Cookie with empty key will crash ModSecurity worker process #2566

Closed
Olament opened this issue May 6, 2021 · 5 comments

Olament commented May 6, 2021

Describe the bug

The connection will be closed due to a "string index out of range" error under certain requests.

Logs and dumps

modsec_1    | terminate called after throwing an instance of 'std::out_of_range'
modsec_1    |   what():  basic_string::at: __n (which is 0) >= this->size() (which is 0)
modsec_1    | 2021/05/06 02:53:50 [alert] 1#1: worker process 8 exited on signal 6

To Reproduce

echo -e "GET / HTTP/1.0\r\nCookie: =abc\r\n\r\n" | nc MODSECURITY PORT

Server:

ModSecurity v3 on Nginx 1.17 official base image


This vulnerability (CVE-2019-25043) was found by Microsoft WAFLab, an open-source web-based testing platform for the correctness of WAFs (Web Application Firewalls), especially ModSecurity and Core Rule Set. WAFLab is developed by senior researcher Yang Luo and his intern Zixuan Guo, both from the Networking Research Group, Microsoft Research Asia.
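The log above shows `basic_string::at` called with index 0 on an empty string. The following is an added example, not ModSecurity's code and not part of the original issue: a hypothetical cookie parser showing how an empty cookie name reaches that exception, next to a bounds-checked variant. All function names are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

using Cookies = std::map<std::string, std::string>;

// Hypothetical parser (illustration only). Leading spaces are trimmed with
// at(0), which throws std::out_of_range as soon as the key is empty.
Cookies parse_cookies_unchecked(const std::string &header) {
    Cookies out;
    std::istringstream ss(header);
    std::string pair;
    while (std::getline(ss, pair, ';')) {
        auto eq = pair.find('=');
        std::string key = pair.substr(0, eq);
        std::string val = (eq == std::string::npos) ? "" : pair.substr(eq + 1);
        while (key.at(0) == ' ') key.erase(0, 1);  // key == "" for "=abc"
        out[key] = val;
    }
    return out;
}

// Bounds-checked variant: never indexes into an empty key. The value is kept
// under an empty name (a design choice here) so it can still be inspected.
Cookies parse_cookies_checked(const std::string &header) {
    Cookies out;
    std::istringstream ss(header);
    std::string pair;
    while (std::getline(ss, pair, ';')) {
        auto eq = pair.find('=');
        std::string key = pair.substr(0, eq);
        std::string val = (eq == std::string::npos) ? "" : pair.substr(eq + 1);
        auto first = key.find_first_not_of(' ');
        if (first == std::string::npos) key.clear();  // empty or all-space name
        else key.erase(0, first);
        out[key] = val;
    }
    return out;
}

// If nothing catches the exception, std::terminate aborts the process,
// which is the "exited on signal 6" seen in the log.
bool throws_out_of_range(const std::string &header) {
    try { parse_cookies_unchecked(header); }
    catch (const std::out_of_range &) { return true; }
    return false;
}

int main() {
    std::cout << "unchecked throws on \"=abc\": " << throws_out_of_range("=abc") << "\n";
    std::cout << "checked keeps value: " << parse_cookies_checked("=abc")[""] << "\n";
}
```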

Olament changed the title from 'Certain HTTP request cause ModSecurity to throw "string out of index" error' to 'Cookie with empty key will crash ModSecurity worker process' on May 6, 2021

Olament commented May 6, 2021

I just realized the issue is already fixed by 9cac167. However, because I am using the image owasp/modsecurity:latest, which was published 2 yrs ago, the problem is still there. I am wondering if there are any reasons for not redirecting the latest tag to the v3.04 build?


fzipi commented May 6, 2021

Hi @Olament, sorry to learn that you had problems with the docker image. If you take a look at https://github.com/coreruleset/modsecurity-docker, we deprecated that scheme because we have "two" latest, v2 with apache, and v3 with nginx. Feel free to open an issue there if you feel like it helps.


fzipi commented May 6, 2021

Proactively, and so others don't have the same problem, I've removed the latest tag. Now you need to choose a newer tag, please read the documentation!


fzipi commented May 6, 2021

@zimmerle I guess this one can be closed :)


Olament commented May 7, 2021

Thanks!

Olament closed this as completed May 7, 2021