Vulnerable regexp in rule 942260, 942490 (was: 942330) #1359
The vulnerable regular expression is located in
The vulnerability is caused by nested repetition operators and can be exploited with the following string
Thank you so much for reporting this! I'm testing it on my nginx + modsec3 and I confirm that it takes a lot of time to process a request like:
I'm creating a rule that drops a request if it contains repeating multiple characters. Based on your experience, what do you think about something like
Hi @theMiddleBlue,
I would like to patch all the 5 issues I have reported. I have opened a PR for the most critical one already.
There are two problems,
Intersecting alternate patterns
Both alternate patterns start with
In the second alternate pattern, the tokens
Nested repetition operators
The structure of this sub-pattern is
I will open a pull request to resolve this and the other issues shortly.
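A heuristic lint for the nested-repetition problem described in the comment above, as an added example that is not part of the original issue or of the CRS project's code: it walks Python's regex parse tree and reports how deeply unbounded quantifiers are nested. The rule ids and patterns are constructed samples, not the CRS regexes, and it assumes Python's parser accepts the PCRE syntax being audited.

```python
"""Heuristic lint: unbounded repetition nested inside unbounded repetition."""
try:                                   # Python 3.11+
    import re._parser as sre_parse
except ImportError:                    # older interpreters
    import sre_parse

REPEATS = (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT)
LOOKAROUND = (sre_parse.ASSERT, sre_parse.ASSERT_NOT)


def nested_repeats(pattern):
    """Return the deepest nesting level of unbounded quantifiers (*, +, {n,})."""
    def walk(sub, depth):
        worst = depth
        for op, av in sub:
            if op in REPEATS:
                _lo, hi, body = av
                # Bounded repeats such as {0,8} do not add a nesting level.
                inner = depth + 1 if hi == sre_parse.MAXREPEAT else depth
                worst = max(worst, walk(body, inner))
            elif op is sre_parse.SUBPATTERN:
                worst = max(worst, walk(av[-1], depth))
            elif op in LOOKAROUND:
                worst = max(worst, walk(av[1], depth))
            elif op is sre_parse.BRANCH:
                worst = max([worst] + [walk(alt, depth) for alt in av[1]])
        return worst
    return walk(sre_parse.parse(pattern), 0)


def audit(rules, max_depth=1):
    """Map rule id -> nesting depth for every pattern deeper than max_depth."""
    return {rid: d for rid, rx in rules.items()
            if (d := nested_repeats(rx)) > max_depth}


# Constructed sample patterns (hypothetical ids, not taken from the rule set).
RULES = {
    "example-nested": r"(?:\s*\w+\s*,?)+=",        # + wrapped around *, + and *
    "example-flat": r"\w+\s*=\s*\d+",              # quantifiers side by side
    "example-bounded": r"(?:\w{1,16},){0,8}\w+",   # outer repeat is bounded
}

if __name__ == "__main__":
    for rule_id, depth in audit(RULES).items():
        print(f"{rule_id}: unbounded quantifiers nested {depth} deep, review")
```

A depth above 1 is a reason to review a pattern, not proof that it backtracks catastrophically, and a depth of 1 does not clear overlapping alternatives.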
This issue is referenced as CVE-2019-11387 by NIST.
This issue is directly exploitable in CRS / ModSecurity with Paranoia Level 2 on ModSecurity 3 on NGINX (Tested against ModSecurity 3.0.3 on Nginx 1.3.12).
The issue is not directly exploitable on ModSecurity 2 thanks to PCRE match limit settings, which are very low by default.
The rule affected is
[EDIT: Updated comment from unconfirmed to confirmed.]
Reproduction with pcre2test based on known payload and the regex from 942490.
Sources before regexp::assemble: