PT-2013-22: XML External Entity Injection in Trustwave ModSecurity

Vulnerable software

Trustwave ModSecurity
Version: 2.7.2 and earlier

Application link:

Severity level

Severity level: High
Impact: Internal Network Resources and File System Access, Denial of Service
Access Vector: Remote

CVSS v2:
Base Score: 10
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE: not assigned

Software description

Trustwave ModSecurity is a web application layer firewall.

Vulnerability description

Positive Research Center experts have discovered "XML External Entity Injection" vulnerability in Trustwave ModSecurity.

If an attacker sends specially crafted request containing malformed XML to server with ModSecurity, the server will automatically send the contents of local or remote resources to the attacker's server. It also makes possible to conduct denial of service attacks.

How to fix

Update your software up to the latest version.

Advisory status

27.02.2013 - Vendor gets vulnerability details
29.03.2013 - Vendor releases fixed version and details
01.04.2013 - Public disclosure


The vulnerability was discovered by Timur Yunusov, Alexey Osipov, Positive Research Center (Positive Technologies Company)


Reports on the vulnerabilities previously discovered by Positive Research: