Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Apr 2013 08:23:19 -0400 (EDT)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,
        Breno Silva <>
Subject: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks

Hello Kurt, Steve, Breno, vendors,

  ModSecurity upstream has released v2.7.3 version:

correcting one security flaw (from [2]):
"It was reported that the XML files parser of ModSecurity,
a security module for the Apache HTTP Server, was vulnerable
to XML External Entity attacks. A remote attacker could
provide a specially-crafted XML file that, when processed
might lead to local files disclosure or, potentially,
excessive resources (memory, CPU) consumption."


Relevant upstream patch (seems to be the following):

Could you allocate a CVE id [*] for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

[*] According to:
    there doesn't seem to have been a CVE id allocated for this issue yet.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.