ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.

The remote Solaris system is missing necessary patches to address security updates :

  - ModSecurity before 2.6.6, when used with PHP, does not     properly handle single quotes not at the beginning of a     request parameter value in the Content-Disposition field     of a request with a multipart/form-data Content-Type     header, which allows remote attackers to bypass     filtering rules and perform other attacks such as     cross-site scripting (XSS) attacks. NOTE: this     vulnerability exists because of an incomplete fix for     CVE-2009-5031. (CVE-2012-2751)

  - ModSecurity before 2.7.3 allows remote attackers to read     arbitrary files, send HTTP requests to intranet servers,     or cause a denial of service (CPU and memory     consumption) via an XML external entity declaration in     conjunction with an entity reference, aka an XML     External Entity (XXE) vulnerability. (CVE-2013-1915)

- complete overhaul of this package, with update to 2.7.5.

  - ruleset update to 2.2.8-0-g0f07cbb.

  - new configuration framework private to mod_security2:
    /etc/apache2/conf.d/mod_security2.conf loads     /usr/share/apache2-mod_security2/rules/modsecurity_crs_1     0_setup.conf, then /etc/apache2/mod_security2.d/*.conf ,     as set up based on advice in     /etc/apache2/conf.d/mod_security2.conf Your     configuration starting point is     /etc/apache2/conf.d/mod_security2.conf

  - !!! Please note that mod_unique_id is needed for     mod_security2 to run!

  - modsecurity-apache_2.7.5-build_fix_pcre.diff changes     erroneaous linker parameter, preventing rpath in shared     object.

  - fixes contained for the following bugs :

  - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request     parameter handling

  - [bnc#768293] multi-part bypass, minor threat

  - CVE-2013-1915 [bnc#813190] XML external entity     vulnerability

  - CVE-2012-4528 [bnc#789393] rule bypass

  - CVE-2013-2765 [bnc#822664] NULL pointer dereference     crash

  - new from 2.5.9 to 2.7.5, only major changes :

  - GPLv2 replaced by Apache License v2

  - rules are not part of the source tarball any longer, but     maintaned upstream externally, and included in this     package.

  - documentation was externalized to a wiki. Package     contains the FAQ and the reference manual in html form.

  - renamed the term 'Encryption' in directives that     actually refer to hashes. See CHANGES file for more     details.

  - new directive SecXmlExternalEntity, default off

  - byte conversion issues on s390x when logging fixed.

  - many small issues fixed that were discovered by a     Coverity scanner

  - updated reference manual

  - wrong time calculation when logging for some timezones     fixed.

  - replaced time-measuring mechanism with finer granularity     for measured request/answer phases. (Stopwatch remains     for compat.)

  - cookie parser memory leak fix

  - parsing of quoted strings in multipart     Content-Disposition headers fixed.

  - SDBM deadlock fix

  - @rsub memory leak fix

  - cookie separator code improvements

  - build failure fixes

  - compile time option --enable-htaccess-config (set)

- complete overhaul of this package, with update to 2.7.5.

  - ruleset update to 2.2.8-0-g0f07cbb. 

  - new configuration framework private to mod_security2:
    /etc/apache2/conf.d/mod_security2.conf loads     /usr/share/apache2-mod_security2/rules/modsecurity_crs_1     0_setup.conf, then /etc/apache2/mod_security2.d/*.conf ,     as set up based on advice in     /etc/apache2/conf.d/mod_security2.conf Your     configuration starting point is     /etc/apache2/conf.d/mod_security2.conf

  - !!! Please note that mod_unique_id is needed for     mod_security2 to run!

  - modsecurity-apache_2.7.5-build_fix_pcre.diff changes     erroneaous linker parameter, preventing rpath in shared     object.

  - fixes contained for the following bugs :

  - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request     parameter handling

  - [bnc#768293] multi-part bypass, minor threat

  - CVE-2013-1915 [bnc#813190] XML external entity     vulnerability

  - CVE-2012-4528 [bnc#789393] rule bypass

  - CVE-2013-2765 [bnc#822664] NULL pointer dereference     crash

  - new from 2.5.9 to 2.7.5, only major changes :

  - GPLv2 replaced by Apache License v2

  - rules are not part of the source tarball any longer, but     maintaned upstream externally, and included in this     package.

  - documentation was externalized to a wiki. Package     contains the FAQ and the reference manual in html form.

  - renamed the term 'Encryption' in directives that     actually refer to hashes. See CHANGES file for more     details.

  - new directive SecXmlExternalEntity, default off

  - byte conversion issues on s390x when logging fixed.

  - many small issues fixed that were discovered by a     Coverity scanner

  - updated reference manual

  - wrong time calculation when logging for some timezones     fixed.

  - replaced time-measuring mechanism with finer granularity     for measured request/answer phases. (Stopwatch remains     for compat.)

  - cookie parser memory leak fix

  - parsing of quoted strings in multipart     Content-Disposition headers fixed.

  - SDBM deadlock fix

  - @rsub memory leak fix

  - cookie separator code improvements

  - build failure fixes

  - compile time option --enable-htaccess-config (set)

Multiple vulnerabilities has been discovered and corrected in apache-mod_security :

ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031 (CVE-2012-2751).

ModSecurity <= 2.6.8 is vulnerable to multipart/invalid part ruleset bypass, this was fixed in 2.7.0 (released on2012-10-16) (CVE-2012-4528).

The updated packages have been patched to correct these issues.

Qualys Vulnerability & Malware Research Labs discovered a vulnerability in ModSecurity, a security module for the Apache webserver. In situations where both 'Content:Disposition: attachment' and 'Content-Type: multipart' were present in HTTP headers, the vulnerability could allow an attacker to bypass policy and execute cross-site script (XSS) attacks through properly crafted HTML documents.

ID	Name	Product	Family	Severity
80704	Oracle Solaris Third-Party Patch Update : modsecurity (cve_2012_2751_improper_input)	Nessus	Solaris Local Security Checks	high
75113	openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)	Nessus	SuSE Local Security Checks	high
75112	openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1336-1)	Nessus	SuSE Local Security Checks	high
63331	Mandriva Linux Security Advisory : apache-mod_security (MDVSA-2012:182)	Nessus	Mandriva Local Security Checks	medium
59825	Debian DSA-2506-1 : libapache-mod-security - ModSecurity bypass	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2012-2751

medium

Tenable Plugins

high

high

high

medium

medium