PT-2013-22: XML External Entity Injection in Trustwave ModSecurity
Vulnerable software
Trustwave ModSecurity
Version: 2.7.2 and earlier
Application link:
http://www.modsecurity.org
Severity level
Severity level: High
Impact: Internal Network Resources and File System Access, Denial of Service
Access Vector: Remote
CVSS v2:
Base Score: 10
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE: not assigned
Software description
Trustwave ModSecurity is a web application layer firewall.
Vulnerability description
Positive Research Center experts have discovered "XML External Entity Injection" vulnerability in Trustwave ModSecurity.
If an attacker sends specially crafted request containing malformed XML to server with ModSecurity, the server will automatically send the contents of local or remote resources to the attacker's server. It also makes possible to conduct denial of service attacks.
How to fix
Update your software up to the latest version.
Advisory status
27.02.2013 - Vendor gets vulnerability details
29.03.2013 - Vendor releases fixed version and details
01.04.2013 - Public disclosure
Credits
The vulnerability was discovered by Timur Yunusov, Alexey Osipov, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2013-22
Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/