Hi list, While playing with requests that used chunked encoding, I found one way to sneak headers through Apache mod_headers removal mechanism. I also found a way to sneak pretty much anything through ModSecurity. More details here: http://martin.swende.se/blog/HTTPChunked.html ## Timeline * 2013-09-05 Notified ModSecurity (security@modsecurity.org) about the problem. * 2013-09-05 ModSecurity responded; will investigate/patch. * 2013-09-06 Notified Apache Software Foundation about the problem. * 2013-09-08 Apache responded; confirmed and looking into the issue. * 2013-09-09 ModSecurity responded with patch. * 2013-10-19 Apache security raised the issue on dev@httpd instead, it was "languishing on the private list". [Mail](http://marc.info/?l=apache-httpd-dev&m=138219203120175&w=2) * 2013-12-16 ModSecurity released version 2.7.6, with [patch](https://github.com/SpiderLabs/ModSecurity/commit/f8d441cd25172fdfe5b613442fedfc0da3cc333d). Uncredited. * 2014-03-31 Published details ### Status as of february 2014 The Ubuntu-packaged version of Modsecurity is 2.7.4, both for 13.10 and earlier. This version is vulnerable. The latest LTS server version - Ubuntu 12.04 uses Apache 2.2.22, which *is* vulnerable. Ubuntu 13.10 repositories contains Apache 2.4.6, which was found *not* to be vulnerable. Regards, Martin Holst Swende (and thanks to Fyodor!)