Vigil@nce: ModSecurity Core Rule Set, bypassing rules with MIME
June 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a special HTTP MIME query, in order to bypass
security rules of ModSecurity Core Rule Set.
– Severity: 1/4
– Creation date: 18/06/2012
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The ModSecurity administrator can chose to install his own rules,
or the ModSecurity CRS (Core Rule Set) rules.
CRS contains a rule which blocks unknown MIME types (variable
"tx.allowed_request_content_type" set in modsecurity_crs_10_config.conf
and used in modsecurity_crs_30_http_policy.conf).
This rule checks if the type belongs to the string
"application/x-www-form-urlencoded multipart/form-data text/xml
application/xml application/x-amf". However, an attacker can use a
MIME type which is a substring (for example "application/x"). This
MIME type is then accepted as valid.
An attacker can therefore use a special HTTP MIME query, in order
to bypass security rules of ModSecurity Core Rule Set.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ModSecurity-Core-Rule-Set-bypassing-rules-with-MIME-11720