CVE-2009-5031

Published: 22 July 2012

ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header.

From the Ubuntu security team

ModSecurity Multipart Quote Parsing Security Bypass Vulnerability

Priority

Medium

Status

Package: libapache-mod-security (Launchpad, Ubuntu, Debian)

Release   Status
hardy     Does not exist
lucid     Released (2.5.11-1)
natty     Ignored (reached end-of-life)
oneiric   Not vulnerable (2.5.12-1+squeeze1build0.11.10.1)
precise   Does not exist
quantal   Does not exist
raring    Does not exist
upstream  Released (2.5.11)

Package: modsecurity-apache (Launchpad, Ubuntu, Debian)

Release   Status
hardy     Does not exist
lucid     Does not exist
natty     Does not exist
oneiric   Not vulnerable (2.6.0-1)
precise   Not vulnerable (2.6.3-1ubuntu0.2)
quantal   Not vulnerable (2.6.6-1)
raring    Not vulnerable (2.6.6-1)
upstream  Released (2.5.11)