forked from owasp-modsecurity/ModSecurity
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGES
1347 lines (819 loc) · 45.4 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
10 May 2013 - 2.7.4
-------------------
Improvements:
* Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
* Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
Bug Fixes:
* Fixed SecRulePerfTime storing unnecessary rules performance times.
* Fixed Possible SDBM deadlock condition.
* Fixed Possible @rsub memory leak.
* Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.
Security Issues:
* Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used,
mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).
28 Mar 2013 - 2.7.3
-------------------
* Fixed IIS version race condition when module is initialized.
* Fixed IIS version failing config commands in libapr.
* Nginx version is now RC quality. The rule engine should works for all phases.
We fixed many issues and missing features (for more information please check jira).
Code is running well with latest Nginx 1.2.7 stable.
Thanks chaizhenhua for your help.
* Added MULTIPART_NAME and MULTIPART_FILENAME. Should be used soon by CRS
and will help prevent attacks using multipart data.
* Added --enable-htaccess-config configure option. It will allow the follow directives
to be used into .htaccess files when AllowOverride Options is set:
- SecAction
- SecRule
- SecRuleRemoveByMsg
- SecRuleRemoveByTag
- SecRuleRemoveById
- SecRuleUpdateActionById
- SecRuleUpdateTargetById
- SecRuleUpdateTargetByTag
- SecRuleUpdateTargetByMsg
* Improvements in the ID duplicate code checking. Should be faster now.
* SECURITY: Added SecXmlExternalEntity (On|Off - default it Off) that will disable
by default the external entity load task executed by LibXml2. This is a security issue
[CVE-2013-1915] reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
21 Jan 2013 - 2.7.2
-------------------
* IIS version is now stable.
* Fixed IIS version does not pass through POST data to ASP.NET when SecRequestBodyAccess
is set to On (MODSEC-372).
* Fixed IIS version HTTP Request Smuggling protection does not work (MODSEC-344).
* Fixed IIS version PHP Injection Attack (958976) protection does not work (MODSEC-346).
* Fixed IIS version Request limit protections are not working (MODSEC-349).
* Fixed IIS version Outbound protections are not working (MODSEC-350).
* Added IIS version better installer.
* NGINX version removed ModSecurityPassCommand (Thanks chaizhenhua).
* Fixed NGINX version ngx_http_read_client_request_body returned unexpected buffer type (Thanks chaizhenhua).
* Fixed NGINX version INCS config directories on fedora (Thanks chaizhenhua).
* Added NGINX version Added drop action for nginx (Thanks chaizhenhua).
* Fixed bug in cpf_verify operator (Thanks Hideaki Hayashi).
* Fixed build modsecurity under Arch Linux.
* Fixed make test crashing when JIT pcre is enabled.
* Fixed better cookie separator detection code.
* Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip.
* Fixed mod_security was not compiling when use apr without ipv6 support.
* Fixed mod_security was not compiling when use lua 5.2.
* Fixed issue when execute make install under Solaris.
* Fixed ipmatchf operator was not working as expected.
01 Nov 2012 - 2.7.1
-------------------
* Changed "Encryption" name of directives and options related to hmac feature to "Hash".
SecEncryptionEngine to SecHashEngine
SecEncryptionKey to SecHashKey
SecEncryptionParam to SecHashParam
SecEncryptionMethodRx to SecHashMethodRx
SecEncryptionMethodPm to SecHashMethodPm
@validateEncryption to @validateHash
ctl:EncryptionEnforcement to ctl:HashEnforcement
ctl:EncryptionEngine to ctl:HashEngine
* Added a better random bytes generator using apr_generate_random_bytes() to create
the HMAC key.
* Fixed byte conversion issue during logging under Linux s390x platform.
* Fixed compilation bug with LibXML2 2.9.0 (Thanks Athmane Madjoudj).
* Fixed parsing error with modsecurity-recommended.conf and Apache 2.4.
* Fixed DROP action was disabled for Apache 2 module by mistake.
* Fixed bug when use ctl:ruleRemoveTargetByTag.
* Fixed IIS and NGINX modules bugs.
* Fixed bug when @strmatch patterns use invalid escape sequence (Thanks Hideaki Hayashi).
* Fixed bugs in @verifySSN (Thanks Hideaki Hayashi).
