CVSS2: 6.8 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |

EPSS: 0.153 Low (Percentile: 95.8%)

Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlier
allows remote attackers to bypass request rules via
application/x-www-form-urlencoded POST data that contains an ASCIIZ (0x00)
byte, which mod_security treats as a terminator even though it is still
processed as normal data by some HTTP parsers including PHP 5.2.0, and
possibly parsers in Perl and Python.

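As an added illustration (not ModSecurity's or PHP's code), the sketch below models the two interpretations described above: one view that stops at the first raw 0x00 byte and one that reads the whole body, plus a fail-closed check a filter can apply. All function names and sample bodies are constructed for this example.

```python
from urllib.parse import parse_qsl

FORM_TYPE = "application/x-www-form-urlencoded"


def inspector_view(body: bytes) -> list:
    """Model of a C-string style inspector: nothing after the first raw 0x00 is seen."""
    visible = body.split(b"\x00", 1)[0]
    return parse_qsl(visible.decode("latin-1"), keep_blank_values=True)


def backend_view(body: bytes) -> list:
    """Model of a parser that treats 0x00 as ordinary data and reads the full body."""
    return parse_qsl(body.decode("latin-1"), keep_blank_values=True)


def uninspected_params(body: bytes) -> list:
    """Pairs the backend model receives that the inspector model never saw,
    or saw with a different value."""
    seen = inspector_view(body)
    return [pair for pair in backend_view(body) if pair not in seen]


def should_reject(content_type: str, body: bytes) -> bool:
    """Fail-closed check: a conforming form encoder emits %00, never a raw
    0x00 byte, so a raw NUL in a urlencoded body is refused outright."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == FORM_TYPE and b"\x00" in body


# Constructed sample bodies (not taken from the referenced PoC).
CLEAN = b"user=alice&comment=hello"
WITH_NUL = b"user=alice\x00&comment=UNINSPECTED"

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("with NUL", WITH_NUL)):
        print(label, "inspector:", inspector_view(body))
        print(label, "backend:  ", backend_view(body))
        print(label, "unseen:   ", uninspected_params(body))
        print(label, "reject:   ", should_reject(FORM_TYPE, body))
```

Rejecting the request removes the ambiguity instead of trying to guess which interpretation the backend parser will use.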
Author | Note |
---|---|
mdeslaur | PoC: http://www.php-security.org/MOPB/BONUS-12-2007.html |