Interpretation conflict in ModSecurity (mod_security) 2.1.0 and previous versions allows remote malicious users to bypass request rules via application/x-www-form-urlencoded POST data that contains an ASCIIZ (0x00) byte, which mod_security treats as a terminator even though it is still processed as normal data by some HTTP parsers including PHP 5.2.0, and possibly parsers in Perl, and Python.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
mod security mod security 1.7.4 |
||
mod security mod security 1.7.5 |
||
mod security mod security 1.7.1 |
||
mod security mod security 1.7.2 |
||
mod security mod security 1.9.4 |
||
mod security mod security 2.1 |
||
mod security mod security 1.7 |