The current version, 2.7.3, of the Apache/NGINX security module mod_security fixes a security problem in the XML parser of its predecessor versions. Timur Yunusov and Alexey Osipov from Positive Technologies discovered that processing a specially prepared XML document could give access to local files or consume excessive amounts of CPU or memory, crippling the server. The flaw has been given the identifier CVE-2013-1915.

The mod_security module is used as a web application firewall which allows requests to the web server to be filtered according to various criteria. The change log lists the fix as an additional switch, SecXmlExternalEntity which controls whether the libxml2 library that is used by mod_security will load external entities when parsing XML files. This new switch is set to off by default so that the parser will not attempt to retrieve files from other locations when parsing a document that refers to external entities.

Linux distributors such as Red Hat and Debian have already addressed the issue. The discoverers have yet to release their own advisory on the problem; only advisories for other manufacturers can be found on the advisory pages of mod_security owner Trustware SpiderLabs.

(djwm)