| Summary: | apache-mod_security new security issue CVE-2012-4528 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, guillomovitch, oe, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/527913/ | ||
| Whiteboard: | MGA2-64-OK MGA2-32-OK | ||
| Source RPM: | apache-mod_security-2.6.7-1.mga3.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-12-04 00:18:52 CET

David Walser
2012-12-04 00:19:03 CET
CC: (none) => guillomovitch

David Walser
2012-12-04 00:19:13 CET
Assignee: bugsquad => guillomovitch

David Walser
2012-12-21 14:26:10 CET
CC: (none) => oe

Fixed in Cauldron by Oden.

Version: Cauldron => 2

Fix added in r334303 (mga2, updates_testing, apache-mod_security-2.6.3-3.3.mga2).

Test with the PoC from http://seclists.org/fulldisclosure/2012/Oct/113

Thanks Oden!

I'm guessing crs doesn't need an update for 2.

Advisory:

========================

Updated apache-mod_security packages fix security vulnerability:

ModSecurity before 2.7.0 is vulnerable to multipart/invalid part ruleset bypass (CVE-2012-4528).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4528
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093619.html

========================

Updated packages in core/updates_testing:

========================

apache-mod_security-2.6.3-3.3.mga2
mlogc-2.6.3-3.3.mga2

from apache-mod_security-2.6.3-3.3.mga2.src.rpm

Assignee: guillomovitch => qa-bugs

I'm not having any luck with the PoC, can you give any insight into how to use it please.

Tried with curl (-d and -H) and using 'postit' firefox extension.

I put the PoC data into a file called 8292

```
$ curl -v -X POST http://localhost/wut.php -d @8292
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /wut.php HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0
> Host: localhost
> Accept: */*
> Content-Length: 244
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 244 out of 244 bytes
< HTTP/1.1 200 OK
< Date: Thu, 27 Dec 2012 10:40:23 GMT
< Server: Apache/2.2.23 (Mageia/PREFORK-1.mga2)
< X-Powered-By: PHP/5.3.19
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0

$ curl -v -X POST http://localhost/wut.php -H @8292
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /wut.php HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 27 Dec 2012 10:40:42 GMT
< Server: Apache/2.2.23 (Mageia/PREFORK-1.mga2)
< X-Powered-By: PHP/5.3.19
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
```

/var/log/httpd/access_log shows

```
127.0.0.1 - - [27/Dec/2012:10:54:28 +0000] "POST /wut.php HTTP/1.1" 200 - "-" "curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0"
127.0.0.1 - - [27/Dec/2012:10:54:32 +0000] "POST /wut.php HTTP/1.1" 200 - "-" "curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0"
```

or with postit

```
127.0.0.1 - - [27/Dec/2012:10:48:40 +0000] "POST /wut.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20100101 Firefox/10.0.11"
```

Claire, POST is a command.

```
$ rpm -q -f /usr/bin/POST
perl-libwww-perl-6.40.0-1.mga2
```

Even with that though, I'm not having much luck with the POC yet either.

Still looking into it.

CC: (none) => davidwhodgins

```
[dave@i2v ~]$ POST /wut.php HTTP/1.1
Please enter content (application/x-www-form-urlencoded) to be POSTed:
Content-Type: multipart/form-data; boundary=A
Content-Length: 161
--A
Content-Disposition: form-data; name="xxx"[\r][\r][\n]
--A
Content-Disposition: form-data; name="yyy"; filename="z"
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
--A--
forbidden[dave@i2v ~]$
```

I pressed enter, then ctrl+d after pasting in the content.

Without a working POC, I'd rather just test that the updated package works.

We don't have any packages that require apache-mod_security, and as this is a security update, just testing that the updated module loads with ...

```
# httpd -M 2>/dev/null |grep security
security_module (shared)
```

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm apache-mod_security-2.6.3-3.3.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated apache-mod_security packages fix security vulnerability:

ModSecurity before 2.7.0 is vulnerable to multipart/invalid part ruleset bypass (CVE-2012-4528).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4528
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093619.html
https://bugs.mageia.org/show_bug.cgi?id=8292

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0371

Status: NEW => RESOLVED
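
Added example (not part of the bug thread and not ModSecurity code): a strict checker a defender can run over a captured multipart/form-data body; it flags part headers whose line endings are not a single CRLF, like the `[\r][\r][\n]` after `name="xxx"` in the request pasted above. The function name `audit_multipart` and both sample bodies are constructed for illustration.

```python
import re

CT = "multipart/form-data; boundary=A"
# Constructed sample bodies (harmless content); BAD repeats the CR CR LF line
# ending seen in the pasted request, GOOD is the well-formed equivalent.
GOOD = (b'--A\r\nContent-Disposition: form-data; name="xxx"\r\n\r\nvalue\r\n'
        b'--A\r\nContent-Disposition: form-data; name="yyy"; filename="z"\r\n\r\n'
        b'harmless text\r\n--A--\r\n')
BAD = (b'--A\r\nContent-Disposition: form-data; name="xxx"\r\r\n'
       b'--A\r\nContent-Disposition: form-data; name="yyy"; filename="z"\r\n\r\n'
       b'harmless text\r\n--A--\r\n')

def audit_multipart(content_type, body):
    """Hypothetical helper: list strictness findings (empty list = clean)."""
    m = re.search(r'boundary="?([^";,\s]+)', content_type, re.IGNORECASE)
    if not m:
        return ["Content-Type has no boundary parameter"]
    delim = b"\r\n--" + m.group(1).encode("latin-1")
    # Prefix CRLF so the first delimiter line matches like all later ones.
    chunks = (b"\r\n" + body).split(delim)
    findings, closed = [], False
    for idx, chunk in enumerate(chunks[1:], start=1):
        if chunk.startswith(b"--"):        # closing delimiter, e.g. "--A--"
            closed = True
            break
        if not chunk.startswith(b"\r\n"):
            findings.append(f"part {idx}: delimiter line not ended by CRLF")
            continue
        # Headers end at the first empty line; form-data parts always have one.
        head, sep, _content = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            findings.append(f"part {idx}: header block has no terminating empty line")
        if re.search(rb"\r(?!\n)|(?<!\r)\n", head):
            findings.append(f"part {idx}: bare CR or LF inside part headers")
        if sep:
            # Strict: every line must be "name: value" (folded lines are flagged).
            for line in head.split(b"\r\n"):
                if not re.match(rb"[!-9;-~]+:", line):
                    findings.append(f"part {idx}: malformed header line")
    if not closed:
        findings.append("closing delimiter missing")
    return findings

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_multipart(CT, body))
```

The check is deliberately stricter than a lenient backend parser, so any finding marks a request that a filter and the application may interpret differently.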