modsecurity hack
Stefan Esser has been credited with discovering a serious vulnerability in the popular open source web application firewall software, ModSecurity.
When mod_security receives a request it parses it into web application parameters in the way it believes is correct. Because its parsing of the incoming data follows the rules defined in the RFCs rather than the way the HTTP request parsers are actually implemented in Perl, Python, Java and PHP, there are a number of bypass vulnerabilities wherever the RFC and reality diverge.
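One way to make the mismatch visible on the firewall side, as an added example that is not from the original post or from ModSecurity itself: parse the same query string once strictly and once with a model of the backend's own name handling, and flag any parameter the backend would see but the strict parser did not. The backend model here is my own approximation of PHP's documented rule that dots and spaces in variable names become underscores and that leading spaces are dropped; it is an assumption, not a copy of PHP's code.

```python
from urllib.parse import unquote_plus


def rfc_style_parse(query):
    """Strict view: parameter names are kept exactly as percent-decoded."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def backend_style_name(name):
    """Approximation (assumption) of how PHP canonicalises a parameter name
    before it lands in $_GET/$_POST: drop leading spaces, then turn dots and
    spaces into underscores."""
    name = name.lstrip(" ")
    return name.replace(".", "_").replace(" ", "_")


def backend_style_parse(query):
    """Same split as rfc_style_parse, but names are canonicalised the backend way."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[backend_style_name(unquote_plus(name))] = unquote_plus(value)
    return params


def parser_disagreement(query):
    """Names the backend would expose that the strict parser never produced.
    A non-empty result means a rule keyed on ARGS:<name> was evaluated
    against a different parameter than the application will read."""
    strict = rfc_style_parse(query)
    backend = backend_style_parse(query)
    return sorted(name for name in backend if name not in strict)


if __name__ == "__main__":
    # Constructed sample requests: one ordinary, one whose 'id' name the
    # strict parser sees as ' id' (leading space) while the backend sees 'id'.
    print(parser_disagreement("user=bob&id=7"))      # []
    print(parser_disagreement("user=bob&+id=7"))     # ['id']
```

A firewall that logs or blocks whenever this list is non-empty removes the gap without having to re-implement every backend parser exactly.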
A lot of legacy web applications are in trouble now. That's what Ivan Ristic gets for following the RFCs, I mean who does that? :)
From what I can tell the latest version is affected and I do not know of any fix. In fact, I think it will be quite difficult to patch this, as it's a human weakness problem rather than a programming error.
Ivan addressed this in the ModSec blog and presented a workaround on Sunday:
http://www.modsecurity.org/blog/archives/2007/03/modsecurity_asc.html
Ivan Ristic seems a little peeved in that blog entry that the vulnerability was not disclosed “responsibly”. I have noticed a movement toward full disclosure for web app vulnerabilities - see sla.ckers.org.