CVE-2012-4528

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, low complexity, trustwave, opensuse, fedoraproject, nessus, exploit available

Summary

The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.

Exploit-DB

description: ModSecurity POST Parameters Security Bypass Vulnerability. CVE-2012-4528. Remote exploit for linux platform
id: EDB-ID:37949
last seen: 2016-02-04
modified: 2012-10-17
published: 2012-10-17
reporter: Bernhard Mueller
source: https://www.exploit-db.com/download/37949/
title: ModSecurity POST Parameters Security Bypass Vulnerability

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-641.NASL
    description:
      - complete overhaul of this package, with update to 2.7.5.
      - ruleset update to 2.2.8-0-g0f07cbb.
      - new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in /etc/apache2/conf.d/mod_security2.conf. Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf
      - !!! Please note that mod_unique_id is needed for mod_security2 to run!
      - modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneous linker parameter, preventing rpath in shared object.
      - fixes contained for the following bugs:
      - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
      - [bnc#768293] multi-part bypass, minor threat
      - CVE-2013-1915 [bnc#813190] XML external entity vulnerability
      - CVE-2012-4528 [bnc#789393] rule bypass
      - CVE-2013-2765 [bnc#822664] NULL pointer dereference crash
      - new from 2.5.9 to 2.7.5, only major changes:
      - GPLv2 replaced by Apache License v2
      - rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package.
      - documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form.
      - renamed the term
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75113
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75113
    title: openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2013-641.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75113);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2009-5031", "CVE-2012-2751", "CVE-2012-4528", "CVE-2013-1915", "CVE-2013-2765");
    
      script_name(english:"openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)");
      script_summary(english:"Check for the openSUSE-2013-641 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - complete overhaul of this package, with update to 2.7.5.
    
      - ruleset update to 2.2.8-0-g0f07cbb.
    
      - new configuration framework private to mod_security2:
        /etc/apache2/conf.d/mod_security2.conf loads
        /usr/share/apache2-mod_security2/rules/modsecurity_crs_1
        0_setup.conf, then /etc/apache2/mod_security2.d/*.conf ,
        as set up based on advice in
        /etc/apache2/conf.d/mod_security2.conf Your
        configuration starting point is
        /etc/apache2/conf.d/mod_security2.conf
    
      - !!! Please note that mod_unique_id is needed for
        mod_security2 to run!
    
      - modsecurity-apache_2.7.5-build_fix_pcre.diff changes
        erroneaous linker parameter, preventing rpath in shared
        object.
    
      - fixes contained for the following bugs :
    
      - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request
        parameter handling
    
      - [bnc#768293] multi-part bypass, minor threat
    
      - CVE-2013-1915 [bnc#813190] XML external entity
        vulnerability
    
      - CVE-2012-4528 [bnc#789393] rule bypass
    
      - CVE-2013-2765 [bnc#822664] NULL pointer dereference
        crash
    
      - new from 2.5.9 to 2.7.5, only major changes :
    
      - GPLv2 replaced by Apache License v2
    
      - rules are not part of the source tarball any longer, but
        maintaned upstream externally, and included in this
        package.
    
      - documentation was externalized to a wiki. Package
        contains the FAQ and the reference manual in html form.
    
      - renamed the term 'Encryption' in directives that
        actually refer to hashes. See CHANGES file for more
        details.
    
      - new directive SecXmlExternalEntity, default off
    
      - byte conversion issues on s390x when logging fixed.
    
      - many small issues fixed that were discovered by a
        Coverity scanner
    
      - updated reference manual
    
      - wrong time calculation when logging for some timezones
        fixed.
    
      - replaced time-measuring mechanism with finer granularity
        for measured request/answer phases. (Stopwatch remains
        for compat.)
    
      - cookie parser memory leak fix
    
      - parsing of quoted strings in multipart
        Content-Disposition headers fixed.
    
