CVE-2012-2751
Date: (C) 2012-07-22   (M) 2023-12-22


ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 4.3
Exploit Score: 8.6
Impact Score: 2.9
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
Reference:
SECUNIA-49576
SECUNIA-49782
BID-54156
DSA-2506
MDVSA-2012:118
MDVSA-2013:150
http://www.openwall.com/lists/oss-security/2012/06/22/2
http://www.openwall.com/lists/oss-security/2012/06/22/1
http://blog.ivanristic.com/2012/06/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses.html
http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.6.x/CHANGES
http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/CHANGES?r1=1920&r2=1919&pathrev=1920
http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/apache2/msc_multipart.c?r1=1918&r2=1917&pathrev=1918
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
openSUSE-SU-2013:1331
openSUSE-SU-2013:1336
openSUSE-SU-2013:1342

CPE (5)
cpe:/o:opensuse:opensuse:12.2
cpe:/o:opensuse:opensuse:12.3
cpe:/o:opensuse:opensuse:11.4
cpe:/o:debian:debian_linux:6.0
...
OVAL (3)
oval:org.secpod.oval:def:600844
oval:org.secpod.oval:def:302987
oval:org.secpod.oval:def:1300101

© SecPod Technologies