Bugs discovered in ModSecurity and MongoDB PHP extension

Bugs are always hunting us. 

Recently we found some bugs during our work, but keep calm, they’re not in the BitNinja agent. 😉 Let’s see what we found:

ModSecurity bug: empty comment line

In our WAF2.0 (beta will come soon) we implemented ModSecurity as well as the OWASP Core Rule Set (CRS). Recently, our developers found a strange bug in them.

CRS rule 913100 always caught the Chinese search engine because of a suspicious user agent:

spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm#07);

After checking the code, we didn’t understand why it had been triggered, because this user agent isn’t listed as a suspicious one.

That’s why we started to dig deeper. We tested the user agent with Postman and got the following results:

spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm#07); → triggers 913100
spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm07); → does not trigger 913100

So the agent was caught because it contains a # character. In the code, # marks a comment line, and @pmFromFile should ignore such lines during the examination. We figured out that the problem is with those comment lines which contain only a # and nothing else.

To solve this issue, we had to remove all the empty comment lines and reload this rule into our WAF2.0. Since then, we haven’t experienced any problems with this Chinese search engine.

We’ve already reported this bug to ModSecurity, but have received no reply yet, so we’ll send this bug to OWASP too.
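
The workaround above can be checked before a data file is loaded. The following Python sketch is an added example, not BitNinja's or ModSecurity's code: it lists lines that contain only #, strips them, and shows the effect on the two user agents tested above. The loader is an assumed model of the observed behaviour (a bare # ends up as a match phrase), and the data-file contents and function names are constructed for illustration.

```python
# Added illustration: a simplified model of phrase-file loading, not ModSecurity's code.

# Constructed sample data file (not the real CRS list).
SAMPLE_DATA = """\
# Vulnerability scanners
#
nikto
sqlmap
#
# Port scanners
masscan
"""

# The two user agents tested in the article.
UA_WITH_HASH = "spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm#07);"
UA_WITHOUT_HASH = "spider/4.0(+ http://www.sogou.com/docs/help/webmasters.htm07);"


def find_bare_comments(text):
    """Return 1-based line numbers of lines that contain only '#'."""
    return [n for n, line in enumerate(text.splitlines(), 1) if line.strip() == "#"]


def strip_bare_comments(text):
    """Apply the article's workaround: drop every line that is only '#'."""
    kept = [line for line in text.splitlines() if line.strip() != "#"]
    return "\n".join(kept) + "\n"


def load_phrases(text):
    """Assumed faulty loader: real comments are skipped, but a bare '#' becomes a phrase."""
    phrases = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("#") and len(line) > 1):
            continue
        phrases.append(line.lower())
    return phrases


def matches(phrases, value):
    """Case-insensitive substring match, as a phrase-match operator does."""
    value = value.lower()
    return sorted({p for p in phrases if p in value})


if __name__ == "__main__":
    print("bare '#' lines:", find_bare_comments(SAMPLE_DATA))
    print("before:", matches(load_phrases(SAMPLE_DATA), UA_WITH_HASH))
    print("after: ", matches(load_phrases(strip_bare_comments(SAMPLE_DATA)), UA_WITH_HASH))
```

Running find_bare_comments over each phrase file as part of a rule deployment check catches the problem before it produces false positives on legitimate crawlers.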

We also found a bug in the MongoDB PHP extension.

MongoDB uses an object for dates, which is the UTCDateTime class in PHP. While using the ArrayHelper*, we experienced the following problem:

The helper recursively explored all the elements of the objects, and when the foreach reached the UTCDateTime object, it couldn’t move on from the first item to the next, which resulted in an infinite loop.

* used for converting the documents from MongoDB to a multidimensional array in the Yii2 PHP framework

// For example:
$document = $model::findOne(['user_id' => 12]);
// date_created is a UTCDateTime object
foreach ($document->date_created as $item) {
    var_dump($item);
    // Infinite loop: the iteration never advances past the first item
}

The problem occurred in the following versions of the MongoDB PHP extension: 1.3.x and 1.4.0-beta1. 

The latest version where we didn’t experience this bug is 1.2.11.

The bug has been reported and was fixed very quickly.

Thanks for it! Hopefully, it’ll be released soon.