Vulnerability identifier: #VU43224

Vulnerability risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2012-4528

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
ModSecurity
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Trustwave

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.

Mitigation
Install update from vendor's website.

Vulnerable software versions

ModSecurity: 2.0.0 - 2.0.4, 2.1.0 - 2.1.6, 2.5.0 - 2.5.13, 2.6.0 - 2.6.8

---

External links
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093011.html
http://lists.opensuse.org/opensuse-updates/2013-08/msg00020.html
http://lists.opensuse.org/opensuse-updates/2013-08/msg00025.html
http://lists.opensuse.org/opensuse-updates/2013-08/msg00031.html
http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES
http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/apache2/msc_multipart.c?sortby=date&r1=2081&r2=2080&pathrev=2081
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=date&revision=2081
http://seclists.org/fulldisclosure/2012/Oct/113
http://www.openwall.com/lists/oss-security/2012/10/18/14
http://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.