Sonntag, 16. Februar 2014

Ruleset-Update: Tomcat/Apache-Commons File Upload DOS Attempt CVE-2014-0050

#
# sid: 42000342 |  date: 2014-02-16 - 00:54:09 | maker: lazydog
# 
# http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E
# http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
 

MainRule "rx:multipart\/form-data;(\s*)boundary=[a-zA-Z0-9_-]{4000}" "msg:DN APP_SERVER Tomcat/Apache-Commons File Upload DOS Attempt" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000342 ;  

---------------- P.S.: Trustwave suggests the following ModSecurity-Rule:
SecRule REQUEST_HEADERS:Content-Type "@rx .{4000}"