* The doc/ directory now contains the instructions to access online documentation.
15 Oct 2012 - 2.7.0
-------------------
* Fixed Pause action should work as a disruptive action (MODSEC-297).
* Fixed Problem loading mod_env variables in phase 2 (MODSEC-226).
* Fixed Detect cookie v0 separator and use it for parsing (MODSEC-261).
* Fixed Variable REMOTE_ADDR with wrong IP address in NGINX version (MODSEC-337).
* Fixed Errors compiling NGINX version.
* Added Include directive into standalone module. IIS and NGINX module should
support Include directive like Apache2.
* Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict
validation. https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt).
* Updated Reference Manual.
25 Sep 2012 - 2.6.8
-------------------
* Fixed ctl:ruleRemoveTargetByID order issue (MODSEC-333). Thanks to Armadillo Dasypodidae.
* Fixed variable HIGHEST_SEVERITY incorrectly gets reset in a chain rule (MODSEC-315). Thanks to Valery Reznic.
10 Sep 2012 - 2.7.0-rc3
-------------------
* Fixed requests bigger than SecRequestBodyNoFilesLimit were truncated even engine mode was detection only.
* Fixed double close() for multipart temporary files (Thanks Seema Deepak).
* Fixed many small issues reported by Coverity Scanner (Thanks Peter Vrabek).
* Fixed format string issue in ngnix experimental code. (Thanks Eldar Zaitov).
* Added ctl:ruleRemoveTargetByTag/Msg and removed ctl:ruleUpdateTargetByTag/Msg.
* Added IIS and Ngnix platform code.
* Added new transformation utf8toUnicode.
23 Jul 2012 - 2.6.7
-------------------
* Fixed explicit target replacement using SecUpdateTargetById was broken.
* The ctl:ruleUpdateTargetById is deprecated and will be removed for future versions since
there is no safe way to use it per-request.
* Added ctl:ruleRemoveTargetById that can be used to exclude targets to be processed per-request.
22 Jun 2012 - 2.7.0-rc2
-------------------
* Fixed compilation errors and warnings under Windows platform.
* Fixed SecEncryptionKey was not working as expected.
08 Jun 2012 - 2.7.0-rc1
-------------------
* Added SecEncryptionEngine. Initial crypt engine support, at the momment it will sign some Html
and Response Header options.
* Added SecEncryptionKey to define the a rand or static key for crypt engine.
* Added SecEncryptionParam to define the new parameter name.
* Added SecEncryptionMethodRx used with a regular expression to inspect the html in response
body/header and decide what to protect.
* Added SecEncryptionMethodPm used with multiple or single strings to inspect the html in response
body/header and decide what to protect.
* Added ctl encryptionEngine as a per transaction version of SecEncryptionEgine diretive.
* Added ctl encryptionEnforcement that will allow the engine to sign the data but the enforcement is
disabled.
* Added validateEncryption operator to enforce the signed elements.
* Added rsub operator supports the syntax |hex| allowing users to use special chars like \n \r.
* Added SecRuleUpdateTargetById now supports id range.
* Added SecRuleUpdateTargetByMsg and its ctl version (Thanks Scott Gifford).
* Added SecRuleUpdateTargetByTag and its ctl version (Thanks Scott Gifford).
* Added SecRulePerfTime when greater than zero it will fill rule id's execution time into PERF_RULE
and log id=usec information in the new Perf-rule-info: line in part H.
* Added PERF_RULES variable that contains rule execution time.
* Added Engine-mode: section in part H.
* Added ruleRemoveByMsg ctl version.
* Added removeCommentsChar and removeComments now can work with <!-- --> style.
* Added SecArgumentSeparator and SecCookieFormat can be used in different scope locations.
* Added Rules must have ID action and must be numeric.
* Added The use of tfns are deprecated in SecDefaultAction. Should be forbid in the future.
* Added Macro expansion support to the action pause.
* Added IpmatchFromFile/IpmatchF operator.
* Added New setrsc action, the RESOURCE collection used SecWebAppId Name Space
* Added Configure option --enable-cache-lua that allows reuse of Lua VM per transaction.
It will only take any effect when ModSecurity has multiple scripts to run per transaction.
* Added Configure option --enable-pcre-jit that allows ModSecurity regex engine to use PCRE Jit support.
