Dear community members,
The OWASP Core Rule Set team is pleased to announce the immediate
availability of CRS release v3.0.1 (
https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/v3.0.1).

This is a maintenance release fixing a minor security issue and multiple
false positives. It also clarifies multiple comments in the documentation.

Highlights:

   - SECURITY: Removed insecure handling of the X-Forwarded-For header. This
     request header can easily be faked by clients and is no longer taken
     into consideration to define the TX.real_ip variable. It is still used in
     the generation of REMOTE_ADDR. Apache users may want to configure
     mod_remoteip. For Nginx and IIS, there are alternative approaches to take
     X-Forwarded-For into correct consideration.
   - Added support for MIME type application/soap+xml (as defined in RFC
     3902). This also means that you'll need to update the ModSecurity
     recommended rule 200000 if you make use of the XML request body processor:

       SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
           "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

   - Reduced FPs in rules 920120, 932140, 941100, 941120, 942190, 942360,
     and 942410
   - Extended rule 931000 to support the "file" scheme to fix a false
     negative
   - Fixed a bug in rule 931150 and moved the rule to PL2
   - Closed multiple @pmf evasions via the lowercase transformation
   - Reduced FPs by adding WordPress rule exclusions


This release incorporates pull requests from 11 different people. The
project is also very happy to add Franziska Bühler and Christoph Hansen as
new CRS committers in the CONTRIBUTORS file!

In line with the new release policy, minor releases (e.g. 3.0.1) will not
add new detection rules or new features. Instead, they are meant as
maintenance releases that reduce false positives and false negatives and
fix bugs.

Ideally you should be able to update your 3.0.0 rules with the new 3.0.1
rules without experiencing any problems. However, be aware that the
addition of the application/soap+xml content type demands an update of the
ModSecurity project recommended rule 200000. Additionally, if you run your
ModSecurity behind a proxy that sets the X-Forwarded-For header, your IP
collection will probably fail to work properly. You may want to look into
mod_remoteip or similar means to fill the variable REMOTE_ADDR correctly.
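To illustrate the X-Forwarded-For point made in the highlights and in the
upgrade note above, here is an added Python example that is not part of the
release or of the CRS rule set: it contrasts the removed pattern (believing
the leftmost header value, which the client controls) with the trusted-proxy
walk that mod_remoteip performs. The proxy ranges and addresses are
constructed for the example.

```python
import ipaddress

# Constructed example: the reverse proxies that sit in front of ModSecurity.
# Only addresses in these ranges are allowed to append hops to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.10/32")]


def is_trusted(addr: str) -> bool:
    """True if addr parses as an IP and belongs to one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_real_ip(xff: str, remote_addr: str) -> str:
    """The pattern CRS 3.0.1 removed: trust the leftmost X-Forwarded-For entry.

    The leftmost value is whatever the client chose to send, so any client
    can impersonate an arbitrary address in IP-based rules and logs.
    """
    first = xff.split(",")[0].strip() if xff else ""
    return first or remote_addr


def trusted_real_ip(xff: str, remote_addr: str) -> str:
    """Walk X-Forwarded-For from the right, peeling off only hops we operate.

    Each proxy appends the address it accepted the connection from, so the
    rightmost entry was written by the proxy at remote_addr, the next one by
    the proxy before it, and so on. The first address that is not one of our
    proxies is the real client; everything left of it is client-controlled.
    """
    if not is_trusted(remote_addr):
        return remote_addr          # direct connection: header is untrusted noise
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    client = remote_addr
    while hops:
        candidate = hops.pop()      # rightmost remaining hop
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                   # malformed hop: keep the last valid address
        client = candidate
        if not is_trusted(candidate):
            break                   # first non-proxy address is the client
    return client
```

In Apache, `RemoteIPHeader X-Forwarded-For` together with
`RemoteIPInternalProxy 10.0.0.0/8` expresses the same trust list for
mod_remoteip, which then rewrites REMOTE_ADDR before ModSecurity sees it.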

For a complete list of the changes in this release, see the CHANGES
document on GitHub
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/CHANGES

CRS 3.0.1 is the best stable release of the OWASP Core Rule Set. We advise
all users and providers of boxed CRS versions to update their setups.

CRS3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or
higher.

Our GitHub repository is the preferred way to download and update CRS:

   $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

For detailed installation instructions, see the INSTALL document.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/INSTALL


Sincerely,

The OWASP Core Rule Set Team

-- 
Chaim Sanders
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set