ModSecurity icon indicating copy to clipboard operation
ModSecurity copied to clipboard
verified publisher icon owasp-modsecurity

Stack overflow in pcre.dll

Open skvoboo-gh opened this issue 4 months ago • 10 comments

Describe the bug

Log Name:      Application
Source:        Application Error
Date:          20/08/2025 7:23:13 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      dev.synrg.com.au
Description:
Faulting application name: w3wp.exe, version: 10.0.17763.1, time stamp: 0xcfdb13d8
Faulting module name: pcre.dll, version: 0.0.0.0, time stamp: 0x6853c858
Exception code: 0xc00000fd
Fault offset: 0x000000000001102e
Faulting process id: 0xa38
Faulting application start time: 0x01dc11b408a9a638
Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: C:\Program Files\IIS\ModSecurity\pcre.dll
Report Id: 1a12a21f-9522-430e-be5a-427c0732b1db
Faulting package full name: 
Faulting package-relative application ID:

Logs and dumps

Stack overflow exception Image

Call stack Image

PCRE version: 8.45

To Reproduce

Log in to Umbarco Backoffice: https://example.com/umbraco.

Expected behavior

There are no Application errors.

Server (please complete the following information):

  • ModSecurity version (and connector): ModSecurity v2.9.12
  • WebServer: IIS
  • OS (and distro): Windows

Rule Set (please complete the following information): OWASP CRS 4.14.0

skvoboo-gh avatar Aug 22 '25 04:08 skvoboo-gh

The issue appears to be caused by an outdated version of PCRE 8.45 used when building ModSecurity v2 on Windows.

skvoboo-gh avatar Aug 22 '25 05:08 skvoboo-gh

Hi @skvoboo-gh,

do you see anything else in any log? If yes, please share that with us in e-mail ([email protected]) and not here.

airween avatar Aug 22 '25 09:08 airween

do you see anything else in any log?

Nothing.

I see interesting PR But nothing changed in the Windows build system:

  1. build_dependencies.bat
  2. Makefile.win

skvoboo-gh avatar Aug 22 '25 10:08 skvoboo-gh

Could you try to add an extra argument to this line, so the line should be like this:

DEFS = /nologo /O2 /LD /W3 /wd4244 /wd4018 -DWITH_YAJL -DWIN32 -DWINNT -Dinline=APR_INLINE -DAP_DECLARE_STATIC -D_MBCS -D$(VERSION) -DWITH_PCRE

or optionally:

DEFS = /nologo /O2 /LD /W3 /wd4244 /wd4018 -DWITH_YAJL -DWIN32 -DWINNT -Dinline=APR_INLINE -DAP_DECLARE_STATIC -D_MBCS -D$(VERSION) -DWITH_PCRE -DWITH_PCRE_JIT -DWITH_PCRE_STUDY

airween avatar Aug 22 '25 11:08 airween

-DWITH_PCRE forces the use of PCRE1

skvoboo-gh avatar Aug 22 '25 11:08 skvoboo-gh

Yes. But all occurrences use old PCRE, eg this, this and this.

airween avatar Aug 22 '25 12:08 airween

The issue will not be solved until you change the PCRE version required to build ModSecurity v2 on Windows.

skvoboo-gh avatar Aug 22 '25 12:08 skvoboo-gh

The issue will not be solved until you change the PCRE version required to build ModSecurity v2 on Windows.

Yes, I know - but for that I think we need to change some other things too.

If you could send a PR, that would be a huge help (I don't have any Windows at all).

airween avatar Aug 22 '25 12:08 airween

I need to know which version of PCRE should I use to build ModSecurity v2 on Windows.

skvoboo-gh avatar Aug 22 '25 12:08 skvoboo-gh

I need to know which version of PCRE should I use to build ModSecurity v2 on Windows.

Seems like the latest release is 10.45, but the package name is PCRE2, not PCRE.

airween avatar Aug 22 '25 13:08 airween