Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML files parser of ModSecurity, an Apache module whose purpose is to tighten the Web application security, is vulnerable to XML external entities attacks. A specially crafted XML file provided by a remote attacker, could lead to local file disclosure or excessive resources (CPU, memory) consumption when processed.

This update introduces a SecXmlExternalEntity option which is 'Off'by default. This will disable the ability of libxml2 to load external entities.

Update to 2.7.3. Upstream changelog:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been found and corrected in apache-mod_security :

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability (CVE-2013-1915).

The updated packages have been patched to correct this issue.

According to its banner, the version of ModSecurity installed on the remote host is earlier than 2.7.3. It is, therefore, potentially affected by a file disclosure vulnerability. An improperly configured XML parser could allow untrusted XML entities from external sources to be accepted, thus leading to possible arbitrary file disclosure.

It could also be possible for internal network servers to receive unauthorized requests. Denial of service conditions are also possible.

Note that Nessus has not tested for this issue but has instead relied only on the version in the server's banner.

- complete overhaul of this package, with update to 2.7.5.

  - ruleset update to 2.2.8-0-g0f07cbb. 

  - new configuration framework private to mod_security2:
    /etc/apache2/conf.d/mod_security2.conf loads     /usr/share/apache2-mod_security2/rules/modsecurity_crs_1     0_setup.conf, then /etc/apache2/mod_security2.d/*.conf ,     as set up based on advice in     /etc/apache2/conf.d/mod_security2.conf Your     configuration starting point is     /etc/apache2/conf.d/mod_security2.conf

  - !!! Please note that mod_unique_id is needed for     mod_security2 to run!

  - modsecurity-apache_2.7.5-build_fix_pcre.diff changes     erroneaous linker parameter, preventing rpath in shared     object.

  - fixes contained for the following bugs :

  - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request     parameter handling

  - [bnc#768293] multi-part bypass, minor threat

  - CVE-2013-1915 [bnc#813190] XML external entity     vulnerability

  - CVE-2012-4528 [bnc#789393] rule bypass

  - CVE-2013-2765 [bnc#822664] NULL pointer dereference     crash

  - new from 2.5.9 to 2.7.5, only major changes :

  - GPLv2 replaced by Apache License v2

  - rules are not part of the source tarball any longer, but     maintaned upstream externally, and included in this     package.

  - documentation was externalized to a wiki. Package     contains the FAQ and the reference manual in html form.

  - renamed the term 'Encryption' in directives that     actually refer to hashes. See CHANGES file for more     details.

  - new directive SecXmlExternalEntity, default off

  - byte conversion issues on s390x when logging fixed.

  - many small issues fixed that were discovered by a     Coverity scanner

  - updated reference manual

  - wrong time calculation when logging for some timezones     fixed.

  - replaced time-measuring mechanism with finer granularity     for measured request/answer phases. (Stopwatch remains     for compat.)

  - cookie parser memory leak fix

  - parsing of quoted strings in multipart     Content-Disposition headers fixed.

  - SDBM deadlock fix

  - @rsub memory leak fix

  - cookie separator code improvements

  - build failure fixes

  - compile time option --enable-htaccess-config (set)

The remote Solaris system is missing necessary patches to address security updates :

  - ModSecurity before 2.6.6, when used with PHP, does not     properly handle single quotes not at the beginning of a     request parameter value in the Content-Disposition field     of a request with a multipart/form-data Content-Type     header, which allows remote attackers to bypass     filtering rules and perform other attacks such as     cross-site scripting (XSS) attacks. NOTE: this     vulnerability exists because of an incomplete fix for     CVE-2009-5031. (CVE-2012-2751)

  - ModSecurity before 2.7.3 allows remote attackers to read     arbitrary files, send HTTP requests to intranet servers,     or cause a denial of service (CPU and memory     consumption) via an XML external entity declaration in     conjunction with an entity reference, aka an XML     External Entity (XXE) vulnerability. (CVE-2013-1915)

- complete overhaul of this package, with update to 2.7.5.

  - ruleset update to 2.2.8-0-g0f07cbb.

  - new configuration framework private to mod_security2:
    /etc/apache2/conf.d/mod_security2.conf loads     /usr/share/apache2-mod_security2/rules/modsecurity_crs_1     0_setup.conf, then /etc/apache2/mod_security2.d/*.conf ,     as set up based on advice in     /etc/apache2/conf.d/mod_security2.conf Your     configuration starting point is     /etc/apache2/conf.d/mod_security2.conf

  - !!! Please note that mod_unique_id is needed for     mod_security2 to run!

