ModSecurity 2.7.3 NULL pointer dereference

2013-05-28 / 2013-07-15
Credit: Athmane
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Hello Steve, vendors,

as brought to me by Athmane, ModSecurity upstream has released v2.7.4 version:

[1] http://sourceforge.net/mailarchive/message.php?msg_id=30900019

correcting one security NULL pointer dereference flaw (CVE-2013-2765) - from [2]:

* Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).

References:
[2] https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES
[3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765

Relevant upstream patch (seems to be the following):
[4] https://github.com/SpiderLabs/ModSecurity/commit/0840b13612a0b7ef1ce7441cf811dcfc6b463fba

apache2/msc_reqbody.c @@ -170,6 +170,7 @@ static apr_status_t modsecurity_request_body_store_memory(modsec_rec *msr, /* Would storing this chunk mean going over the limit? */ if ((msr->msc_reqbody_spilltodisk) + && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON) && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit)) { msc_data_chunk **chunks;

Thank you && Regards, Jan.
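
Review bot: the added `msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON` condition in modsecurity_request_body_store_memory() makes the whole spill-to-disk test false under forced buffering, so the `reqbody_inmemory_limit` comparison is skipped on this path and nothing in the visible lines caps msr->msc_reqbody_length in that mode. Please add a comment on the condition stating what bounds in-memory growth when REQUEST_BODY_FORCEBUF_ON is set, or point to the check that does. The changelog entry attributes the crash to msr->msc_reqbody_chunks being NULL, and this hunk avoids the branch rather than checking the pointer, so an explicit NULL check where msr->msc_reqbody_chunks->elts is used would keep the fix robust if that code is reached another way.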

References:

http://sourceforge.net/mailarchive/message.php?msg_id=30900019
https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765
https://github.com/SpiderLabs/ModSecurity/commit/0840b13612a0b7ef1ce7441cf811dcfc6b463fba
http://cxsecurity.com/issue/WLB-2013060005