=====================================================================
CERT-Renater Information Note No. 2021/VULN404
_____________________________________________________________________

DATE : 19/08/2021
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Roller versions prior to 6.0.2.
=====================================================================

http://mail-archives.apache.org/mod_mbox/roller-user/202108.mbox/%3cCAF1aazDhX_-7tEyBSLgPGcWkSZYAmM_gOaKTtiLSY0MDKdBMJg@mail.gmail.com%3e
_____________________________________________________________________

Severity:
Low. This attack will only work if Banned-words Referrer processing is
turned on in Roller, and it is off by default.

Description:
The user-controlled values `request.getHeader("Referer")`,
`request.getRequestURL()` and `request.getQueryString()` are used to build
and run a regular expression. The attacker does not have to use a browser
and may send a specially crafted Referer header programmatically. Since
the attacker controls both the input string and the regex pattern, they
can cause a ReDoS through catastrophic backtracking on the server side.

Mitigation:
This problem has been fixed in Roller 6.0.2. If you are not able to
upgrade, you can work around the problem: if Banned-Words Referrer
processing is enabled and you are concerned about this type of attack,
disable it. In the Roller properties, set:

    site.bannedwordslist.enable.referrers=false

Credit:
Apache Roller would like to thank Ed Ra (https://github.com/edvraa) for
reporting this.

=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41           +
+ 75013 Paris             | email: cert@support.renater.fr +
=========================================================
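The construction flaw the advisory describes, shown as an added illustration that is neither Roller's code nor part of this note: a same-site referrer check that builds its regex from the request URL and query string, first by raw concatenation (request-derived metacharacters become pattern syntax) and then with each fragment quoted and length-capped. Written in Python rather than Java for brevity; the function names, the `MAX_VALUE_LEN` cap and the logging heuristic are assumptions.

```python
import re

# Constructed example modelled on the advisory's description: a same-site
# referrer check whose regex is assembled from request-derived values.
# Not Roller's own code; names and limits are assumptions.

MAX_VALUE_LEN = 2048  # assumed cap on any value that reaches the regex engine


def unsafe_referrer_pattern(request_url: str, query_string: str) -> re.Pattern:
    """Vulnerable construction: the request URL and query string go straight
    into the pattern, so any regex metacharacters they carry become syntax
    that the caller never intended."""
    return re.compile("^" + request_url + r"(\?" + query_string + ")?$")


def safe_referrer_pattern(request_url: str, query_string: str) -> re.Pattern:
    """Hardened construction: each request-derived fragment is quoted with
    re.escape so it can only match itself, and overlong values are rejected
    before any pattern is compiled."""
    for value in (request_url, query_string):
        if len(value) > MAX_VALUE_LEN:
            raise ValueError("request value too long for referrer check")
    return re.compile(
        "^" + re.escape(request_url) + r"(\?" + re.escape(query_string) + ")?$"
    )


def is_self_referrer(pattern: re.Pattern, referer: str) -> bool:
    """True when the Referer header points back at the request URL itself."""
    if len(referer) > MAX_VALUE_LEN:  # never hand an oversized string to the engine
        return False
    return pattern.match(referer) is not None


# Regex syntax characters that have no place in a plain URL; a Referer or
# query string carrying several of them is worth logging (assumed heuristic).
REGEX_SYNTAX = set("()[]{}*+?|\\")


def regex_syntax_count(value: str) -> int:
    """Count regex syntax characters in a header value, for logging/alerting."""
    return sum(1 for ch in value if ch in REGEX_SYNTAX)


if __name__ == "__main__":
    url = "http://blog.example/entry."
    # The unescaped '.' matches any character; the escaped one only a literal '.'
    print(is_self_referrer(unsafe_referrer_pattern(url, ""), url[:-1] + "X"))
    print(is_self_referrer(safe_referrer_pattern(url, ""), url[:-1] + "X"))
```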