ModSecurity XML External Entity Information Disclosure Vulnerability
BID:58810
Info
| Bugtraq ID: | 58810 |
| Class: | Design Error |
| CVE: | CVE-2013-1915 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 28 2013 12:00AM |
| Updated: | Apr 13 2015 09:35PM |
| Credit: | Timur Yunusov and Alexey Osipov of the Positive Technologies Research Team |
| Vulnerable: | SuSE openSUSE 11.4; MandrakeSoft Enterprise Server 5 x86_64; MandrakeSoft Enterprise Server 5; Debian Linux 6.0 sparc; Debian Linux 6.0 s/390; Debian Linux 6.0 powerpc; Debian Linux 6.0 mips; Debian Linux 6.0 ia-64; Debian Linux 6.0 ia-32; Debian Linux 6.0 arm; Debian Linux 6.0 amd64 |
| Not Vulnerable: | |
Discussion
ModSecurity is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. The attacker may also exploit this issue to cause excessive memory and CPU consumption resulting in denial-of-service conditions.
ModSecurity 2.7.2 is vulnerable; other versions may also be affected.
Exploit / POC
An attacker can exploit this issue using readily available tools.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
MandrakeSoft Enterprise Server 5 x86_64
- Mandriva apache-mod_security-2.5.12-0.4mdvmes5.2.x86_64.rpm: http://www.mandriva.com/en/downloads/
- Mandriva mlogc-2.5.12-0.4mdvmes5.2.x86_64.rpm: http://www.mandriva.com/en/downloads/

MandrakeSoft Enterprise Server 5
- Mandriva apache-mod_security-2.5.12-0.4mdvmes5.2.i586.rpm: http://www.mandriva.com/en/downloads/
- Mandriva mlogc-2.5.12-0.4mdvmes5.2.i586.rpm: http://www.mandriva.com/en/downloads/

Mandriva Business Server 1 X86 64
- Mandriva apache-mod_security-2.6.3-5.2.mbs1.x86_64.rpm: http://www.mandriva.com/en/downloads/
- Mandriva mlogc-2.6.3-5.2.mbs1.x86_64.rpm: http://www.mandriva.com/en/downloads/
References
References:
- Bug 947842- CVE-2013-1915 mod_security: Vulnerable to XXE attacks (Bugzilla)
- CVE-2013-1915 Input Validation vulnerability in ModSecurity (Oracle)
- ModSecurity 2.7.3 changes (Trustwave)
- ModSecurity Homepage (Trustwave)