Vulnerable regexp in rule 942260, 942490 (was: 942330) #1359
Comments
User theMiddleBlue commented on date 2019-04-16 08:02:56: Hi s0md3v Thank you so much for reporting this! I'm testing it on my nginx + modsec3 and I confirm that it takes a lot of time to process a request like:
I'm creating a rule that drops a request if it contains repeating multiple characters. Based on your experience, what do you think about something like thanks! |
User s0md3v commented on date 2019-04-16 08:24:37: Hi theMiddleBlue, I would like to patch all the 5 issues I have reported. I have opened a PR for the most critical one already.
There are two problems:
Intersecting alternate patterns
Both alternate patterns start with In the second alternate pattern, the tokens
Nested repetition operators
The structure of this sub-pattern is
I will open a pull request to resolve this and the other issues shortly. |
User theMiddleBlue commented on date 2019-04-16 08:26:27: Oh didn't see the PR sorry! That's really great! I'm testing your changes right now |
User theMiddleBlue commented on date 2019-04-16 08:28:18: Are you planning to fix all 5 issues in a single PR? |
User s0md3v commented on date 2019-04-16 08:32:03: Do you want me to include all the fixes in one PR? Yeah sure, we can do that. |
User theMiddleBlue commented on date 2019-04-16 08:36:16: Maybe to have it in a single PR can help us to talk about it (and test your changes quickly). But this is only my opinion, let's see what others say ;) |
User s0md3v commented on date 2019-04-16 08:40:36: I thought it would be better to keep them separate so we can talk about different ways to tackle them and regression testing without getting things mixed up. |
User theMiddleBlue commented on date 2019-04-16 08:41:10: ok, no problem for me! |
User dune73 commented on date 2019-04-28 05:11:56: This issue is referenced as CVE-2019-11387 by NIST. This issue is directly exploitable in CRS / ModSecurity with Paranoia Level 2 on ModSecurity 3 on NGINX (Tested against ModSecurity 3.0.3 on Nginx 1.3.12). The issue is not directly exploitable on ModSecurity 2 thanks to PCRE match limit settings, which are very low by default. The rule affected is Reproduction:
[EDIT: Updated comment from unconfirmed to confirmed.] |
User dune73 commented on date 2019-04-29 11:32:23: Reproduction with pcre2test based on known payload and the regex from 942490.
|
User dune73 commented on date 2019-04-29 14:01:14: Rule Regex:
Sources before regexp::assemble:
|
User hlef commented on date 2019-05-19 12:18:30: emphazer : Has this been fixed by #1379? |
User emphazer commented on date 2019-05-20 14:44:00: hlef the ddos possibility in rule 942490 has been fixed for dev/3.2 branch, yes. |
User hlef commented on date 2019-05-21 07:00:33:
Alright, and 942260 is not fixed yet. Thanks! |
User dune73 commented on date 2019-05-21 07:17:41: 942260 is almost fixed. PR is ready: SpiderLabs/owasp-modsecurity-crs#1417 |
Issue originally created by user s0md3v on date 2019-04-15 17:25:57.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#1359.
The vulnerable regular expression is located in /crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf on line 913. [Link] The vulnerability is caused by nested repetition operators and can be exploited with the following string
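
The issue and s0md3v's comment both name nested repetition operators as a cause. The following is an added example, not code from the thread or from the CRS project: a lint that parses a regex with Python's own regex parser and reports every variable-width repeat sitting inside an unbounded repeat, so rule patterns can be checked before deployment. The sample patterns are constructed for illustration and are not the regexes of rules 942260 or 942490; the check does not cover the intersecting-alternatives problem.

```python
# Added example: flag nested repetition operators in a regex before deploying it.
try:                                   # Python 3.11+
    import re._parser as sre_parse
except ImportError:                    # older Python 3
    import sre_parse

REPEATS = (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT)

def _subpatterns(av):
    """Yield every SubPattern nested anywhere in a parse-node argument."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _subpatterns(item)

def _bounds(lo, hi):
    """Render repeat bounds in {m,n} form; unbounded max is left empty."""
    return "{%d,}" % lo if hi == sre_parse.MAXREPEAT else "{%d,%d}" % (lo, hi)

def nested_repeats(pattern):
    """Return (outer, inner) bound strings for each variable-width repeat
    found inside an unbounded repeat, the (x+)+ shape."""
    findings = []

    def walk(sub, outer):
        for op, av in sub.data:
            here = outer
            if op in REPEATS:
                lo, hi, _body = av
                # inner repeat can match a varying number of times
                if outer is not None and hi > lo and hi > 1:
                    findings.append((outer, _bounds(lo, hi)))
                if hi == sre_parse.MAXREPEAT:
                    here = _bounds(lo, hi)   # everything below is inside it
            for child in _subpatterns(av):
                walk(child, here)

    walk(sre_parse.parse(pattern), None)
    return findings

if __name__ == "__main__":
    # Constructed sample patterns, not taken from the CRS rule files.
    for sample in (r"(?:\w+\s*)+=", r"(a+)+$", r"\w+\s*=", r"(?:ab){1,3}c*"):
        hits = nested_repeats(sample)
        print("REVIEW" if hits else "ok    ", sample, hits)
```

A finding means the pattern needs review, not that it is exploitable; whether backtracking actually blows up also depends on what follows the repeat and on the engine's match limits.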