This repository has been archived by the owner on May 14, 2020. It is now read-only.

Vulnerable regexp in rule 933180 #1357

Closed
s0md3v opened this issue Apr 15, 2019 · 3 comments

@s0md3v

s0md3v commented Apr 15, 2019

The vulnerable regular expression is located in /crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf on line 451. [Link]

The vulnerability is caused by nested repetition operators and can be exploited with the following string

$a##################################################
@theMiddleBlue
Contributor

Unlike what you reported on #1359 I'm not able to reproduce the issue. Any help on defining a ReDoS HTTP request that matches 933180?

@dune73
Contributor

dune73 commented Apr 28, 2019

This issue is referenced as CVE-2019-11391 by NIST.

This issue is not directly exploitable in CRS / ModSecurity.

Tested against ModSecurity 3.0.3 on Nginx 1.3.12.

curl -v "http://localhost" -d 'x=$a##################################################'

@fgsch fgsch changed the title ReDOS Vulnerability [High] (#3) Vulnerable regexp in rule 933180 Apr 29, 2019
@fgsch
Contributor

fgsch commented Oct 21, 2019

Moved to #1495

@fgsch fgsch closed this as completed Oct 21, 2019
@fgsch fgsch removed the PR available this issue is referenced by an active pull request label Oct 21, 2019