Too broad regex in gb_liferay_detect.nasl causing version misgrab

In gb_liferay_detect.nasl the version grabbing regex pattern "Liferay-Portal: (Liferay ([^0-9]+)([0-9.]+))( (CE|EE|DE|DXP))?( ([GA0-9]+))?" has trouble parsing Liferay server headers that do not advertise any version (something that can be optionally set in a config element https://liferay.dev/forums/-/message_boards/message/68326822).

The current regex causes the grab to wrap over other HTTP headers resulting in the “version” including arbitrary data.

Example of a header causing this:

HTTP/1.1 200
Server: apache
Date: Mon, 22 Jun 2022 20:23:52 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1234
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Liferay-Portal: Liferay Digital Experience Platform
ETag: "0"
Strict-Transport-Security: max-age=3600

This will result in a match up to the "0" from the ETag header, and thus the version grabbed will include HSTS header data (typically here it'll end up being 3600).

The problematic part in the regex is probably [^0-9]+ that seems to include the newline of HTTP headers (probably because it's different from the OS POSIX newline?) and results in a multiline match.

It probably can be changed for a more restrictive match, for instance [a-zA-Z ]+ that would work equally well for current cases.

1 Like
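To make the overmatch reproducible outside the scanner, here is an added example (not part of the report above and not code from gb_liferay_detect.nasl or the Greenbone feed) that runs the reported pattern and the proposed narrower one over a constructed header block. Python's `re` module stands in for NASL's regex engine; the key property it shares is that a negated class such as `[^0-9]` also matches CR and LF, which is exactly what lets the match run into the next header line. The header strings, the second versioned sample and the helper name `grab_version` are all assumptions made for the example.

```python
import re

# Constructed response headers modelled on the ones in the report: the
# Liferay-Portal header carries no version, and a digit first appears in
# the following ETag header.
UNVERSIONED_HEADERS = (
    "HTTP/1.1 200\r\n"
    "Server: apache\r\n"
    "Date: Mon, 22 Jun 2022 20:23:52 GMT\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 1234\r\n"
    "Connection: keep-alive\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1\r\n"
    "Liferay-Portal: Liferay Digital Experience Platform\r\n"
    'ETag: "0"\r\n'
    "Strict-Transport-Security: max-age=3600\r\n"
)

# Constructed headers for a server that does advertise its version, used to
# confirm the narrower pattern still extracts the same fields as before.
VERSIONED_HEADERS = (
    "Liferay-Portal: Liferay Community Edition Portal 7.3.5 CE GA6\r\n"
    'ETag: "0"\r\n'
)

# The pattern currently in the detection script, as quoted in the report.
BROAD_PATTERN = (
    r"Liferay-Portal: (Liferay ([^0-9]+)([0-9.]+))"
    r"( (CE|EE|DE|DXP))?( ([GA0-9]+))?"
)

# The report's suggestion: restrict the product-name class to letters and
# spaces so it can never consume a line break.
RESTRICTED_PATTERN = (
    r"Liferay-Portal: (Liferay ([a-zA-Z ]+)([0-9.]+))"
    r"( (CE|EE|DE|DXP))?( ([GA0-9]+))?"
)


def grab_version(headers: str, pattern: str):
    """Apply a version-grab pattern to raw headers.

    Returns None when nothing matches, otherwise a dict with the captured
    product name, version, edition and build plus a flag telling whether
    the match crossed a line boundary (the bug the report describes).
    """
    m = re.search(pattern, headers)
    if m is None:
        return None
    return {
        "product": m.group(2),
        "version": m.group(3),
        "edition": m.group(5),   # None when no edition suffix was present
        "build": m.group(7),     # None when no GA/build suffix was present
        "spans_lines": "\n" in m.group(0),
    }


if __name__ == "__main__":
    print("broad, no version advertised:",
          grab_version(UNVERSIONED_HEADERS, BROAD_PATTERN))
    print("restricted, no version advertised:",
          grab_version(UNVERSIONED_HEADERS, RESTRICTED_PATTERN))
    print("restricted, version advertised:",
          grab_version(VERSIONED_HEADERS, RESTRICTED_PATTERN))
```

With the broad pattern, the product group swallows the CRLF and the start of the ETag line and the "version" becomes the `0` from the ETag value; with the restricted class, the same headers simply produce no match (so the detection can fall back to "version unknown" rather than reporting garbage), while a header that does carry a version is still parsed into version, edition and build as before. A fix that also anchors the pattern to a single line, for example by excluding `\r` and `\n` explicitly, would be the defensive choice if product names are ever expected to contain characters other than letters and spaces.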

Hi there,

thanks for reporting this issue! A fix will be provided in the next couple of days.

Cheers,
Ad

2 Likes