Impact
After discovering the GHSA-859r-vvv8-rm8r vulnerability, we reviewed and investigated other actions to uncover similar issues.
During this code review we found a similar issue: the sanitiseArg (and sanitizeArg, which is the same action under an alias) action's behaviour is the same, except that in the case of this action the rule writer must pass an argument to the action, e.g.
SecRule ... "...,sanitiseArg:password..."
where only the passed argument will be sanitised. See the reference:
https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg
Patches
A patch is available and will be applied soon. The new version (2.9.10) will contain it.
Workarounds
If none of the rules contain the sanitiseArg (or sanitizeArg) action, then the engine is not affected. Otherwise no workaround is known.
References
Not yet.
How to reproduce
Consider a rule:
SecRule ARGS "@rx \d{3,6}" "phase:2,id:1,log,capture,block,sanitiseArg:password"
and a request:
curl -v -X POST -d "password=12345&password=12345&password=12345" http://localhost:80/
For example, if the number of arguments named password is 500, the engine will store their names in memory 500 * 500 times, which is 250 000 copies.