Backports to v3.1/dev from v3.2/dev (incl. ReDoS fixes) and update ve…

…rsion * Backport regex update in regexp-942260.data * Backport rules updates to 942260 and 942490 * Backport regex update in regexp-942490.data * Backporting new regexp-assemble-v2.pl * Describe ReDoS fix backports in CHANGES * Bugfix in 943120 (backport) * Content-Type made case insensitive in 920240, 920400 (backport) * Fix bug in 920470 (backport) * Allow percent encoding in 920240 (backport) * Fix bug in 920440 (backport) * Reduce false positives in 921110 (backport) * Updating version to 3.1.1, copyright year and contributors file
SpiderLabs · Jun 25, 2019 · 607c0f5 · 607c0f5
1 parent a52ddc3
commit 607c0f5
Show file tree

Hide file tree

Showing 42 changed files with 396 additions and 301 deletions.
diff --git a/CHANGES b/CHANGES
@@ -5,6 +5,15 @@
   or the CRS mailinglist at
 * https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
 
+== Version 3.1.1 - 2018-06-26 ==
+ * Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt)
+ * Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt)
+ * Allow % encoding in 920240 (Christoph Hansen)
+ * Fix bug in 920440 (Andrea Menin)
+ * Fix bug in 920470 (Walter Hop)
+ * Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt)
+ * Fix bug in 943120 (XeroChen)
+
 == Version 3.1.0 - 8/7/2018 ==
  * Add Detectify scanner (theMiddle)
  * Renaming matched_var/s (Victor Hora)

diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -12,6 +12,7 @@
 - [Franziska Bühler](https://github.com/franbuehler)
 - [Christoph Hansen](https://github.com/emphazer)
 - [Victor Hora](https://github.com/victorhora)
+- [Andrea Menin](https://github.com/theMiddleBlue)
 - [Federico G. Schwindt](https://github.com/fgsch)
 - [Manuel Spartan](https://github.com/spartantri)
 - [Felipe Zimmerle](https://github.com/zimmerle)
@@ -51,6 +52,8 @@
 - [theMiddle](https://github.com/theMiddleBlue)
 - [Ben Williams](https://github.com/benwilliams)
 - [Greg Wroblewski](https://github.com/gwroblew)
+- [XeroChen](https://github.com/XeroChen)
+- [Yu Yagihashi](https://github.com/yagihash)
 - [ygrek](https://github.com/ygrek)
 - [Zino](https://github.com/zinoe)
 - Josh Zlatin

diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg
 
 ## License
 
-Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 
 The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
 
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -842,4 +842,4 @@ SecAction \
   nolog,\
   pass,\
   t:none,\
-  setvar:tx.crs_setup_version=310"
+  setvar:tx.crs_setup_version=311"
diff --git a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -21,11 +21,11 @@
 #
 # Rule version data is added to the "Producer" line of Section H of the Audit log:
 #
-# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
+# - Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.1.
 #
 # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
 #
-SecComponentSignature "OWASP_CRS/3.1.0"
+SecComponentSignature "OWASP_CRS/3.1.1"
 
 #
 # -=[ Default setup values ]=-
@@ -298,7 +298,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
     msg:'Enabling body inspection',\
     tag:'paranoia-level/1',\
     ctl:forceRequestBodyVariable=On,\
-    ver:'OWASP_CRS/3.1.0'"
+    ver:'OWASP_CRS/3.1.1'"
 
 # Force body processor URLENCODED
 SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@@ -309,7 +309,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
     nolog,\
     noauditlog,\
     msg:'Enabling forced body inspection for ASCII content',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     chain"
     SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
         "ctl:requestBodyProcessor=URLENCODED"

diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -296,7 +296,7 @@ SecRule REQUEST_METHOD "@streq POST" \
         "chain"
         SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
             "chain"
-            SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
+	    SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
                 "chain"
                 SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
                     "ctl:requestBodyAccess=Off"

diff --git a/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf b/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

diff --git a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

diff --git a/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf b/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

diff --git a/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

diff --git a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

diff --git a/rules/REQUEST-910-IP-REPUTATION.conf b/rules/REQUEST-910-IP-REPUTATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

diff --git a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -40,7 +40,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
     tag:'OWASP_AppSensor/RE1',\
     tag:'PCI/12.1',\
     severity:'CRITICAL',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

diff --git a/rules/REQUEST-912-DOS-PROTECTION.conf b/rules/REQUEST-912-DOS-PROTECTION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -46,7 +46,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -71,7 +71,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -98,7 +98,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -141,7 +141,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
@@ -178,7 +178,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\