* Added Configure option --enable-request-early that allows ModSecurity run phase 1 in post_read_request hook.
* Added RBL operator now support the httpBl api (http://www.projecthoneypot.org/httpbl_api.php).
* Added SecHttpBlKey to be used with httpBl api.
* Added SecSensorId will specify the modsecurity sensor name into audit log part H.
* Added aliases to phase:2 (phase:request), phase:4 (phase:response) and phase:5 (phase:logging).
* Added USERAGENT_IP variable. Created when Apache24 is used with mod_remoteip to know the real
client ip address.
^ Added new rule metadata actions ver, maturity and accuracy. Also included into RULE collection.
* Updated Reference manual into doc/ directory.
* Fixed Variable DURATION contains the elapsed time in microseconds for compatible reasons with apache and
other variables.
* Fixed Preserve names/identity of the variables going into MATCHED_VARS.
* Fixed Redirect macro expansion does not work in SecDefaultAction when SecRule uses block action.
* Fixed rsub operator does not work as expect if regex contains parentheses (Thanks Jerome Freilinger).
* Current Google Safe Browsing implementation is deprecated. Google changed the API and does not allow
anymore the malware database for download.
08 Jun 2012 - 2.6.6
-------------------
* Added build system support for KfreeBSD and HURD.
* Fixed a multipart bypass issue related to quote parsing
Credits to Qualys Vulnerability & Malware Research Labs (VMRL).
20 Mar 2012 - 2.6.5
-------------------
* Fixed increased a specific message debug level in SBDM code (MODSEC-293).
* Cleanup build system.
09 Mar 2012 - 2.6.4
-------------------
* Fixed Mlogc 100% CPU consume (Thanks Klaubert Herr and Ebrahim Khalilzadeh).
* Fixed ModSecurity cannot load session and user sdbm data.
* Fixed updateTargetById was creating rule unparsed content making apache memory grow.
* Code cleanup.
23 Feb 2012 - 2.6.4-rc1
-------------------
* Fixed @rsub adding garbage data into stream variables.
* Fixed regex for section A into mlogc-batch-load.pl (Thanks Ebrahim Khalilzadeh).
* Fixed logdata cuts message without closing it with final chars.
* Added sanitizeMatchedBytes support to verifyCPF, verifyCC and verifySSN.
06 Dec 2011 - 2.6.3-rc1
-------------------
* Fixed MATCHED_VARS does not correctly handle multiple VARS with the same name.
* Fixed SDBM garbage collection was not working as expected, increasing the size of files.
* Fixed wrong timestamp calculation for some time zones in log files.
* Fixed SecUpdateTargetById failed to load multiple VARS (MODSEC-270).
* Fixed Reverted hexDecode for hexEncode compatibility reason.
* Added SecCollectionTimeout to set collection timeout, default is 3600.
* Added sqlHexDecode transformation to decode sql hex data. Thanks Marc Stern.
30 Sep 2011 - 2.6.2
-------------------
* Fixed hexDecode test during make.
* Updated the reference manual into doc/ directory.
5 Sep 2011 - 2.6.2-rc1
-------------------
* Added support to macro expansion for rx operator.
* Added new transformations removeComments and removeCommentsChars
* Fixed colletion names are not case-sensitive anymore.
* Fixed compilation errors with apache 2.0.
* Fixed build system was not using some libraries CFLAGS.
* Fixed check for valid hex values into hexDecode transformation.
* Fixed ctl:ruleUpdateTargetById appending multiple targets.
18 Jun 2011 - 2.6.1
-------------------
* Updated the reference manual into doc/ directory.
11 Jul 2011 - trunk
-------------------
* Add HttpBl support to rbl operator.
30 Jun 2011 - 2.6.1-rc1
-------------------
* Fixed SecUploadFileMode doesn't work with the new build system.
* Fixed building with Lua library (Thanks Diego Elio).
* Fixed some ./configure --enable* features not being enabled in compilation time.
* Improvements on GSB database add/search operations.
* Log part K was removed from modsecurity.conf-recommended.
* Added SecUnicodeMapFile directive. Must be use to load the unicode.mapping file.
