PT-2013-22: XML External Entity Injection in Trustwave ModSecurity
Version: 2.7.2 and earlier
Severity level: High
Impact: Internal Network Resources and File System Access, Denial of Service
Access Vector: Remote
Base Score: 10
CVE: not assigned
Trustwave ModSecurity is a web application layer firewall.
Positive Research Center experts have discovered "XML External Entity Injection" vulnerability in Trustwave ModSecurity.
If an attacker sends specially crafted request containing malformed XML to server with ModSecurity, the server will automatically send the contents of local or remote resources to the attacker's server. It also makes possible to conduct denial of service attacks.
How to fix
Update your software up to the latest version.
27.02.2013 - Vendor gets vulnerability details
29.03.2013 - Vendor releases fixed version and details
01.04.2013 - Public disclosure
The vulnerability was discovered by Timur Yunusov, Alexey Osipov, Positive Research Center (Positive Technologies Company)
Reports on the vulnerabilities previously discovered by Positive Research: