ModSecurity Web Application Firewall Bypass Vulnerability

CVSScvssV3_1: 8.6

ModSecurity is a popular open source web application firewall (WAF) that helps protect websites from malicious attacks. However, a vulnerability was discovered that allows attackers to bypass its protections.

The issue stems from how ModSecurity handles URLs before passing them to backend applications. It decodes encoded characters in the URL path before separating it from the query string. This causes an inconsistency with how backend apps normally interpret URLs.

Attackers can take advantage of this by hiding malicious code in the URL path using encoding. They craft a specially formatted URL that the WAF rules can’t detect as dangerous because the encoded payload isn’t seen as a threat. But when the backend app receives the full URL, it gets decoded and the hidden attack payload is revealed.

This vulnerability could allow attackers to bypass the WAF and carry out attacks like SQL injection on backend databases if they are configured to use URL paths unsafely.

ModSecurity has released an update to fix this problem. If you use this WAF, be sure to upgrade to version 3.0.12 or later as soon as possible to close this security hole. Also make sure your backend apps properly sanitize any inputs from URLs to avoid being vulnerable. Staying on top of patches is key to keeping your site protected from these kinds of technical bypass techniques.