ModSecurity Content-Type Override Vulnerability Leading to XSS and Source Code Disclosure

Vulnerability

A vulnerability in ModSecurity versions through 2.9.11 allows attackers to manipulate the HTTP response's Content-Type. This could result in various issues, such as cross-site scripting (XSS) and unauthorized disclosure of script source code, depending on the HTTP context. The vulnerability arises because ModSecurity fails to properly handle certain input errors, allowing malicious requests to be processed incorrectly. This issue has been demonstrated in the latest ModSecurity version.

Impact

Exploitation of this vulnerability can lead to cross-site scripting (XSS) and arbitrary script source code disclosure, according to the ModSecurity advisory.

Reproduction

The vulnerability can be reproduced by sending a malformed HTTP request that triggers an 'AP_FILTER_ERROR' response from the Apache server. This can be done by using chunked transfer encoding with an invalid chunk size, or by sending POST data that exceeds the server's configured limits. The double response issue occurs because ModSecurity does not properly handle the error, allowing the request to continue processing and resulting in two HTTP responses being sent.
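The double response described above can be looked for in captured traffic. The following Python sketch is an added example, not code from the advisory or the ModSecurity project: it splits the bytes read from one connection into responses and flags the case where more responses came back than requests were sent, or where their Content-Type headers disagree. It assumes responses are framed with Content-Length; the function names and the sample bytes are constructed for illustration.

```python
import re

STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")

def split_responses(raw):
    """Split bytes read from one connection into Content-Length-framed responses."""
    responses, pos = [], 0
    while pos < len(raw):
        m = STATUS_LINE.match(raw, pos)
        if not m:
            break                                   # leftover bytes are not a response
        head_end = raw.find(b"\r\n\r\n", m.end() - 2)
        if head_end == -1:
            break                                   # truncated header block
        headers = {}
        for line in raw[m.end():head_end].split(b"\r\n"):
            name, sep, value = line.partition(b":")
            if sep:
                headers[name.strip().lower()] = value.strip().decode("latin-1")
        clen = headers.get(b"content-length", "0")
        length = int(clen) if clen.isdigit() else 0
        body_start = head_end + 4
        responses.append({"status": int(m.group(1)),
                          "content_type": headers.get(b"content-type")})
        pos = body_start + length                   # skip the body by framing, not by search
    return responses

def check_exchange(raw, requests_sent=1):
    """Flag more responses than requests, and Content-Type disagreement between them."""
    responses = split_responses(raw)
    types = [r["content_type"] for r in responses]
    return {"responses": len(responses),
            "double_response": len(responses) > requests_sent,
            "content_types": types,
            "content_type_mismatch": len(set(types)) > 1}

def _resp(status, ctype, body):                     # builds constructed sample bytes
    head = f"HTTP/1.1 {status}\r\nContent-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body

# Constructed samples, not captures from a real server.
SAMPLE_DOUBLE = (_resp("400 Bad Request", "text/html", b"<p>bad</p>")
                 + _resp("200 OK", "text/plain", b"hello"))
SAMPLE_SINGLE = _resp("200 OK", "text/html", b"<p>ok</p>")
SAMPLE_BODY_LOOKALIKE = _resp("200 OK", "text/plain", b"HTTP/1.1 500 x\r\n\r\n")

if __name__ == "__main__":
    for name in ("SAMPLE_DOUBLE", "SAMPLE_SINGLE", "SAMPLE_BODY_LOOKALIKE"):
        print(name, check_exchange(globals()[name]))
```

The third sample shows why the body is skipped by its declared length: a body that merely contains a status-line-like string is not counted as a second response.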

Remediation

Users are advised to update ModSecurity to version 2.9.12, where this vulnerability has been fixed.

Added: Aug 6, 2025, 12:36 AM
Updated: Aug 6, 2025, 12:36 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 3.1
exploitability: 9.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.