CVE-2009-1902
Published: 3 June 2009
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference.
Notes
| Author | Note |
|---|---|
| mdeslaur | PoC: http://www.milw0rm.com/exploits/8241 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libapache-mod-security Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
(code not present)
|
| hardy |
Does not exist
|
|
| intrepid |
Does not exist
|
|
| jaunty |
Ignored
(end of life)
|
|
| karmic |
Not vulnerable
(2.5.9-1)
|
|
| lucid |
Not vulnerable
(2.5.9-1)
|
|
| maverick |
Not vulnerable
(2.5.9-1)
|
|
| upstream |
Released
(2.5.9-1)
|
|
|
Patches: upstream: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/apache2/msc_multipart.c?r1=1272&r2=1271&pathrev=1272 |
||