[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Chunked requests to bypass ModSecurity and mod_headers
From: Martin Holst Swende <martin () swende ! se>
Date: 2014-03-31 19:10:39
Message-ID: 5339BDAF.9050709 () swende ! se
[Download RAW message or body]
Hi list,
While playing with requests that used chunked encoding, I found one way
to sneak headers through Apache mod_headers removal mechanism. I also
found a way to sneak pretty much anything through ModSecurity.
More details here:
http://martin.swende.se/blog/HTTPChunked.html
## Timeline
* 2013-09-05 Notified ModSecurity (security@modsecurity.org) about the
problem.
* 2013-09-05 ModSecurity responded; will investigate/patch.
* 2013-09-06 Notified Apache Software Foundation about the problem.
* 2013-09-08 Apache responded; confirmed and looking into the issue.
* 2013-09-09 ModSecurity responded with patch.
* 2013-10-19 Apache security raised the issue on dev@httpd instead, it
was "languishing on the private list".
[Mail](http://marc.info/?l=apache-httpd-dev&m=138219203120175&w=2)
* 2013-12-16 ModSecurity released version 2.7.6, with
[patch](https://github.com/SpiderLabs/ModSecurity/commit/f8d441cd25172fdfe5b613442fedfc0da3cc333d).
Uncredited.
* 2014-03-31 Published details
### Status as of february 2014
The Ubuntu-packaged version of Modsecurity is 2.7.4, both for 13.10 and
earlier. This version is vulnerable.
The latest LTS server version - Ubuntu 12.04 uses Apache 2.2.22, which
*is* vulnerable.
Ubuntu 13.10 repositories contains Apache 2.4.6, which was found *not*
to be vulnerable.
Regards,
Martin Holst Swende (and thanks to Fyodor!)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic