[FALSE-POSITIVE] CVE-2021-35042 #15241

@Xitro01

Description

Template IDs or paths

- dast/cves/2021/CVE-2021-35042.yaml

Environment

- OS: Linux kali 6.8.11-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.8.11-1kali2 (2024-05-30) x86_64 GNU/Linux
- Nuclei: Nuclei Engine Version: v3.6.2
- Go: go version go1.22.6 linux/amd64

Steps To Reproduce

nuclei -dast -u

Relevant dumped responses

The view-source of a triggered URL:
<!doctype html><html lang=en><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=theme-color content=#000><title>500: INTERNAL_SERVER_ERROR</title><style>html{font-size:62.5%;box-sizing:border-box;height:-webkit-fill-available}*,::after,::before{box-sizing:inherit}body{font-family:sf pro text,sf pro icons,helvetica neue,helvetica,arial,sans-serif;font-size:1.6rem;line-height:1.65;word-break:break-word;font-kerning:auto;font-variant:normal;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;text-rendering:optimizeLegibility;hyphens:auto;height:100vh;height:-webkit-fill-available;max-height:100vh;max-height:-webkit-fill-available;margin:0}::selection{background:#79ffe1}::-moz-selection{background:#79ffe1}a{cursor:pointer;color:#0070f3;text-decoration:none;transition:all .2s ease;border-bottom:1px solid #0000}a:hover{border-bottom:1px solid #0070f3}ul{padding:0;margin-left:1.5em;list-style-type:none}li{margin-bottom:10px}ul li:before{content:'\02013'}li:before{display:inline-block;color:#ccc;position:absolute;margin-left:-18px;transition:color .2s ease}code{font-family:Menlo,Monaco,Lucida Console,Liberation Mono,DejaVu Sans Mono,Bitstream Vera Sans Mono,Courier New,monospace,serif;font-size:.92em}code:after,code:before{content:'`'}.container{display:flex;justify-content:center;flex-direction:column;min-height:100%}main{max-width:80rem;padding:4rem 6rem;margin:auto}ul{margin-bottom:32px}.error-title{font-size:2rem;padding-left:22px;line-height:1.5;margin-bottom:24px}.error-title-guilty{border-left:2px solid #ed367f}.error-title-innocent{border-left:2px solid #59b89c}@media(max-width:500px){.owner-error{display:none}}main p{color:#333}.devinfo-container{border:1px solid #ddd;border-radius:4px;padding:2rem;display:flex;flex-direction:column;margin-bottom:32px}.error-code{margin:0;font-size:1.6rem;color:#000;margin-bottom:1.6rem}.devinfo-line{color:#333}.devinfo-line 
code,code,li{color:#000}.devinfo-line:not(:last-child){margin-bottom:8px}.docs-link,.contact-link{font-weight:500}header,footer,footer a{display:flex;justify-content:center;align-items:center}header,footer{min-height:100px;height:100px}header{border-bottom:1px solid #eaeaea}header h1{font-size:1.8rem;margin:0;font-weight:500}header p{font-size:1.3rem;margin:0;font-weight:500}.header-item{display:flex;padding:0 2rem;margin:2rem 0;text-decoration:line-through;color:#999}.header-item.active{color:#ff0080;text-decoration:none}.header-item.first{border-right:1px solid #eaeaea}.header-item-content{display:flex;flex-direction:column}.header-item-icon{margin-right:1rem;margin-top:.6rem}footer{border-top:1px solid #eaeaea}footer a{color:#000}footer a:hover{border-bottom-color:#0000}footer svg{margin-left:.8rem}.note{padding:8pt 16pt;border-radius:5px;border:1px solid #0070f3;font-size:14px;line-height:1.8;color:#0070f3}@media(max-width:500px){.devinfo-container .devinfo-line code{margin-top:.4rem}.devinfo-container .devinfo-line:not(:last-child){margin-bottom:1.6rem}.devinfo-container{margin-bottom:0}header{flex-direction:column;height:auto;min-height:auto;align-items:flex-start}.header-item.first{border-right:none;margin-bottom:0}main{padding:1rem 2rem}body{font-size:1.4rem;line-height:1.55}footer{display:none}.note{margin-top:16px}}</style><div class=container><main><p class=devinfo-container><span class=error-code><strong>500</strong>: INTERNAL_SERVER_ERROR</span>
<span class=devinfo-line>Code: <code>MIDDLEWARE_INVOCATION_FAILED</code></span>
<span class=devinfo-line>ID: <code><REDACTED></code></p></main></div>

Anything else?

I have seen this template trigger many times on different scopes; somehow it triggers on URLs that always answer with an error 500. Strangely enough, it doesn't contain any of these strings:
- 'contains_all(body, "ORDER BY", "ProgrammingError") || contains_all(body, "ORDER BY", "DatabaseError")'
- 'contains_any(body, "psycopg2", "MySQLdb", "sqlite3", "cx_Oracle")'
So I have no idea why this triggers.

Might be a good idea to have a look at this template and analyse why this is falsely triggering.
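
To check the observation above offline, the two DSL expressions quoted in the issue can be re-evaluated against a saved response body. This is an added example, not code from the template or from Nuclei: `contains_all` and `contains_any` are reimplemented here as case-sensitive substring checks (an assumption), the function names are hypothetical, and both sample bodies are constructed (the first is the dumped 500 page with its CSS omitted).

```python
"""Re-evaluate the two matcher expressions quoted in the issue against a saved body."""


def contains_all(body: str, *needles: str) -> bool:
    # Assumption: case-sensitive substring match; every needle must be present.
    return all(n in body for n in needles)


def contains_any(body: str, *needles: str) -> bool:
    # Assumption: case-sensitive substring match; one needle is enough.
    return any(n in body for n in needles)


def evaluate(body: str) -> dict:
    """Return the result of each quoted expression for one response body."""
    order_by_error = (
        contains_all(body, "ORDER BY", "ProgrammingError")
        or contains_all(body, "ORDER BY", "DatabaseError")
    )
    db_driver = contains_any(body, "psycopg2", "MySQLdb", "sqlite3", "cx_Oracle")
    return {"order_by_error": order_by_error, "db_driver": db_driver}


def unexplained(body: str) -> bool:
    # True when neither quoted expression matches this body, i.e. the saved
    # response alone cannot account for the finding.
    return not any(evaluate(body).values())


# Constructed: the dumped 500 page from the issue, CSS omitted.
DUMPED_500 = """<title>500: INTERNAL_SERVER_ERROR</title>
<span class=error-code><strong>500</strong>: INTERNAL_SERVER_ERROR</span>
<span class=devinfo-line>Code: <code>MIDDLEWARE_INVOCATION_FAILED</code></span>
<span class=devinfo-line>ID: <code><REDACTED></code></p>"""

# Constructed: a database error page that does carry the expected strings.
CONSTRUCTED_DB_ERROR = (
    "ProgrammingError at /items/\n"
    'psycopg2.errors.SyntaxError: syntax error near "ORDER BY"\n'
)

if __name__ == "__main__":
    for name, body in [("dumped 500", DUMPED_500), ("db error", CONSTRUCTED_DB_ERROR)]:
        print(name, evaluate(body), "unexplained" if unexplained(body) else "explained")
```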

Metadata

Labels

false-positive: Nuclei template reporting invalid/unexpected result
