Unrated severityNVD Advisory· Published Apr 25, 2013· Updated Apr 29, 2026
CVE-2013-1915
Description
ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.
Affected products
9cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Patches
1d4d80b38aa85Added SecXmlExternalEntity
3 files changed · +60 −2
apache2/apache2_config.c+46 −2 modified@@ -156,6 +156,9 @@ void *create_directory_config(apr_pool_t *mp, char *path) dcfg->crypto_hash_framesrc_pm = NOT_SET; + /* xml external entity */ + dcfg->xml_external_entity = NOT_SET; + return dcfg; } @@ -591,6 +594,10 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child) merged->crypto_hash_framesrc_pm = (child->crypto_hash_framesrc_pm == NOT_SET ? parent->crypto_hash_framesrc_pm : child->crypto_hash_framesrc_pm); + /* xml external entity */ + merged->xml_external_entity = (child->xml_external_entity == NOT_SET + ? parent->xml_external_entity : child->xml_external_entity); + return merged; } @@ -711,6 +718,9 @@ void init_directory_config(directory_config *dcfg) if (dcfg->crypto_hash_iframesrc_pm == NOT_SET) dcfg->crypto_hash_iframesrc_pm = 0; if (dcfg->crypto_hash_framesrc_pm == NOT_SET) dcfg->crypto_hash_framesrc_pm = 0; + /* xml external entity */ + if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0; + } /** 
@@ -2282,9 +2292,35 @@ static const char *cmd_sensor_id(cmd_parms *cmd, void *_dcfg, const char *p1) return NULL; } +/** +* \brief Add SecXmlExternalEntity configuration option +* +* \param cmd Pointer to configuration data +* \param _dcfg Pointer to directory configuration +* \param p1 Pointer to configuration option +* +* \retval NULL On failure +* \retval apr_psprintf On Success +*/ +static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1) +{ + directory_config *dcfg = (directory_config *)_dcfg; + if (dcfg == NULL) return NULL; + + if (strcasecmp(p1, "on") == 0) { + dcfg->xml_external_entity = 1; + } + else if (strcasecmp(p1, "off") == 0) { + dcfg->xml_external_entity = 0; + } + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1); + + return NULL; +} + /** -* \brief Add SecHash configuration option +* \brief Add SecHashEngine configuration option * * \param cmd Pointer to configuration data * \param _dcfg Pointer to directory configuration @@ -2306,7 +2342,7 @@ static const char *cmd_hash_engine(cmd_parms *cmd, void *_dcfg, const char *p1) dcfg->hash_is_enabled = HASH_DISABLED; dcfg->hash_enforcement = HASH_DISABLED; } - else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1); + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SexHashEngine: %s", p1); return NULL; } @@ -3223,6 +3259,14 @@ const command_rec module_directives[] = { "On or Off" ), + AP_INIT_TAKE1 ( + "SecXmlExternalEntity", + cmd_xml_external_entity, + NULL, + CMD_SCOPE_ANY, + "On or Off" + ), + AP_INIT_FLAG ( "SecRuleInheritance", cmd_rule_inheritance,
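Review bot: The Doxygen block on `cmd_xml_external_entity` has its return semantics inverted: it says `\retval NULL On failure` and `\retval apr_psprintf On Success`, but the body returns NULL on success and an `apr_psprintf` string only when `p1` is neither "on" nor "off", which is how Apache directive handlers report an error; suggest `\retval NULL On success` and `\retval apr_psprintf Error message on an invalid value`. The same section's edit to `cmd_hash_engine` corrects the directive name in its error message but introduces a typo, `SexHashEngine`; it should read `"ModSecurity: Invalid value for SecHashEngine: %s"`. As a point of style, `SecXmlExternalEntity` is registered with `AP_INIT_TAKE1` and parses on/off by hand while the adjacent `SecRuleInheritance` uses `AP_INIT_FLAG`, which would give the same On/Off semantics with Apache doing the validation. The early `if (dcfg == NULL) return NULL;` reports success without recording anything, which is presumably the established convention for the other handlers in this file, but it does mean a misconfigured context silently keeps the default.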
apache2/modsecurity.h+3 −0 modified@@ -595,6 +595,9 @@ struct directory_config { int crypto_hash_location_pm; int crypto_hash_iframesrc_pm; int crypto_hash_framesrc_pm; + + /* xml */ + int xml_external_entity; }; struct error_message_t {
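Review bot: The comment on the new field, `/* xml */`, says nothing about what the int holds; elsewhere in this commit it is written as 1 for On and 0 for Off by `cmd_xml_external_entity`, set to `NOT_SET` in `create_directory_config` until merged, and defaulted to 0 in `init_directory_config`. Suggest `/* SecXmlExternalEntity: 1 = allow external entity loading, 0 = refuse (default); NOT_SET until merged */`. The enclosing `struct directory_config` starts outside the hunk.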
apache2/msc_xml.c+11 −0 modified@@ -14,17 +14,28 @@ #include "msc_xml.h" +static xmlParserInputBufferPtr +xml_unload_external_entity(const char *URI, xmlCharEncoding enc) { + return NULL; +} + /** * Initialise XML parser. */ int xml_init(modsec_rec *msr, char **error_msg) { + xmlParserInputBufferCreateFilenameFunc entity; + if (error_msg == NULL) return -1; *error_msg = NULL; msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data)); if (msr->xml == NULL) return -1; + if(msr->txcfg->xml_external_entity == 0) { + entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity); + } + return 1; }
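Review bot: In `xml_init` the local `entity` receives the previous handler returned by `xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity)` and is never read, so the variable is dead and the prior loader is lost; either drop it and write `xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);`, or keep the returned value somewhere it can be restored. More importantly, as far as I know that libxml2 call installs a process-wide default rather than a per-parser setting, while the decision is driven by the per-transaction `msr->txcfg->xml_external_entity`: once one request with the option Off has run, the stub stays in place for every later parse in the process, and the `== 1` case never reinstalls a loader, so the directive is effectively one-way and per-vhost or per-location values cannot differ — worth confirming against the libxml2 API. Tying the policy to the parser context created for this request (for example via `xmlCtxtUseOptions` with `XML_PARSE_NONET` and without `XML_PARSE_NOENT`) would keep it per-request, but that code is not in this hunk. The stub also returns NULL without any logging, so a refused external entity leaves no trace for operators; as written it has no `msr` handle to pass to `msr_log`, which is another argument for a per-context approach.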
References
15- www.openwall.com/lists/oss-security/2013/04/03/7nvdMailing ListPatchThird Party Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingPatchThird Party Advisory
- github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fenvdPatchThird Party Advisory
- lists.fedoraproject.org/pipermail/package-announce/2013-April/101898.htmlnvdThird Party Advisory
- lists.fedoraproject.org/pipermail/package-announce/2013-April/101911.htmlnvdThird Party Advisory
- lists.fedoraproject.org/pipermail/package-announce/2013-April/102616.htmlnvdThird Party Advisory
- lists.opensuse.org/opensuse-updates/2013-08/msg00020.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-updates/2013-08/msg00025.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-updates/2013-08/msg00031.htmlnvdMailing ListThird Party Advisory
- secunia.com/advisories/52847nvdThird Party Advisory
- secunia.com/advisories/52977nvdThird Party Advisory
- www.debian.org/security/2013/dsa-2659nvdThird Party Advisory
- www.mandriva.com/security/advisoriesnvdThird Party Advisory
- www.securityfocus.com/bid/58810nvdThird Party AdvisoryVDB Entry
- github.com/SpiderLabs/ModSecurity/blob/master/CHANGESnvdRelease NotesThird Party Advisory