Vulnerable regexp in rule 933161 #1356
Comments
Hi @theMiddleBlue,
The ReDoS vulnerability in #1356, #1357 and #1358 is caused by a similar sub-pattern. This sub-pattern matches the following strings:
(anything)
/*anything*/(anything)
//anything(anything)
#anything(anything)
But it also matches the following:
/*anything//anything#anything*/anything/anything(anything)
Is it intended behavior? I would like to make this clear before you agree on this fix. Simply, the original fix goes for the longest match possible when looking for
If you're talking about 942330, it should be the intended behavior. Unlike what you reported on #1359, I'm not able to reproduce the issue. Any help on defining a ReDoS HTTP request that matches 942330?
@theMiddleBlue It might be due to the different regex engines we are using. There are tons of sub-patterns before
To confirm the exploit I submitted works, check out this test
Let the
One more thing, I
@spartantri What about this one?
This one is tricky; as mentioned in the comments, it aims to match different PHP injection evasion techniques.
Well, that means if the attacker entered
Hi @s0md3v,
just FYI, ModSecurity (ModSecurity2 and libmodsecurity3) uses pcre_exec(), which uses https://github.com/SpiderLabs/ModSecurity/blob/b5744183866042ea9a451858a843de3c012f63ef/src/utils/regex.cc#L77-L78
I've checked the patterns you gave (not all and not in both cases), but couldn't reproduce it. I'll check them later with configured systems.
@airween
I will update these issues with "working" exploit strings shortly. brb
This issue is referenced as CVE-2019-11389 by NIST. This issue is not directly exploitable in CRS / ModSecurity. Tested against ModSecurity 3.0.3 on Nginx 1.3.12.
Moved to #1493

The vulnerable regular expression is located in /crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf on line 642. The vulnerability is caused by nested repetition operators and intersecting alternate patterns. It can be exploited with the following string
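Added example, not code from this issue, the CRS project or ModSecurity: it illustrates the "nested repetition operators and intersecting alternate patterns" explanation above and the list of matched shapes in the first comment. The regex `NOISE_THEN_PAREN` is an assumption, a constructed toy model of the shape "comment or whitespace noise, repeated, then `(`"; it is not the actual regex of rule 933161, which this page does not quote, and the sample strings are constructed. Python's `re` stands in for the backtracking engine. The script counts, exactly, how many distinct ways the repeated group can consume each prefix of an input (a lower bound on the paths a backtracking engine must explore before it can report no match), then times the real engine on payloads of growing length so the two can be compared.

```python
"""Cost model for the ReDoS shape in this issue: nested repetition over
intersecting alternatives.  Constructed example, not CRS or ModSecurity code.

NOISE_THEN_PAREN is an assumption: a toy stand-in for the "comment or
whitespace noise, repeated, then an opening parenthesis" shape the thread
describes.  The page does not quote the real regex of rule 933161, and this
is not it.  Python's re is used as a stand-in backtracking engine.
"""
import re
import time

# Each alternative except \s ends in ".*", and "#", "//" and "/*" are all
# characters that ".*" can swallow too, so one string can be split between
# the alternatives and the repetitions in many different ways.
NOISE_THEN_PAREN = re.compile(r"(?:\s|/\*.*\*/|//.*|#.*)*\(")


def _is_noise_token(chunk: str) -> bool:
    """True if a single iteration of the noise group can consume exactly chunk."""
    if len(chunk) == 1 and chunk.isspace():                        # \s
        return True
    if chunk.startswith("/*") and chunk.endswith("*/") and len(chunk) >= 4:
        return "\n" not in chunk[2:-2]                              # /\*.*\*/
    if chunk.startswith("//"):
        return "\n" not in chunk[2:]                                # //.*
    if chunk.startswith("#"):
        return "\n" not in chunk[1:]                                # #.*
    return False


def parse_paths(text: str) -> list:
    """ways[i] = number of distinct ways the noise group can consume text[:i].

    A backtracking engine without memoisation tries every one of these partial
    parses and attempts "\\(" after each before it can give up on this start
    offset, so sum(ways) is a lower bound on its work when the match fails.
    """
    ways = [0] * (len(text) + 1)
    ways[0] = 1
    for i in range(1, len(text) + 1):
        ways[i] = sum(ways[j] for j in range(i)
                      if ways[j] and _is_noise_token(text[j:i]))
    return ways


def backtracking_work(text: str) -> int:
    """Lower bound on the paths a backtracking engine explores for .match(text)."""
    return sum(parse_paths(text))


def matches_by_model(text: str) -> bool:
    """Model's verdict for NOISE_THEN_PAREN.match(): some parse ends at a '('."""
    ways = parse_paths(text)
    return any(c == "(" and ways[i] > 0 for i, c in enumerate(text))


# Constructed samples following the shapes listed in the thread (the first
# four) plus two controls; the expected verdicts are for the toy pattern only.
SAMPLES = {
    "(anything)": True,
    "/*anything*/(anything)": True,
    "//anything(anything)": True,
    "#anything(anything)": True,
    "#anything\n(anything)": True,   # "#.*" stops at the newline, "\s" eats it
    "anything(anything)": False,     # leading text that is not noise
}


def model_agrees_with_engine() -> bool:
    """Cross-check: the hand-written model and re agree on every sample."""
    return all(bool(NOISE_THEN_PAREN.match(s)) == matches_by_model(s) == want
               for s, want in SAMPLES.items())


def redos_payload(n: int) -> str:
    """n '#' characters and no '(': every split of the run is a valid parse."""
    return "#" * n + "x"


def time_match(text: str, repeats: int = 3) -> float:
    """Best-of-n wall-clock time for the real engine on text (seconds)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        NOISE_THEN_PAREN.match(text)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    print("model agrees with re:", model_agrees_with_engine())
    print(f"{'n':>3} {'paths (lower bound)':>20} {'re.match seconds':>17}")
    for n in range(8, 17, 2):
        payload = redos_payload(n)
        print(f"{n:>3} {backtracking_work(payload):>20} {time_match(payload):>17.4f}")
```

Running it prints whether the model and `re` agree on the samples, then a table for n = 8..16: the path count for the `#` payload is 3·2^(n-1), and the measured time grows in step with it, roughly doubling per extra `#`. The payload deliberately never reaches a `(`: a successful match ends the search early, while a failure forces the engine through the whole enumeration, which is why a ReDoS string has to be shaped to miss. ModSecurity bounds this with PCRE match limits (SecPcreMatchLimit in ModSecurity 2), which abort the enumeration instead of finishing it, so a limited engine reports a match-limit error rather than hanging.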