[Bug 231728] New: CVE-2007-1359: mod_security <= 2.1.0 request rule bypass
bugzilla at redhat.com
bugzilla at redhat.com
Sat Mar 10 21:36:54 UTC 2007
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231728
Summary: CVE-2007-1359: mod_security <= 2.1.0 request rule bypass
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: mod_security
AssignedTo: mfleming+rpm at enlartenment.com
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: fedora-security-list at redhat.com,redhat-
bugzilla at linuxnetz.de
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1359
"Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlier allows
remote attackers to bypass request rules via application/x-www-form-urlencoded
POST data that contains an ASCIIZ (0x00) byte, which mod_security treats as a
terminator even though it is still processed as normal data by some HTTP parsers
including PHP 5.2.0, and possibly parsers in Perl, and Python."
Based on version numbers, all FE releases are affected.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
More information about the Fedora-security-list
mailing list