[mod-security-packagers] CVE-2013-5705 - Chunked string case sensitive issue
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-packagers] CVE-2013-5705 - Chunked string case sensitive issue
|
From: Felipe C. <FC...@tr...> - 2014-04-03 20:43:38
|
Hi, Marin Holst Swende (@mhswende) reported a security issue in ModSecurity related to way that it recognize a chunked transfer encoding. ModSecurity was just detecting a chunked transfer if it was informed in lower case, apparently Apache is more permissive. The rfc2616 describes the chunk encode. A fix was made by Breno Silva, and it was distributed altogether with other improvements on 2.7.6. However, the patch to older versions was not available to that list until now, we sorry for that. The patch is available at: http://www.modsecurity.org/fix-CVE-2013-570.patch Signature of the patch: http://www.modsecurity.org/fix-CVE-2013-570.patch.asc This patch is suitable to versions 2.7.2 until 2.7.6. If you have a live package that is providing a ModSecurity version older than 2.7.2, please let me know. Just to confirm 2.7.6 and newer don't need the patch. Thanks, Felipe "Zimmerle" Costa Security Researcher, SpiderLabs Trustwave | SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |
