Release

CRS version 4.24.0 released

The OWASP CRS team is pleased to announce the release of CRS v4.24.0. For downloads and installation instructions, please refer to the Installation page. This is a regular minor release with no breaking changes or security fixes. It includes new detection capabilities, important bug fixes, false positive reductions, and a significant modernization effort converting rules to regex-assembly format.

New detections

- Smarty template PHP tag detection (rule 933100): Added detection for Smarty template engine PHP tags, expanding protection against Server-Side Template Injection (SSTI) attacks targeting PHP applications using the Smarty templating engine, by @touchweb-vincent (#4447)

Bug fixes

- Lazy regex for RCE rule 932130: Changed regex semantics from . (match anything) to [^\(\)] for better performance and specificity, preventing potential backtracking issues, by @fzipi (#3730)
- Method override false blocking (rule 920650): Fixed the rule to not block requests when the _method override parameter matches the actual HTTP method being used. Applications like GitLab sometimes set _method=post in POST request bodies that were triggering false blocks, by @EsadCetiner (#4455)
- Multi-byte UTF-8 handling in SQL special character detection (rules 942420-942432): Extracted multi-byte UTF-8 characters (acute accent U+00B4, left single quote U+2018, right single quote U+2019) from regex character classes into alternations. Previously, byte-by-byte matching caused false positives with non-Latin scripts including Chinese, Japanese, Arabic, Korean, and Hebrew. This closes the longstanding issue #3325, by @fzipi (#4458)

False positive fixes

- Restricted files FP reduction (rule 930130): Removed .pac from the restricted files dataset because it was also matching legitimate files containing .pack in the name (e.g., jquery.nivo.slider.pack.js). Also mitigated FP on .history pattern matching files like jquery.history.min.js, by @touchweb-vincent (#4451)
- UNIX command FP reduction (rule 932340): Added prefix requirements for shell evasion detection, as two-letter UNIX commands were causing FPs when users entered initials into form fields, by @ssigwart (#4454)
- XMP metadata and XSL stylesheet FP (rule 933100): Reduced false positives caused by Adobe XMP metadata packets and XSL stylesheet declarations, which were being flagged as PHP injection attempts, by @touchweb-vincent (#4445)
- JSON variable name “profile” FP: When sending JSON data to libModSecurity3 or Coraza, a variable named profile becomes ARGS_NAMES:json.profile, which matched an entry in lfi-os-files.data (the .profile file). Added a configure-time rule exclusion to resolve this, by @EsadCetiner (#4477)
- French addresses FP (rule 942200): Fixed false positives triggered by French addresses containing comma and single quote patterns like 999, rue d'Arlon, by @theseion (#4476)
- Google Funding Choices cookie exclusions: Added more exclusions for Google Funding Choices cookies that were triggering false positives, by @azurit (#4484)

Regex assembly conversions

A major theme of this release is the conversion of rules to regex-assembly format. This enables management by the crs-toolchain, allows optimized regex generation with common prefix factoring, and makes rules easier to maintain. In this release, 12 rules were converted:
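The multi-byte UTF-8 fix for rules 942420-942432 is easiest to see in a byte-oriented regex engine. The following is an added illustration, not CRS code: Python bytes patterns stand in for the engine, with the old character-class form beside the new alternation form, run over constructed samples.

```python
import re

# Added example (not part of CRS): why placing multi-byte UTF-8 characters
# inside a regex character class misfires on non-Latin text when the engine
# works byte by byte, and why an alternation of whole sequences does not.

# UTF-8 encodings of the three characters named in the release note.
ACUTE = "\u00b4".encode("utf-8")   # b"\xc2\xb4"      acute accent
LSQUO = "\u2018".encode("utf-8")   # b"\xe2\x80\x98"  left single quote
RSQUO = "\u2019".encode("utf-8")   # b"\xe2\x80\x99"  right single quote

# Old form: the characters sit inside a character class. A byte-level engine
# sees a set of six individual bytes, so any input containing just one of
# them (for example the continuation byte 0x80) matches.
OLD_PATTERN = re.compile(b"[" + ACUTE + LSQUO + RSQUO + b"]")

# New form: each character is one alternative, so the engine must see the
# complete byte sequence of one of the three characters.
NEW_PATTERN = re.compile(b"(?:" + b"|".join((ACUTE, LSQUO, RSQUO)) + b")")


def matches(pattern, text):
    """Run a bytes regex over the UTF-8 encoding of text."""
    return pattern.search(text.encode("utf-8")) is not None


def compare(text):
    """Return (old_matches, new_matches) for one input string."""
    return matches(OLD_PATTERN, text), matches(NEW_PATTERN, text)


# Constructed samples. The ideographic full stop U+3002 encodes as E3 80 82,
# sharing the 0x80 byte with the curly quotes; "it’s" carries a real U+2019.
SAMPLES = {
    "chinese": "你好。",
    "japanese": "こんにちは。",
    "quote": "it’s",
    "ascii": "plain text",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        old, new = compare(sample)
        print(f"{name:9s} old={old!s:5s} new={new!s:5s}")
```

The Chinese and Japanese samples trip the old class purely because of the 0x80 byte in the full stop; the alternation only fires on the genuine curly quote.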

CRS version 4.1.0 released

Last week, we released CRS v4.1.0. The new release is the first under the new monthly release schedule and brings a couple of new features and fixes. It includes quality improvements via better rule linting and fixes for false positives across a handful of rules. And: new developer Esad Cetiner has joined the team in time for the 4.1 release. Read the changelog here.

Let CRS 4 be your valentine!

What a Valentine’s Day present we have got for you: today, the Core Rule Set project is releasing CRS 4! Finally, you may say – and would be absolutely right: it took us a long time to get there. But we wanted to do it right, especially after the bug bounty program we took part in left us with over 500 individual findings in roughly 180 reports. Fixing all these needed more time than we originally thought. But the result is a CRS that has never been more secure.

CVE-2021-35368 - CRS Request Body Bypass (Update)

There is a severe security issue in our rule set. It has been present since the release of CRS 3.1.0 and was recently brought to our attention. Here is the official advisory that we are also publishing as CVE-2021-35368 via MITRE (as usual, MITRE will take a few days until they publish this).

Official Advisory for CVE-2021-35368

The OWASP ModSecurity Core Rule Set (CRS) is affected by a request body bypass that abuses trailing pathname information. A backend vulnerability can thus be exploited despite being protected with the CRS Web Application Firewall rule set when an application server accepts additional path info as part of the request URI. All known CRS installations that offer the predefined CRS rule exclusion packages are affected. This applies to end-of-life CRS versions 3.0.x, 3.1.0, 3.1.1 as well as the currently supported versions 3.2.0 and 3.3.0. Integrators and users are advised to upgrade to 3.1.2, 3.2.1 and 3.3.2 respectively.

OWASP ModSecurity Core Rule Set v3.3.0 available

The OWASP ModSecurity Core Rule Set team is proud to announce the final release for CRS v3.3.0. For downloads and installation instructions, please see the Installation page. This release packages many changes, such as:

- Block backup files ending with ~ in filename (Andrea Menin)
- Detect ffuf vuln scanner (Will Woodson)
- Detect Nuclei vuln scanner (azurit)
- Detect SemrushBot crawler (Christian Folini)
- Detect WFuzz vuln scanner (azurit)
- New LDAP injection rule (Christian Folini)
- New HTTP Splitting rule (Andrea Menin)
- Add .swp to restricted extensions (Andrea Menin)
- Allow CloudEvents content types (Bobby Earl)
- Add CAPEC tags for attack classification (Fernando Outeda, Christian Folini)
- Detect Unix RCE bypass techniques via uninitialized variables, string concatenations and globbing patterns (Andrea Menin)
- Many improvements to lower the number of false positives and improve attack detections

Important upgrade notes:

OWASP ModSecurity Core Rule Set v3.3.0 Release Candidate 1 available

The OWASP ModSecurity Core Rule Set team is proud to announce the release candidate 1 for the upcoming CRS v3.3.0 release. The release candidate is available at:

https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.tar.gz
https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.zip

This release packages many changes, such as:

- New rule to detect LDAP injection
- New HTTP Splitting rule
- Block backup files ending with ~ in filename
- Detect ffuf, Semrush and WFuzz scanners
- Updated exclusion profiles for Nextcloud, WordPress and XenForo
- Improvements to many patterns to improve detection and lower false alarms

Important note: The format of configuration setting allowed_request_content_type has been changed to be more in line with other variables. If you had manually changed this setting, then you need to update this configuration setting. Please see the example rule 900220 in crs-setup.conf.example. If you didn’t change this setting, you don’t need to do anything.

Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0-RC2

The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 2 for the upcoming CRS v3.2.0. The new release is available at:

https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.zip
https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.tar.gz

This release represents a very big step forward in terms of both capabilities and protections, including:

- Improved compatibility with ModSecurity 3.x
- Improved CRS docker container that is fully configurable at creation
- Expanded Java RCE blacklist
- Expanded Unix shell RCE blacklist
- Improved PHP RCE detection
- New JavaScript/Node.js RCE detection
- Expanded LFI blacklists
- Added XenForo rule exclusion profile
- Fixes for many false positives and bypasses
- Detection of more security scanners
- Regexp performance improvements preventing ReDoS in most cases

Please see the CHANGES document with around 150 entries for a detailed list of new features and improvements. https://github.com/coreruleset/coreruleset/blob/v3.2.0-rc2/CHANGES