GLSA-200705-17 : Apache mod_security: Rule bypass

2007-05-21T00:00:00
ID GENTOO_GLSA-200705-17.NASL
Type nessus
Reporter Tenable
Modified 2015-04-13T00:00:00

Description

The remote host is affected by the vulnerability described in GLSA-200705-17 (Apache mod_security: Rule bypass)

Stefan Esser discovered that mod_security processes NULL characters as     terminators in POST requests using the     application/x-www-form-urlencoded encoding type, while other parsers     used in web applications do not.

Impact :

A remote attacker could send a specially crafted POST request, possibly     bypassing the module ruleset and leading to the execution of arbitrary     code in the scope of the web server with the rights of the user running     the web server.

Workaround :

There is no known workaround at this time.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200705-17.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(25288);
  script_version("$Revision: 1.14 $");
  script_cvs_date("$Date: 2015/04/13 13:56:53 $");

  script_cve_id("CVE-2007-1359");
  script_osvdb_id(32778);
  script_xref(name:"GLSA", value:"200705-17");

  script_name(english:"GLSA-200705-17 : Apache mod_security: Rule bypass");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200705-17
(Apache mod_security: Rule bypass)

    Stefan Esser discovered that mod_security processes NULL characters as
    terminators in POST requests using the
    application/x-www-form-urlencoded encoding type, while other parsers
    used in web applications do not.
  
Impact :

    A remote attacker could send a specially crafted POST request, possibly
    bypassing the module ruleset and leading to the execution of arbitrary
    code in the scope of the web server with the rights of the user running
    the web server.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200705-17"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All mod_security users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=www-apache/mod_security-2.1.1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mod_security");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/21");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2015 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"www-apache/mod_security", unaffected:make_list("ge 2.1.1"), vulnerable:make_list("lt 2.1.1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Apache mod_security");
}