with just the URL rewritten by IIS URLRewrite. The actual data does get passed to IIS (and thence to my application server). The following one breaks and fails the tests because it can't determine the correct ARG_NAME for the first parameter. Notice the size of the Content-Length …
--d25c0000-A--
[11/May/2016:11:07:11 --0400] 12177733394557306202 69.12.26.106:23691 80 127.0.0.1 80
--d25c0000-B--
POST /featured_volunteers/description HTTP/1.1
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 2975
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.219992625.1458320050; __utma=165789951.219992625.1458320050.1462818223.1462821173.2; __utmc=165789951; __utmz=165789951.1462818223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=63EE19F6E809FFAF93F6A49EF57E3693.cfusion; __utma=220594061.606745990.1458227854.1462818276.1462978225.14; __utmb=220594061.2.10.1462978225; __utmc=220594061; __utmz=220594061.1458227854.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
Host: my.server.com
Referer: http://my.server.com/featured_volunteers/description
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Origin: http://my.server.com
Upgrade-Insecure-Requests: 1
--d25c0000-C--
rc+is+knowledgeable%2C+and+kind... [which is a segment of my form post but starting further down, truncated so that it doesn’t even include the ARG_NAME for this bit of data, followed by the rest of the post.]
This rewritten one works (and fails the tests for the right reasons). Notice Content-Length …
--4e120000-A--
[11/May/2016:11:07:11 --0400] 12177733394557306202 69.12.26.106:23691 80 127.0.0.1 80
--4e120000-B--
POST /index.cfm?404;/featured_volunteers/description HTTP/1.1
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 11167
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.219992625.1458320050; __utma=165789951.219992625.1458320050.1462818223.1462821173.2; __utmc=165789951; __utmz=165789951.1462818223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=63EE19F6E809FFAF93F6A49EF57E3693.cfusion; __utma=220594061.606745990.1458227854.1462818276.1462978225.14; __utmb=220594061.2.10.1462978225; __utmc=220594061; __utmz=220594061.1458227854.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
Host: my.server.com
Referer: http://my.server.com/featured_volunteers/description
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Origin: http://my.server.com
Upgrade-Insecure-Requests: 1
X-Original-URL: /featured_vols/description
--dc220000-C--
Description=%3Ch3%3EWelcome+to [… the rest of the full post]
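An added example, not part of the original issue and not ModSecurity's own code: a Python check over audit-log entries shaped like the two above, flagging a logged form body that is shorter than its declared Content-Length or whose first field has no parameter name. The sample log, transaction ID, paths and addresses are constructed, and the code assumes every entry carries A, B and C sections.

```python
import re

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")

# Constructed sample (not from the issue): one transaction logged under both URLs.
SAMPLE = """\
--aaaa0000-A--
[01/Jan/2016:00:00:00 +0000] 1000000000000000001 192.0.2.10:40000 80 127.0.0.1 80
--aaaa0000-B--
POST /friendly/path HTTP/1.1
Content-Length: 19
--aaaa0000-C--
nd+kind&Title=Hello
--bbbb0000-A--
[01/Jan/2016:00:00:00 +0000] 1000000000000000001 192.0.2.10:40000 80 127.0.0.1 80
--bbbb0000-B--
POST /index.cfm?404;/friendly/path HTTP/1.1
Content-Length: 33
--bbbb0000-C--
Description=very+kind&Title=Hello
"""

def parse_entries(text):
    """Split an audit log into entries, each a dict of section letter -> lines."""
    entries, section = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            section = m.group(1)
            if section == "A":          # section A opens a new entry
                entries.append({"A": [], "B": [], "C": []})
        elif entries and line.strip():
            entries[-1].setdefault(section, []).append(line.strip())
    return entries

def summarize(entry):
    """Extract the transaction id, declared length and shape of the logged body."""
    txn = entry["A"][0].split("]", 1)[1].split()[0]  # first token after timestamp
    hdrs = {k.lower(): v.strip() for k, _, v in
            (h.partition(":") for h in entry["B"][1:])}
    body = "".join(entry["C"])
    return {"txn": txn, "uri": entry["B"][0].split()[1],
            "declared": int(hdrs.get("content-length", -1)),
            "logged": len(body.encode()), "first_field_named": "=" in body.split("&", 1)[0]}

def suspect_bodies(text):
    """Entries with a body that is shorter than declared or that starts mid-value."""
    return [s for s in map(summarize, parse_entries(text)) if s["declared"] > 0
            and (s["logged"] < s["declared"] or not s["first_field_named"])]
```

Grouping the returned summaries by `txn` shows which URL form of the same transaction produced the damaged body.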