ModSecurity: Path Confusion and really easy bypass on v2 and v3

We discussed this vulnerability during Episode 239 on 05 February 2024

Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug lies in ModSecurity itself, in the variables it exposes for use by the various rulesets others have built on top of it.

The concept is simple: the REQUEST_FILENAME variable should normally contain the entire request path, from the first / up to the start of the query string as marked by the ? character. For example, for /api/v3/example/endpoint?param=1 the REQUEST_FILENAME is /api/v3/example/endpoint.

The problem is that ModSecurity attempts to decode any URL-encoded sequences in the path before it parses out the start of the query string. So if a path includes a %3F (the URL-encoded form of ?), any data after the %3F is not included in the REQUEST_FILENAME variable, even though the actual backend server is very likely to treat it as part of the path. This creates room to easily smuggle in bits that would usually be blocked by the WAF. The REQUEST_BASENAME and PATH_INFO variables are also affected by this issue.
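To make the ordering bug concrete, here is an added example (not ModSecurity's source and not Andrea Menin's code) that models the two possible orders of operations on a raw request URI: decode-then-split, which reproduces the truncated REQUEST_FILENAME described above, and split-then-decode, which matches what a typical backend sees. The function names, the `%3F` detection helper and the sample URIs are all constructed for illustration; the helper is the kind of check a defender could mirror in a rule that inspects the raw, still-encoded request line rather than the already-decoded path variables.

```python
from urllib.parse import unquote


def split_path_decode_first(raw_uri: str) -> dict:
    """Model of the flawed order (assumption, not ModSecurity's real code):
    URL-decode the whole request URI, then split on the first '?'.
    A %3F inside the path turns into a literal '?' and truncates the
    path variables at that point."""
    decoded = unquote(raw_uri)
    filename = decoded.split("?", 1)[0]
    return {
        "REQUEST_FILENAME": filename,
        "REQUEST_BASENAME": filename.rsplit("/", 1)[-1],
    }


def split_path_decode_last(raw_uri: str) -> dict:
    """Correct order, and what most backends do: split on the literal '?'
    first, then URL-decode only the path component. An encoded %3F stays
    part of the path, so the WAF and the backend agree on what it is."""
    path = raw_uri.split("?", 1)[0]
    filename = unquote(path)
    return {
        "REQUEST_FILENAME": filename,
        "REQUEST_BASENAME": filename.rsplit("/", 1)[-1],
    }


def path_has_encoded_query_marker(raw_uri: str) -> bool:
    """Defensive check on the raw (undecoded) request line: flag a %3F that
    appears before any literal '?', i.e. an encoded '?' inside the path.
    A %3F in the real query string is legitimate and is not flagged."""
    raw_path = raw_uri.split("?", 1)[0]
    return "%3f" in raw_path.lower()


def waf_and_backend_agree(raw_uri: str) -> bool:
    """True when the flawed-order path variables match the backend's view."""
    return (split_path_decode_first(raw_uri)["REQUEST_FILENAME"]
            == split_path_decode_last(raw_uri)["REQUEST_FILENAME"])


if __name__ == "__main__":
    # Constructed sample URIs: a normal request and the same path with the
    # '?' URL-encoded so it is part of the path, not a query separator.
    for uri in ("/api/v3/example/endpoint?param=1",
                "/api/v3/example/endpoint%3Fparam=1"):
        print(uri)
        print("  decode-first REQUEST_FILENAME:", split_path_decode_first(uri)["REQUEST_FILENAME"])
        print("  decode-last  REQUEST_FILENAME:", split_path_decode_last(uri)["REQUEST_FILENAME"])
        print("  encoded '?' in path:", path_has_encoded_query_marker(uri))
        print("  WAF/backend agree:", waf_and_backend_agree(uri))
```

Running it shows the two orders agree on the plain request and diverge on the encoded one: decode-first yields /api/v3/example/endpoint for both, while decode-last keeps /api/v3/example/endpoint?param=1 as the path, which is the portion a rule matching only on REQUEST_FILENAME would never see.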