ModSecurity Multiple Remote Denial of Service Vulnerabilities
2009-06-16T00:00:00
ID OPENVAS:800626 Type openvas Reporter Copyright (C) 2009 Greenbone Networks GmbH Modified 2016-12-29T00:00:00
Description
This host is running ModSecurity and is prone to multiple denial-of-service
vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_modesecurity_remote_dos_vuln.nasl 4869 2016-12-29 11:01:45Z teissa $
#
# ModSecurity Multiple Remote Denial of Service Vulnerabilities
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Advisory text for this check. Each variable is attached to the plugin as a
# script_tag() of the same name inside the if(description) block.
# The strings span several source lines, so their embedded line breaks are
# part of the text shown in the scan report.

# Consequence of the flaws: a remote denial of service (crash).
tag_impact = "Successful exploitation could allow remote attackers to cause denial of
service.";
# Affected range. NVD describes CVE-2009-1902 as affecting versions before
# 2.5.9 and CVE-2009-1903 as affecting versions before 2.5.8; the single
# 2.5.9 bound used by this check covers both.
tag_affected = "ModSecurity version prior to 2.5.9 on Linux.";
# Root causes: one crash in the PDF XSS protection code path and one NULL
# pointer dereference in the multipart request parser.
tag_insight = "The multiple flaws are due to,
- An error in the PDF XSS protection implementation which can be exploited
to cause a crash via a specially crafted HTTP request.
- NULL pointer dereference error when parsing multipart requests can be
exploited to cause a crash via multipart content with a missing part header
name.";
# Remediation: upgrade to the first fixed release.
tag_solution = "Upgrade to version 2.5.9 or later.
http://www.modsecurity.org/download/";
# One-line summary shown with the finding.
tag_summary = "This host is running ModSecurity and is prone to Denial of Service
Vulnerabilities.";
# Metadata pass: when the script is loaded with `description` set, it only
# registers its identity, references and report text, then exits before any
# of the check code runs.
if(description)
{
  # Identity and revision bookkeeping.
  script_id(800626);
  script_version("$Revision: 4869 $");
  script_name("ModSecurity Multiple Remote Denial of Service Vulnerabilities");
  script_tag(name:"creation_date", value:"2009-06-16 15:11:01 +0200 (Tue, 16 Jun 2009)");
  script_tag(name:"last_modification", value:"$Date: 2016-12-29 12:01:45 +0100 (Thu, 29 Dec 2016) $");

  # Classification and ownership.
  script_category(ACT_GATHER_INFO);
  script_family("Web Servers");
  script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");

  # Severity (CVSS v2 vector) and vulnerability identifiers.
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_cve_id("CVE-2009-1902", "CVE-2009-1903");
  script_bugtraq_id(34096);

  # External advisories.
  script_xref(name:"URL", value:"http://secunia.com/advisories/34256");
  script_xref(name:"URL", value:"http://www.milw0rm.com/exploits/8241");
  script_xref(name:"URL", value:"http://www.vupen.com/english/advisories/2009/0703");

  # The result comes from a version string read out of the installed module
  # binary, not from a package database.
  script_tag(name:"qod_type", value:"executable_version");

  # Prerequisites: the check runs commands over SSH, so it needs the KB key
  # that marks a successful SSH login.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("login/SSH/success");

  # Report text, taken from the tag_* variables defined above this block.
  script_tag(name:"summary", value:tag_summary);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"impact", value:tag_impact);
  script_tag(name:"solution", value:tag_solution);

  exit(0);
}
include("ssh_func.inc");
include("version_func.inc");
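# Authenticated check: log in over SSH, locate every mod_security2.so on the
# host, read the "ModSecurity vX.Y.Z" banner out of each binary with grep and
# report the host when any copy is older than 2.5.9.
#
# NOTE(review): the version comes from a string embedded in the module, so a
# vendor build that backports the fixes without changing that string would
# presumably still be reported -- confirm against the package-based checks.
sock = ssh_login_or_reuse_connection();
if(!sock){
  exit(0);
}

# Resolve grep on the target. Without it no version can be read, so stop
# here instead of running an empty command name.
grep = find_bin(prog_name:"grep", sock:sock);
grep = chomp(grep[0]);
if(!grep){
  ssh_close_connection();
  exit(0);
}

# grep options: -o print only the match, -m1 stop after the first match,
# -a treat the binary as text.
garg[0] = "-o";
garg[1] = "-m1";
garg[2] = "-a";
garg[3] = string("ModSecurity v[0-9]\\+.[0-9]\\+.[0-9]\\+");

modName = find_file(file_name:"mod_security2.so", file_path:"/",
                    useregex:TRUE, regexpar:"$", sock:sock);

foreach binaryName (modName)
{
  binaryName = chomp(binaryName);
  # Skip blank entries in the find_file() result.
  if(!binaryName){
    continue;
  }

  if(islocalhost())
  {
    # Local scan: arguments are passed as a list.
    garg[4] = binaryName;
    arg = garg;
  }
  else
  {
    # Remote scan: arguments are joined into one command string, with the
    # pattern wrapped in double quotes (0x22).
    # NOTE(review): binaryName is a file name found on the scanned host and
    # is appended unquoted; a path containing whitespace or shell
    # metacharacters would presumably be interpreted by the remote shell.
    # Confirm how get_bin_version() runs the command and quote or reject
    # such names.
    arg = garg[0] + " " + garg[1] + " " + garg[2] + " " + raw_string(0x22) +
          garg[3] + raw_string(0x22) + " " + binaryName;
  }

  # Dots are escaped so only a literal "X.Y.Z" is accepted as a version.
  modsecVer = get_bin_version(full_prog_name:grep, version_argv:arg,
                              ver_pattern:"[0-9]+\.[0-9]+\.[0-9]+", sock:sock);
  if(modsecVer[0] != NULL)
  {
    if(version_is_less(version:modsecVer[0], test_version:"2.5.9")){
      security_message(0);
      ssh_close_connection();
      exit(0);
    }
    # A fixed copy does not end the scan: keep checking the remaining
    # binaries so that an older module elsewhere on the host is still found.
  }
}
ssh_close_connection();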
{"id": "OPENVAS:800626", "type": "openvas", "bulletinFamily": "scanner", "title": "ModSecurity Multiple Remote Denial of Service Vulnerabilities", "description": "This host is running ModSecurity and is prone to Denial of Service\n Vulnerabilities.", "published": "2009-06-16T00:00:00", "modified": "2016-12-29T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=800626", "reporter": "Copyright (C) 2009 Greenbone Networks GmbH", "references": ["http://www.vupen.com/english/advisories/2009/0703", "http://secunia.com/advisories/34256", "http://www.milw0rm.com/exploits/8241"], "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "lastseen": "2017-07-02T21:13:49", "viewCount": 0, "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2017-07-02T21:13:49", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-1902", "CVE-2009-1903"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231064365", "OPENVAS:136141256231064527", "OPENVAS:136141256231063592", "OPENVAS:1361412562310800626", "OPENVAS:63590", "OPENVAS:64526", "OPENVAS:64365", "OPENVAS:136141256231063590", "OPENVAS:63592", "OPENVAS:64527"]}, {"type": "nessus", "idList": ["FEDORA_2009-2654.NASL", "FEDORA_2009-2686.NASL", "MODSECURITY_2_5_9.NASL", "GENTOO_GLSA-200907-02.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10033", "SECURITYVULNS:DOC:22112"]}, {"type": "gentoo", "idList": ["GLSA-200907-02"]}, {"type": "exploitdb", "idList": ["EDB-ID:8241"]}], "modified": "2017-07-02T21:13:49", "rev": 2}, "vulnersScore": 7.0}, "pluginID": "800626", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_modesecurity_remote_dos_vuln.nasl 4869 2016-12-29 11:01:45Z teissa $\n#\n# ModSecurity Multiple Remote Denial of Service Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# 
Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to cause denial of\n service.\";\ntag_affected = \"ModSecurity version prior to 2.5.9 on Linux.\";\ntag_insight = \"The multiple flaws are due to,\n - An error in the PDF XSS protection implementation which can be exploited\n to cause a crash via a specially crafted HTTP request.\n - NULL pointer dereference error when parsing multipart requests can be\n exploited to cause a crash via multipart content with a missing part header\n name.\";\ntag_solution = \"Upgrade to version 2.5.9 or later.\n http://www.modsecurity.org/download/\";\ntag_summary = \"This host is running ModSecurity and is prone to Denial of Service\n Vulnerabilities.\";\n\nif(description)\n{\n script_id(800626);\n script_version(\"$Revision: 4869 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-29 12:01:45 +0100 (Thu, 29 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-16 15:11:01 +0200 (Tue, 16 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n 
script_cve_id(\"CVE-2009-1902\", \"CVE-2009-1903\");\n script_bugtraq_id(34096);\n script_name(\"ModSecurity Multiple Remote Denial of Service Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/34256\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8241\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/0703\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_mandatory_keys(\"login/SSH/success\");\n script_dependencies(\"gather-package-list.nasl\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"ssh_func.inc\");\ninclude(\"version_func.inc\");\n\nsock = ssh_login_or_reuse_connection();\nif(!sock){\n exit(0);\n}\n\ngrep = find_bin(prog_name:\"grep\", sock:sock);\ngrep = chomp(grep[0]);\n\ngarg[0] = \"-o\";\ngarg[1] = \"-m1\";\ngarg[2] = \"-a\";\ngarg[3] = string(\"ModSecurity v[0-9]\\\\+.[0-9]\\\\+.[0-9]\\\\+\");\n\nmodName = find_file(file_name:\"mod_security2.so\", file_path:\"/\",\n useregex:TRUE, regexpar:\"$\", sock:sock);\n\nforeach binaryName (modName)\n{\n binaryName = chomp(binaryName);\n if(islocalhost())\n {\n garg[4] = binaryName;\n arg = garg;\n }\n else\n {\n arg = garg[0] + \" \" + garg[1] + \" \" + garg[2] + \" \" + raw_string(0x22) +\n garg[3] + raw_string(0x22) + \" \" + binaryName;\n }\n\n modsecVer = get_bin_version(full_prog_name:grep, version_argv:arg,\n ver_pattern:\"[0-9]+.[0-9]+.[0-9]+\", sock:sock);\n if(modsecVer[0] != NULL)\n {\n if(version_is_less(version:modsecVer[0], test_version:\"2.5.9\")){\n 
security_message(0);\n }\n ssh_close_connection();\n exit(0);\n }\n}\nssh_close_connection();\n", "naslFamily": "Web Servers"}
{"cve": [{"lastseen": "2021-02-13T13:30:25", "description": "The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference.", "edition": 8, "cvss3": {}, "published": "2009-06-03T17:00:00", "title": "CVE-2009-1902", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1902"], "modified": "2021-02-12T17:21:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "cpe:/o:fedoraproject:fedora:9"], "id": "CVE-2009-1902", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1902", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-14T13:29:41", "description": "The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method.", "edition": 8, "cvss3": {}, "published": "2009-06-03T17:00:00", "title": "CVE-2009-1903", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", 
"availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1903"], "modified": "2021-02-14T02:55:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "cpe:/o:fedoraproject:fedora:9"], "id": "CVE-2009-1903", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1903", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-24T12:56:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200907-02.", "modified": "2017-07-07T00:00:00", "published": "2009-07-06T00:00:00", "id": "OPENVAS:64365", "href": "http://plugins.openvas.org/nasl.php?oid=64365", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200907-02 (mod_security)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Two vulnerabilities in ModSecurity might lead to a Denial of Service.\";\ntag_solution = \"All ModSecurity users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apache/mod_security-2.5.9'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200907-02\nhttp://bugs.gentoo.org/show_bug.cgi?id=262302\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200907-02.\";\n\n \n \n\nif(description)\n{\n script_id(64365);\n script_version(\"$Revision: 6595 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:19:55 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-06 20:36:15 +0200 (Mon, 06 Jul 2009)\");\n script_cve_id(\"CVE-2009-1902\", \"CVE-2009-1903\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200907-02 (mod_security)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"www-apache/mod_security\", unaffected: make_list(\"ge 2.5.9\"), vulnerable: make_list(\"lt 2.5.9\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:56:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "The remote host is missing an update to apache-mod_security\nannounced via advisory MDVSA-2009:184.", "modified": "2017-07-07T00:00:00", "published": "2009-08-17T00:00:00", "id": "OPENVAS:64527", "href": "http://plugins.openvas.org/nasl.php?oid=64527", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:184 (apache-mod_security)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_184.nasl 6587 2017-07-07 06:35:35Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:184 (apache-mod_security)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities has been found and corrected in mod_security:\n\nThe multipart processor in ModSecurity before 2.5.9 allows remote\nattackers to cause a denial of service (crash) via a multipart form\ndatapost request with a missing part header name, which triggers a\nNULL pointer dereference (CVE-2009-1902).\n\nThe PDF XSS protection feature in ModSecurity before 2.5.8 allows\nremote attackers to cause a denial of service (Apache httpd crash)\nvia a request for a PDF file that does not use the GET method\n(CVE-2009-1903).\n\nThis update provides mod_security 2.5.9, which is not vulnerable to\nthese issues.\n\nAffected: Enterprise Server 5.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. 
The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:184\";\ntag_summary = \"The remote host is missing an update to apache-mod_security\nannounced via advisory MDVSA-2009:184.\";\n\n \n\nif(description)\n{\n script_id(64527);\n script_version(\"$Revision: 6587 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 08:35:35 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-17 16:54:45 +0200 (Mon, 17 Aug 2009)\");\n script_cve_id(\"CVE-2009-1902\", \"CVE-2009-1903\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:184 (apache-mod_security)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache-mod_security\", rpm:\"apache-mod_security~2.5.9~0.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"mlogc\", rpm:\"mlogc~2.5.9~0.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:37:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "The remote host is missing an update to mod_security\nannounced via advisory FEDORA-2009-2654.", "modified": "2018-04-06T00:00:00", "published": "2009-03-20T00:00:00", "id": "OPENVAS:136141256231063590", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063590", "type": "openvas", "title": "Fedora Core 9 FEDORA-2009-2654 (mod_security)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_2654.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-2654 (mod_security)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nSecurity fixes for potential denials of service when using PDF XSS protection as\nwell as when parsing multipart requests.\nhttp://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846\n\nChangeLog:\n\n* Thu Mar 12 2009 Michael Fleming 2.5.9-1\n- Update to upstream release 2.5.9\n- Fixes potential DoS' in multipart request and PDF XSS handling\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update mod_security' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-2654\";\ntag_summary = \"The remote host is missing an update to mod_security\nannounced via advisory FEDORA-2009-2654.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63590\");\n script_cve_id(\"CVE-2009-1902\",\"CVE-2009-1903\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-20 00:52:38 +0100 (Fri, 20 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Core 9 FEDORA-2009-2654 (mod_security)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"mod_security\", rpm:\"mod_security~2.5.9~1.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"mod_security-debuginfo\", rpm:\"mod_security-debuginfo~2.5.9~1.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:37:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200907-02.", "modified": "2018-04-06T00:00:00", "published": "2009-07-06T00:00:00", "id": "OPENVAS:136141256231064365", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064365", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200907-02 (mod_security)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Two vulnerabilities in ModSecurity might lead to a Denial of Service.\";\ntag_solution = \"All ModSecurity users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apache/mod_security-2.5.9'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200907-02\nhttp://bugs.gentoo.org/show_bug.cgi?id=262302\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200907-02.\";\n\n \n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64365\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-06 20:36:15 +0200 (Mon, 06 Jul 2009)\");\n script_cve_id(\"CVE-2009-1902\", \"CVE-2009-1903\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200907-02 (mod_security)\");\n\n\n\n 
script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"www-apache/mod_security\", unaffected: make_list(\"ge 2.5.9\"), vulnerable: make_list(\"lt 2.5.9\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2020-07-21T22:09:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "This host is running ModSecurity and is prone to Denial of Service\n Vulnerabilities.", "modified": "2020-06-22T00:00:00", "published": "2009-06-16T00:00:00", "id": "OPENVAS:1361412562310800626", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800626", "type": "openvas", "title": "ModSecurity Multiple Remote Denial of Service Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ModSecurity Multiple Remote Denial of Service Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General 
Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800626\");\n script_version(\"2020-06-22T08:41:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-22 08:41:58 +0000 (Mon, 22 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-06-16 15:11:01 +0200 (Tue, 16 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_cve_id(\"CVE-2009-1902\", \"CVE-2009-1903\");\n script_bugtraq_id(34096);\n script_name(\"ModSecurity Multiple Remote Denial of Service Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_mandatory_keys(\"login/SSH/success\");\n script_dependencies(\"gather-package-list.nasl\");\n script_exclude_keys(\"ssh/no_linux_shell\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/34256\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/8241\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/0703\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to cause denial of\n service.\");\n\n script_tag(name:\"affected\", value:\"ModSecurity version prior to 2.5.9 on Linux.\");\n\n 
script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - An error in the PDF XSS protection implementation which can be exploited\n to cause a crash via a specially crafted HTTP request.\n\n - NULL pointer dereference error when parsing multipart requests can be\n exploited to cause a crash via multipart content with a missing part header\n name.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 2.5.9 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is running ModSecurity and is prone to Denial of Service\n Vulnerabilities.\");\n\n script_tag(name:\"qod_type\", value:\"executable_version_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"ssh_func.inc\");\ninclude(\"version_func.inc\");\n\nsock = ssh_login_or_reuse_connection();\nif(!sock)\n exit(0);\n\ngarg[0] = \"-o\";\ngarg[1] = \"-m1\";\ngarg[2] = \"-a\";\ngarg[3] = string(\"ModSecurity v[0-9]\\\\+.[0-9]\\\\+.[0-9]\\\\+\");\n\nmodName = ssh_find_file(file_name:\"/mod_security2.so\", useregex:TRUE, regexpar:\"$\", sock:sock);\nforeach binaryName (modName) {\n\n binaryName = chomp(binaryName);\n if(!binaryName) continue;\n\n arg = garg[0] + \" \" + garg[1] + \" \" + garg[2] + \" \" + raw_string(0x22) + garg[3] + raw_string(0x22) + \" \" + binaryName;\n\n modsecVer = ssh_get_bin_version(full_prog_name:\"grep\", version_argv:arg, ver_pattern:\"([0-9]+\\.[0-9]+\\.[0-9]+)\", sock:sock);\n if(modsecVer[1]){\n if(version_is_less(version:modsecVer[1], test_version:\"2.5.9\")){\n report = report_fixed_ver(installed_version:modsecVer[1], fixed_version:\"2.5.9\", install_path:binaryName);\n security_message(port:0, data:report);\n ssh_close_connection();\n exit(0);\n }\n }\n}\n\nssh_close_connection();\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2018-04-06T11:39:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "The remote host is 
missing an update to apache-mod_security\nannounced via advisory MDVSA-2009:184.", "modified": "2018-04-06T00:00:00", "published": "2009-08-17T00:00:00", "id": "OPENVAS:136141256231064527", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064527", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:184 (apache-mod_security)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_184.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:184 (apache-mod_security)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities has been found and corrected in mod_security:\n\nThe multipart processor in ModSecurity before 2.5.9 allows remote\nattackers to cause a denial of service (crash) via a multipart form\ndatapost request with a missing part header name, which triggers a\nNULL pointer dereference (CVE-2009-1902).\n\nThe PDF XSS protection feature in ModSecurity before 2.5.8 allows\nremote attackers to cause a denial of service (Apache httpd crash)\nvia a request for a PDF file that does not use the GET method\n(CVE-2009-1903).\n\nThis update provides mod_security 2.5.9, which is not vulnerable to\nthese issues.\n\nAffected: Enterprise Server 5.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. 
The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:184\";\ntag_summary = \"The remote host is missing an update to apache-mod_security\nannounced via advisory MDVSA-2009:184.\";\n\n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64527\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-17 16:54:45 +0200 (Mon, 17 Aug 2009)\");\n script_cve_id(\"CVE-2009-1902\", \"CVE-2009-1903\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:184 (apache-mod_security)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache-mod_security\", rpm:\"apache-mod_security~2.5.9~0.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"mlogc\", rpm:\"mlogc~2.5.9~0.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 
7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "The remote host is missing an update to mod_security\nannounced via advisory FEDORA-2009-2654.", "modified": "2017-07-10T00:00:00", "published": "2009-03-20T00:00:00", "id": "OPENVAS:63590", "href": "http://plugins.openvas.org/nasl.php?oid=63590", "type": "openvas", "title": "Fedora Core 9 FEDORA-2009-2654 (mod_security)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_2654.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-2654 (mod_security)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nSecurity fixes for potential denials of service when using PDF XSS protection as\nwell as when parsing multipart requests.\nhttp://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846\n\nChangeLog:\n\n* Thu Mar 12 2009 Michael Fleming 2.5.9-1\n- Update to upstream release 2.5.9\n- Fixes potential DoS' in multipart request and PDF XSS handling\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update mod_security' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-2654\";\ntag_summary = \"The remote host is missing an update to mod_security\nannounced via advisory FEDORA-2009-2654.\";\n\n\n\nif(description)\n{\n script_id(63590);\n script_cve_id(\"CVE-2009-1902\",\"CVE-2009-1903\");\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-20 00:52:38 +0100 (Fri, 20 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Core 9 FEDORA-2009-2654 (mod_security)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"mod_security\", rpm:\"mod_security~2.5.9~1.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"mod_security-debuginfo\", rpm:\"mod_security-debuginfo~2.5.9~1.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "The remote host is missing an update to mod_security\nannounced via advisory FEDORA-2009-2686.", "modified": "2017-07-10T00:00:00", "published": "2009-03-20T00:00:00", "id": "OPENVAS:63592", "href": "http://plugins.openvas.org/nasl.php?oid=63592", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-2686 (mod_security)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_2686.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-2686 (mod_security)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nSecurity fixes for potential denials of service when using PDF XSS protection as\nwell as when parsing multipart requests.\nhttp://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846\n\nChangeLog:\n\n* Thu Mar 12 2009 Michael Fleming 2.5.9-1\n- Update to upstream release 2.5.9\n- Fixes potential DoS' in multipart request and PDF XSS handling\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update mod_security' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-2686\";\ntag_summary = \"The remote host is missing an update to mod_security\nannounced via advisory FEDORA-2009-2686.\";\n\n\n\nif(description)\n{\n script_id(63592);\n script_cve_id(\"CVE-2009-1902\",\"CVE-2009-1903\");\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-20 00:52:38 +0100 (Fri, 20 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Core 10 FEDORA-2009-2686 (mod_security)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"mod_security\", rpm:\"mod_security~2.5.9~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"mod_security-debuginfo\", rpm:\"mod_security-debuginfo~2.5.9~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": 
{"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "The remote host is missing an update to mod_security\nannounced via advisory FEDORA-2009-2686.", "modified": "2018-04-06T00:00:00", "published": "2009-03-20T00:00:00", "id": "OPENVAS:136141256231063592", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063592", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-2686 (mod_security)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_2686.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-2686 (mod_security)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nSecurity fixes for potential denials of service when using PDF XSS protection as\nwell as when parsing multipart requests.\nhttp://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846\n\nChangeLog:\n\n* Thu Mar 12 2009 Michael Fleming 2.5.9-1\n- Update to upstream release 2.5.9\n- Fixes potential DoS' in multipart request and PDF XSS handling\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update mod_security' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-2686\";\ntag_summary = \"The remote host is missing an update to mod_security\nannounced via advisory FEDORA-2009-2686.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63592\");\n script_cve_id(\"CVE-2009-1902\",\"CVE-2009-1903\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-20 00:52:38 +0100 (Fri, 20 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Core 10 FEDORA-2009-2686 (mod_security)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"mod_security\", rpm:\"mod_security~2.5.9~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"mod_security-debuginfo\", rpm:\"mod_security-debuginfo~2.5.9~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:56:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2008-5676", "CVE-2009-1903"], "description": "The remote host is missing an update to apache-mod_security\nannounced via advisory MDVSA-2009:183.", "modified": "2017-07-07T00:00:00", "published": "2009-08-17T00:00:00", "id": "OPENVAS:64526", "href": "http://plugins.openvas.org/nasl.php?oid=64526", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:183 (apache-mod_security)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_183.nasl 6587 2017-07-07 06:35:35Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:183 (apache-mod_security)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities has been found and corrected in mod_security:\n\nMultiple unspecified vulnerabilities in the ModSecurity (aka\nmod_security) module 2.5.0 through 2.5.5 for the Apache HTTP Server,\nwhen SecCacheTransformations is enabled, allow remote attackers to\ncause a denial of service (daemon crash) or bypass the product's\nfunctionality via unknown vectors related to transformation\ncaching. (CVE-2008-5676)\n\nThe multipart processor in ModSecurity before 2.5.9 allows remote\nattackers to cause a denial of service (crash) via a multipart form\ndatapost request with a missing part header name, which triggers a\nNULL pointer dereference (CVE-2009-1902).\n\nThe PDF XSS protection feature in ModSecurity before 2.5.8 allows\nremote attackers to cause a denial of service (Apache httpd crash)\nvia a request for a PDF file that does not use the GET method\n(CVE-2009-1903).\n\nThis update provides mod_security 2.5.9, which is not vulnerable to\nthese issues.\n\nAffected: Corporate 4.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. 
The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:183\";\ntag_summary = \"The remote host is missing an update to apache-mod_security\nannounced via advisory MDVSA-2009:183.\";\n\n \n\nif(description)\n{\n script_id(64526);\n script_version(\"$Revision: 6587 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 08:35:35 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-17 16:54:45 +0200 (Mon, 17 Aug 2009)\");\n script_cve_id(\"CVE-2008-5676\", \"CVE-2009-1902\", \"CVE-2009-1903\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:183 (apache-mod_security)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache-mod_security\", rpm:\"apache-mod_security~2.5.9~0.1.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"mlogc\", rpm:\"mlogc~2.5.9~0.1.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, 
"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "edition": 1, "description": "### Background\n\nModSecurity is a popular web application firewall for the Apache HTTP server. \n\n### Description\n\nMultiple vulnerabilities were discovered in ModSecurity: \n\n * Juan Galiana Lara of ISecAuditors discovered a NULL pointer dereference when processing multipart requests without a part header name (CVE-2009-1902).\n * Steve Grubb of Red Hat reported that the \"PDF XSS protection\" feature does not properly handle HTTP requests to a PDF file that do not use the GET method (CVE-2009-1903).\n\n### Impact\n\nA remote attacker might send requests containing specially crafted multipart data or send certain requests to access a PDF file, possibly resulting in a Denial of Service (crash) of the Apache HTTP daemon. NOTE: The PDF XSS protection is not enabled by default. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll ModSecurity users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apache/mod_security-2.5.9\"", "modified": "2009-07-02T00:00:00", "published": "2009-07-02T00:00:00", "id": "GLSA-200907-02", "href": "https://security.gentoo.org/glsa/200907-02", "type": "gentoo", "title": "ModSecurity: Denial of Service", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-07T10:52:32", "description": "The remote host is affected by the vulnerability described in GLSA-200907-02\n(ModSecurity: Denial of Service)\n\n Multiple vulnerabilities were discovered in ModSecurity:\n Juan Galiana Lara of ISecAuditors discovered a NULL pointer\n dereference when processing multipart requests without a part header\n name (CVE-2009-1902).\n Steve Grubb of Red Hat reported that the\n 'PDF XSS protection' feature does not properly handle HTTP requests to\n a PDF file that do not use the GET method (CVE-2009-1903).\n \nImpact :\n\n A remote attacker might send requests containing specially crafted\n multipart data or send certain requests to access a PDF file, possibly\n resulting in a Denial of Service (crash) of the Apache HTTP daemon.\n NOTE: The PDF XSS protection is not enabled by default.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "published": "2009-07-03T00:00:00", "title": "GLSA-200907-02 : ModSecurity: Denial of Service", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "modified": "2009-07-03T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:mod_security", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200907-02.NASL", "href": "https://www.tenable.com/plugins/nessus/39596", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory 
GLSA 200907-02.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39596);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-1902\", \"CVE-2009-1903\");\n script_bugtraq_id(34096);\n script_xref(name:\"GLSA\", value:\"200907-02\");\n\n script_name(english:\"GLSA-200907-02 : ModSecurity: Denial of Service\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200907-02\n(ModSecurity: Denial of Service)\n\n Multiple vulnerabilities were discovered in ModSecurity:\n Juan Galiana Lara of ISecAuditors discovered a NULL pointer\n dereference when processing multipart requests without a part header\n name (CVE-2009-1902).\n Steve Grubb of Red Hat reported that the\n 'PDF XSS protection' feature does not properly handle HTTP requests to\n a PDF file that do not use the GET method (CVE-2009-1903).\n \nImpact :\n\n A remote attacker might send requests containing specially crafted\n multipart data or send certain requests to access a PDF file, possibly\n resulting in a Denial of Service (crash) of the Apache HTTP daemon.\n NOTE: The PDF XSS protection is not enabled by default.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200907-02\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All 
ModSecurity users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apache/mod_security-2.5.9'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mod_security\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-apache/mod_security\", unaffected:make_list(\"ge 2.5.9\"), vulnerable:make_list(\"lt 2.5.9\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ModSecurity\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-12T10:07:09", "description": "Security fixes for potential denials of service when using PDF XSS\nprotection as well as when parsing multipart requests.\nhttp://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2009-04-23T00:00:00", "title": "Fedora 10 : mod_security-2.5.9-1.fc10 (2009-2686)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "modified": "2009-04-23T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "p-cpe:/a:fedoraproject:fedora:mod_security"], "id": "FEDORA_2009-2686.NASL", "href": "https://www.tenable.com/plugins/nessus/37482", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-2686.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(37482);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-1902\", \"CVE-2009-1903\");\n script_bugtraq_id(34096);\n script_xref(name:\"FEDORA\", value:\"2009-2686\");\n\n script_name(english:\"Fedora 10 : mod_security-2.5.9-1.fc10 (2009-2686)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fixes for potential denials of 
service when using PDF XSS\nprotection as well as when parsing multipart requests.\nhttp://sourceforge.net/project/shownotes.php?release_id=667542&group_i\nd=68846\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?af255791\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-March/021322.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?123f8bb6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mod_security package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mod_security\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"mod_security-2.5.9-1.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mod_security\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-12T10:07:09", "description": "Security fixes for potential denials of service when using PDF XSS\nprotection as well as when parsing multipart requests.\nhttp://sourceforge.net/project/shownotes.php?release_id=667542&group_i\nd=68846\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2009-03-16T00:00:00", "title": "Fedora 9 : mod_security-2.5.9-1.fc9 (2009-2654)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "modified": "2009-03-16T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:9", "p-cpe:/a:fedoraproject:fedora:mod_security"], "id": "FEDORA_2009-2654.NASL", "href": "https://www.tenable.com/plugins/nessus/35926", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-2654.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(35926);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-1902\", \"CVE-2009-1903\");\n script_bugtraq_id(34096);\n script_xref(name:\"FEDORA\", value:\"2009-2654\");\n\n script_name(english:\"Fedora 9 : mod_security-2.5.9-1.fc9 (2009-2654)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fixes for potential denials of service when using PDF XSS\nprotection as well as when parsing multipart requests.\nhttp://sourceforge.net/project/shownotes.php?release_id=667542&group_i\nd=68846\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?af255791\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-March/021280.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e8f46f13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mod_security package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mod_security\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/03/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 9.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC9\", reference:\"mod_security-2.5.9-1.fc9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mod_security\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-03-01T04:07:57", "description": "According to its banner, the version of ModSecurity installed on the\nremote host is earlier than 2.5.9. It is, therefore, potentially\naffected by a denial of service vulnerability. 
An error exists related\nto multipart form HTTP POST requests with a missing part header name\nthat could allow an attacker to crash the application.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the version in the server's banner.", "edition": 28, "published": "2013-07-02T00:00:00", "title": "ModSecurity < 2.5.9 Multipart Request Header Name DoS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1902"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:modsecurity:modsecurity"], "id": "MODSECURITY_2_5_9.NASL", "href": "https://www.tenable.com/plugins/nessus/67125", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67125);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2009-1902\");\n script_bugtraq_id(34096);\n script_xref(name:\"EDB-ID\", value:\"8241\");\n\n script_name(english:\"ModSecurity < 2.5.9 Multipart Request Header Name DoS\");\n script_summary(english:\"Checks version in Server response header\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application firewall may be affected by a denial of\nservice vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of ModSecurity installed on the\nremote host is earlier than 2.5.9. It is, therefore, potentially\naffected by a denial of service vulnerability. 
An error exists related\nto multipart form HTTP POST requests with a missing part header name\nthat could allow an attacker to crash the application.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the version in the server's banner.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2009/Mar/187\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ModSecurity version 2.5.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/03/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:modsecurity:modsecurity\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"modsecurity_http_version.nasl\");\n script_require_keys(\"www/ModSecurity\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\n# Make sure this is ModSecurity\nget_kb_item_or_exit('www/'+port+'/modsecurity');\nversion = get_kb_item_or_exit('www/modsecurity/'+port+'/version', exit_code:1);\nbackported = get_kb_item_or_exit('www/modsecurity/'+port+'/backported', 
exit_code:1);\n\nif (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, \"ModSecurity\");\n\nif (version == 'unknown') audit(AUDIT_UNKNOWN_WEB_SERVER_VER, \"ModSecurity\", port);\n\nfixed_ver = '2.5.9';\nif (\n version =~ \"^[01]\\.\" ||\n version =~ \"^2\\.([0-4]|5\\.[0-8])($|[^0-9])\"\n)\n{\n if (report_verbosity > 0)\n {\n source = get_kb_item_or_exit('www/modsecurity/'+port+'/source', exit_code:1);\n report =\n '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_ver + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"ModSecurity\", port, version);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:30", "bulletinFamily": "software", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\nGentoo Linux Security Advisory GLSA 200907-02\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n http://security.gentoo.org/\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n Severity: Normal\r\n Title: ModSecurity: Denial of Service\r\n Date: July 02, 2009\r\n Bugs: #262302\r\n ID: 200907-02\r\n\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\nSynopsis\r\n========\r\n\r\nTwo vulnerabilities in ModSecurity might lead to a Denial of Service.\r\n\r\nBackground\r\n==========\r\n\r\nModSecurity is a popular web application firewall for the Apache HTTP\r\nserver.\r\n\r\nAffected packages\r\n=================\r\n\r\n -------------------------------------------------------------------\r\n Package / Vulnerable / Unaffected\r\n -------------------------------------------------------------------\r\n 1 www-apache/mod_security < 2.5.9 >= 2.5.9\r\n\r\nDescription\r\n===========\r\n\r\nMultiple 
vulnerabilities were discovered in ModSecurity:\r\n\r\n* Juan Galiana Lara of ISecAuditors discovered a NULL pointer\r\n dereference when processing multipart requests without a part header\r\n name (CVE-2009-1902).\r\n\r\n* Steve Grubb of Red Hat reported that the "PDF XSS protection"\r\n feature does not properly handle HTTP requests to a PDF file that do\r\n not use the GET method (CVE-2009-1903).\r\n\r\nImpact\r\n======\r\n\r\nA remote attacker might send requests containing specially crafted\r\nmultipart data or send certain requests to access a PDF file, possibly\r\nresulting in a Denial of Service (crash) of the Apache HTTP daemon.\r\nNOTE: The PDF XSS protection is not enabled by default.\r\n\r\nWorkaround\r\n==========\r\n\r\nThere is no known workaround at this time.\r\n\r\nResolution\r\n==========\r\n\r\nAll ModSecurity users should upgrade to the latest version:\r\n\r\n # emerge --sync\r\n # emerge --ask --oneshot --verbose ">=www-apache/mod_security-2.5.9"\r\n\r\nReferences\r\n==========\r\n\r\n [ 1 ] CVE-2009-1902\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1902\r\n [ 2 ] CVE-2009-1903\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1903\r\n\r\nAvailability\r\n============\r\n\r\nThis GLSA and any updates to it are available for viewing at\r\nthe Gentoo Security Website:\r\n\r\n http://security.gentoo.org/glsa/glsa-200907-02.xml\r\n\r\nConcerns?\r\n=========\r\n\r\nSecurity is a primary focus of Gentoo Linux and ensuring the\r\nconfidentiality and security of our users machines is of utmost\r\nimportance to us. 
Any security concerns should be addressed to\r\nsecurity@gentoo.org or alternatively, you may file a bug at\r\nhttp://bugs.gentoo.org.\r\n\r\nLicense\r\n=======\r\n\r\nCopyright 2009 Gentoo Foundation, Inc; referenced text\r\nbelongs to its owner(s).\r\n\r\nThe contents of this document are licensed under the\r\nCreative Commons - Attribution / Share Alike license.\r\n\r\nhttp://creativecommons.org/licenses/by-sa/2.5", "edition": 1, "modified": "2009-07-03T00:00:00", "published": "2009-07-03T00:00:00", "id": "SECURITYVULNS:DOC:22112", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22112", "title": "[ GLSA 200907-02 ] ModSecurity: Denial of Service", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:33", "bulletinFamily": "software", "cvelist": ["CVE-2009-1902", "CVE-2009-1903"], "description": "Few denial of service conditions.", "edition": 1, "modified": "2009-07-03T00:00:00", "published": "2009-07-03T00:00:00", "id": "SECURITYVULNS:VULN:10033", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10033", "title": "ModSecurity multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T04:02:41", "description": "ModSecurity < 2.5.9 Remote Denial of Service Vulnerability. CVE-2009-1902. 
DoS exploits for multiple platforms", "published": "2009-03-19T00:00:00", "type": "exploitdb", "title": "ModSecurity < 2.5.9 - Remote Denial of Service Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1902"], "modified": "2009-03-19T00:00:00", "id": "EDB-ID:8241", "href": "https://www.exploit-db.com/exploits/8241/", "sourceData": "=============================================\nINTERNET SECURITY AUDITORS ALERT 2009-001\n- Original release date: February 25th, 2009\n- Last revised: March 19th, 2009\n- Discovered by: Juan Galiana Lara\n- Severity: 7.8/10 (CVSS Base Score)\n=============================================\n\nI. VULNERABILITY\n-------------------------\nModSecurity < 2.5.9 is vulnerable to a remote Denial of Service (DoS)\n\nII. BACKGROUND\n-------------------------\nModSecurity is the most widely-deployed web application firewall in\nthe world, with more than 15,000 users. It runs as an Apache web server\nmodule and is developed by Breach Security [ http://www.breach.com ];\nit's available with GNU GPL and many other commercial licenses.\n\nIII. DESCRIPTION\n-------------------------\nThe multipart processor of modsecurity does not sanitize the user\nsupplied input sufficiently. 
Therefore, an attacker can send a crafted\npost request of type multipart/form-data which will lead to a remote\ndenial of service.\n\nThe snippet of vulnerable code:\n\nin file msc_multipart.c\n\n1256 int multipart_get_arguments(modsec_rec *msr, char *origin,\napr_table_t *arguments) {\n1257 multipart_part **parts;\n1258 int i;\n1259\n1260 parts = (multipart_part **)msr->mpd->parts->elts;\n1261 for(i = 0; i < msr->mpd->parts->nelts; i++) {\n1262 if (parts[i]->type == MULTIPART_FORMDATA) {\n1263 msc_arg *arg = (msc_arg *)apr_pcalloc(msr->mp,\nsizeof(msc_arg));\n1264 if (arg == NULL) return -1;\n1265\n1266 arg->name = parts[i]->name;\n1267 arg->name_len = strlen(parts[i]->name);\n\nOn line 1267, the pointer parts[i]->name is not checked before use,\nso the strlen function can be called with a NULL argument,\ncausing a segmentation fault and a crash of the Apache\nprocess that handles the request.\n\nIV. PROOF OF CONCEPT\n-------------------------\nThe process could be crashed remotely by sending:\n\nPOST / HTTP/1.0\nContent-Type: multipart/form-data;\nboundary=---------------------------xxxxxxxxxxxxxx\nContent-Length: 91\n\n-----------------------------xxxxxxxxxxxxxx\n:\n-----------------------------xxxxxxxxxxxxxx--\n\nIn order to send a correct HTTP/1.1 request you must add a valid Host\nheader.\n\nWith the configuration directives:\n\n SecAuditEngine On\n SecDebugLogLevel 9\n\nAfter the attack, the last line of the debug logfile is:\n\n[25/Feb/2009:09:51:18 +0100] [vhost/sid#884348][rid#aaf0d8][/][9]\nMultipart: Added part abe458 to the list: name \"(null)\" (offset 0,\nlength 0)\n\nV. BUSINESS IMPACT\n-------------------------\nAn attacker could cause a remote denial of service to an Apache\ninstallation with the modsecurity 2 module.\n\nVI. SYSTEMS AFFECTED\n-------------------------\nModSecurity versions between 2.5.5 and 2.5.8 are vulnerable; other versions may\nbe affected.\n\nTested with Apache httpd 2.2.11.\n\nVII. 
SOLUTION\n-------------------------\nUpgrade to version 2.5.9 of ModSecurity. It can be downloaded from\nhttp://modsecurity.org/download/\n\nVIII. REFERENCES\n-------------------------\nhttp://www.modsecurity.org\nhttp://www.isecauditors.com\n\nIX. CREDITS\n-------------------------\nThis vulnerability has been discovered\nby Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).\nThanks to Jordi Rubi\u00f3 Romero (jrubio (at) isecauditorts (dot) com).\n\nX. REVISION HISTORY\n-------------------------\nFebruary 25, 2009: Initial release\nMarch 19, 2009: Revision.\n\nXI. DISCLOSURE TIMELINE\n-------------------------\nFebruary 25, 2009: Vulnerability acquired by\n Internet Security Auditors (www.isecauditors.com)\nMarch 02, 2009: ModSecurity contacted.\nMarch 02, 2009: Response about remediation plan.\nMarch 11, 2009: Patch released\nMarch 19, 2009: Published.\n\nXII. LEGAL NOTICES\n-------------------------\nThe information contained within this advisory is supplied \"as-is\"\nwith no warranties or guarantees of fitness of use or otherwise.\nInternet Security Auditors, S.L. accepts no responsibility for any\ndamage caused by the use or misuse of this information.\n\n# milw0rm.com [2009-03-19]\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/8241/"}]}