CVE-2009-1902
Published: 3 June 2009
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference.
Notes
Author | Note |
---|---|
mdeslaur | PoC: http://www.milw0rm.com/exploits/8241 |
Priority
Status
Package | Release | Status |
---|---|---|
libapache-mod-security Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
(code not present)
|
hardy |
Does not exist
|
|
intrepid |
Does not exist
|
|
jaunty |
Ignored
(end of life)
|
|
karmic |
Not vulnerable
(2.5.9-1)
|
|
lucid |
Not vulnerable
(2.5.9-1)
|
|
maverick |
Not vulnerable
(2.5.9-1)
|
|
upstream |
Released
(2.5.9-1)
|
|
Patches: upstream: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/apache2/msc_multipart.c?r1=1272&r2=1271&pathrev=1272 |