Cookie with empty key will crash ModSecurity worker process #2566
Comments
I just realized the issue is already fixed by 9cac167. However, because I am using the image
Hi @Olament, sorry to learn that you had problems with the docker image. If you take a look at https://github.com/coreruleset/modsecurity-docker, we deprecated that scheme because we have "two" latest, v2 with apache, and v3 with nginx. Feel free to open an issue there if you feel like it helps.
Proactively, and so others don't have the same problem, I've removed the latest tag. Now you need to choose a newer tag, please read the documentation!
@zimmerle I guess this one can be closed :)
Thanks!
Describe the bug
The connection will be closed due to a "string index out of range" error under certain requests.
Logs and dumps
To Reproduce
Server:
ModSecurity v3 on Nginx 1.17 official base image
This vulnerability (CVE-2019-25043) was found by Microsoft WAFLab, an open-source web-based testing platform for the correctness of WAFs (Web Application Firewalls), especially ModSecurity and Core Rule Set. WAFLab is developed by senior researcher Yang Luo and his intern Zixuan Guo, both from the Networking Research Group, Microsoft Research Asia.
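An added example, not code from ModSecurity or from this thread: a C++ Cookie header parser that tolerates an empty key, the input class named in the issue title. The names `parse_cookie_header` and `trim` and the sample header are hypothetical, and because the page does not show the faulty code, this assumes the error comes from indexing into an empty name string.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical helper: strip leading and trailing spaces and tabs.
static std::string trim(const std::string &s) {
    const std::size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    const std::size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Parse a Cookie header value into (name, value) pairs.
// Pairs whose name is empty are dropped and counted in *skipped, so no
// later code ever indexes the first character of an empty string.
std::vector<std::pair<std::string, std::string>>
parse_cookie_header(const std::string &header, std::size_t *skipped) {
    std::vector<std::pair<std::string, std::string>> out;
    if (skipped) *skipped = 0;
    std::size_t pos = 0;
    while (pos <= header.size()) {
        std::size_t end = header.find(';', pos);
        if (end == std::string::npos) end = header.size();
        const std::string item = header.substr(pos, end - pos);
        pos = end + 1;
        const std::size_t eq = item.find('=');
        const std::string name =
            trim(eq == std::string::npos ? item : item.substr(0, eq));
        if (name.empty()) {
            // Empty key such as "=v" or " =v": name.at(0) would throw
            // std::out_of_range here, so check before any indexing.
            if (skipped && !trim(item).empty()) ++*skipped;
            continue;
        }
        out.emplace_back(
            name, eq == std::string::npos ? "" : trim(item.substr(eq + 1)));
    }
    return out;
}

int main() {
    std::size_t skipped = 0;
    // Constructed sample header with one empty-key pair in the middle.
    for (const auto &c : parse_cookie_header("a=1; =2; b=3", &skipped))
        std::cout << c.first << " -> " << c.second << "\n";
    std::cout << "skipped empty-key pairs: " << skipped << "\n";
}
```

Whether an empty-key pair is dropped, logged or causes the request to be rejected is a policy choice; the point is that the empty case is decided before the name is indexed.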