Hole in Apache/NGINX mod_security firewall
The current version, 2.7.3, of the Apache/NGINX security module
mod_security fixes a security problem in the XML parser of its predecessor versions. Timur Yunusov and Alexey Osipov from Positive Technologies discovered that processing a specially prepared XML document could give access to local files or consume excessive amounts of CPU or memory, crippling the server. The flaw has been given the identifier CVE-2013-1915.
The mod_security module is used as a web application firewall which allows requests to the web server to be filtered according to various criteria.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump