Potential code vulnerabilities

Daretary · December 15, 2023, 06:26:45 PM

I ran the SMF code through the new scanner.

And here's what I've found so far:

The Regular expression Denial of Service attack takes advantage of the fact that most regular expression implementations can reach extreme values that cause them to run very slowly (exponentially with the size of the input data).

Possible risk
An attacker could cause a program using a regular expression (Regex) to enter these extreme conditions and then hang for a very long time. The CVSS severity level of ReDoS is Medium.

https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

Daretary · December 15, 2023, 06:40:29 PM

I don't think you should open the thread for public review.
If you want, I will continue. Let only moderators see.
I'll wait for the answer.

Aleksi "Lex" Kilpinen · December 15, 2023, 06:57:25 PM

Thank you for reporting your findings. This has been hidden from public until the devs have had a chance to evaluate this.

In the future I would ask that you use the private reporting options either here https://www.simplemachines.org/about/smf/security.php or on Github.

Sesquipedalian · December 15, 2023, 07:55:33 PM

This warning is bogus. That regular expression is a very simple one. It has no branches, recursion, or any of the other ways that regular expressions can possibly hang. This scanner that you are using appears to be simultaneously dumb and paranoid.

Daretary · December 15, 2023, 07:58:05 PM

Okay, I won't post any other items.

m4z · December 17, 2023, 05:26:58 AM

What is the name/origin of "the new scanner"?

News:

Potential code vulnerabilities

Daretary

Daretary

Aleksi "Lex" Kilpinen

Sesquipedalian

Daretary

m4z