Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 Oct 2012 13:13:55 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Breno Silva <breno.silva@...il.com>
CC: Jan Lieskovsky <jlieskov@...hat.com>, oss-security@...ts.openwall.com,
        Matthias Weckbecker <mweckbecker@...e.de>, security@...security.org
Subject: Re: CVE request: Fwd: [Full-disclosure] SEC Consult
 SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/18/2012 06:41 AM, Breno Silva wrote:
> Hello Jan,
> 
> Yes i can confirm the issue and the patch.
> 
> Thanks
> 
> Breno
> 
> On Thu, Oct 18, 2012 at 3:58 AM, Jan Lieskovsky
> <jlieskov@...hat.com <mailto:jlieskov@...hat.com>> wrote:
> 
> Hi Kurt, Breno,
> 
> ----- Original Message ----- -----BEGIN PGP SIGNED MESSAGE----- 
> Hash: SHA1
> 
> On 10/17/2012 02:47 AM, Matthias Weckbecker wrote:
>> Hi Steve, Kurt, vendors,
>> 
>> this flaw looks slightly different from the last one and 
>> apparently has not got a CVE yet.
>> 
>> ----------  Forwarded Message  ----------
>> 
>> Subject: [Full-disclosure] SEC Consult SA-20121017-0 :: 
>> ModSecurity multipart/invalid part ruleset bypass Date:
>> Wednesday 17 October 2012 From: SEC Consult Vulnerability Lab 
>> <research@...-consult.com <mailto:research@...-consult.com>> To:
> full-disclosure@...ts.grok.org.uk 
> <mailto:full-disclosure@...ts.grok.org.uk>,
>> bugtraq@...urityfocus.com <mailto:bugtraq@...urityfocus.com>
>> 
>> SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >
>> 
> =======================================================================
>
> 
> 
>> 
>> 
>> title: ModSecurity multipart/invalid part ruleset bypass product:
>> ModSecurity vulnerable version: <= 2.6.8 fixed version: 2.7.0 CVE
>> number: - impact: Depends what you use it for homepage: 
>> http://www.modsecurity.org/ found: 2012-10-12 by: Bernhard
>> Mueller SEC Consult Vulnerability Lab
>> https://www.sec-consult.com
>> 
> =======================================================================
>
> 
> 
>> Looking
>> 
>> 
>> through
>> 
>> 
> https://www.modsecurity.org/tracker/secure/ReleaseNote.jspa?projectId=10000&version=10100
>
> 
> 
>> Is this https://www.modsecurity.org/tracker/browse/MODSEC-155
> 
> I am not sure this is related since it is closed with resolution 
> 'Cannot Reproduce'.

Yeah I was thinking they might have buried it, never thought to check
the source changelog (assumed the online one was sufficient. sigh).

> 
> Based on Changes: [1] 
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES
>
>  I would say this is: "* Added MULTIPART_INVALID_PART flag. Also
> used in rule id 200002 for multipart strict"
> 
> with relevant upstream commit being: [2] 
> http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=date&revision=2081
>
>  but Cc-in Breno Silva to definitely confirm this yet.
> 
> Breno, could you please confirm / disprove that the patch [2] is 
> upstream patch for issue: [3]
> http://www.openwall.com/lists/oss-security/2012/10/17/1 ?
> 
> And if it's not the correct one, provide an explicit revision link
> to the proper one?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team


Please use CVE-2012-4528 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQgFTzAAoJEBYNRVNeJnmTzK8QALJx/zc849kCqf+hFnkLL9kz
oiYQvwRLtNHw3ygEGCsl/VP87ixW+8n1DxQSuL/a3U0jY+4D6woujoJ6S2w0Hreh
7boe+m9AdhrakrsuXZTOSmKZePDuO5xQM3Q+oo2/5z3u8JnPgm1gEB07pzSxfFDa
+nKcaioisXy/VCc9TFtleiie47t2i9ypgajNSNOFjCn3WL3UmO9SBWRveAW+0BAU
XmQuKnH/ZTa5xMRdnu/RvT9uQtMjrwDY/sl7snBGTOVsZ+xHcJ4a4gEJllqPvjHk
NJVNrz5wEXsvfrJt20TW9tP/d1yHfHFinM0KxYswP1GmZ2qhYc2dOqTUFDQunUAo
RsWzp32Bs11o3eiK5v7RFct7mA/SYCjzaj6AfJi07XgY98xRc3ov22PkuTtQ8Sq3
cLM1xeLj89eyBZp5rGrgfj/dtCeuASmWvZDPE4JAz+fKDv5jwXp0cn7JzqYXf+mN
YjszGPX94oDKiih76aylMcp50hYbsdWPaKK/L1tpEV+nzTRLVMFIJ+jgaY/jhBJH
m48sKMPh3F1WE7DdtWYcGD3xLYlk1QjYP1DmkcO9YEH4TT2+qqnkyMBayMCY8Roa
w8dIu6Az/yQQUevmYaJu2+o6v1dUmyBKknWrV6iyA7zqV6YVCXmvQZX9HBkSV84H
bPGFFZBbfOsFX1FGfXNm
=yVSP
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.