Information about new CVE-2018-13065 (Author: Adipta Basu) #1829

Closed
theMiddleBlue opened this issue Jul 4, 2018 · 5 comments
theMiddleBlue commented Jul 4, 2018

Hi,

just to inform you that yesterday (3rd July 2018) a presumptive vulnerability in "ModSecurity 3.0.0" was published (?!). The author writes that, using the following two payloads inside an argument in the request query string, he was able to elude XSS filters: `<img src=x onError=prompt(3)>` and `<img src=x onError=prompt(document.cookie)>`.

First: the author of the CVE has not included information about the ruleset that he used during his test.

Second: if he used the CRS3, obviously both payloads are detected by the rule 941100 (XSS Attack Detected via libinjection) with a Paranoia Level set to 1.

I've written to cve.mitre.org including all this information and asking to tag this CVE as DISPUTED until the author gives more information (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13065). Based on what he has written on exploit-db (https://www.exploit-db.com/exploits/44970/) it seems that he hasn't used any ruleset... otherwise he needs to specify it. Anyway, IMHO, the CVE description is wrong because it identifies libModSecurity as vulnerable instead of a rule or a ruleset.

What do you think about it?

Contributor

zimmerle commented Jul 4, 2018

Hi @theMiddleBlue

I completely agree with your words. Thank you for the initiative. It seems to me that no rule set was loaded at all.

I will keep this issue open to keep track of it.
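
The distinction discussed above (engine without rules versus engine with a rule set), as an added configuration sketch that is not part of the original thread or the project's own files. The include paths and the local rule id `1000001` are placeholders chosen for illustration:

```apache
# Constructed example: paths are placeholders, adjust to the local install.

# --- Engine only ----------------------------------------------------------
# libModSecurity parses the request, but no rule inspects ARGS, so nothing
# in the query string can be flagged as XSS.
SecRuleEngine On
SecRequestBodyAccess On

# --- Engine plus a rule set -----------------------------------------------
# Loading CRS 3 brings in rule 941100 ("XSS Attack Detected via
# libinjection"), which the thread reports as active at Paranoia Level 1.
Include /path/to/owasp-crs/crs-setup.conf
Include /path/to/owasp-crs/rules/*.conf

# --- Or a single local rule -----------------------------------------------
# A stand-alone rule using the libinjection XSS operator (@detectXSS).
# id 1000001 is an arbitrary local id, not a CRS rule.
SecRule ARGS "@detectXSS" \
    "id:1000001,phase:2,deny,status:403,log,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'XSS detected via libinjection (local example rule)'"
```

A quick deployment check is to confirm that the running configuration actually reaches one of the `Include` or `SecRule` lines, since `SecRuleEngine On` alone detects nothing.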

@zimmerle zimmerle added the 3.x Related to ModSecurity version 3.x label Jul 4, 2018
@csanders-git

I made a post to the CRS mailing list, I got the same results.

@theMiddleBlue
Author

Hi guys,

I've just received an answer from exploit-db.com saying that, after reading all the information on this issue, they decided to remove the published exploit from their database:

image

✌️

@zimmerle
Contributor

Thank you @theMiddleBlue :)

carnil commented Aug 13, 2018

@theMiddleBlue now that the assessment is clarified and the entry has been removed from the EDB as well, can you request a proper REJECT from MITRE? Thanks a lot already.
