CVE-2024-1019: Exposing ModSecurity’s Critical WAF Bypass Flaw
In the world of web application security, ModSecurity has long been a good choice for defending against cyber threats. Developed by Trustwave’s SpiderLabs, this open-source web application firewall (WAF) engine supports Apache, IIS, and Nginx. It’s known for its potent event-based programming language, adept at protecting web applications from a myriad of attacks. It also excels in HTTP traffic monitoring, logging, and real-time analysis.
Recently, a significant vulnerability in ModSecurity versions 3.0.0 to 3.0.11, identified as CVE-2024-1019, has surfaced. This flaw, with a CVSS score of 8.6, poses a serious risk by allowing a WAF bypass for path-based payloads in request URLs. The core of the issue lies in ModSecurity’s handling of URL decoding, specifically how it decodes percent-encoded characters in URLs before separating the URL path from the query string. This process diverges from the practices of RFC-compliant back-end applications, creating an impedance mismatch.
Attackers can exploit CVE-2024-1019 by crafting request URLs with percent-encoded question marks (“%3F”). When ModSecurity decodes these URLs, it mistakenly identifies the position of the query component, thus allowing the attacker to strategically place a payload in the URL path to evade ModSecurity’s rules designed for path component inspection.
This issue notably affects the ModSecurity variables REQUEST_FILENAME and REQUEST_BASENAME, which are used for path inspection. Consequently, rules relying on these variables may be rendered ineffective against this exploit.
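The ordering problem described above can be reproduced with a few lines of Python. This is an added example, not ModSecurity's code: the function names and sample request targets are constructed, and the decode-first function is a simplified model of the behaviour the advisory describes.

```python
from urllib.parse import unquote


def path_decode_then_split(uri: str) -> str:
    """Simplified model of the affected order: decode first, then cut at '?'."""
    return unquote(uri).split("?", 1)[0]


def path_split_then_decode(uri: str) -> str:
    """RFC 3986 order: cut at the first literal '?', then decode the path."""
    return unquote(uri.split("?", 1)[0])


def basename(path: str) -> str:
    """Last path segment, the part a REQUEST_BASENAME-style rule would inspect."""
    return path.rsplit("/", 1)[-1]


def path_views_differ(uri: str) -> bool:
    """True when the two parsing orders disagree about where the path ends."""
    return path_decode_then_split(uri) != path_split_then_decode(uri)


def audit(uris):
    """Return the request targets whose path a decode-first parser would truncate."""
    return [u for u in uris if path_views_differ(u)]


# Constructed request targets (not taken from real traffic).
SAMPLE_URIS = [
    "/files/report.txt?x=1",          # ordinary query string: both orders agree
    "/files/a%3Fb/report.txt?x=1",    # encoded '?' inside the path
    "/files/a%3fb/report.txt",        # lowercase hex, no real query string
    "/files/a%253Fb/report.txt",      # double-encoded: one decode pass leaves '%3F'
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        early = path_decode_then_split(uri)
        rfc = path_split_then_decode(uri)
        flag = "MISMATCH" if early != rfc else "ok"
        print(f"{flag:8} {uri}\n    decode-first path: {early!r} (basename {basename(early)!r})"
              f"\n    RFC-order path:    {rfc!r} (basename {basename(rfc)!r})")
```

Running `audit()` over logged request targets shows which requests a path rule on an affected version would have inspected only in truncated form.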
Users and integrators of ModSecurity are strongly advised to upgrade to version 3.0.12, which addresses this vulnerability. It’s important to note that the ModSecurity v2 release line, specifically v2.9.x, remains unaffected by this flaw.