oss-sec mailing list archives
Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks
From: Breno Silva <breno.silva () gmail com>
Date: Mon, 8 Apr 2013 15:34:15 -0300
Hello Jan, Are you guys backporting de patch to old versions of ModSecurity ? Thanks Breno On Wed, Apr 3, 2013 at 9:23 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:
Hello Kurt, Steve, Breno, vendors, ModSecurity upstream has released v2.7.3 version: [1] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES correcting one security flaw (from [2]): "It was reported that the XML files parser of ModSecurity, a security module for the Apache HTTP Server, was vulnerable to XML External Entity attacks. A remote attacker could provide a specially-crafted XML file that, when processed might lead to local files disclosure or, potentially, excessive resources (memory, CPU) consumption." References: [2] https://bugzilla.redhat.com/show_bug.cgi?id=947842 [3] https://bugs.gentoo.org/show_bug.cgi?id=464188 [4] https://secunia.com/advisories/52847/ Relevant upstream patch (seems to be the following): [5] https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe Could you allocate a CVE id [*] for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team [*] According to: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ModSecurity there doesn't seem to have been a CVE id allocated for this issue yet.
Current thread:
- CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Jan Lieskovsky (Apr 03)
- Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Kurt Seifried (Apr 03)
- Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Breno Silva (Apr 08)
- Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Jan Lieskovsky (Apr 09)
- Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Breno Silva (Apr 09)
- Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Athmane Madjoudj (Apr 09)
- Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Breno Silva (Apr 09)
- Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Athmane Madjoudj (Apr 09)
- Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Jan Lieskovsky (Apr 09)