CVE-2012-2751

Published: 22 July 2012

ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.

From the Ubuntu security team

ModSecurity Multipart Quote Parsing Security Bypass Vulnerability

Priority

Medium

Status

Package Release Status
libapache-mod-security
Launchpad, Ubuntu, Debian
artful Does not exist
hardy Does not exist
lucid Released (2.5.11-1ubuntu0.1)
natty Released (2.5.12-1+squeeze1build0.11.04.1)
oneiric Released (2.5.12-1+squeeze1build0.11.10.1)
precise Does not exist
quantal Does not exist
raring Does not exist
saucy Does not exist
trusty Does not exist
upstream Released (2.5.12-1+squeeze1)
utopic Does not exist
vivid Does not exist
wily Does not exist
xenial Does not exist
yakkety Does not exist
zesty Does not exist

modsecurity-apache
Launchpad, Ubuntu, Debian
artful Not vulnerable (2.6.6-1)
hardy Does not exist
lucid Does not exist
natty Does not exist
oneiric Ignored (reached end-of-life)
precise Does not exist (precise was needed)
quantal Not vulnerable (2.6.6-1)
raring Not vulnerable (2.6.6-1)
saucy Not vulnerable (2.6.6-1)
trusty Not vulnerable (2.6.6-1)
upstream Released (2.6.6)
utopic Not vulnerable (2.6.6-1)
vivid Does not exist
wily Not vulnerable (2.6.6-1)
xenial Not vulnerable (2.6.6-1)
yakkety Not vulnerable (2.6.6-1)
zesty Not vulnerable (2.6.6-1)