DoS vulnerability in ModSecurity fixed - Update
The development team behind open source web application firewall ModSecurity has fixed a vulnerability which could be exploited by attackers to crash the firewall. Using a crafted HTTP request to execute the action
forceRequestBodyVariable with an unknown content type resulted in a null pointer dereference.
The problem can be fixed by updating to version 2.7.4, which also fixes a number of other bugs and utilises libinjection to identify SQL injection attacks. The developers have also announced that the nginx port has now attained the status of a stable version.
Update 29-05-13 10:19: Younes Jaaidi, the researcher who discovered the vulnerability has posted more details about the exploit, which been allocated the identifier CVE-2013-2765. Jaaidi has also released proof-of-concept code for the exploit on GitHub.