ModSecurity v3 affected by DoS (CVE-2020-15598)

Posted by Christian Folini on Sep 15

ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the
global matching of regular expressions. The combination of a non-anchored
regular expression and the ModSecurity “capture” action can be exploited via a
specially crafted payload.

While ModSecurity v2.x used to quit the execution of a regular expression
after the first match, ModSecurity v3.0.x silently changed the behavior to
global matching. This results in a…
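An added example, not part of the advisory or of ModSecurity's own code: a small Python audit that lists the rules in a rule file which combine the `capture` action with an `@rx` pattern that is not anchored at its start, the combination the advisory names. The sample rules are constructed, and treating a leading `^` or `\A` as "anchored" is an assumption of this sketch.

```python
import re

# Constructed sample rules for illustration; not from any real rule set.
SAMPLE_RULES = r'''
SecRule ARGS "@rx (?i)select.+from" "id:1001,phase:2,deny,capture,msg:'sqli'"
SecRule ARGS "@rx ^[a-z0-9]{1,32}$" "id:1002,phase:2,pass,capture"
SecRule REQUEST_URI "@rx admin" "id:1003,phase:1,deny"
SecRule ARGS "foo\d+" "id:1004,phase:2,pass,capture"
SecRule ARGS "@contains foo" "id:1005,phase:2,pass,capture"
'''

QUOTED = r'"((?:[^"\\]|\\.)*)"'
RULE_RE = re.compile(r'^\s*SecRule\s+\S+\s+' + QUOTED + r'\s+' + QUOTED, re.M)


def is_anchored(pattern):
    """Assumption of this sketch: anchored means it starts with ^ or \\A."""
    body = re.sub(r'^(?:\(\?[a-zA-Z]+\))+', '', pattern)  # skip (?i) etc.
    return body.startswith('^') or body.startswith('\\A')


def find_risky_rules(text):
    """Return (rule id, pattern) for capture + start-unanchored @rx rules."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join backslash-continued lines
    hits = []
    for operator, actions in RULE_RE.findall(text):
        m = re.match(r'!?@(\w+)\s*(.*)', operator, re.S)
        # A SecRule with no explicit operator defaults to @rx.
        name, pattern = m.groups() if m else ('rx', operator.lstrip('!'))
        if name != 'rx':
            continue
        if 'capture' not in [a.strip() for a in actions.split(',')]:
            continue
        if not is_anchored(pattern):
            rule_id = re.search(r'\bid:\'?(\d+)', actions)
            hits.append((rule_id.group(1) if rule_id else '?', pattern))
    return hits


if __name__ == '__main__':
    for rule_id, pattern in find_risky_rules(SAMPLE_RULES):
        print(f'rule {rule_id}: capture with unanchored @rx: {pattern}')
```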
