ModSecurity 2.7.3 XML External Entity attacks

2013.04.03
Credit: Jan
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

ModSecurity upstream has released v2.7.3 version: [1] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES correcting one security flaw (from [2]): "It was reported that the XML files parser of ModSecurity, a security module for the Apache HTTP Server, was vulnerable to XML External Entity attacks. A remote attacker could provide a specially-crafted XML file that, when processed might lead to local files disclosure or, potentially, excessive resources (memory, CPU) consumption." References: [2] https://bugzilla.redhat.com/show_bug.cgi?id=947842 [3] https://bugs.gentoo.org/show_bug.cgi?id=464188 [4] https://secunia.com/advisories/52847/ Relevant upstream patch (seems to be the following): [5] https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe Could you allocate a CVE id [*] for this? Thank you && Regards, Jan.

References:

https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
https://bugzilla.redhat.com/show_bug.cgi?id=947842
https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
http://seclists.org/oss-sec/2013/q2/5


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top