Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Vulnerable regexp in rule 932140

See original GitHub issue

_Issue originally created by user s0md3v on date 2019-04-15 16:03:37. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354._

The vulnerable regular expression is located in /crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf on line 404. [Link]

The vulnerability is caused by nested repetition operators and can be exploited with the following string

for/d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d/ %x in(x) dx

Issue Analytics

State:
Created 3 years ago
Comments:13

Top GitHub Comments

1reaction

CRS-migration-botcommented, May 13, 2020

User fgsch commented on date 2019-05-03 23:07:24:

We should correct the regexp regardless since the parameter can only appear once. I’ve commented on the PR, and hopefully after it’s updated we can merge it if there are no objections.

1reaction

CRS-migration-botcommented, May 13, 2020

User fgsch commented on date 2019-04-26 21:04:41:

From pcre:

  re> "for(?:\/[dflr].*)* %+[^ ]+ in\(.*\)\s?do"
data> for/d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d//d/ %x in(x) dx
Error -8 (match limit exceeded)