oss-sec mailing list archives
Re: CVE request: Fwd: [Full-disclosure] SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 18 Oct 2012 13:13:55 -0600
On 10/18/2012 06:41 AM, Breno Silva wrote:
> Hello Jan,
>
> Yes, I can confirm the issue and the patch.
>
> Thanks
>
> Breno
>
> On Thu, Oct 18, 2012 at 3:58 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:
>> Hi Kurt, Breno,
>>
>> ----- Original Message -----
>>> On 10/17/2012 02:47 AM, Matthias Weckbecker wrote:
>>>> Hi Steve, Kurt, vendors,
>>>>
>>>> this flaw looks slightly different from the last one and apparently
>>>> has not got a CVE yet.
>>>>
>>>> ---------- Forwarded Message ----------
>>>> Subject: [Full-disclosure] SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass
>>>> Date: Wednesday 17 October 2012
>>>> From: SEC Consult Vulnerability Lab <research () sec-consult com>
>>>> To: full-disclosure () lists grok org uk, bugtraq () securityfocus com
>>>>
>>>> SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >
>>>> =======================================================================
>>>> title: ModSecurity multipart/invalid part ruleset bypass
>>>> product: ModSecurity
>>>> vulnerable version: <= 2.6.8
>>>> fixed version: 2.7.0
>>>> CVE number: -
>>>> impact: Depends what you use it for
>>>> homepage: http://www.modsecurity.org/
>>>> found: 2012-10-12
>>>> by: Bernhard Mueller
>>>>     SEC Consult Vulnerability Lab
>>>>     https://www.sec-consult.com
>>>> =======================================================================
>>>
>>> Looking through
>>> https://www.modsecurity.org/tracker/secure/ReleaseNote.jspa?projectId=10000&version=10100
>>>
>>> Is this https://www.modsecurity.org/tracker/browse/MODSEC-155
>>
>> I am not sure this is related since it is closed with resolution
>> 'Cannot Reproduce'.

Yeah I was thinking they might have buried it, never thought to check the source changelog (assumed the online one was sufficient. sigh).

>> Based on Changes:
>> [1] http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES
>>
>> I would say this is:
>> "* Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict"
>>
>> with relevant upstream commit being:
>> [2] http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=date&revision=2081
>>
>> but Cc-in Breno Silva to definitely confirm this yet.
>>
>> Breno, could you please confirm / disprove that the patch [2] is upstream patch for issue:
>> [3] http://www.openwall.com/lists/oss-security/2012/10/17/1 ?
>>
>> And if it's not the correct one, provide an explicit revision link to the proper one?
>>
>> Thank you && Regards, Jan.
>> --
>> Jan iankko Lieskovsky / Red Hat Security Response Team
Please use CVE-2012-4528 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993