Информационная безопасность
[RU] switch to English

Обход защиты в Apache mod_security
Опубликовано:9 июля 2012 г.
SecurityVulns ID:12451
Уровень опасности:
Описание:Возможно обойти проверки при одновременном использовании Content-Disposition: attachment и Content-Type: multipart.
Затронутые продукты:APACHE : mod-security 2.6
CVE:CVE-2012-4528 (The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.)
 CVE-2012-2751 (ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2506-1] libapache-mod-security security update (09.07.2012)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород