Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Oct 2012 07:41:05 -0500
From: Breno Silva <breno.silva@...il.com>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: oss-security@...ts.openwall.com, Matthias Weckbecker <mweckbecker@...e.de>, 
	security@...security.org, Kurt Seifried <kseifried@...hat.com>
Subject: Re: CVE request: Fwd: [Full-disclosure] SEC Consult
 SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass

Hello Jan,

Yes i can confirm the issue and the patch.

Thanks

Breno

On Thu, Oct 18, 2012 at 3:58 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote:

> Hi Kurt, Breno,
>
> ----- Original Message -----
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/17/2012 02:47 AM, Matthias Weckbecker wrote:
> > Hi Steve, Kurt, vendors,
> >
> > this flaw looks slightly different from the last one and
> > apparently has not got a CVE yet.
> >
> > ----------  Forwarded Message  ----------
> >
> > Subject: [Full-disclosure] SEC Consult SA-20121017-0 ::
> > ModSecurity multipart/invalid part ruleset bypass Date: Wednesday
> > 17 October 2012 From: SEC Consult Vulnerability Lab
> > <research@...-consult.com> To: full-disclosure@...ts.grok.org.uk,
> > bugtraq@...urityfocus.com
> >
> > SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >
> > =======================================================================
> >
> >
> >
> > title: ModSecurity multipart/invalid part ruleset bypass
> > product: ModSecurity vulnerable version: <= 2.6.8 fixed version:
> > 2.7.0 CVE number: - impact: Depends what you use it for homepage:
> > http://www.modsecurity.org/ found: 2012-10-12 by: Bernhard Mueller
> >  SEC Consult Vulnerability Lab https://www.sec-consult.com
> > =======================================================================
> >
> > Looking
> >
> >
> > through
> >
> >
> https://www.modsecurity.org/tracker/secure/ReleaseNote.jspa?projectId=10000&version=10100
> >
> > Is this https://www.modsecurity.org/tracker/browse/MODSEC-155
>
> I am not sure this is related since it is closed with resolution 'Cannot
> Reproduce'.
>
> Based on Changes:
>   [1]
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES
>
> I would say this is:
>   "* Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for
> multipart strict"
>
> with relevant upstream commit being:
>   [2]
> http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=date&revision=2081
>
> but Cc-in Breno Silva to definitely confirm this yet.
>
> Breno, could you please confirm / disprove that the patch [2] is upstream
> patch for issue:
>   [3] http://www.openwall.com/lists/oss-security/2012/10/17/1 ?
>
> And if it's not the correct one, provide an explicit revision link to
> the proper one?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> >
> > I'd like to confirm this before assigning a CVE.
> >
> > - --
> > Kurt Seifried Red Hat Security Response Team (SRT)
> > PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.12 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
> >
> > iQIcBAEBAgAGBQJQf7OGAAoJEBYNRVNeJnmTFlgQAJxEfUA7oFo8bb0/iSrb7zy9
> > k4IgupMfsxmOLy9uv07G5dy7dRNRkOqYtrQxszFfnnsFqTDtE9+BU7QpX3pmyBlp
> > KYJMTen2A7ygbqr2GSNnh5faCeYty/9gvubTrJ0wmdE8wlwoOqOtZcjkjA0IzRy9
> > T5WYmwxHkkytPsBVQjrirJc4Q2ehKLUNA6ipC6eyq5b+5qqtS+pHRcJbMbNeHj8P
> > PSDeWGAgwSVY56o+vb0WjAjaU/o64kv6ZOn8MFb06cb+GCTUbtpJHwRWaBwmNBaf
> > 9vHqUURjkAkB/np5v9PvKGuovBs8MiDjv43Z8Tl2oWLGJlkaWO0ltC0HBD9nkKBV
> > H+5mSPub3MBrtxXyUXI0lb4Zh4vUtbzDt8O0SVV+6lqAFv18UBX0ksTjzkgK6sIl
> > 987lJr+MiKsVsO7XBZk0OBMQShu9AiZq3ueBwcol99HeY/ICPPZxT+lP/v72rNsc
> > rMaLOBtgdMj2n0yVvqk4Zg1mshZyWP8NAofFhu2sIbItd/x/csCrwFTjJnrar2pN
> > 2wHJKFjq/ssMXBuFws1M/O4CjRDo2iImB4fIYqS5GxSXRQUephI6eIbgmX/PPQgG
> > 5z550ct/fbSCcNm8uzCjN5YbAKcvHqfDqTqrq4v6bBMJ6ww2eOR8gF9/LYFm7OKb
> > jTf1myRV1SAMt6UVd0dJ
> > =XFfO
> > -----END PGP SIGNATURE-----
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.