Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

942310 regular suspected error

See original GitHub issue

Describe the bug

There may be a problem with [\“'`]\s+and\s*?=\W in the 942310 rule. You can view this part in the /util/regexp-assemble/regexp-942310.data file. By analyzing the regularity, There can only be \s between [\”'`] and and, and \w cannot be after and, such as " and =;, but I check related payloads such as: AND 1=1 AND '%'=' Unable to be hit, more related payloads can refer to: https://github.com/payloadbox/sql-injection-payload-list , https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/ . Maybe I didn’t find the corresponding detection payload, let’s take a look at it together~

Steps to reproduce

Expected behaviour

Actual behaviour

Additional context

Your Environment

CRS version v3.4/dev

CRS version (e.g., v3.2.0):
Paranoia level setting:
ModSecurity version (e.g., 2.9.3):
Web Server and version (e.g., apache 2.4.41):
Operating System and version:

Issue Analytics

State:
Created 2 years ago
Comments:21 (21 by maintainers)

Top GitHub Comments

1reaction

theseioncommented, Sep 5, 2021

I just spent some time with this too. The longer I look at it the more it seems to me that the expression contains at least one typo. For the expression to match there must be an engine accepting something like AND = which doesn’t make sense because there is no left hand side to the =. Unless there existed a “boolean compound assignment” somewhere (e.g. x := y AND= z).

While the idea of compound operators sounded promising at first, I haven’t been able to find any operator where the = is the the first of the two characters. In every dialect the = is always the last character of the compound operator. Even if there where such an operator, the observation above still holds: there would be no left hand side to the operator.

In conclusion, I think the odds of opening us up to an attack are slim (even if there were an exploit, it doesn’t seem to be widely known) and I think we should remove the expression.

Thanks @NiceYouKnow, these kinds of issues are so hard to find and we really need the support of CRS users to help us improve the quality of the rules.

1reaction

NiceYouKnowcommented, Aug 17, 2021

I looked up the relevant information and found nothing to match. https://github.com/payloadbox/sql-injection-payload-list https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

Top Results From Across the Web

Monthly Chat Agenda August 2021 (2021-08-02 and 2021-08-16 ...

Issue slot 1: Go Test WAF bypasses #1991 - pending; Issue slot 2: 942310 regular suspected error #2118 - pending; Issue slot 3:...

Errors when using Profile 2 with Date module [#1021512] | Drupal.org

Given the similarity of the error messages, I suspect it's the same problem. ... In short, after #942310: Field form cannot be attached...

Post-glacial reactivation of the Bollnäs fault, central Sweden

Abstract. Glacially induced intraplate faults are conspicu- ous in Fennoscandia where they reach trace lengths of up to 155km with estimated magnitudes up ......

Venson v. Vashaw, 2:20-CV-11865 | Casetext Search + Citator

Hall notified the Sex Crimes Unit about the alleged assault. ... criminal justice systems, not a substitute for ordinary error correction through appeal....

Rhino Screw Together 24:1/48:1 & 32:1/65:1 Pumps

Standard Cast Drum Follower Plate Assembly ... If you are injured or even suspect an injury: ... S Tell the doctor that you...