denial of service (DoS)공격을 일으킬 수 있는 취약점 2개가 수정되었고 가장 좋은 방법은 2.5.9버전으로 업그레이드 
하는것 이지만 업그레이드가 여의치 않다면 아래 두가지 설정으로 문제가 부분을 수정할 수 있습니다.

PDF XSS protection engine off
SecPdfProtect Off

또 한가지 multipart request parser 취약점
# Force URLENCODED processing so that the vulnerability is bypassed
# and the REQUEST_BODY target variable is populated, but at the
# expense of no longer being able to parse multipart form arguments.
SecRule REQUEST_HEADERS:Content-Type "multipart/form-data"
# Deny any multipart requests with a zero length header name
SecRule REQUEST_HEADERS:Content-Type "multipart/form-data"
"chain,phase:2,t:none,t:lowercase,deny,msg:'ModSecurity DoS attempt - NULL part header name'"
SecRule REQUEST_BODY "(?m:^--.*\x0d\x0a?:.*\x0d\x0a?--)" "t:none"

이하 원문 입니다.

fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart
requests as well as a potential DoS vulnerability discovered in the PDF XSS protection engine (fixed in 2.5.8). Additionally, 2.5.9 cleans up the build process and adds a few features, including atomic updates of persistent
counters and macro expansion of the append/prepend actions. It is highly recommended to upgrade to this 2.5.9

Please see the blog post for more information on the vulnerabilities fixed in this release:



* Fixed parsing multipart content with a missing part header name which would crash Apache.
Discovered by "Internet Security Auditors" (

* Added ability to specify the config script directly using --with-apr and --with-apu.

* Updated copyright year to 2009.

* Added macro expansion for append/prepend action.

* Fixed race condition in concurrent updates of persistent counters. Updates are now atomic.

* Cleaned up build, adding an option for verbose configure output and making the mlogc build more portable.


* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process.
Discovered by Steve Grubb at Red Hat.

* Removed an invalid "Internal error: Issuing "%s" for unspecified error." message that was logged when
denying with nolog/noauditlog set and causing the request to be audited.

관련링크 :

'News' 카테고리의 다른 글

CentOS-5.3 Release  (8) 2009.04.01
ProFTPD 1.3.2-2 kr version release  (0) 2009.03.29
Samba 3.3.1 Release  (1) 2009.02.25
ProFTPD 1.3.2 release  (0) 2009.02.09
XpressEngine 1.1.0 배포  (1) 2008.11.20

+ Recent posts