Hi, I’m busy testing the PHP rules in CRS 3 in detail. Currently the PHP rules are only activated for some extensions, e.g. .php, so it doesn’t scan “pretty URLs”. I think this is unsafe and we should change this.
I’ve just created the following issue with a fix, but it might be controversial, so I would like your opinions about it. Should we run the PHP checks on other URLs? Please comment on the issue if you can!

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/310

Thanks!
WH

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set