Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 422973 (CVE-2009-5031)

Summary: <www-apache/mod_security-2.6.6 : Multipart Quote Parsing Security Bypass Vulnerability (CVE-2009-5031,CVE-2012-2751)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: apache-bugs, flameeyes
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/49576/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-06-22 12:08:24 UTC
From secunia security advisory at $URL:

Description
A vulnerability has been reported in ModSecurity, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when parsing quotes within multipart requests and can be exploited to bypass certain filtering rules.

The vulnerability is reported in versions prior to 2.6.6.


Solution
Update to version 2.6.6.
Comment 1 Agostino Sarubbo gentoo-dev 2012-06-22 12:09:42 UTC
@maintainer: 

Is 2.6.6 ready to be stabilized?
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-06-22 12:59:17 UTC
Yes it is.
Comment 3 Agostino Sarubbo gentoo-dev 2012-06-22 13:05:41 UTC
Arches, please test and mark stable:
=www-apache/mod_security-2.6.6
Target KEYWORDS : "amd64 ppc sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-06-22 15:26:17 UTC
amd64 stable
Comment 5 Andreas Schürch gentoo-dev 2012-06-22 21:57:09 UTC
x86 stable, thanks!
Comment 6 Brent Baude (RETIRED) gentoo-dev 2012-07-03 16:03:20 UTC
ppc done
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-07-15 17:00:18 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-07-15 17:24:21 UTC
@security: please vote.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-07-23 19:23:13 UTC
CVE-2012-2751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2751):
  ModSecurity before 2.6.6, when used with PHP, does not properly handle
  single quotes not at the beginning of a request parameter value in the
  Content-Disposition field of a request with a multipart/form-data
  Content-Type header, which allows remote attackers to bypass filtering rules
  and perform other attacks such as cross-site scripting (XSS) attacks.  NOTE:
  this vulnerability exists because of an incomplete fix for CVE-2009-5031.

CVE-2009-5031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5031):
  ModSecurity before 2.5.11 treats request parameter values containing single
  quotes as files, which allows remote attackers to bypass filtering rules and
  perform other attacks such as cross-site scripting (XSS) attacks via a
  single quote in a request parameter in the Content-Disposition field of a
  request with a multipart/form-data Content-Type header.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-23 19:26:41 UTC
Thanks, everyone.

GLSA vote: no.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-08-14 05:33:51 UTC
Thanks, folks. GLSA Vote: no too. Closing noglsa.