CVE-2013-1915 - XXE vulnerability in multiple products

CVSS 7.5 - HIGH

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL

Summary

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-641.NASL
    description: - complete overhaul of this package, with update to 2.7.5. - ruleset update to 2.2.8-0-g0f07cbb. - new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_1 0_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in /etc/apache2/conf.d/mod_security2.conf Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf - !!! Please note that mod_unique_id is needed for mod_security2 to run! - modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneous linker parameter, preventing rpath in shared object. - fixes contained for the following bugs: - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling - [bnc#768293] multi-part bypass, minor threat - CVE-2013-1915 [bnc#813190] XML external entity vulnerability - CVE-2012-4528 [bnc#789393] rule bypass - CVE-2013-2765 [bnc#822664] NULL pointer dereference crash - new from 2.5.9 to 2.7.5, only major changes: - GPLv2 replaced by Apache License v2 - rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package. - documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form. - renamed the term
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75113
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75113
    title: openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2013-641.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75113);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2009-5031", "CVE-2012-2751", "CVE-2012-4528", "CVE-2013-1915", "CVE-2013-2765");
    
      script_name(english:"openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)");
      script_summary(english:"Check for the openSUSE-2013-641 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - complete overhaul of this package, with update to 2.7.5.
    
      - ruleset update to 2.2.8-0-g0f07cbb.
    
      - new configuration framework private to mod_security2:
        /etc/apache2/conf.d/mod_security2.conf loads
        /usr/share/apache2-mod_security2/rules/modsecurity_crs_1
        0_setup.conf, then /etc/apache2/mod_security2.d/*.conf ,
        as set up based on advice in
        /etc/apache2/conf.d/mod_security2.conf Your
        configuration starting point is
        /etc/apache2/conf.d/mod_security2.conf
    
      - !!! Please note that mod_unique_id is needed for
        mod_security2 to run!
    
      - modsecurity-apache_2.7.5-build_fix_pcre.diff changes
        erroneaous linker parameter, preventing rpath in shared
        object.
    
      - fixes contained for the following bugs :
    
      - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request
        parameter handling
    
      - [bnc#768293] multi-part bypass, minor threat
    
      - CVE-2013-1915 [bnc#813190] XML external entity
        vulnerability
    
      - CVE-2012-4528 [bnc#789393] rule bypass
    
      - CVE-2013-2765 [bnc#822664] NULL pointer dereference
        crash
    
      - new from 2.5.9 to 2.7.5, only major changes :
    
      - GPLv2 replaced by Apache License v2
    
      - rules are not part of the source tarball any longer, but
        maintaned upstream externally, and included in this
        package.
    
      - documentation was externalized to a wiki. Package
        contains the FAQ and the reference manual in html form.
    
      - renamed the term 'Encryption' in directives that
        actually refer to hashes. See CHANGES file for more
        details.
    
      - new directive SecXmlExternalEntity, default off
    
      - byte conversion issues on s390x when logging fixed.
    
      - many small issues fixed that were discovered by a
        Coverity scanner
    
      - updated reference manual
    
      - wrong time calculation when logging for some timezones
        fixed.
    
      - replaced time-measuring mechanism with finer granularity
        for measured request/answer phases. (Stopwatch remains
        for compat.)
    
      - cookie parser memory leak fix
    
      - parsing of quoted strings in multipart
        Content-Disposition headers fixed.
    
      - SDBM deadlock fix
    
      - @rsub memory leak fix
    
      - cookie separator code improvements
    
      - build failure fixes
    
      - compile time option --enable-htaccess-config (set)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=768293"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=789393"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=813190"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=822664"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2013-08/msg00020.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2-mod_security2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/08/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.3", reference:"apache2-mod_security2-2.7.5-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"apache2-mod_security2-debuginfo-2.7.5-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"apache2-mod_security2-debugsource-2.7.5-2.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_security2 / apache2-mod_security2-debuginfo / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-640.NASL
    description: - complete overhaul of this package, with update to 2.7.5. - ruleset update to 2.2.8-0-g0f07cbb. - new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_1 0_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in /etc/apache2/conf.d/mod_security2.conf Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf - !!! Please note that mod_unique_id is needed for mod_security2 to run! - modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneous linker parameter, preventing rpath in shared object. - fixes contained for the following bugs: - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling - [bnc#768293] multi-part bypass, minor threat - CVE-2013-1915 [bnc#813190] XML external entity vulnerability - CVE-2012-4528 [bnc#789393] rule bypass - CVE-2013-2765 [bnc#822664] NULL pointer dereference crash - new from 2.5.9 to 2.7.5, only major changes: - GPLv2 replaced by Apache License v2 - rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package. - documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form. - renamed the term
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75112
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75112
    title: openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1336-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2013-640.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75112);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2009-5031", "CVE-2012-2751", "CVE-2012-4528", "CVE-2013-1915", "CVE-2013-2765");
    
      script_name(english:"openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1336-1)");
      script_summary(english:"Check for the openSUSE-2013-640 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - complete overhaul of this package, with update to 2.7.5.
    
      - ruleset update to 2.2.8-0-g0f07cbb. 
    
      - new configuration framework private to mod_security2:
        /etc/apache2/conf.d/mod_security2.conf loads
        /usr/share/apache2-mod_security2/rules/modsecurity_crs_1
        0_setup.conf, then /etc/apache2/mod_security2.d/*.conf ,
        as set up based on advice in
        /etc/apache2/conf.d/mod_security2.conf Your
        configuration starting point is
        /etc/apache2/conf.d/mod_security2.conf
    
      - !!! Please note that mod_unique_id is needed for
        mod_security2 to run!
    
      - modsecurity-apache_2.7.5-build_fix_pcre.diff changes
        erroneaous linker parameter, preventing rpath in shared
        object.
    
      - fixes contained for the following bugs :
    
      - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request
        parameter handling
    
      - [bnc#768293] multi-part bypass, minor threat
    
      - CVE-2013-1915 [bnc#813190] XML external entity
        vulnerability
    
      - CVE-2012-4528 [bnc#789393] rule bypass
    
      - CVE-2013-2765 [bnc#822664] NULL pointer dereference
        crash
    
      - new from 2.5.9 to 2.7.5, only major changes :
    
      - GPLv2 replaced by Apache License v2
    
      - rules are not part of the source tarball any longer, but
        maintaned upstream externally, and included in this
        package.
    
      - documentation was externalized to a wiki. Package
        contains the FAQ and the reference manual in html form.
    
      - renamed the term 'Encryption' in directives that
        actually refer to hashes. See CHANGES file for more
        details.
    
      - new directive SecXmlExternalEntity, default off
    
      - byte conversion issues on s390x when logging fixed.
    
      - many small issues fixed that were discovered by a
        Coverity scanner
    
      - updated reference manual
    
      - wrong time calculation when logging for some timezones
        fixed.
    
      - replaced time-measuring mechanism with finer granularity
        for measured request/answer phases. (Stopwatch remains
        for compat.)
    
      - cookie parser memory leak fix
    
      - parsing of quoted strings in multipart
        Content-Disposition headers fixed.
    
      - SDBM deadlock fix
    
      - @rsub memory leak fix
    
      - cookie separator code improvements
    
      - build failure fixes
    
      - compile time option --enable-htaccess-config (set)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=768293"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=789393"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=813190"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=822664"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2013-08/msg00025.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2-mod_security2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/08/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.2", reference:"apache2-mod_security2-2.7.5-14.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"apache2-mod_security2-debuginfo-2.7.5-14.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"apache2-mod_security2-debugsource-2.7.5-14.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_security2 / apache2-mod_security2-debuginfo / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-4908.NASL
    description: Update to 2.7.3. Upstream changelog: https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-04-22
    plugin id: 66162
    published: 2013-04-22
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66162
    title: Fedora 19 : mod_security-2.7.3-1.fc19 (2013-4908)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2013-4908.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(66162);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2013-1915");
      script_bugtraq_id(58810);
      script_xref(name:"FEDORA", value:"2013-4908");
    
      script_name(english:"Fedora 19 : mod_security-2.7.3-1.fc19 (2013-4908)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to 2.7.3. Upstream changelog:
    https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=947842"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-April/102616.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?665c0da0"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mod_security package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_security");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC19", reference:"mod_security-2.7.3-1.fc19")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_security");
    }
    
  • NASL family: Firewalls
    NASL id: MODSECURITY_2_7_3.NASL
    description: According to its banner, the version of ModSecurity installed on the remote host is earlier than 2.7.3. It is, therefore, potentially affected by a file disclosure vulnerability. An improperly configured XML parser could allow untrusted XML entities from external sources to be accepted, thus leading to possible arbitrary file disclosure. It could also be possible for internal network servers to receive unauthorized requests. Denial of service conditions are also possible. Note that Nessus has not tested for this issue but has instead relied only on the version in the server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67127
    published: 2013-07-02
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/67127
    title: ModSecurity < 2.7.3 XML External Entity (XXE) Data Parsing Arbitrary File Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67127);
      script_version("1.8");
      script_cvs_date("Date: 2018/11/15 20:50:22");
    
      script_cve_id("CVE-2013-1915");
      script_bugtraq_id(58810);
    
      script_name(english:"ModSecurity < 2.7.3 XML External Entity (XXE) Data Parsing Arbitrary File Disclosure");
      script_summary(english:"Checks version in Server response header");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web application firewall may be affected by a file
    disclosure vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of ModSecurity installed on the
    remote host is earlier than 2.7.3. It is, therefore, potentially
    affected by a file disclosure vulnerability. An improperly configured
    XML parser could allow untrusted XML entities from external sources to
    be accepted, thus leading to possible arbitrary file disclosure.
    
    It could also be possible for internal network servers to receive
    unauthorized requests. Denial of service conditions are also possible.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the version in the server's banner.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/oss-sec/2013/q2/5");
      script_set_attribute(attribute:"see_also", value:"https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES");
      # https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?13229997");
      script_set_attribute(attribute:"solution", value:"Upgrade to ModSecurity version 2.7.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/02");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:modsecurity:modsecurity");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Firewalls");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      script_dependencies("modsecurity_http_version.nasl");
      script_require_keys("www/ModSecurity", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80);
    
    # Make sure this is ModSecurity
    get_kb_item_or_exit('www/'+port+'/modsecurity');
    version = get_kb_item_or_exit('www/modsecurity/'+port+'/version', exit_code:1);
    backported = get_kb_item_or_exit('www/modsecurity/'+port+'/backported', exit_code:1);
    
    if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "ModSecurity");
    
    if (version == 'unknown') audit(AUDIT_UNKNOWN_WEB_SERVER_VER, "ModSecurity", port);
    
    fixed_ver = '2.7.3';
    if (
      version =~ "^[01]\." ||
      version =~ "^2\.([0-6]|7\.[0-2])($|[^0-9])"
    )
    {
      if (report_verbosity > 0)
      {
        source = get_kb_item_or_exit('www/modsecurity/'+port+'/source', exit_code:1);
        report =
          '\n  Version source    : ' + source +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fixed_ver + '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "ModSecurity", port, version);
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-4831.NASL
    description: Update to 2.7.3. Upstream changelog: https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-04-14
    plugin id: 65961
    published: 2013-04-14
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65961
    title: Fedora 18 : mod_security-2.7.3-1.fc18 (2013-4831)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2013-4831.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(65961);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2013-1915");
      script_bugtraq_id(58810);
      script_xref(name:"FEDORA", value:"2013-4831");
    
      script_name(english:"Fedora 18 : mod_security-2.7.3-1.fc18 (2013-4831)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to 2.7.3. Upstream changelog:
    https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=947842"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101911.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?75b32461"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mod_security package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_security");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/04/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^18([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC18", reference:"mod_security-2.7.3-1.fc18")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_security");
    }
    
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS11_MODSECURITY_20140731.NASL
    description: The remote Solaris system is missing necessary patches to address security updates: - ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031. (CVE-2012-2751) - ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability. (CVE-2013-1915)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80704
    published: 2015-01-19
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80704
    title: Oracle Solaris Third-Party Patch Update : modsecurity (cve_2012_2751_improper_input)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2013-156.NASL
    description: A vulnerability has been found and corrected in apache-mod_security: ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability (CVE-2013-1915). The updated packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66266
    published: 2013-04-30
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66266
    title: Mandriva Linux Security Advisory : apache-mod_security (MDVSA-2013:156)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_2070C79A8E1E11E2B34D000C2957946C.NASL
    description: Positive Technologies has reported a vulnerability in ModSecurity, which can be exploited by malicious people to disclose potentially sensitive information or cause a DoS (Denial of Service). The vulnerability is caused due to an error when parsing external XML entities and can be exploited to e.g. disclose local files or cause excessive memory and CPU consumption.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 65989
    published: 2013-04-17
    reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65989
    title: FreeBSD : ModSecurity -- XML External Entity Processing Vulnerability (2070c79a-8e1e-11e2-b34d-000c2957946c)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-4834.NASL
    description: Update to 2.7.3. Upstream changelog: https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-04-14
    plugin id: 65962
    published: 2013-04-14
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65962
    title: Fedora 17 : mod_security-2.7.3-1.fc17 (2013-4834)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2659.NASL
    description: Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML files parser of ModSecurity, an Apache module whose purpose is to tighten the Web application security, is vulnerable to XML external entities attacks. A specially crafted XML file provided by a remote attacker, could lead to local file disclosure or excessive resources (CPU, memory) consumption when processed. This update introduces a SecXmlExternalEntity option which is
    last seen: 2020-03-17
    modified: 2013-04-11
    plugin id: 65921
    published: 2013-04-11
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65921
    title: Debian DSA-2659-1 : libapache-mod-security - XML external entity processing vulnerability

Seebug

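bulletinFamily: exploit
description: Bugtraq ID: 58810. CVE ID: CVE-2013-1915. ModSecurity is an intrusion detection and prevention engine used mainly for web applications, so it is also known as a web application firewall. ModSecurity contains a security vulnerability that allows remote attackers, via an XML external entity declaration in conjunction with an entity reference, to read arbitrary files, send HTTP requests to intranet servers, or carry out denial-of-service attacks. ModSecurity < 2.7.3. Vendor solution: ModSecurity 2.7.3 has fixed this vulnerability; users are advised to download the update: http://www.modsecurity.org/
id: SSV:60777
last seen: 2017-11-19
modified: 2013-04-28
published: 2013-04-28
reporter: Root
title: ModSecurity XML External Entity Information Disclosure Vulnerability (CVE-2013-1915)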