This repository has been archived by the owner on May 14, 2020. It is now read-only.
Vulnerable regexp in rule 933180 #1357
Comments
Unlike what you reported on #1359 I'm not able to reproduce the issue. Any help on defining a ReDoS HTTP request that matches 933180?

This issue is referenced as CVE-2019-11391 by NIST. This issue is not directly exploitable in CRS / ModSecurity. Tested against ModSecurity 3.0.3 on Nginx 1.3.12.

Moved to #1495
This was referenced May 13, 2020
The vulnerable regular expression is located in /crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf on line 451. [Link] The vulnerability is caused by nested repetition operators and can be exploited with the following string