lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 31 Mar 2014 21:10:39 +0200
From: Martin Holst Swende <>
Subject: [FD] Chunked requests to bypass ModSecurity and mod_headers

Hi list,

While playing with requests that used chunked encoding, I found one way 
to sneak headers through Apache mod_headers removal mechanism. I also 
found a way to sneak pretty much anything through ModSecurity.

More details here:

## Timeline

* 2013-09-05 Notified ModSecurity ( about the 
* 2013-09-05 ModSecurity responded; will investigate/patch.
* 2013-09-06 Notified Apache Software Foundation about the problem.
* 2013-09-08 Apache responded; confirmed and looking into the issue.
* 2013-09-09 ModSecurity responded with patch.
* 2013-10-19 Apache security raised the issue on dev@...pd instead, it 
was "languishing on the private list". 
* 2013-12-16 ModSecurity released version 2.7.6, with 
* 2014-03-31 Published details

### Status as of february 2014

The Ubuntu-packaged version of Modsecurity is 2.7.4, both for 13.10 and 
earlier. This version is vulnerable.

The latest LTS server version - Ubuntu 12.04 uses Apache 2.2.22, which 
*is* vulnerable.
Ubuntu 13.10 repositories contains Apache 2.4.6, which was found *not* 
to be vulnerable.

Martin Holst Swende (and thanks to Fyodor!)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists