[Bug 231728] New: CVE-2007-1359: mod_security <= 2.1.0 request rule bypass

[bugzilla at redhat.com]

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.




https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231728

           Summary: CVE-2007-1359: mod_security <= 2.1.0 request rule bypass
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: medium
          Priority: medium
         Component: mod_security
        AssignedTo: mfleming+rpm at enlartenment.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: fedora-security-list at redhat.com,redhat-
                    bugzilla at linuxnetz.de


http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1359

"Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlier allows
remote attackers to bypass request rules via application/x-www-form-urlencoded
POST data that contains an ASCIIZ (0x00) byte, which mod_security treats as a
terminator even though it is still processed as normal data by some HTTP parsers
including PHP 5.2.0, and possibly parsers in Perl, and Python."

Based on version numbers, all FE releases are affected.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.