Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
 home presentation vulnerabilities documentation contact  
subscriber area subscriber area
free access free access
Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability

vulnerability alert 9411

ModSecurity: denials of service

Synthesis of the vulnerability

An attacker can generate several denials of service in the ModSecurity module for Apache httpd.
Severity: 2/4.
Creation date: 08/02/2010.

Description of the vulnerability

The ModSecurity module can be installed on Apache httpd, in order to filter queries. It is impacted by several vulnerabilities.

An attacker can use a complex url, in order to force the regular expression engine to consume resources. [severity:2/4; >]

ModSecurity does not detect complex path exiting from the root. [severity:2/4; >]

Some MIME multipart separators are not correctly analyzed. [severity:2/4; >]

An attacker can use a malformed cookie, in order to generate a memory leak during its analysis. [severity:2/4; >]

A remote attacker can therefore generate a denial of service on ModSecurity.

Complete Vigil@nce bulletin

Access to the complete Vigil@nce bulletin

Characteristics

Title: ModSecurity: denials of service.
Keywords: Apache MIME ModSecurity denials odSecurity service.
Identifiers: BID-38156, FEDORA-2010-1862, FEDORA-2010-1903, MDVSA-2010:050, VIGILANCE-VUL-9411.

Information sources

Publications and announces

Solutions for this vulnerability

Patch or workaround

Supplements

Vulnerability : PCRE

An attacker can use a complex url, in order to force the regular expression engine to consume resources.
Severity: 2/4.

Vulnerability : path normalization

ModSecurity does not detect complex path exiting from the root.
Severity: 2/4.

Vulnerability : multipart

Some MIME multipart separators are not correctly analyzed.
Severity: 2/4.

Vulnerability : cookie parser

An attacker can use a malformed cookie, in order to generate a memory leak during its analysis.
Severity: 2/4.

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Computer vulnerability database



















France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française