CVE 2009-5031
ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header.
Related bugs and status
CVE-2009-5031 (Candidate) is related to these bugs:
Bug #1016909: (CVE-2009-5031) <modsecurity-apache-2.6.6 : Multipart Quote Parsing Security Bypass Vulnerability (CVE-2009-5031 CVE-2012-2751)
Bug | Summary | In | Importance | Status
---|---|---|---|---
1016909 | (CVE-2009-5031) <modsecurity-apache-2.6.6 : Multipart Quote Parsing Security Bypass Vulnerability (CVE-2009-5031 CVE-2012-2751) | modsecurity-apache (Ubuntu) | Undecided | Invalid
1016909 | (CVE-2009-5031) <modsecurity-apache-2.6.6 : Multipart Quote Parsing Security Bypass Vulnerability (CVE-2009-5031 CVE-2012-2751) | modsecurity-apache (Debian) | Unknown | Fix Released
1016909 | (CVE-2009-5031) <modsecurity-apache-2.6.6 : Multipart Quote Parsing Security Bypass Vulnerability (CVE-2009-5031 CVE-2012-2751) | libapache-mod-security (Ubuntu) | Undecided | Invalid
1016909 | (CVE-2009-5031) <modsecurity-apache-2.6.6 : Multipart Quote Parsing Security Bypass Vulnerability (CVE-2009-5031 CVE-2012-2751) | libapache-mod-security (Debian) | Unknown | Fix Released
Bug #1169030: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
See the CVE page on Mitre.org for more details.