Draft 3.0.1 release message
The OWASP ModSecurity Core Rule Set team is pleased to announce the immediate availability of CRS release v3.0.1.
This is a maintenance release fixing a minor security issue and multiple false positives. It also clarifies multiple comments in the documentation.
Highlights:
- SECURITY: Removed insecure handling of the X-Forwarded-For header. This request header can easily be faked by clients and is no longer taken into consideration to define the TX.real_ip variable. It is still used in the generation of REMOTE_ADDR. Apache users may want to configure mod_remoteip. For Nginx and IIS, there are alternative approaches to take X-Forwarded-For into correct consideration.
- Added support for MIME type application/soap+xml (as defined in RFC 3902). This also means that you'll need to update the ModSecurity recommended rule 200000 if you make use of the XML request body processor:

    SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
        "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

- Reduced FPs in rules 920120, 932140, 941100, 941120, 942190, 942360, and 942410
- Extended rule 931000 to support the "file" scheme to fix a false negative
- Fixed a bug in rule 931150 and moved the rule to PL2
- Closed multiple @pmf evasions via the lowercase transformation
- Reduced FPs by adding WordPress Rule Exclusions
This release incorporates pull requests from 11 different people. The project is also very happy to add Franziska Bühler and Christoph Hansen as new CRS committers in the CONTRIBUTORS file!
In line with the new release policy, minor releases (e.g. 3.0.1) will not add new detection rules or new features. Instead, they are meant as maintenance releases that reduce false positives and false negatives and fix bugs.
Ideally you should be able to update your 3.0.0 rules with the new 3.0.1 rules without experiencing any problems. However, be aware that the addition of the application/soap+xml content type demands an update of the ModSecurity project recommended rule 200000. Additionally, if you run your ModSecurity behind a proxy that sets the X-Forwarded-For header, your IP collection will probably fail to work properly. You may want to look into mod_remoteip or similar means to fill the variable REMOTE_ADDR correctly.
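As an added illustration of the X-Forwarded-For point above (example code, not part of the release or of the CRS rules), the Python sketch below contrasts the header handling that 3.0.1 removed with the trusted-proxy derivation that mod_remoteip performs for REMOTE_ADDR. The proxy ranges and request samples are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed trust list for this example: the reverse proxies allowed to set
# X-Forwarded-For. mod_remoteip expresses the same idea with
# RemoteIPInternalProxy / RemoteIPTrustedProxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.5/32")]

def is_trusted(addr: str) -> bool:
    """True if addr belongs to a proxy we allow to append to the chain."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False                # not an IP address at all

def naive_real_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The handling CRS 3.0.1 removed: believe the header unconditionally."""
    if xff and xff.strip():
        return xff.split(",")[0].strip()
    return remote_addr

def trusted_real_ip(remote_addr: str, xff: Optional[str]) -> str:
    """mod_remoteip-style derivation: accept the header only from a trusted
    TCP peer, then walk the chain right-to-left, peeling off our own
    proxies until the first address we did not add ourselves."""
    if not xff or not is_trusted(remote_addr):
        return remote_addr          # peer is not a trusted proxy: header is noise
    client = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                   # malformed entry: stop at the last valid address
        client = hop
        if not is_trusted(hop):
            break                   # first address not owned by us is the client
    return client

if __name__ == "__main__":
    # Constructed requests: (TCP peer address, X-Forwarded-For header value)
    samples = [("203.0.113.7", "127.0.0.1"),                 # direct client spoofing
               ("10.0.0.2", "198.51.100.23"),                # one trusted proxy
               ("10.0.0.2", "127.0.0.1, 198.51.100.23"),     # spoof attempt via proxy
               ("10.0.0.2", "198.51.100.23, 192.168.1.5")]   # two trusted proxies
    for peer, xff in samples:
        print(peer, repr(xff), "naive:", naive_real_ip(peer, xff),
              "trusted:", trusted_real_ip(peer, xff))
```

The first sample shows why the old behaviour was a security issue: a client talking directly to the server picks its own "real" address, while the trusted-proxy version ignores the header entirely.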
For a complete list of the changes in this release, see the CHANGES document on GitHub: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/CHANGES
CRS 3.0.1 is the best stable release of the OWASP Core Rule Set. We advise all users and providers of boxed CRS versions to update their setups.
CRS3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or higher.
Our GitHub repository is the preferred way to download and update CRS:

    $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
For detailed installation instructions, see the INSTALL document: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/INSTALL
Sincerely,
The OWASP Core Rule Set Team