Fedora has issued an advisory on November 16:
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093619.html

An update for apache-mod_security-crs also references this issue:
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093620.html

Fixed upstream in 2.7.0, and a patch is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=867424
CC: (none) => guillomovitch
Assignee: bugsquad => guillomovitch
Whiteboard: (none) => MGA2TOO
CC: (none) => oe
Fixed in Cauldron by Oden.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
Fix added in r334303 (mga2, updates_testing, apache-mod_security-2.6.3-3.3.mga2). Test with the PoC from http://seclists.org/fulldisclosure/2012/Oct/113
Thanks Oden! I'm guessing crs doesn't need an update for 2.

Advisory:
========================

Updated apache-mod_security packages fix security vulnerability:

ModSecurity before 2.7.0 is vulnerable to multipart/invalid part ruleset bypass (CVE-2012-4528).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4528
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093619.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.6.3-3.3.mga2
mlogc-2.6.3-3.3.mga2

from apache-mod_security-2.6.3-3.3.mga2.src.rpm
Assignee: guillomovitch => qa-bugs
I'm not having any luck with the PoC, can you give any insight into how to use it, please?

Tried with curl (-d and -H) and using 'postit' firefox extension.

I put the PoC data into a file called 8292

$ curl -v -X POST http://localhost/wut.php -d @8292
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /wut.php HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0
> Host: localhost
> Accept: */*
> Content-Length: 244
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 244 out of 244 bytes
< HTTP/1.1 200 OK
< Date: Thu, 27 Dec 2012 10:40:23 GMT
< Server: Apache/2.2.23 (Mageia/PREFORK-1.mga2)
< X-Powered-By: PHP/5.3.19
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0

$ curl -v -X POST http://localhost/wut.php -H @8292
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /wut.php HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 27 Dec 2012 10:40:42 GMT
< Server: Apache/2.2.23 (Mageia/PREFORK-1.mga2)
< X-Powered-By: PHP/5.3.19
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0

/var/log/httpd/access_log shows

127.0.0.1 - - [27/Dec/2012:10:54:28 +0000] "POST /wut.php HTTP/1.1" 200 - "-" "curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0"
127.0.0.1 - - [27/Dec/2012:10:54:32 +0000] "POST /wut.php HTTP/1.1" 200 - "-" "curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0"

or with postit

127.0.0.1 - - [27/Dec/2012:10:48:40 +0000] "POST /wut.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20100101 Firefox/10.0.11"
Claire, POST is a command.

$ rpm -q -f /usr/bin/POST
perl-libwww-perl-6.40.0-1.mga2

Even with that though, I'm not having much luck with the POC yet either. Still looking into it.
CC: (none) => davidwhodgins
[dave@i2v ~]$ POST /wut.php HTTP/1.1
Please enter content (application/x-www-form-urlencoded) to be POSTed:
Content-Type: multipart/form-data; boundary=A
Content-Length: 161
--A
Content-Disposition: form-data; name="xxx"[\r][\r][\n]
--A
Content-Disposition: form-data; name="yyy"; filename="z"
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
--A--
forbidden[dave@i2v ~]$

I pressed enter, then ctrl+d after pasting in the content.

Without a working POC, I'd rather just test that the updated package works. We don't have any packages that require apache-mod_security, and as this is a security update, just testing that the updated module loads with ...

# httpd -M 2>/dev/null |grep security
security_module (shared)

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
apache-mod_security-2.6.3-3.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory:
Updated apache-mod_security packages fix security vulnerability:

ModSecurity before 2.7.0 is vulnerable to multipart/invalid part ruleset bypass (CVE-2012-4528).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4528
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093619.html
https://bugs.mageia.org/show_bug.cgi?id=8292
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0371
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED