https://0d2d0d50.website-1u6.pages.dev/tags/security/Recent content in CRS Projecthttps://0d2d0d50.website-1u6.pages.dev/20230717/cve-2023-38199-multiple-content-type-headers/Mon, 17 Jul 2023 10:57:39 +0200<p>The OWASP ModSecurity Core Rule Set (CRS) v3.3.4 does not detect the presence of multiple HTTP &ldquo;Content-Type&rdquo; header fields. As a result, on some platforms, it is possible to cause a CRS installation to process an HTTP request body differently (because of the different Content-Type) to how it would be processed by a backend web application.</p> <p>See the advisory at <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-38199">https://nvd.nist.gov/vuln/detail/CVE-2023-38199</a>.</p> <p><strong>Update:</strong> <a href="https://coreruleset.org/20230724/crs-version-3-3-5-released/">CRS version 3.3.5 has now been released</a> to address this vulnerability.</p>https://0d2d0d50.website-1u6.pages.dev/20210302/disabling-request-body-access-in-modsecurity-3-leads-to-complete-bypass/Tue, 02 Mar 2021 12:22:10 +0100<p>If you are running ModSecurity 3 with request body access disabled, then I have some bad news. Please sit down, this will be a while. If you are running ModSecurity 2, or you give the engine access to the request body, then you are not affected. But maybe you want to read this post nevertheless. I&rsquo;ll be discussing a new ModSec3 vulnerability an upcoming new CRS feature and some fundamental problems affecting existing ModSecurity rule sets.</p>https://0d2d0d50.website-1u6.pages.dev/20200118/cve-2019-19886-high-dos-against-libmodsecurity-3/Sat, 18 Jan 2020 08:32:00 +0100<p>The ModSecurity 3.0.x release line suffers from a Denial of Service vulnerability after triggering a segmentation fault on the webserver when parsing a malformed cookie header.</p> <p><strong>All users of ModSecurity 3.0.0 - 3.0.3 should update to ModSecurity 3.0.4 as soon as possible.</strong></p> <p>ModSecurity 2.x is not affected.</p> <p>The <a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:W/RC:C/AR:H/MAV:N/MA:H">CVSS</a> score for the vulnerability is 7.5 (HIGH). MITRE lists the vulnerability as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19886">CVE-2019-19886</a> (but as of this writing, it is only reserved).</p> <p>The OWASP ModSecurity Core Rule Set (CRS) project makes heavy use of unit tests. One of the goals is making sure that all our rules behave as intended on the underlying ModSecurity engine. ModSecurity 2.9 on Apache is our reference platform that passes our expanding list of over 2300 tests.</p>https://0d2d0d50.website-1u6.pages.dev/20190425/regular-expression-dos-weaknesses-in-crs/Thu, 25 Apr 2019 15:29:15 +0200<p>Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs:</p> <ul> <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11387">CVE-2019–11387</a></li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11388">CVE-2019–11388</a></li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11389">CVE-2019–11389</a></li> <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11390">CVE-2019–11390</a></li> <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11391">CVE-2019–11391</a></li> </ul> <p>The fact that CRS is affected by ReDoS is not particularly surprising and truth be told, we knew that was the case. We just have not solved it yet - or have not been able to solve it yet.</p>