Hi, I've got a false positive with 950901, because the regexp lacks word boundary marks. I have prepared a little test suite for this (files attached).
pcre.orig - contains an original regexp of 950901
pcre      - contains a fixed regexp of 950901
data.*    - some test data

zito@bobek:~/pokusy/mod_security/bug-950901$ for x in *; do printf "%10s: %s\n" $x "$(cat $x)"; done
data.fail1: SID=875708633+FID=20+OP=DISPLAY_FORM+HTMPL=role_main.htmpl+prop.role_menubar=menubar_sd.htmpl
data.fail2: xxx1=1ffff
data.fail3: 1=1ffff
data.fail4: xxx1=1
   data.ok: foo yes=yes bar
      pcre: (?i:([\s'\"`´’‘\(\)]*?)\b([\d\w]++)([\s'\"`´’‘\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*?)\2\b|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*?)(?!\2)([\d\w]+)\b))
 pcre.orig: (?i:([\s'\"`´’‘\(\)]*?)([\d\w]++)([\s'\"`´’‘\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*?)(?!\2)([\d\w]+)))

zito@bobek:~/pokusy/mod_security/bug-950901$ pcregrep --color -f pcre.orig data.*
data.fail1:SID=875708633+FID=20+OP=DISPLAY_FORM+HTMPL=role_main.htmpl+prop.role_menubar=menubar_sd.htmpl
data.fail2:xxx1=1ffff
data.fail3:1=1ffff
data.fail4:xxx1=1
data.ok:foo yes=yes bar

zito@bobek:~/pokusy/mod_security/bug-950901$ pcregrep --color -f pcre data.*
data.ok:foo yes=yes bar

My attempt to fix the problem on GitHub, as a pull request:
https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/48

Cheers
--
Zito
bug-950901-tests.tar.bz2
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
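The pcregrep comparison above can be replayed without pcregrep. The Ruby script below is an added example, not part of the post or of the CRS project: Ruby's Onigmo engine supports the possessive `++`, the `\2` backreference and the `(?!\2)` lookahead that rule 950901 uses, so both of the post's patterns are embedded verbatim (read from strings the way `pcregrep -f` reads them from files). The five `data.*` strings are constructed samples copied from the listing; the helper names `flagged`, `false_positives` and `paired_identifier` are this example's own.

```ruby
# Added example (not from the post or the CRS project): replay the post's
# pcregrep comparison of rule 950901 before and after the \b fix.

# The pcre.orig pattern (no word boundaries), copied from the post.
RULE_950901_ORIG = Regexp.new(%q{(?i:([\s'\"`´’‘\(\)]*?)([\d\w]++)([\s'\"`´’‘\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*?)(?!\2)([\d\w]+)))})

# The pcre pattern with \b around the compared identifiers, copied from the post.
RULE_950901_FIXED = Regexp.new(%q{(?i:([\s'\"`´’‘\(\)]*?)\b([\d\w]++)([\s'\"`´’‘\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*?)\2\b|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*?)(?!\2)([\d\w]+)\b))})

# Constructed samples: the contents of the post's data.* files, keyed by file name.
SAMPLES = {
  "data.fail1" => "SID=875708633+FID=20+OP=DISPLAY_FORM+HTMPL=role_main.htmpl+prop.role_menubar=menubar_sd.htmpl",
  "data.fail2" => "xxx1=1ffff",
  "data.fail3" => "1=1ffff",
  "data.fail4" => "xxx1=1",
  "data.ok"    => "foo yes=yes bar",
}.freeze

# Names of the samples a rule pattern flags, in file order (what pcregrep prints).
def flagged(regex, samples = SAMPLES)
  samples.keys.select { |name| regex.match?(samples[name]) }
end

# Flagged samples that are benign by construction (data.fail*), i.e. false positives.
def false_positives(regex, samples = SAMPLES)
  flagged(regex, samples).grep(/\Adata\.fail/)
end

# The identifier (capture group 2) the rule paired with its right-hand side,
# or nil when the pattern does not match. Shows *why* a line was flagged:
# without \b the original pattern pairs "menubar" out of "role_menubar=menubar_sd"
# and "1" out of "xxx1=1ffff".
def paired_identifier(regex, input)
  m = regex.match(input)
  m && m[2]
end

if $PROGRAM_NAME == __FILE__
  { "pcre.orig" => RULE_950901_ORIG, "pcre" => RULE_950901_FIXED }.each do |name, regex|
    puts "#{name}: flags #{flagged(regex).join(', ')}"
    SAMPLES.each_key do |s|
      id = paired_identifier(regex, SAMPLES[s])
      puts "  #{s}: #{id ? "matched on '#{id}'" : 'no match'}"
    end
  end
end
```

Run it as `ruby rule_950901_check.rb` (any file name works). The original pattern flags all four `data.fail*` lines while the fixed one flags only `data.ok`, reproducing the two pcregrep runs; `paired_identifier` makes the cause visible, since the unanchored `([\d\w]++)` is free to start in the middle of a word such as `role_menubar` or `xxx1`.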