DSA-2659-1 libapache-mod-security -- XML external entity processing vulnerability
ID: oval:org.secpod.oval:def:601004 | Date: (C)2013-04-15 (M)2022-10-10 |
Class: PATCH | Family: unix |
Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML file parser of ModSecurity, an Apache module whose purpose is to tighten Web application security, is vulnerable to XML external entity attacks. A specially crafted XML file provided by a remote attacker could lead to local file disclosure or excessive resource consumption when processed. This update introduces a SecXmlExternalEntity option, which is "Off" by default. With the option off, libxml2 is no longer able to load external entities.
Product: libapache-mod-security |