Bugs discovered in ModSecurity and MongoDB PHP extension
Eniko Toth


Bugs are always hunting us. 

Recently we found some bugs during our work, but keep calm, they're not in the BitNinja agent. ;) Let’s see what we explored:

ModSecurity bug: empty comment line

In our WAF2.0 (beta will come soon) we implemented ModSecurity as well as the OWASP Core Rule Set (CRS). Recently, our developers found a strange bug in them.

CRS rule 913100 always caught the Chinese search engine because of a suspicious user agent:

spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm#07);

After checking the code, we didn’t understand why the rule was triggered, because this user agent isn’t listed as a suspicious one.

That’s why we started to dig deeper. We tested the user agent with Postman and got the following results:

spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm#07); → triggers 913100
spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm07); → does not trigger 913100


So the agent was caught because it contains a # character. In the code, # marks a comment line, and @pmFromFile should ignore such lines during the examination. We figured out that the problem is with those comment lines that contain only a # and nothing else.

To solve this issue, we had to remove all the empty comment lines and reload this rule in our WAF2.0. Since then, we haven’t experienced any problems with this Chinese search engine.

We’ve already reported this bug to ModSecurity but have received no reply yet, so we’ll send it to OWASP too.
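
An added example (not from the original post and not ModSecurity code) that models the behaviour described above: a phrase-file loader that keeps a bare # line as a phrase flags the first user agent, and removing those lines stops it. The data-file contents, the function names and the faulty-loader model are assumptions constructed for illustration.

```python
# Constructed sample of a phrase file in the style @pmFromFile reads.
# The phrase entries are hypothetical, not the contents of the real CRS data file.
SAMPLE_DATA = """\
# Vulnerability scanners
#
examplescanner
testprobe
#
# Generic crawlers
samplecrawler
"""

def load_phrases(text, skip_bare_hash=True):
    """Return the phrases a loader would match against.

    skip_bare_hash=False models the faulty behaviour reported in the post
    (assumption): a line holding only '#' is kept as a phrase instead of
    being discarded as a comment.
    """
    phrases = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "#" and not skip_bare_hash:
            phrases.append(line)          # bare comment leaks in as a phrase
            continue
        if line.startswith("#"):
            continue                      # ordinary comment, ignored
        phrases.append(line.lower())
    return phrases

def matches(phrases, value):
    """Case-insensitive substring match, like the @pm family of operators."""
    value = value.lower()
    return [p for p in phrases if p in value]

def bare_comment_lines(text):
    """1-based numbers of lines that contain only '#': the lines to remove."""
    return [n for n, l in enumerate(text.splitlines(), 1) if l.strip() == "#"]

def strip_bare_comments(text):
    """The workaround from the post: drop lines that contain only '#'."""
    return "".join(l for l in text.splitlines(keepends=True) if l.strip() != "#")

# The two user agents tested in the post.
UA_HASH = "spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm#07);"
UA_PLAIN = "spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm07);"
```

Running `bare_comment_lines` over each data file referenced by a `@pmFromFile` rule lists the lines to delete before reloading the rule set.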


We also found a bug in the MongoDB PHP extension.

MongoDB uses an object for dates, which is the UTCDateTime class in PHP. While using the ArrayHelper* we experienced the following problem:

The helper recursively explored all the elements of the objects, and when the foreach reached the UTCDateTime object, it couldn’t move on from the 1st item to the next, which resulted in an infinite loop.

* used for converting documents from MongoDB to multidimensional arrays in the Yii2 PHP framework

// For example:

$document = $model::findOne(['user_id' => 12]);
// date_created holds the UTCDateTime object
foreach ($document->date_created as $item) {
    var_dump($item);
    // Infinite loop!
}

The problem occurred in the following versions of the MongoDB PHP extension: 1.3.x and 1.4.0-beta1. 

The latest version where we didn’t experience this bug is 1.2.11.


The bug has been reported and was fixed very quickly.

Thanks for it! Hopefully, it’ll be released soon.
