oss-sec mailing list archives

Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks
From: Breno Silva <breno.silva () gmail com>
Date: Mon, 8 Apr 2013 15:34:15 -0300

Hello Jan,

Are you guys backporting the patch to old versions of ModSecurity ?



On Wed, Apr 3, 2013 at 9:23 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:

Hello Kurt, Steve, Breno, vendors,

  ModSecurity upstream has released v2.7.3 version:
[1] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

correcting one security flaw (from [2]):
"It was reported that the XML files parser of ModSecurity,
a security module for the Apache HTTP Server, was vulnerable
to XML External Entity attacks. A remote attacker could
provide a specially-crafted XML file that, when processed
might lead to local files disclosure or, potentially,
excessive resources (memory, CPU) consumption."

[2] https://bugzilla.redhat.com/show_bug.cgi?id=947842
[3] https://bugs.gentoo.org/show_bug.cgi?id=464188
[4] https://secunia.com/advisories/52847/

Relevant upstream patch (seems to be the following):

Could you allocate a CVE id [*] for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

[*] According to:
    there doesn't seem to have been a CVE id allocated for this issue yet.
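The flaw quoted above is the classic XXE pattern: a request body parsed as XML declares entities in its DTD, and an external entity can pull in a local file while nested internal entities can blow up memory and CPU. The following is an added illustration (not ModSecurity's own fix, which lives in its C code on top of libxml2) of the defensive principle using Python's stdlib expat bindings: refuse DTD entity declarations before anything is expanded. The sample documents and the path in the SYSTEM identifier are constructed for the example.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document uses DTD features it must not use."""


# Constructed sample inputs for the example (not taken from the advisory).
BENIGN_XML = b'<?xml version="1.0"?><order><id>42</id><note>hello</note></order>'

# External entity: the file-disclosure shape described in the advisory.
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///example/secret.txt">]>'
           b'<order><note>&xxe;</note></order>')

# Nested internal entities: the resource-consumption variant.
BOMB_XML = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;">]>'
            b'<order><note>&b;&b;&b;</note></order>')


def parse_untrusted(data: bytes) -> dict:
    """Parse XML with expat, refusing DTD entity tricks before any expansion.

    Returns {"elements": [tag names in document order], "text": all character data}.
    """
    parser = expat.ParserCreate()
    seen = {"elements": [], "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An external DTD subset is never needed for an application payload.
        if sysid is not None or pubid is not None:
            raise UnsafeXMLError("external DTD subset is not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Reject every declared entity: external ones (sysid/pubid set) read
        # files or URLs, internal ones can be nested for exponential growth.
        kind = "external" if (sysid or pubid) else "internal"
        raise UnsafeXMLError(f"{kind} entity declaration '{name}' is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda tag, attrs: seen["elements"].append(tag)
    parser.CharacterDataHandler = lambda text: seen["text"].append(text)
    # A handler that raises aborts the parse, so no entity is ever expanded.
    parser.Parse(data, True)
    return {"elements": seen["elements"], "text": "".join(seen["text"])}


def classify(data: bytes) -> str:
    """Batch helper: 'accepted' or the reason the document was refused."""
    try:
        parse_untrusted(data)
        return "accepted"
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
```

Running `classify` over the three constructed documents accepts only the benign one and names the offending entity for the other two.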
