Bug 170180 - net-www/mod_security <=2.1.0: \0 byte evasion
Status: RESOLVED DUPLICATE of bug 169778
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.php-security.org/MOPB/BONU...
Whiteboard: B4 [upstream] Falco
Reported: 2007-03-09 21:07 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2007-03-09 21:33 UTC

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 21:07:27 UTC
Although that was disclosed within the Month of PHP Bugs, that concerns another package. Upstream has not been contacted by the discoverer.

Workaround from upstream: 
http://www.modsecurity.org/blog/archives/2007/03/modsecurity_asc.html

Secunia:
http://secunia.com/advisories/24373/
"The problem is that it is possible to bypass rules by adding NULL bytes to POST data with the application/x-www-form-urlencoded media type."

No CVE yet AFAICT

No upstream fix AFAICT
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 21:08:18 UTC
and ccing chtekk :)
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 21:33:12 UTC

*** This bug has been marked as a duplicate of bug 169778 ***