From fulldisclosure: SEC Consult Vulnerability Lab Security Advisory < 20121017-0 > ======================================================================= title: ModSecurity multipart/invalid part ruleset bypass product: ModSecurity vulnerable version: <= 2.6.8 fixed version: 2.7.0 CVE number: - impact: Depends what you use it for homepage: http://www.modsecurity.org/ found: 2012-10-12 by: Bernhard Mueller SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vulnerability overview/description: ----------------------------------- Validation of POST parameters can be bypassed on Apache/PHP installations by sending specially formed multipart requests. A POST parameter's content can be hidden from ModSecurity by prepending an invalid part. This first part contains only a Content-Disposition header and has an additional carriage return inserted at the end of the line ([\r\r\n]). This is followed by a boundary in the next line and another Content-Disposition header with a filename. The request content looks like this (newlines are all \r\n except in line 2). --A Content-Disposition: form-data; name="id"[\r][\r][\n] --A Content-Disposition: form-data; name="lol"; filename="x" 1 UNION SELECT 1,2,3,4,5,6,7,8,9,10-- --A-- ModSecurity skips what it believes to be an invalid first part and proceeds to parse the second part. This part is treated as a file and not checked against the ruleset. PHP however treats the whole thing as a single part and processes only the first Content-Disposition header, ignoring the second one. In the opinion of PHP this request contains a POST parameter with the name specified in the first header.
Status update. I'm testing ModSec 2.7 on my blog. It requires modsecurity-crs-2.2.6 as well to work or Apache won't start. But even then the optional/experimental rules won't work. So I'm not sure. Can somebody judge the severity and tell me how much should I push for this?
(In reply to comment #1) > Status update. > > I'm testing ModSec 2.7 on my blog. It requires modsecurity-crs-2.2.6 as well > to work or Apache won't start. But even then the optional/experimental rules > won't work. So I'm not sure. > > Can somebody judge the severity and tell me how much should I push for this? If you were looking for a severity rating from the security team: attackers would be able to bypass filtering rules. Target delay: 20 days.
Sounds good, feel free to ask for stable whenever it's convenient, my tests are vastly (although not absolutely) positive.
Arches, please test and mark stable: =www-apache/mod_security-2.7.0 Target KEYWORDS="amd64 ppc sparc x86"
amd64 stable
x86 done, together with modsecurity-crs-2.2.6-r1.
stable ppc
sparc stable
Thanks, everyone. GLSA vote: no.
Vote: no. Closing noglsa.
