Headline
CVE-2023-24021: Fix: FILES_TMP_CONTENT may sometimes lack complete content by martinhsv · Pull Request #2857 · SpiderLabs/ModSecurity
In ModSecurity before 2.9.7, FILES_TMP_CONTENT sometimes lacked the complete content. This can lead to a Web Application Firewall bypass.
@@ -1173,6 +1173,7 @@ static int var_files_tmp_contents_generate(modsec_rec *msr, msre_var *var, FILE *file; size_t nread; char *full_content = NULL; char *full_content_tmp_ptr = NULL; size_t total_lenght = 0; msre_var *rvar = NULL;
@@ -1182,19 +1183,23 @@ static int var_files_tmp_contents_generate(modsec_rec *msr, msre_var *var, continue; }
full_content = (char *)apr_pcalloc(mptmp, (sizeof(char)*parts[i]->length) + 1); if (full_content == NULL) { if (msr->txcfg->debuglog_level >= 3) { msr_log(msr, 3, "Variable FILES_TMP_CONTENT will not be created, not " \ “enough memory available.”); } goto files_tmp_content_not_enough_mem; } full_content_tmp_ptr = full_content;
while ((nread = fread(buf, 1, 1023, file)) > 0) { total_lenght += nread; buf[nread] = '\0’; if (full_content == NULL) { full_content = apr_psprintf(mptmp, "%s", buf); } else { full_content = apr_psprintf(mptmp, "%s%s", full_content, buf); } full_content_tmp_ptr = memcpy(full_content_tmp_ptr, buf, nread); full_content_tmp_ptr += nread; total_lenght += nread; } full_content_tmp_ptr[total_lenght] = '\0’; fclose(file);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); @@ -1209,6 +1214,7 @@ static int var_files_tmp_contents_generate(modsec_rec *msr, msre_var *var, } }
files_tmp_content_not_enough_mem: return count; }
Related news
Ubuntu Security Notice 6370-1 - It was discovered that ModSecurity incorrectly handled certain nested JSON objects. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that ModSecurity incorrectly handled certain HTTP multipart requests. A remote attacker could possibly use this issue to bypass ModSecurity restrictions.
Red Hat Security Advisory 2023-4628-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP response splitting, bypass, integer overflow, out of bounds write, and use-after-free vulnerabilities.
Red Hat Security Advisory 2023-4629-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section. Issues addressed include HTTP response splitting, bypass, integer overflow, and use-after-free vulnerabilities.
An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24963: A flaw was found in Apache Portable Runtime (APR). This issue may allow a malicious attacker to write beyond the bounds of a buffer. * CVE-2022-36760: A flaw was found in the mod_proxy_ajp module of httpd. The connection is not closed when there is an invalid Transfer-Encoding header, allowing an attacker to smuggle requests to the AJP server, where it forw...
Red Hat JBoss Core Services Apache HTTP Server 2.4.57 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24963: A flaw was found in Apache Portable Runtime (APR). This issue may allow a malicious attacker to write beyond the bounds of a buffer. * CVE-2022-28331: A flaw was found in Apache Portable Runtime, affecting versions <= 1.7.0. This issue may allow a malicious user to write beyond the end of a stack buffer and cause an integer overflow. This affect...