  - modsecurity-apache_2.7.5-build_fix_pcre.diff changes     erroneaous linker parameter, preventing rpath in shared     object.

  - fixes contained for the following bugs :

  - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request     parameter handling

  - [bnc#768293] multi-part bypass, minor threat

  - CVE-2013-1915 [bnc#813190] XML external entity     vulnerability

  - CVE-2012-4528 [bnc#789393] rule bypass

  - CVE-2013-2765 [bnc#822664] NULL pointer dereference     crash

  - new from 2.5.9 to 2.7.5, only major changes :

  - GPLv2 replaced by Apache License v2

  - rules are not part of the source tarball any longer, but     maintaned upstream externally, and included in this     package.

  - documentation was externalized to a wiki. Package     contains the FAQ and the reference manual in html form.

  - renamed the term 'Encryption' in directives that     actually refer to hashes. See CHANGES file for more     details.

  - new directive SecXmlExternalEntity, default off

  - byte conversion issues on s390x when logging fixed.

  - many small issues fixed that were discovered by a     Coverity scanner

  - updated reference manual

  - wrong time calculation when logging for some timezones     fixed.

  - replaced time-measuring mechanism with finer granularity     for measured request/answer phases. (Stopwatch remains     for compat.)

  - cookie parser memory leak fix

  - parsing of quoted strings in multipart     Content-Disposition headers fixed.

  - SDBM deadlock fix

  - @rsub memory leak fix

  - cookie separator code improvements

  - build failure fixes

  - compile time option --enable-htaccess-config (set)

Positive Technologies has reported a vulnerability in ModSecurity, which can be exploited by malicious people to disclose potentially sensitive information or cause a DoS (Denial Of Serice).

The vulnerability is caused due to an error when parsing external XML entities and can be exploited to e.g. disclose local files or cause excessive memory and CPU consumption.

.

According to its banner, the version of ModSecurity installed on the remote host is earlier than 2.7.3.  It is, therefore, potentially affected by a file disclosure vulnerability.  An improperly configured XML parser could allow untrusted XML entities from external sources to be accepted, thus leading to possible arbitrary file disclosure. 

ID	Name	Product	Family	Published	Updated	Severity
65921	Debian DSA-2659-1 : libapache-mod-security - XML external entity processing vulnerability	Nessus	Debian Local Security Checks	4/11/2013	1/11/2021	high
66162	Fedora 19 : mod_security-2.7.3-1.fc19 (2013-4908)	Nessus	Fedora Local Security Checks	4/22/2013	1/11/2021	high
66266	Mandriva Linux Security Advisory : apache-mod_security (MDVSA-2013:156)	Nessus	Mandriva Local Security Checks	4/30/2013	1/6/2021	high
67127	ModSecurity < 2.7.3 XML External Entity (XXE) Data Parsing Arbitrary File Disclosure	Nessus	Firewalls	7/2/2013	4/11/2022	high
75112	openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1336-1)	Nessus	SuSE Local Security Checks	6/13/2014	1/19/2021	high
65962	Fedora 17 : mod_security-2.7.3-1.fc17 (2013-4834)	Nessus	Fedora Local Security Checks	4/14/2013	1/11/2021	high
80704	Oracle Solaris Third-Party Patch Update : modsecurity (cve_2012_2751_improper_input)	Nessus	Solaris Local Security Checks	1/19/2015	1/14/2021	high
75113	openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)	Nessus	SuSE Local Security Checks	6/13/2014	1/19/2021	high
65961	Fedora 18 : mod_security-2.7.3-1.fc18 (2013-4831)	Nessus	Fedora Local Security Checks	4/14/2013	1/11/2021	high
65989	FreeBSD : ModSecurity -- XML External Entity Processing Vulnerability (2070c79a-8e1e-11e2-b34d-000c2957946c)	Nessus	FreeBSD Local Security Checks	4/17/2013	1/6/2021	high
6991	ModSecurity < 2.7.3 XML External Entity (XXE) Data Parsing Arbitrary File Disclosure	Nessus Network Monitor	Web Servers	8/16/2013	3/6/2019	high

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high

high

high

high