Move 941310 from PL1 to PL2 #2014

franbuehler · 2021-02-18T08:46:55Z

This PR is a proposal for issue #1942. We can discuss there if this is the correct solution.
This PR moves rule 941310 from PL1 to PL2, because it has a lot of false positives with Russian letters and German Umlaute.

franbuehler · 2021-03-01T20:38:50Z

Meeting decision March: #2008 (comment):
@airween volunteers to review this PR after @franbuehler provided a curl example.

dune73 · 2021-04-02T16:14:50Z

@franbuehler did you send the curl example to @airween directly or did this get lost?

franbuehler · 2021-04-02T16:35:14Z

@dune73, I was not able to find a curl example. I tried to reproduce it in the browser with the application where I found the false positives in the log. I also tried with Max explanation but it does not work for me. My environment seems to encode the correct way.
See the linked issue.

dune73 · 2021-04-02T17:03:56Z

Thank you. I propose we leave this PR open for a bit longer until your discussion with @thesion is over in issue #1942.

dune73 · 2021-06-06T19:17:33Z

Time to put this back on the table?

franbuehler · 2021-06-07T19:58:24Z

Meeting decision June (#2074 (comment)):
@franbuehler and @theseion will discuss on their call if this PR should still be merged

franbuehler · 2021-07-05T15:51:29Z

I would close this PR here for 2 reasons:

We have the new chained rule from PR Use chained end tag detection for rule 941310 #2107 at PL1 (PL1 is my proposal), which also has a good coverage of the attack.
The vulnerability is rare because it only appears on an incorrectly configured Tomcat. I would not risk a possible FP at PL2 for this rare vulnerability.

As always: other opinions welcome.

franbuehler · 2021-07-05T19:28:09Z

We agree on closing this PR here. PR #2107 solves the problem.
Monthly chat meeting July:
#2141 (comment)

franbuehler added 2 commits February 18, 2021 08:44

Move 941310 from PL1 to PL2

d675fb3

Move 941310 from PL1 to PL2

a828456

franbuehler linked an issue Feb 18, 2021 that may be closed by this pull request

Rule 941310: false positive for Russian letters "м" and "о" #1942

Closed

dune73 mentioned this pull request Mar 1, 2021

Monthly Chat Agendas March (2021-03-01 and 2021-02-15) Meeting Agenda #2008

Closed

franbuehler self-assigned this Mar 1, 2021

dune73 mentioned this pull request Apr 2, 2021

Monthly Chat Agendas April (2021-04-05 and 2021-04-19) Meeting Agenda #2051

Closed

dune73 marked this pull request as draft April 2, 2021 17:04

dune73 mentioned this pull request May 3, 2021

Monthly Chat Agendas May (2021-05-03 and 2021-05-17) Meeting Agenda #2053

Closed

franbuehler marked this pull request as ready for review May 3, 2021 20:03

dune73 mentioned this pull request Jun 3, 2021

Monthly Chat Agenda June (2021-06-07 and 2021-06-21) #2074

Closed

dune73 added the 👀 Needs action label Jun 6, 2021

dune73 mentioned this pull request Jul 2, 2021

Monthly Chat Agenda July (2021-07-05 and 2021-07-19) #2141

Closed

franbuehler closed this Jul 5, 2021

franbuehler deleted the fix-fp-941310 branch July 31, 2023 13:29

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Move 941310 from PL1 to PL2 #2014

Move 941310 from PL1 to PL2 #2014

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Move 941310 from PL1 to PL2 #2014

Move 941310 from PL1 to PL2 #2014

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!