Message-ID: <CAF1aazDWpE1kmRv92N2sGtH_B4OC0cJJVrK8qJfxvXt33s_B5A@mail.gmail.com>
Date: Tue, 17 Aug 2021 18:09:32 -0400
From: Dave <snoopdave@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-33580: Apache Roller: regex injection leading to DoS

Severity: Low: This attack will only work if Banned-words Referrer
processing is turned on in Roller, and it is off by default.

Description:

User-controlled `request.getHeader("Referer")`,
`request.getRequestURL()` and `request.getQueryString()` are used to
build and run a regular expression.

The attacker doesn't have to use a browser and may send a specially
crafted Referer header programmatically. Since the attacker controls
the string and the regex pattern he may cause a ReDoS by regex
catastrophic backtracking on the server side.
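The defensive shape of such a referer check, as an added illustration and not Roller's own code or its actual fix: the pattern is compiled once from the trusted word list with every entry escaped, the client-supplied string is only ever the subject of the match (never part of the pattern), and its length is bounded before the regex engine sees it. The banned words and length limit are constructed values.

```python
import re
from typing import Optional, Sequence

# Constructed banned-words list standing in for a site's configured list
# (hypothetical values, not Roller's defaults).
BANNED_WORDS: Sequence[str] = ["casino", "free-money", "c(heap)"]

# Upper bound on the request text handed to the matcher. The regex engine
# only ever sees a subject no longer than this, whatever the client sends.
MAX_SUBJECT_LEN = 2048


def build_banned_pattern(words: Sequence[str]) -> re.Pattern:
    """Compile ONE pattern from the trusted word list, escaping every entry.

    re.escape() turns an entry such as "c(heap)" into a literal, so a
    metacharacter in the configuration can neither break compilation nor
    introduce nested quantifiers. Request data never reaches this function.
    """
    alternatives = "|".join(re.escape(w) for w in words if w)
    return re.compile(alternatives, re.IGNORECASE)


BANNED_PATTERN = build_banned_pattern(BANNED_WORDS)


def referer_is_banned(referer: Optional[str],
                      pattern: re.Pattern = BANNED_PATTERN) -> bool:
    """Return True if a client-supplied string contains a banned word.

    The string is used ONLY as the subject of the match, never spliced into
    the pattern, and is truncated to a fixed length first, so regex syntax
    inside it is treated as plain data and cannot drive backtracking.
    """
    if not referer:
        return False
    subject = referer[:MAX_SUBJECT_LEN]
    return pattern.search(subject) is not None


def check_request(referer: Optional[str], request_url: Optional[str],
                  query_string: Optional[str]) -> bool:
    """Apply the same literal-only check to each of the three request values."""
    return any(referer_is_banned(s) for s in (referer, request_url, query_string))
```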


Mitigation:

This problem has been fixed in Roller 6.0.2. If you are not able to
upgrade then you can "work around" the problem.

If Banned-Words Referrer processing is enabled and you are concerned
about this type of attack then disable it.

In the Roller properties, set this property:
site.bannedwordslist.enable.referrers=false

Credit:

Apache Roller would like to thank Ed Ra (https://github.com/edvraa)
for reporting this.
