OWASP Coraza WAF Request Filename Parsing Vulnerability Leading to Rule Bypass
Vulnerability
A vulnerability exists in OWASP Coraza WAF versions through 3.3.2, where requests to URIs beginning with '//' are not correctly parsed. This parsing error results in an incorrect 'REQUEST_FILENAME' value, which can lead to a bypass of security rules. For instance, a request to '//bar/uploads/foo.php?a=b' would set 'REQUEST_FILENAME' to '/uploads/foo.php', potentially allowing malicious activity to go undetected.
Impact
This vulnerability could be exploited to bypass specific security rules that rely on the 'REQUEST_FILENAME' variable, creating opportunities for unauthorized actions or access.
Reproduction
The vulnerability can be reproduced by sending a request whose URI starts with '//'. Coraza WAF will incorrectly parse the URI, leading to an erroneous 'REQUEST_FILENAME' value. This can be tested using a simple Go program that sets up a Coraza WAF instance, processes a URI with double slashes, and checks the resulting 'REQUEST_FILENAME' variable.
Remediation
Users can upgrade to Coraza WAF version 3.3.3 or later, where this vulnerability has been fixed.
