Vulnerable regexp in rule 933160

[s0md3v]

The vulnerable regular expression is located in /crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf on line 337. [Link]

The vulnerability is caused by nested repetition operators and can be exploited with the following string

set_error_handler########################################################

PS: For some reason, I was unable to reproduce it in Python engine but it works perfectly with PHP (Tested via RegexBuddy) and gives a complexity of about 2*n.

[theMiddleBlue]

Unlike what you reported on #1359 I'm not able to reproduce the issue. Any help on defining a ReDoS HTTP request that matches 933160?

[dune73]

This issue is referenced as CVE-2019-11390 by NIST.

This issues is not directly exploitable in CRS / ModSecurity.

Tested against ModSecurity 3.0.3 on Nginx 1.3.12.

curl -v "http://localhost" -d "x=set_error_handler########################################################"

[fgsch]

Moved to #1494