[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2021-33580: Apache Roller: regex injection leading to DoS
From:       Dave <snoopdave () gmail ! com>
Date:       2021-08-17 22:09:32
Message-ID: CAF1aazDWpE1kmRv92N2sGtH_B4OC0cJJVrK8qJfxvXt33s_B5A () mail ! gmail ! com
[Download RAW message or body]


Severity: Low: This attack will only work if Banned-words Referrer
processing is turned on in Roller and it is off-by-default.

Description:

User controlled `request.getHeader("Referer")`,
`request.getRequestURL()` and `request.getQueryString()` are used to
build and run a regex expression.

The attacker doesn't have to use a browser and may send a specially
crafted Referer header programmatically. Since the attacker controls
the string and the regex pattern he may cause a ReDoS by regex
catastrophic backtracking on the server side.


Mitigation:

This problem has been fixed in Roller 6.0.2. If you are not able to
upgrade then you can "work around" the problem.

If Banned-Words Referrer processing is enabled and you are concerned
about this type of attack then disable it.

In the Roller properties, set this property
site.bannedwordslist.enable.referrers=false

Credit:

Apache Roller would like to thank Ed Ra (https://github.com/edvraa)
for reporting this.


[prev in list] [next in list] [prev in thread] [next in thread]