SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

Vulnerable Regular Expressions in 942200 #1715

Closed DragonRegex closed 4 years ago

DragonRegex commented 4 years ago

Type of Issue

Potential Regex Denial of Service (ReDoS)

Description

  1. The vulnerable regular expression ,.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`] is located in util/regexp-assemble/regexp-942200.data on line 1 (Link). The ReDoS vulnerability of the regular expression is due to the sub-pattern .*?[)\da-f\"'`][\"'`][\"'`].*? and can be exploited with the following string ,'''''''''''''''''''''''''''''''''''''''''''''''''''!

  2. The vulnerable regular expression \Wselect.+\W*?from is located in util/regexp-assemble/regexp-942200.data on line 4 (Link) and rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf on line 730 (link). The ReDoS vulnerability of the regular expression is due to the sub-pattern .+\W*? and can be exploited with the following string #select##############################################!

dune73 commented 4 years ago

Thank you for reporting.

We can either (a) not reproduce your findings, or (b) they are prevented by the PCRE match limits, namely on ModSecurity 2.

While there are rules with severe ReDoS issues in CRS, the ones you report do not fall into this category from our point of view. We get reports like yours from time to time. Usually people just look at the regular expression and do not try it out on a real CRS installation. ModSec has prevention mechanisms and not everything that kills the PCRE engine is also killing ModSec.

If you are able to prove that you can DoS a real CRS installation with the payload above, then please report it via the channel described in our SECURITY.md file (DoS is security relevant and we would prefer to keep it private while we work on a fix).
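The reply's point is that a regex which looks risky on paper has to be measured rather than eyeballed. As an added example, not part of the issue thread and not CRS code, the following Python harness times re.search on the two expressions quoted in the report, using the payload shapes the report gives at growing lengths, and estimates how the cost scales. Python's re is a backtracking engine like PCRE but a different implementation with no match limit, so it is an indicator, not a reproduction of a ModSecurity deployment. The harness, the payload builders, the (a+)+$ reference pattern used as a contrast, and the "suspicious" threshold are my own assumptions.

```python
"""Added example: measure how regex match time scales for the patterns in CRS #1715.

Python's re module backtracks as PCRE does but is a different engine with no
match limit, so this indicates growth behaviour; it does not model ModSecurity.
"""
import math
import re
import time

# The two expressions quoted in the report, copied verbatim.
PATTERN_1 = re.compile(r",.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`]")
PATTERN_2 = re.compile(r"\Wselect.+\W*?from")

# Textbook catastrophic pattern, included only as a reference point (assumption).
PATTERN_EXP = re.compile(r"(a+)+$")


def payload_1(n: int) -> str:
    """Report's first payload shape: a comma, n single quotes, then a non-quote."""
    return "," + "'" * n + "!"


def payload_2(n: int) -> str:
    """Report's second payload shape: '#select', n '#' characters, then '!'."""
    return "#select" + "#" * n + "!"


def payload_exp(n: int) -> str:
    """Classic input for (a+)+$: n 'a's followed by a character that forces failure."""
    return "a" * n + "!"


def time_match(regex: re.Pattern, text: str, method: str = "search") -> float:
    """Wall-clock seconds for one regex.search()/match()/fullmatch() over text."""
    run = getattr(regex, method)
    start = time.perf_counter()
    run(text)
    return time.perf_counter() - start


def scaling(regex, make_input, sizes, budget=2.0, method="search"):
    """Time the regex at each size; stop early once one call exceeds budget seconds."""
    results = []
    for n in sizes:
        seconds = time_match(regex, make_input(n), method)
        results.append((n, seconds))
        if seconds > budget:
            break
    return results


def apparent_exponent(results):
    """Estimate k in time ~ n**k from the last two (n, seconds) measurements.

    Sub-millisecond timings are dominated by call overhead and treated as noise.
    """
    (n1, t1), (n2, t2) = results[-2], results[-1]
    if t1 <= 0.0 or t2 < 1e-3 or n1 >= n2:
        return 0.0
    return math.log(t2 / t1) / math.log(n2 / n1)


def classify(exponent: float, limit: float = 4.0) -> str:
    """Modest polynomial growth is 'bounded'; anything steeper is 'suspicious'.

    The limit is an assumption: the O(n**2) scans of the two CRS patterns give
    about 2, while exponential backtracking gives double digits.
    """
    return "suspicious" if exponent > limit else "bounded"


if __name__ == "__main__":
    cases = [
        ("942200 line 1, search", PATTERN_1, payload_1, [500, 1000, 2000, 4000], "search"),
        ("942200 line 1, fullmatch", PATTERN_1, payload_1, [500, 1000, 2000, 4000], "fullmatch"),
        ("942200 line 4, search", PATTERN_2, payload_2, [500, 1000, 2000, 4000], "search"),
        ("(a+)+$ reference, search", PATTERN_EXP, payload_exp, [14, 16, 18, 20], "search"),
    ]
    for name, regex, builder, sizes, method in cases:
        results = scaling(regex, builder, sizes, method=method)
        k = apparent_exponent(results)
        print(f"{name}: {classify(k)} (exponent ~{k:.1f})")
        for n, seconds in results:
            print(f"  n={n:<5d} {seconds * 1000:8.2f} ms")
```

With search, which is how a rule is applied to a request argument, the first payload simply matches after five characters and there is nothing to backtrack; only a fullmatch, which the rule does not do, forces the O(n^2) scan, and the second payload costs O(n^2) in search because .+ hands back one character at a time while \W*? rescans the rest. Both stay in the single-digit exponent range at these sizes, whereas the (a+)+$ contrast climbs into the teens between two consecutive sizes, which is the shape a real ReDoS report needs to show.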