In association with heise online

28 May 2013, 20:45

DoS vulnerability in ModSecurity fixed - Update


The development team behind open source web application firewall ModSecurity has fixed a vulnerability which could be exploited by attackers to crash the firewall. Using a crafted HTTP request to execute the action forceRequestBodyVariable with an unknown content type resulted in a null pointer dereference.

The problem can be fixed by updating to version 2.7.4, which also fixes a number of other bugs and utilises libinjection to identify SQL injection attacks. The developers have also announced that the nginx port has now attained the status of a stable version.

Update 29-05-13 10:19: Younes Jaaidi, the researcher who discovered the vulnerability, has posted more details about the exploit, which has been allocated the identifier CVE-2013-2765. Jaaidi has also released proof-of-concept code for the exploit on GitHub.

(djwm)
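A quick exposure check for the issue described above, as an added example that is not code from the article or the ModSecurity project: it reports whether a build predates 2.7.4 and whether any rule switches on forceRequestBodyVariable. It assumes the action appears in rule files in ModSecurity 2.x ctl syntax (`ctl:forceRequestBodyVariable=On`); the function names and the sample rule file are constructed for illustration.

```python
import re

FIXED_VERSION = (2, 7, 4)  # release the article names as carrying the fix
# Assumed rule-file spelling of the action (ModSecurity 2.x ctl syntax).
CTL_RE = re.compile(r"ctl:forceRequestBodyVariable\s*=\s*on\b", re.IGNORECASE)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample rule file: one commented-out rule, one live multi-line rule.
SAMPLE_CONFIG = '''\
SecRuleEngine On
# SecAction "id:900,phase:1,nolog,pass,ctl:forceRequestBodyVariable=On"
SecRule REQUEST_URI "@beginsWith /api/" \\
    "id:1001,phase:1,nolog,pass,\\
    ctl:forceRequestBodyVariable=On"
'''


def has_fix(version_string):
    """True if the first x.y.z found in the string is 2.7.4 or later."""
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no x.y.z version in %r" % version_string)
    return tuple(int(p) for p in m.groups()) >= FIXED_VERSION


def rules_enabling_action(config_text):
    """Return (first_line_number, joined_rule) for each live rule enabling the action."""
    hits, buf, start = [], "", 0
    for n, line in enumerate(config_text.splitlines(), 1):
        if not buf:
            start = n                      # first physical line of this directive
        stripped = line.rstrip()
        if stripped.endswith("\\"):        # backslash continuation: keep joining
            buf += stripped[:-1] + " "
            continue
        rule = (buf + stripped).strip()
        buf = ""
        if rule and not rule.startswith("#") and CTL_RE.search(rule):
            hits.append((start, rule))
    return hits


def audit(version_string, config_text):
    """Exposed here means: build lacks the fix AND a rule enables the action."""
    hits = rules_enabling_action(config_text)
    fixed = has_fix(version_string)
    return {"has_fix": fixed, "rules": hits, "exposed": bool(hits) and not fixed}
```

Feed `audit()` the version string from your server's startup log and the concatenated contents of your rule files; a build older than 2.7.4 should be updated regardless of the rule result.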

 

