Hi, I have done the work of backporting the upstream patch which Salvatore Bonaccorso pointed at. The patch is attached to this email.
Please note that I have *not* tested this patch, I just applied manually (because otherwise it would fail) what I could find upstream, and checked that the package still builds (which it does). So the current maintainer of the mod_security package *must* (before uploading or requesting sponsorship): 1/ Check that this patch really addresses CVE-2013-1915 as expected 2/ Check that there is no regression and that mod_security continues to work as expected. Note that this work should be done as soon as possible, considering how close we are to releasing Wheezy. If nothing is done by the current maintainer, then I hope to find the time to do the above 1/ and 2/, then upload to the delayed queue (though do not take it as a given, I might be busy doing something else). Please do take care of it; mod_security is a nice piece of software, and it would be a shame not to release Wheezy with it. Cheers, Thomas Goirand (zigo)
Description: CVE-2013-1915: Vulnerable to XXE attacks
 This upstream patch has been backported to the Wheezy version.
Author: Alberto Gonzalez Iniesta <a...@inittab.org>
Bug-Debian: http://bugs.debian.org/704625
Origin: upstream, https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
Reviewed-By: Thomas Goirand <z...@debian.org>
Last-Update: <YYYY-MM-DD>
--- modsecurity-apache-2.6.6.orig/apache2/msc_xml.c
+++ modsecurity-apache-2.6.6/apache2/msc_xml.c
@@ -14,17 +14,27 @@
 #include "msc_xml.h"
+static xmlParserInputBufferPtr
+xml_unload_external_entity(const char *URI, xmlCharEncoding enc) {
+ return NULL;
+}
 /**
  * Initialise XML parser.
  */
 int xml_init(modsec_rec *msr, char **error_msg) {
+ xmlParserInputBufferCreateFilenameFunc entity;
+
 if (error_msg == NULL) return -1;
 *error_msg = NULL;
 msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
 if (msr->xml == NULL) return -1;
+ if(msr->txcfg->xml_external_entity == 0) {
+ entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
+ }
+
 return 1;
 }
--- modsecurity-apache-2.6.6.orig/apache2/apache2_config.c
+++ modsecurity-apache-2.6.6/apache2/apache2_config.c
@@ -128,6 +128,9 @@ void *create_directory_config(apr_pool_t
 /* Collection timeout */
 dcfg->col_timeout = NOT_SET;
+ /* xml external entity */
+ dcfg->xml_external_entity = NOT_SET;
+
 return dcfg;
 }
@@ -518,6 +521,10 @@ void *merge_directory_configs(apr_pool_t
 merged->col_timeout = (child->col_timeout == NOT_SET ? parent->col_timeout : child->col_timeout);
+ /* xml external entity */
+ merged->xml_external_entity = (child->xml_external_entity == NOT_SET
+ ? parent->xml_external_entity : child->xml_external_entity);
+
 return merged;
 }
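Review bot: In the msc_xml.c hunk the handler returned by `xmlParserInputBufferCreateFilenameDefault()` is stored in `entity` and never read, so the previous libxml2 handler is lost and the compiler will flag an unused variable; the no-op `xml_unload_external_entity` likewise never touches `URI` or `enc`. More importantly, as far as I know that call replaces a global libxml2 default rather than a per-parser-context setting, yet it is issued from a per-transaction function driven by per-directory configuration and nothing in the hunk restores it, so once any request whose context has SecXmlExternalEntity Off reaches `xml_init()`, every later request in that worker process, including ones configured On, keeps the no-op loader. That is fail-closed, so the CVE-2013-1915 fix is not weakened by it, but the directive's On value cannot be relied on per location, which deserves a comment above the `if` such as `/* NOTE: installs a libxml2 process-wide default; it is not restored for later requests */`. Dropping the unused local with `(void) xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);` and adding `(void)URI; (void)enc;` to the callback would silence the warnings without changing behaviour.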
@@ -615,6 +622,9 @@ void init_directory_config(directory_con
 if (dcfg->disable_backend_compression == NOT_SET) dcfg->disable_backend_compression = 0;
 if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600;
+
+ /* xml external entity */
+ if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
 }
 /**
@@ -1961,6 +1971,32 @@ static const char *cmd_web_app_id(cmd_pa
 return NULL;
 }
+/**
+* \brief Add SecXmlExternalEntity configuration option
+*
+* \param cmd Pointer to configuration data
+* \param _dcfg Pointer to directory configuration
+* \param p1 Pointer to configuration option
+*
+* \retval NULL On failure
+* \retval apr_psprintf On Success
+*/
+static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+ directory_config *dcfg = (directory_config *)_dcfg;
+ if (dcfg == NULL) return NULL;
+
+ if (strcasecmp(p1, "on") == 0) {
+ dcfg->xml_external_entity = 1;
+ }
+ else if (strcasecmp(p1, "off") == 0) {
+ dcfg->xml_external_entity = 0;
+ }
+ else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
+
+ return NULL;
+}
+
 /* PCRE Limits */
 static const char *cmd_pcre_match_limit(cmd_parms *cmd,
@@ -2295,6 +2331,14 @@ const command_rec module_directives[] =
 "component signature to add to ModSecurity signature."
 ),
+ AP_INIT_TAKE1 (
+ "SecXmlExternalEntity",
+ cmd_xml_external_entity,
+ NULL,
+ CMD_SCOPE_ANY,
+ "On or Off"
+ ),
+
 AP_INIT_FLAG (
 "SecContentInjection",
 cmd_content_injection,
--- modsecurity-apache-2.6.6.orig/apache2/modsecurity.h
+++ modsecurity-apache-2.6.6/apache2/modsecurity.h
@@ -522,6 +522,9 @@ struct directory_config {
 /* Collection timeout */
 int col_timeout;
+
+ /* xml */
+ int xml_external_entity;
 };
 struct error_message {
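Review bot: The `\retval` lines in the new doc comment for `cmd_xml_external_entity` are inverted: Apache directive handlers return NULL on success and an error string on failure, which is exactly what the body does (`return NULL;` after On/Off is accepted, `apr_psprintf(...)` for anything else), so they should read `\retval NULL On success` and `\retval apr_psprintf On failure`. The `if (dcfg == NULL) return NULL;` guard also reports success while configuring nothing; an error string would be more honest, though this may be mirroring the neighbouring handlers in the file, which are outside the hunk. Since the directive accepts only On or Off, registering it in the `module_directives` hunk with `AP_INIT_FLAG` like the adjacent `SecContentInjection` entry would let Apache validate the value and hand the handler an int, making the two `strcasecmp` branches and the custom error message unnecessary.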