ModSecurity: Denial of Service

ModSecurity: Denial of Service Two vulnerabilities in ModSecurity might lead to a Denial of Service. mod_security 2009-07-02 2009-07-02 262302 remote 2.5.9 2.5.9

ModSecurity is a popular web application firewall for the Apache HTTP server.

Multiple vulnerabilities were discovered in ModSecurity:

Juan Galiana Lara of ISecAuditors discovered a NULL pointer dereference when processing multipart requests without a part header name (CVE-2009-1902).
Steve Grubb of Red Hat reported that the "PDF XSS protection" feature does not properly handle HTTP requests to a PDF file that do not use the GET method (CVE-2009-1903).

A remote attacker might send requests containing specially crafted multipart data or send certain requests to access a PDF file, possibly resulting in a Denial of Service (crash) of the Apache HTTP daemon. NOTE: The PDF XSS protection is not enabled by default.

There is no known workaround at this time.

All ModSecurity users should upgrade to the latest version:


    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apache/mod_security-2.5.9"

CVE-2009-1902 CVE-2009-1903 craig a3li a3li