      - SDBM deadlock fix
    
      - @rsub memory leak fix
    
      - cookie separator code improvements
    
      - build failure fixes
    
      - compile time option --enable-htaccess-config (set)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=768293"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=789393"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=813190"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=822664"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2013-08/msg00020.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2-mod_security2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/08/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.3", reference:"apache2-mod_security2-2.7.5-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"apache2-mod_security2-debuginfo-2.7.5-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"apache2-mod_security2-debugsource-2.7.5-2.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_security2 / apache2-mod_security2-debuginfo / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-18278.NASL
    description:
      - Update to 2.7.1
      - Update Core rules set to 2.2.6
      - Fix build against libxml2 >= 2.9 (upstreamed)
      - Add some missing directives RHBZ #569360
      - Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) (RHBZ #867424, #867773, #867774)
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-11-26
    plugin id: 63037
    published: 2012-11-26
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/63037
    title: Fedora 18 : mod_security-2.7.1-3.fc18 / mod_security_crs-2.2.6-3.fc18 (2012-18278)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2013-029.NASL
    description: A vulnerability has been discovered and corrected in apache-mod_security: ModSecurity <= 2.6.8 is vulnerable to multipart/invalid part ruleset bypass; this was fixed in 2.7.0 (released on 2012-10-16) (CVE-2012-4528). The updated packages have been patched to correct this issue. NOTE: This advisory was previously given the MDVSA-2013:016 identifier by mistake.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66043
    published: 2013-04-20
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/66043
    title: Mandriva Linux Security Advisory : apache-mod_security (MDVSA-2013:029)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-640.NASL
    description:
      - complete overhaul of this package, with update to 2.7.5.
      - ruleset update to 2.2.8-0-g0f07cbb.
      - new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in /etc/apache2/conf.d/mod_security2.conf. Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf
      - !!! Please note that mod_unique_id is needed for mod_security2 to run!
      - modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneous linker parameter, preventing rpath in shared object.
      - fixes contained for the following bugs:
      - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
      - [bnc#768293] multi-part bypass, minor threat
      - CVE-2013-1915 [bnc#813190] XML external entity vulnerability
      - CVE-2012-4528 [bnc#789393] rule bypass
      - CVE-2013-2765 [bnc#822664] NULL pointer dereference crash
      - new from 2.5.9 to 2.7.5, only major changes:
      - GPLv2 replaced by Apache License v2
      - rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package.
      - documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form.
      - renamed the term
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75112
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75112
    title: openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1336-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-18315.NASL
    description:
      - Update to 2.7.1
      - Update Core rules set to 2.2.6
      - Fix build against libxml2 >= 2.9 (upstreamed)
      - Add some missing directives RHBZ #569360
      - Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) (RHBZ #867424, #867773, #867774)
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-12-03
    plugin id: 63127
    published: 2012-12-03
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/63127
    title: Fedora 17 : mod_security-2.7.1-3.fc17 / mod_security_crs-2.2.6-3.fc17 (2012-18315)
  • NASL family: Firewalls
    NASL id: MODSECURITY_2_7_0.NASL
    description: According to its banner, the version of ModSecurity installed on the remote host is earlier than 2.7.0. It is, therefore, potentially affected by a security bypass vulnerability. An error exists related to HTTP POST requests and
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67126
    published: 2013-07-02
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67126
    title: ModSecurity < 2.7.0 Multipart Request Parsing Filter Bypass
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2012-182.NASL
    description: Multiple vulnerabilities have been discovered and corrected in apache-mod_security: ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031 (CVE-2012-2751). ModSecurity <= 2.6.8 is vulnerable to multipart/invalid part ruleset bypass; this was fixed in 2.7.0 (released on 2012-10-16) (CVE-2012-4528). The updated packages have been patched to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 63331
    published: 2012-12-24
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/63331
    title: Mandriva Linux Security Advisory : apache-mod_security (MDVSA-2012:182)