NINJA BLOG

Tóth Enikő | 2018.01.15.

Bugs discovered in ModSecurity and MongoDB PHP extension

Bugs are always hunting us. 
Recently we found some bugs during our work, but keep calm, they're not in the BitNinja agent. 😉 Let's see what we explored:

ModSecurity bug: empty comment line

In our WAF2.0 (beta will come soon) we implemented ModSecurity as well as OWASP's Core Rule Set (CRS). Recently, our developers found a strange bug in them.
CRS rule 913100 always caught the Chinese search engine Sogou because of a supposedly suspicious user agent:

spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm#07);

After checking the code, we didn't understand why the rule was triggered, because this user agent isn't listed as a suspicious one.
That's why we started to dig deeper. We tested the user agent with Postman and got the following results:

spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm#07); → triggers 913100
spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm07); → does not trigger 913100

So the agent was caught because it contains a # character. In the code, # marks a comment line, and @pmFromFile should ignore such lines during the examination. We figured out that the problem is with those comment lines that contain only a # and nothing else.
To solve this issue, we had to remove all the empty comment lines and reload this rule into our WAF2.0. Since then, we haven't experienced any problem with this Chinese search engine.
We've already reported this bug to ModSecurity but have received no reply yet, so we'll send it to OWASP too.
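The workaround described above can be checked before a rule reload. The following is an added example, not code from this post, ModSecurity or the CRS: it finds and removes bare # lines in a phrase file and uses a simplified loader model to reproduce the two Postman results. The sample data, the function names and the loader's treatment of a bare # as a phrase are assumptions made for illustration.

```python
# Added example: constructed data and a simplified loader model,
# not ModSecurity or CRS code.
SAMPLE_DATA = """\
# constructed sample phrase file
#
# scanners
nikto
sqlmap
#
"""
SOGOU_UA = "spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm#07);"


def find_bare_comment_lines(text):
    """Return 1-based numbers of lines that hold a '#' and nothing else."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if line.strip() == "#"]


def strip_bare_comment_lines(text):
    """Drop bare '#' lines; real comments and phrases stay untouched."""
    kept = [line for line in text.splitlines() if line.strip() != "#"]
    return "\n".join(kept) + "\n"


def load_phrases(text, bare_hash_is_phrase):
    """Simplified phrase loader.

    bare_hash_is_phrase=True is an ASSUMPTION that models what the post
    observed: a line holding only '#' behaves like the phrase '#'.
    False models the intended behaviour: every '#' line is a comment.
    """
    phrases = set()
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("#"):
            if bare_hash_is_phrase and line == "#":
                phrases.add("#")
            continue
        phrases.add(line.lower())
    return phrases


def matched_phrases(user_agent, phrases):
    """Case-insensitive substring match of each phrase against the UA."""
    ua = user_agent.lower()
    return sorted(p for p in phrases if p in ua)
```

Running find_bare_comment_lines over every data file referenced by a @pmFromFile rule after each ruleset update shows whether the empty comment lines have come back.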

We also found a bug in the MongoDB PHP extension.

MongoDB uses an object for dates, which is the UTCDateTime class in PHP. While using the ArrayHelper* we experienced the following problem:
The helper recursively explores all the elements of the objects, and when the foreach reached the UTCDateTime object, it couldn't advance from the first item to the next, which resulted in an infinite loop.
* used for converting documents from MongoDB to multi-dimensional arrays in the Yii2 PHP framework

// For example:
$document = $model::findOne(['user_id' => 12]);
// date_created is a UTCDateTime object
foreach ($document->date_created as $item) {
    var_dump($item);
    // Infinite loop!!!!!
}

The problem occurred in the following versions of the MongoDB PHP extension: 1.3.x and 1.4.0-beta1.
The latest version where we didn't experience this bug is 1.2.11.
The bug has been reported and was fixed very quickly.
Thanks for it! Hopefully, it'll be released soon.
