Hi,
just to let you know that yesterday (3 July 2018) a presumptive vulnerability in "ModSecurity 3.0.0" (?!) was published. The author writes that, using the following two payloads inside an argument of the request query string, he was able to evade XSS filters: <img src=x onError=prompt(3)> and <img src=x onError=prompt(document.cookie)>.
First: the author of the CVE has not included any information about the ruleset he used during his test.
Second: if he used CRS3, both payloads are obviously detected by rule 941100 (XSS Attack Detected via libinjection) at Paranoia Level 1.
I've written to cve.mitre.org with all this information, asking them to tag this CVE as DISPUTED until the author provides more details (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13065). Based on what he wrote on exploit-db (https://www.exploit-db.com/exploits/44970/) it seems he didn't use any ruleset at all... otherwise he needs to specify it. Anyway, IMHO, the CVE description is wrong because it identifies libModSecurity as vulnerable instead of a rule or a ruleset.
What do you think about it?
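As an added example for this thread (not code from the original post, nor from the ModSecurity or OWASP CRS projects): a small Python triage script that reads ModSecurity v3 error-log lines of the kind the nginx connector writes, and reports, per request, which CRS rule ids fired and at which paranoia level. This is how one would check the claim that rule 941100 catches both payloads at Paranoia Level 1 after replaying them against a CRS3 install. The log lines below are constructed to mimic the format; the file paths, rule line numbers, version strings, hostnames and unique_ids are made up, and the example assumes a CRS 3 ruleset where 941100 carries the tag paranoia-level/1 and the anomaly-scoring rule 949110 fires once per blocked request.

```python
"""Triage ModSecurity v3 error-log lines: which CRS rules fired, per request.

Added example for this thread; not code from the ModSecurity or OWASP CRS projects.
"""
import re
from typing import Any, Dict, List, Optional

# The two payloads from the disputed CVE write-up.
PAYLOAD_1 = "<img src=x onError=prompt(3)>"
PAYLOAD_2 = "<img src=x onError=prompt(document.cookie)>"

# CONSTRUCTED sample in the shape the ModSecurity-nginx connector writes to the
# nginx error log: one 941100 hit per payload (sent in ARGS:q) plus the
# anomaly-scoring rule 949110 once per request. Paths, rule line numbers,
# versions, hostnames and unique_ids are made up; the first line is ordinary
# nginx noise that the parser must skip.
SAMPLE_ERROR_LOG = r'''
2018/07/04 10:15:20 [error] 1234#1234: *6 open() "/srv/www/favicon.ico" failed (2: No such file or directory), client: 10.0.0.5
2018/07/04 10:15:21 [error] 1234#1234: *7 [client 10.0.0.5] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: <img src=x onError=prompt(3)>"] [severity "2"] [ver "OWASP_CRS/3.0.2"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "paranoia-level/1"] [hostname "10.0.0.1"] [uri "/search"] [unique_id "153069332112.345678"] [ref "v10,29"]
2018/07/04 10:15:21 [error] 1234#1234: *7 [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.0.0.1"] [uri "/search"] [unique_id "153069332112.345678"] [ref ""]
2018/07/04 10:16:02 [error] 1234#1234: *9 [client 10.0.0.5] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: <img src=x onError=prompt(document.cookie)>"] [severity "2"] [ver "OWASP_CRS/3.0.2"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "paranoia-level/1"] [hostname "10.0.0.1"] [uri "/search"] [unique_id "153069336201.987654"] [ref "v10,44"]
2018/07/04 10:16:02 [error] 1234#1234: *9 [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.0.0.1"] [uri "/search"] [unique_id "153069336201.987654"] [ref ""]
'''

# One [key "value"] field. Values in this format do not contain double quotes,
# so a simple negated character class is enough.
FIELD_RE = re.compile(r'\[([a-z_]+) "([^"]*)"\]')


def parse_modsec_line(line: str) -> Optional[Dict[str, Any]]:
    """Return the [key "value"] fields of one ModSecurity line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    entry: Dict[str, Any] = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)  # the tag field repeats; keep them all
        else:
            entry[key] = value
    return entry if "id" in entry else None


def parse_error_log(text: str) -> List[Dict[str, Any]]:
    """Parse every ModSecurity line in an error log, skipping unrelated lines."""
    entries = []
    for line in text.splitlines():
        entry = parse_modsec_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def paranoia_level(entry: Dict[str, Any]) -> Optional[int]:
    """CRS 3 tags each rule with paranoia-level/N; rules without the tag (e.g. 949110) give None."""
    for tag in entry["tags"]:
        if tag.startswith("paranoia-level/"):
            return int(tag.split("/", 1)[1])
    return None


def rules_matching_payload(entries: List[Dict[str, Any]], payload: str) -> List[str]:
    """Rule ids whose matched-data field contains the payload verbatim (a heuristic:
    ModSecurity may log the transformed or truncated value instead)."""
    return sorted({e["id"] for e in entries if payload in e.get("data", "")})


def rules_by_request(entries: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Group fired rule ids by the request's unique_id, in log order."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        out.setdefault(e.get("unique_id", "?"), []).append(e["id"])
    return out


def blocked_requests(entries: List[Dict[str, Any]]) -> List[str]:
    """unique_ids for which the CRS anomaly-scoring rule 949110 fired."""
    return [e["unique_id"] for e in entries if e["id"] == "949110"]


ENTRIES = parse_error_log(SAMPLE_ERROR_LOG)

if __name__ == "__main__":
    for uid, ids in rules_by_request(ENTRIES).items():
        print(uid, ids)
    for payload in (PAYLOAD_1, PAYLOAD_2):
        hits = rules_matching_payload(ENTRIES, payload)
        levels = sorted({paranoia_level(e) for e in ENTRIES if e["id"] in hits})
        print(repr(payload), "->", hits, "at PL", levels)
```

To use it against a real deployment, replay the two payloads in a query-string argument, then feed the connector's error log to `parse_error_log(open(path).read())`. Two caveats: the data field matching is only a heuristic, since the logged value may be a transformed or truncated copy of the argument, and a request like this will typically trip more than one 941xxx rule, so the point to verify is that 941100 appears among them at paranoia-level/1, not that it is the only hit.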
I've just received an answer from exploit-db.com: after reading all the information in this issue, they decided to remove the published exploit from their database.
@theMiddleBlue now that the assessment is clarified and the entry has been removed from the EDB as well, can you request a proper REJECT from MITRE? Thanks a lot already.