CVE-2018-13065 : ModSecurity 3.0.0 has XSS via an onError attribute of an IMG element.

After an intensive source-code analysis of ModSecurity Web Application Firewall 3.0.0, one of the most popular open-source web application firewalls, I found that the web filter could be bypassed by using certain commands. I will contact the required authorities to get it fixed, but until then I cannot publicly disclose the tags that I used. I can guarantee that the process is replicable, and I have tried it on multiple machines. I intend to publish it in its totality as soon as it is resolved, and I will guide you through the process.

Comments

  1. When you performed your tests, did you use any rulesets? I use the ModSecurity Core RuleSet (as will most who use ModSecurity), and both of the attacks that you specified (on exploitdb) are blocked by my configuration. What configuration of ModSecurity did you use? Could you publish your modsec and include files, as well as your CRS-setup files? Methinks that your configuration may have been wrong. Did you specify a paranoia level?

  2. Maybe you got a little over-excited about this issue? The "finding" is very much disputed: https://github.com/SpiderLabs/ModSecurity/issues/1829
    In the absence of further evidence it should be regarded as a non-finding.