Incomplete JSON parsing => security vulnerability

[marcstern]

** Content was removed by @zimmerle on 2017-Sep-27

[zimmerle]

Dear @marcstern,

Regardless of the content, do you really think that it is a good idea to publish a possible security bypass on GitHub ?

[marcstern]

In this case, there is very few information an attacker can use.
In case you have a vulnerability in your application in a JSON request without JSON object, then ModSecurity doesn't protect you. Point There is no way to use that info to tweak an attack to bypass ModSecurity.
This disclosure doesn't introduce an additional risk

[marcstern]

I created a (one line) pull request for this: #1577

[marcstern]

Remark: In my patch, I used an empty ARG name. This looks the most logical approach; however, in a strict environment, you should have a rule forbidding (for non-JSON requests) an empty ARG name.
You obviously have the possibility to fine-tune your rule to not apply it to JSON requests but, if this syntax is totoally usual (but is it really?), then we may use a non-empty name (ex: "unnamed") to not trigger that kind of problem.
Any experience with this syntax (in any direction)?

[marcstern]

This patch is trivial and has a high value, why not adding it in the 2.9 trunk?

[zimmerle]

I think you meant to make this comment on the related pull request, not in this issue. The pull request can be found at #1577. The pull request is under review, it will be merged once the review is done.

[zimmerle]

This is already fixed in v3.0. The solution adopted is different from the ticket #1577. In v3 the json parser understands the array structures into array_n format, where "n" is the position of the element. Also, we moved from string concatenation to a stack structure making the implementation more robust. Fix is still pending for v2.

[zimmerle]

Thanks @marcstern.

Merged as part of: 9b6d4b2 and 25e5543.