(CVE-2009-5031) modsecurity-apache 2.6.6 : Multipart Quote Parsing Security Bypass Vulnerability (CVE-2009-5031 CVE-2012-2751)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libapache-mod-security (Debian) | Fix Released | Unknown | | |
| libapache-mod-security (Ubuntu) | Invalid | Undecided | Unassigned | |
| modsecurity-apache (Debian) | Fix Released | Unknown | | |
| modsecurity-apache (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
From secunia security advisory at URL [1]:
Description
A vulnerability has been reported in ModSecurity, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an error when parsing quotes within multipart requests and can be exploited to bypass certain filtering rules.
The vulnerability is reported in versions prior to 2.6.6.
Solution
Update to version 2.6.6.
From oss-sec at URL [2]:
CVE request for mod_security multi-part bypass:
This issue was partially fixed in 2009 and then corrected completely (I hope =) in 2012, so 2 CVE's.
Please use CVE-2009-5031 for this issue.
2012: commit c5d749a0d809cf2
brenosilva <brenosilva () 9017d574-
Fri Jun 1 20:16:06 2012 +0000 MODSEC-312
svn co https:/
modsecurity
svn diff -r 1917:1918
Please use CVE-2012-2751 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
[1] https:/
[2] http://
Status changes:
- modsecurity-apache (Debian): Unknown → New
- libapache-mod-security (Debian): Unknown → New
- modsecurity-apache (Debian): Incomplete → Fix Released
- libapache-mod-security (Ubuntu): New → Incomplete
- libapache-mod-security (Debian): New → Fix Released
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures