BID:22831

Mod_Security ASCIIZ Byte POST Bypass Vulnerability

Info

Mod_Security ASCIIZ Byte POST Bypass Vulnerability

Bugtraq ID:	22831
Class:	Input Validation Error
CVE:	CVE-2007-1359
Remote:	Yes
Local:	No
Published:	Mar 06 2007 12:00AM
Updated:	Jul 15 2008 11:09PM
Credit:	Stefan Esser disclosed this issue.
Vulnerable:	Oracle Oracle10g Application Server 10.1.3 .3.0 Oracle Oracle10g Application Server 10.1.3 .2.0 Oracle Oracle10g Application Server 10.1.3 .1.0 Oracle Oracle10g Application Server 10.1.3 .0.0 Oracle Oracle10g Application Server 10.1.2 .2.0 Oracle Oracle10g Application Server 10.1.2 Oracle Oracle10g Application Server 10.1.2.3.0 Oracle Application Server Release 2 10.1.2 .0.0 Oracle Application Server 10g 10.1.2 mod_security mod_security 2.1 mod_security mod_security 1.9.4 mod_security mod_security 1.7.5 mod_security mod_security 1.7.4 mod_security mod_security 1.7.2 mod_security mod_security 1.7.1 mod_security mod_security 1.7 Gentoo Linux

Not Vulnerable:	mod_security mod_security 2.1.1

Discussion

Mod_Security ASCIIZ Byte POST Bypass Vulnerability

Mod_Security is prone to a POST-parsing-bypass vulnerability. Successful attacks could allow an attacker to bypass mod_security restrictions and successfully submit malicious input to mod_security-protected sites.

The issue derives from a difference in the way the mod_security HTTP request parser and protected backend web-scripting languages process incoming data following ASCIIZ bytes.

This issue is reported to affect all iterations of mod_security below 2.1.0.

Exploit / POC

Mod_Security ASCIIZ Byte POST Bypass Vulnerability

Attackers may exploit this issue with standard HTTP data.

Solution / Fix

Mod_Security ASCIIZ Byte POST Bypass Vulnerability

Solution:
The vendor released an update and fixes to address this issue. Please see the references for more information.

mod_security mod_security 1.7

mod_security modsecurity-apache_2.1.1.tar.gz
http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz

mod_security mod_security 1.7.1

mod_security modsecurity-apache_2.1.1.tar.gz
http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz

mod_security mod_security 1.7.2

mod_security modsecurity-apache_2.1.1.tar.gz
http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz

mod_security mod_security 1.7.4

mod_security modsecurity-apache_2.1.1.tar.gz
http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz

mod_security mod_security 1.7.5

mod_security modsecurity-apache_2.1.1.tar.gz
http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz

mod_security mod_security 1.9.4

mod_security modsec-1_9_4-asciiz.patch
http://www.modsecurity.org/download/modsec-1_9_4-asciiz.patch

mod_security modsecurity-apache_2.1.1.tar.gz
http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz

mod_security mod_security 2.1

mod_security modsecurity-apache_2.1.1.tar.gz
http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz

References

Mod_Security ASCIIZ Byte POST Bypass Vulnerability

References:

Mod_Security Homepage (Mod_Security)
ModSecurity ASCIIZ Evasion (ModSecurity)
BONUS-12-2007:mod_security POST Rules Bypass Vulnerability (PHP-Security)
Oracle Critical Patch Update Advisory - July 2008 (Oracle)