Draft 3.0.1 release message
The OWASP ModSecurity Core Rule Set team is pleased to announce the CRS release v3.0.1.
This is a maintenance release fixing a minor security issue and multiple false positives. It also clarifies multiple comments in the documentation.
Highlights:

- SECURITY: Removed insecure handling of the X-Forwarded-For header. This request header can easily be forged by clients and is no longer taken into consideration when defining the TX.real_ip variable; only REMOTE_ADDR is used. Apache users may want to configure mod_remoteip. For Nginx and IIS, there are alternative approaches to take X-Forwarded-For into consideration correctly.
- Added support for the mime type application/soap+xml (as defined in RFC 3902). This also means that you need to update the ModSecurity recommended rule 200000 if you make use of the XML request body processor:

  ```
  SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
      "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
  ```
- Reduced FPs in rules 920120, 932140, 941100, 941120, 942190, 942360, 942410
- Extended 931000 with scheme "file" to fix a false negative
- Fixed a bug in 931150 and moved the rule to PL2
- Closed multiple @pmf evasions via lowercase transformation
- Reduced FPs via WordPress rule exclusions
This release incorporates pull requests from 11 different people. The project is very happy to list Franziska Bühler and Christoph Hansen as new CRS committers.
In line with the new release policy, the releases in the 3.0 release line are not adding new detection rules or new features. Instead, they are meant as maintenance releases reducing false positives, false negatives and fixing bugs.
Ideally you should be able to update your 3.0.0 rules with the new 3.0.1 rules without experiencing any problems. However, be aware that the addition of the application/soap+xml content type demands an update of the ModSecurity project recommended rule 200000. And if you run ModSecurity behind a proxy that sets the X-Forwarded-For header, your IP collection will probably no longer work properly, because CRS now only looks at REMOTE_ADDR and that variable will hold the address of the proxy. You may want to look into mod_remoteip or a similar means to fill the variable REMOTE_ADDR correctly.
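As an added illustration of the mod_remoteip approach mentioned in the highlights and in the paragraph above (an example configuration, not part of the release message or of the CRS project's own files): with mod_remoteip loaded, Apache replaces the client address it reports to modules, and therefore the REMOTE_ADDR that ModSecurity and CRS see, with the address taken from X-Forwarded-For, but only for hops that come from a proxy you have declared. The proxy range 10.0.0.0/8 and the log file path are assumptions for this example; replace them with the addresses of your own reverse proxies.

```apache
# Added example: derive the client address from X-Forwarded-For
# so that ModSecurity/CRS see the real client in REMOTE_ADDR.
# The proxy range 10.0.0.0/8 is an assumption for this example.
LoadModule remoteip_module modules/mod_remoteip.so

# Header written by the upstream reverse proxy.
RemoteIPHeader X-Forwarded-For

# Only trust X-Forwarded-For values added by these proxies. The first
# address in the chain that is NOT in this list is treated as the client,
# so a value prepended by an attacker is ignored rather than believed.
RemoteIPInternalProxy 10.0.0.0/8

# Log the derived client address (%a) next to the connection peer (%{c}a)
# to verify the setup: %a must show the real client, %{c}a the proxy.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" remoteip
CustomLog logs/access_log remoteip
```

The trusted-proxy list is the important part: without it, mod_remoteip would honour any X-Forwarded-For value and reintroduce the spoofing problem that this release removes from CRS. On Nginx, the ngx_http_realip_module directives set_real_ip_from and real_ip_header play the same role.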
For a complete list of the changes in this release, see the CHANGES document on github https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/CHANGES
CRS 3.0.1 is the best stable release of the OWASP ModSecurity Core Rule Set. We advise all users and providers of boxed CRS versions to update their setups.
CRS3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or higher.
Our GitHub repository is the preferred way to download and update CRS: $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
For detailed installation instructions, see the INSTALL document. https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/INSTALL
Sincerely,
FIXME