Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks

[Breno Silva <breno.silva () gmail com>]

Hello Jan,

Are you guys backporting de patch to old versions of ModSecurity ?

Thanks

Breno


On Wed, Apr 3, 2013 at 9:23 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:

> Hello Kurt, Steve, Breno, vendors,
>
>   ModSecurity upstream has released v2.7.3 version:
> [1] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
>
> correcting one security flaw (from [2]):
> "It was reported that the XML files parser of ModSecurity,
> a security module for the Apache HTTP Server, was vulnerable
> to XML External Entity attacks. A remote attacker could
> provide a specially-crafted XML file that, when processed
> might lead to local files disclosure or, potentially,
> excessive resources (memory, CPU) consumption."
>
> References:
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=947842
> [3] https://bugs.gentoo.org/show_bug.cgi?id=464188
> [4] https://secunia.com/advisories/52847/
>
> Relevant upstream patch (seems to be the following):
> [5]
> https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
>
> Could you allocate a CVE id [*] for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> [*] According to:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ModSecurity
>     there doesn't seem to have been a CVE id allocated for this issue yet.