Title: ModSecurity (mod_security) POST Data Null Byte Filter Bypass
Dates
Disclosure: Mar 06, 2007
Discovery: Unknown
Exploit: Mar 06, 2007
Solution: Unknown
Description
ModSecurity contains a flaw that may allow a remote user to bypass its security rules. The issue is triggered when ModSecurity parses a POST request with the application/x-www-form-urlencoded content type whose body contains an un-encoded NULL byte (0x00; labelled ASCIIZ after the C convention of zero-terminated strings). ModSecurity does not scan anything beyond the NULL byte, so variables that refer to request parameters (e.g. ARGS) are populated only from the data that precedes it, while the full body, including the data after the NULL byte, is still delivered to the protected application. A remote user can therefore place malicious input after a NULL byte and submit it to a ModSecurity-protected site without triggering the rules that inspect request parameters, resulting in a loss of confidentiality.
Classification
Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified
Solution
Upgrade to version 2.1.1-rc1 or higher, which has been reported to fix this vulnerability. Alternatively, the flaw can be mitigated by adding the following rule to the rule set. It inspects the raw request body (REQUEST_BODY, with t:none so that no transformations are applied before the check) in phase 2, the first phase in which the body is available, and denies any request containing a byte outside the range 1-255, i.e. a NULL byte. SecRequestBodyAccess must be On for the body to be inspected at all:
SecRule REQUEST_BODY "@validateByteRange 1-255" \
"log,deny,phase:2,t:none,msg:'ModSecurity ASCIIZ Evasion Attempt'"
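To make both the bypass described above and the byte-range rule concrete, the following C program is an added illustration and is not ModSecurity's own code. It models a form-urlencoded parser that handles the body as a NUL-terminated C string (the "nothing beyond the NULL byte is scanned" behaviour described in the advisory, not ModSecurity's actual parser) beside a length-aware parser, runs a simple ARGS-style rule over each view of two constructed request bodies, and implements the check that the @validateByteRange 1-255 rule performs on REQUEST_BODY. The request bodies, the parameter names and the "../" rule are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed request bodies (not from the advisory). BODY_RAW_NUL carries an
 * un-encoded 0x00 inside the value of "a"; BODY_PCT_NUL carries the same byte
 * percent-encoded, which is what a well-behaved client would send. */
static const char BODY_RAW_NUL[] = "a=1\0&b=../../etc/passwd";
static const size_t BODY_RAW_NUL_LEN = sizeof(BODY_RAW_NUL) - 1; /* 23 bytes on the wire */
static const char BODY_PCT_NUL[] = "a=1%00&b=../../etc/passwd";
static const size_t BODY_PCT_NUL_LEN = sizeof(BODY_PCT_NUL) - 1; /* 25 bytes on the wire */

/* Number of '&'-separated fields in the first len bytes of body. */
size_t count_params(const char *body, size_t len) {
    if (len == 0) return 0;
    size_t n = 1;
    for (size_t i = 0; i < len; i++)
        if (body[i] == '&') n++;
    return n;
}

/* The flawed view: the body is treated as a C string, so strlen() stops at the
 * first 0x00 and everything after it is never examined. */
size_t count_params_cstr(const char *body) {
    return count_params(body, strlen(body));
}

/* Length-aware lookup of parameter `name`; returns 1 and writes its raw value
 * (truncated to outsz-1 bytes) into out if found, 0 otherwise. */
int find_param(const char *body, size_t len, const char *name, char *out, size_t outsz) {
    size_t i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && body[i] != '&') i++;            /* field is body[start..i) */
        size_t eq = start;
        while (eq < i && body[eq] != '=') eq++;
        if (eq - start == strlen(name) && memcmp(body + start, name, eq - start) == 0) {
            size_t vstart = (eq < i) ? eq + 1 : i;
            size_t vlen = i - vstart;
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, body + vstart, vlen);
            out[vlen] = '\0';
            return 1;
        }
        i++;                                                /* skip the '&' */
    }
    return 0;
}

/* 1 if parameter `name` is present with exactly the value `expect`. */
int param_equals(const char *body, size_t len, const char *name, const char *expect) {
    char buf[256];
    return find_param(body, len, name, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

/* Stand-in for a rule on ARGS: 1 if any parameter value within the first len
 * bytes contains "../". Passing strlen(body) as len gives the C-string view,
 * passing the real body length gives the view the application gets. */
int args_rule_matches(const char *body, size_t len) {
    size_t i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && body[i] != '&') i++;
        size_t eq = start;
        while (eq < i && body[eq] != '=') eq++;
        for (size_t k = (eq < i) ? eq + 1 : i; k + 2 < i; k++)
            if (body[k] == '.' && body[k + 1] == '.' && body[k + 2] == '/') return 1;
        i++;
    }
    return 0;
}

/* Equivalent of "@validateByteRange 1-255" applied to the raw REQUEST_BODY with
 * t:none: 1 if every byte lies within [lo, hi], 0 on the first byte outside it. */
int validate_byte_range(const char *body, size_t len, unsigned lo, unsigned hi) {
    for (size_t i = 0; i < len; i++) {
        unsigned c = (unsigned char)body[i];
        if (c < lo || c > hi) return 0;
    }
    return 1;
}

int main(void) {
    const char *bodies[2] = { BODY_RAW_NUL, BODY_PCT_NUL };
    const size_t lens[2] = { BODY_RAW_NUL_LEN, BODY_PCT_NUL_LEN };
    for (int i = 0; i < 2; i++) {
        printf("body %d: C-string view sees %zu param(s), length-aware view sees %zu\n",
               i, count_params_cstr(bodies[i]), count_params(bodies[i], lens[i]));
        printf("  ARGS rule over C-string view: %d, over full body: %d\n",
               args_rule_matches(bodies[i], strlen(bodies[i])),
               args_rule_matches(bodies[i], lens[i]));
        printf("  @validateByteRange 1-255 on REQUEST_BODY: %s\n",
               validate_byte_range(bodies[i], lens[i], 1, 255) ? "pass" : "deny");
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall nulbypass.c` (file name assumed). For the body with the raw 0x00 the C-string view sees a single parameter and the "../" rule never fires, while the length-aware view finds parameter b with the traversal payload; the byte-range check denies that body because byte 3 is 0x00. The percent-encoded body contains no 0x00 byte on the wire, so in this model neither view is cut short and the rule lets it through, which is why the description stresses an un-encoded NULL byte.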