[Bug 231728] CVE-2007-1359: mod_security <= 2.1.0 request rule bypass

bugzilla at redhat.com bugzilla at redhat.com
Sat Mar 10 23:36:10 UTC 2007



Summary: CVE-2007-1359: mod_security <= 2.1.0 request rule bypass


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231728


mfleming+rpm at enlartenment.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED




------- Additional Comments From mfleming+rpm at enlartenment.com  2007-03-10 18:36 EST -------
Thanks for the reminder Ville.

Ivan (Ristic, ModSecurity author) hasn't released an update for the 1.9.x branch
as yet to fix this, but does have a rule for 2.x and up that mitigates the issue
pending a full release of 2.1.1 (and I would assume a 1.9.5 version).

From http://www.modsecurity.org/blog/archives/2007/03/modsecurity_asc.html:

SecRule REQUEST_BODY "@validateByteRange 1-255" \
"log,deny,phase:2,t:none,msg:'ModSecurity ASCIIZ Evasion Attempt'"

I'm going to run up a local package of ModSecurity 2.1.0 (+Core Rules and the
above as a "local" rule) this morning and try this on my own site
(www.enlartenment.com) prior to adding it to Extras (should it work out OK).

I've been meaning to update the version for a while but time constraints got the
better of me. Be warned however that the configuration and rule syntax has
changed since 1.9.x (admins are going to have to make some manual changes if
they've got local additions) but on the upside it's 200% faster and the rule
syntax allows for more flexibility.

If there are any objections, by all means let me know and I'll hold off until a
proper 1.9.x fix is available.


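The mitigation rule quoted above denies any request body that contains a byte outside the range 1-255, which in practice means a NUL byte (0x00), the byte the "ASCIIZ" evasion relies on. The following is an added example, not code from the bug report or from ModSecurity itself: a minimal Python re-implementation of what the @validateByteRange operator checks, run over two constructed request bodies so a defender can see which body the rule would let through and which it would deny. The function names, the range-spec parser and the sample bodies are all assumptions of this example.

```python
# Added example, not part of the bug report or the ModSecurity code base.
# Re-implements the check behind "@validateByteRange 1-255" to show why a
# body carrying a NUL byte trips the rule while an ordinary form body passes.


def parse_byte_ranges(spec: str) -> set:
    """Parse a ModSecurity-style range spec such as "1-255" or "32-126,9,10"
    into the set of allowed byte values (0..255)."""
    allowed = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"bad byte range: {part!r}")
        allowed.update(range(lo, hi + 1))
    return allowed


def validate_byte_range(body: bytes, spec: str = "1-255") -> list:
    """Return the offsets of every byte in `body` that falls outside `spec`.
    An empty list means the body is within range and the operator would not
    match."""
    allowed = parse_byte_ranges(spec)
    return [i for i, b in enumerate(body) if b not in allowed]


def evaluate_rule(body: bytes, spec: str = "1-255") -> dict:
    """Mimic the quoted rule's outcome: 'deny' plus the log message when any
    byte violates the range, 'pass' otherwise."""
    bad = validate_byte_range(body, spec)
    if bad:
        return {"action": "deny",
                "msg": "ModSecurity ASCIIZ Evasion Attempt",
                "offsets": bad}
    return {"action": "pass", "msg": None, "offsets": []}


# Constructed sample bodies (hypothetical, not taken from the report).
CLEAN_BODY = b"user=alice&comment=hello+world"
NUL_BODY = b"user=alice\x00&comment=hello+world"   # NUL at offset 10

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_BODY), ("nul", NUL_BODY)):
        print(name, evaluate_rule(body))
```

When deploying the real rule, remember that REQUEST_BODY is only populated in phase 2 if SecRequestBodyAccess is On; with body access off the rule has nothing to inspect and will never fire, so a test like the one above (one clean body, one with an embedded NUL) against a staging server is the quickest way to confirm the rule is actually active.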



