Impact
This issue can occur in mod_security2, version >= 2.9.9, with support for the SecParseXmlIntoArgs feature.
If this variable (SecParseXmlIntoArgs) is set to On or OnlyArgs, the request type is application/xml, and at least one XML tag is empty (e.g. <foo></foo>), then a segmentation fault occurs.
Note that the default value of SecParseXmlIntoArgs is Off.
Patches
A patch is available; we will apply it soon.
Workarounds
Set SecParseXmlIntoArgs to Off.
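An added example, not part of the advisory or of the ModSecurity project's code: a small Python audit that flags configuration lines leaving SecParseXmlIntoArgs at On or OnlyArgs, so the workaround can be checked across config files. The sample configuration is constructed, and the case-insensitive matching and backslash line continuation are assumptions about how the configuration is parsed.

```python
import re
import sys

# Values that enable the affected feature, per the advisory text.
RISKY = {"on", "onlyargs"}

# Directive at the start of a line (leading whitespace allowed), then one
# optionally quoted value. Case-insensitive matching is an assumption, chosen
# so the audit errs on the side of flagging. Commented-out lines never match.
DIRECTIVE = re.compile(r'^\s*SecParseXmlIntoArgs\s+"?([A-Za-z]+)"?', re.IGNORECASE)

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
# SecParseXmlIntoArgs On
SecRuleEngine On
SecParseXmlIntoArgs Off
    SecParseXmlIntoArgs OnlyArgs
secparsexmlintoargs \\
    on
"""


def logical_lines(text):
    """Yield (first_line_no, joined_text), folding backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), start=1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended in the middle of a continuation
        yield start, buf


def audit_config(text):
    """Return [(line_no, value)] for every directive that enables the feature."""
    findings = []
    for line_no, line in logical_lines(text):
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() in RISKY:
            findings.append((line_no, m.group(1)))
    return findings


if __name__ == "__main__":
    # Audit the files named on the command line, or the sample if none given.
    inputs = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, text in inputs:
        for line_no, value in audit_config(text):
            print(f"{name}:{line_no}: SecParseXmlIntoArgs {value} (set to Off)")
```

The audit reports every enabling line rather than computing an effective value, since a later or more specific directive may override an earlier one.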
Reporter
The issue was reported by Andrew Howe (@RedXanadu).