J-Security Center

Title: Mod_Security ASCIIZ Byte POST Bypass Vulnerability

Severity: MODERATE

Description:

Mod_security is a web application firewall implemented as an Apache HTTP server module.

Mod_Security is prone to a POST-parsing-bypass vulnerability. Successful attacks could allow an attacker to bypass mod_security restrictions and successfully submit malicious input to mod_security-protected sites.

The issue derives from a difference in the way the mod_security HTTP request parser and the protected backend web-scripting languages process incoming data that follows an ASCIIZ (NUL, 0x00) byte. Specifically, mod_security parses incoming HTTP requests according to the guidance set forth in Internet RFCs and handles 'application/x-www-form-urlencoded' content-type POST data as a C string, so the first ASCIIZ byte terminates the data the module inspects. The module passes through any input trailing an ASCIIZ byte without restriction, while many backend web-scripting languages ignore ASCIIZ bytes and parse such data normally.

This enables an attacker to bypass mod_security's HTTP POST restrictions by encoding malicious data in POST requests behind a single ASCIIZ byte. This vulnerability also allows an attacker to evade mod_security logging, since malicious data preceded by an ASCIIZ byte is not recognized by the module and bypasses its logging mechanisms.
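As an added illustration (not code from this advisory or from the mod_security project), the Python below models the parsing difference described above: one parser stops at the first NUL byte as a C string would, the other reads the whole body the way a backend scripting language does, and a hardened check flags both the raw NUL byte and the field hidden behind it. The sample body and the single inspection pattern are constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample body (not from the advisory): a benign field, a raw
# ASCIIZ (0x00) byte, then a second field carrying a URL-encoded script tag.
SAMPLE_BODY = b"name=bob\x00&comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# One simple pattern standing in for a WAF rule set (constructed).
SUSPICIOUS = re.compile(r"<\s*script", re.IGNORECASE)


def parse_as_c_string(body: bytes) -> dict:
    """Model of the flawed behaviour: the body is treated as a C string, so
    everything after the first NUL byte is never parsed or inspected."""
    truncated = body.split(b"\x00", 1)[0]
    return dict(parse_qsl(truncated.decode("latin-1"), keep_blank_values=True))


def parse_nul_safe(body: bytes) -> dict:
    """Parse the whole body; a NUL is just another byte inside a value,
    which is how many backend scripting languages also treat it."""
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))


def flagged_fields(params: dict) -> list:
    """Names of fields whose value matches the inspection pattern."""
    return [name for name, value in params.items() if SUSPICIOUS.search(value)]


def hardened_check(body: bytes) -> tuple:
    """Return (blocked, reasons): reject raw NUL bytes in form-encoded data
    outright, and inspect every field of the full (NUL-safe) parse."""
    reasons = []
    if b"\x00" in body:
        # A raw NUL has no legitimate use in urlencoded form data.
        reasons.append("raw NUL byte in request body")
    for name in flagged_fields(parse_nul_safe(body)):
        reasons.append(f"script tag in field {name!r}")
    return (bool(reasons), reasons)
```

Running `flagged_fields` over the C-string parse of `SAMPLE_BODY` reports nothing, while the NUL-safe parse reports the `comment` field.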

Exploiting this issue may aid an attacker in carrying out common web-application attacks (such as cross-site scripting, HTML-injection, SQL-injection, and others) while evading detection.

This issue is reported to affect all versions of mod_security below 2.1.0.

Affected Products:

  • Gentoo Linux
  • Oracle Application Server 10g 10.1.2
  • Oracle Application Server Release 2 10.1.2.0.0
  • Oracle Oracle10g Application Server 10.1.2
  • Oracle Oracle10g Application Server 10.1.2.2.0
  • Oracle Oracle10g Application Server 10.1.2.3.0
  • Oracle Oracle10g Application Server 10.1.3.0.0
  • Oracle Oracle10g Application Server 10.1.3.1.0
  • Oracle Oracle10g Application Server 10.1.3.2.0
  • Oracle Oracle10g Application Server 10.1.3.3.0
  • mod_security mod_security 1.7.0
  • mod_security mod_security 1.7.1
  • mod_security mod_security 1.7.2
  • mod_security mod_security 1.7.4
  • mod_security mod_security 1.7.5
  • mod_security mod_security 1.9.4
  • mod_security mod_security 2.1.0

References:
