Skip to content
This repository has been archived by the owner on May 14, 2020. It is now read-only.

Commit

Permalink
Backports to v3.1/dev from v3.2/dev (incl. ReDoS fixes) and update ve…
Browse files Browse the repository at this point in the history
…rsion

* Backport regex update in regexp-942260.data
* Backport rules updates to 942260 and 942490
* Backport regex update in regexp-942490.data
* Backporting new regexp-assemble-v2.pl
* Describe ReDoS fix backports in CHANGES
* Bugfix in 943120 (backport)
* Content-Type made case insensitive in 920240, 920400 (backport)
* Fix bug in 920470 (backport)
* Allow percent encoding in 920240 (backport)
* Fix bug in 920440 (backport)
* Reduce false positives in 921110 (backport)
* Updating version to 3.1.1, copyright year and contributors file
  • Loading branch information
dune73 authored Jun 25, 2019
1 parent a52ddc3 commit 607c0f5
Show file tree
Hide file tree
Showing 42 changed files with 396 additions and 301 deletions.
9 changes: 9 additions & 0 deletions CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,15 @@
or the CRS mailinglist at
* https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

== Version 3.1.1 - 2018-06-26 ==
* Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt)
* Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt)
* Allow % encoding in 920240 (Christoph Hansen)
* Fix bug in 920440 (Andrea Menin)
* Fix bug in 920470 (Walter Hop)
* Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt)
* Fix bug in 943120 (XeroChen)

== Version 3.1.0 - 8/7/2018 ==
* Add Detectify scanner (theMiddle)
* Renaming matched_var/s (Victor Hora)
Expand Down
3 changes: 3 additions & 0 deletions CONTRIBUTORS.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
- [Franziska Bühler](https://github.com/franbuehler)
- [Christoph Hansen](https://github.com/emphazer)
- [Victor Hora](https://github.com/victorhora)
- [Andrea Menin](https://github.com/theMiddleBlue)
- [Federico G. Schwindt](https://github.com/fgsch)
- [Manuel Spartan](https://github.com/spartantri)
- [Felipe Zimmerle](https://github.com/zimmerle)
Expand Down Expand Up @@ -51,6 +52,8 @@
- [theMiddle](https://github.com/theMiddleBlue)
- [Ben Williams](https://github.com/benwilliams)
- [Greg Wroblewski](https://github.com/gwroblew)
- [XeroChen](https://github.com/XeroChen)
- [Yu Yagihashi](https://github.com/yagihash)
- [ygrek](https://github.com/ygrek)
- [Zino](https://github.com/zinoe)
- Josh Zlatin
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg

## License

Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.

The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.

6 changes: 3 additions & 3 deletions crs-setup.conf.example
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down Expand Up @@ -842,4 +842,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:tx.crs_setup_version=310"
setvar:tx.crs_setup_version=311"
4 changes: 2 additions & 2 deletions rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down
12 changes: 6 additions & 6 deletions rules/REQUEST-901-INITIALIZATION.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand All @@ -21,11 +21,11 @@
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
# - Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.1.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/3.1.0"
SecComponentSignature "OWASP_CRS/3.1.1"

#
# -=[ Default setup values ]=-
Expand Down Expand Up @@ -298,7 +298,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
msg:'Enabling body inspection',\
tag:'paranoia-level/1',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/3.1.0'"
ver:'OWASP_CRS/3.1.1'"

# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
Expand All @@ -309,7 +309,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
nolog,\
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
ver:'OWASP_CRS/3.1.0',\
ver:'OWASP_CRS/3.1.1',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
Expand Down
6 changes: 3 additions & 3 deletions rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down Expand Up @@ -296,7 +296,7 @@ SecRule REQUEST_METHOD "@streq POST" \
"chain"
SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
"chain"
SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
"chain"
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
"ctl:requestBodyAccess=Off"
Expand Down
4 changes: 2 additions & 2 deletions rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down
4 changes: 2 additions & 2 deletions rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down
4 changes: 2 additions & 2 deletions rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down
4 changes: 2 additions & 2 deletions rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down
4 changes: 2 additions & 2 deletions rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down
4 changes: 2 additions & 2 deletions rules/REQUEST-910-IP-REPUTATION.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down
6 changes: 3 additions & 3 deletions rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down Expand Up @@ -40,7 +40,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'OWASP_AppSensor/RE1',\
tag:'PCI/12.1',\
severity:'CRITICAL',\
ver:'OWASP_CRS/3.1.0',\
ver:'OWASP_CRS/3.1.1',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
Expand Down
4 changes: 2 additions & 2 deletions rules/REQUEST-912-DOS-PROTECTION.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down
14 changes: 7 additions & 7 deletions rules/REQUEST-913-SCANNER-DETECTION.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.0
# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
Expand Down Expand Up @@ -46,7 +46,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.1.0',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
Expand All @@ -71,7 +71,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.1.0',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
Expand All @@ -98,7 +98,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.1.0',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
Expand Down Expand Up @@ -141,7 +141,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.0',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
Expand Down Expand Up @@ -178,7 +178,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.0',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
Expand Down
Loading

0 comments on commit 607c0f5

Please sign in to comment.