CSF 2.67 - LF_MODSEC insecure regexp



DESCRIPTION


See issue 04 above for a complete explanation of this issue. The regexp for this issue looks similar to the following:


    if ( $log_line =~ /\[client (.*)\] mod_security: Access denied with code/ ) {
        return ( 'modsec from', $1, 'modsec' );
    }
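
Added example (not part of the original advisory or of CSF's code): the regexp above beside a stricter IPv4-only variant, run over constructed log lines to show what each one captures. The names parse_original and parse_hardened and the sample lines are hypothetical, and the caller is assumed to treat the returned value as an IP address.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The pattern from the advisory: greedy, unconstrained capture of the client field.
sub parse_original {
    my ($log_line) = @_;
    if ( $log_line =~ /\[client (.*)\] mod_security: Access denied with code/ ) {
        return ( 'modsec from', $1, 'modsec' );
    }
    return;
}

# Stricter variant (illustrative, IPv4 only): the capture may contain only a
# dotted quad, and every octet is range-checked before the value is returned.
sub parse_hardened {
    my ($log_line) = @_;
    if ( $log_line =~ /\[client (\d{1,3}(?:\.\d{1,3}){3})\] mod_security: Access denied with code/ ) {
        my $ip = $1;
        return if grep { $_ > 255 } split /\./, $ip;
        return ( 'modsec from', $ip, 'modsec' );
    }
    return;
}

# Constructed sample lines, not taken from a real log.
my @samples = (
    # Ordinary line: both patterns capture the address.
    '[error] [client 203.0.113.5] mod_security: Access denied with code 403.',
    # Marker text appears a second time later in the line: the greedy (.*)
    # runs to the last occurrence, so the original capture is not an address.
    '[error] [client 203.0.113.5] mod_security: Access denied with code 403. trailing-text] mod_security: Access denied with code',
    # Address-shaped but out of range: rejected by the octet check.
    '[error] [client 999.1.1.1] mod_security: Access denied with code 403.',
);

for my $line (@samples) {
    my @orig = parse_original($line);
    my @hard = parse_hardened($line);
    printf "original: %s\nhardened: %s\n\n",
        ( @orig ? "'$orig[1]'" : 'no match' ),
        ( @hard ? "'$hard[1]'" : 'no match' );
}
```

For the second sample the original pattern returns everything between the first "[client " and the last marker, while the stricter variant still returns only 203.0.113.5.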



IMPACT


Remote, unauthenticated command execution as root. LF_MODSEC is disabled by default.

This bug was not reported because it was not discovered until after it had been fixed. I believe this bug was fixed in the release that followed 2.76 as a result of reporting issue #08 (remotely block any IP address, pure-ftpd regexp).