* Added SecUnicodeCodePage directive. Used to define the unicode code page. There are a few already available:
1250 (ANSI - Central Europe)
1251 (ANSI - Cyrillic)
1252 (ANSI - Latin I)
1253 (ANSI - Greek)
1254 (ANSI - Turkish)
1255 (ANSI - Hebrew)
1256 (ANSI - Arabic)
1257 (ANSI - Baltic)
1258 (ANSI/OEM - Viet Nam)
20127 (US-ASCII)
20261 (T.61)
20866 (Russian - KOI8)
28591 (ISO 8859-1 Latin I)
28592 (ISO 8859-2 Central Europe)
28605 (ISO 8859-15 Latin 9)
37 (IBM EBCDIC - U.S./Canada)
437 (OEM - United States)
500 (IBM EBCDIC - International)
850 (OEM - Multilingual Latin I)
860 (OEM - Portuguese)
861 (OEM - Icelandic)
863 (OEM - Canadian French)
865 (OEM - Nordic)
874 (ANSI/OEM - Thai)
932 (ANSI/OEM - Japanese Shift-JIS)
936 (ANSI/OEM - Simplified Chinese GBK)
949 (ANSI/OEM - Korean)
950 (ANSI/OEM - Traditional Chinese Big5)
Also mapping some extra unicode chars defined at http://tools.ietf.org/html/rfc3490#section-3.1
* Fixed SecRequestBodyLimit was truncating the real request body.
18 May 2011 - 2.6.0
-------------------
* Added SecWriteStateLimit for Slow Post DoS mitigation.
* Fix problem when buffering in input filter.
* Fix memory leak when use MATCHED_VAR_NAMES.
2 May 2011 - 2.6.0-rc2
-------------------
* Added code optimizations - thanks Diego Elio.
* Added support to AIX and HPUX in the build system (untested).
* Renamed decodeBase64Ext to base64DecodeExt.
* Build system improvements - thanks Diego Elio.
* Improvements on gsblookup parser.
* Fixed input filter bug when upload files and SecStreamInBodyInspect is enabled.
* Logging improvements and bug fix.
* Remove extra useless files when make clean and maintainer-clean
18 Apr 2011 - 2.6.0-rc1
-------------------
* Replaced previous GPLv2 License to Apachev2.
* Added Google Safe Browsing lookups operator and directive. It should be
used to extract and lookup urls from http packets.
* Added Data Modification operator. It must be used with STREAM_* variables
to replace/add/edit any data from http bodies.
* Added STREAM_OUPUT_BODY and STREAM_INPUT_BODY variables to work with data
modification operators.
* Added fast ip address operator. It supports partial ip address, cidr for
IPv4 and IPv6. Thanks Tom Donovan.
* Added new sensitive data tracking verifyCPF and verifySSN.
* Added MATCHED_VARS and MATCHED_VARS_NAMES. It is similiar to MATCHED_VAR,
but now we should see all matched variables.
* Added UNIQUE_ID variable. It holds the data created my mod_unique_id.
* Added new tranformation cmdline. Thanks Marc Stern.
* Added new exception handling operators and directives. It should help users
reduce FN and FPs. The directives SecRuleUpdateTargetById, SecRuleRemoveByTag
and its ctl actions were included.
* Added SecStreamOutBodyInspection and SecStreamInBodyInspection to enable STREAM_*
variables.
* Added SecGsbLookupDB used to load Google Safe Browsing malware databse into
memory.
* Added the directive SecInterceptOnError to control what to do if a rule returns
values less than zero.
* Improvements in DetectionOnly engine mode. Also added SecRequestBodyLimitAction
to control what to do if the engine receive a http request over a hard limit.
Note that there is now many combinations with SecRuleEngine and the limit action
directives for response and request data. Please see the reference manual.
* Improvements under RBL operator. It now will parse return code values for some
RBL lists.
* Added new Log Part J. It should log some informations about uploaded files.
* Added new sanitizeMatchedBytes action. It will give more flexibilty for user to sanitize
logged data, also improving peformance when sanitize big amount of data.
* Improvements on Logging phase. It is possible now see full chains, distinguish between
simple rules, chain starters and chain nodes.
* Improvements on AutoTools usage.
* Improvements on pattern matching operators, pmf, pm and strmatch now supports more flexible
input data allowing any kind of special char.
* Improvements on SecRuleUpdateActionById to update chain nodes.
* Many bugs were fixed. Please see the ModSecurity Jira for more details
19 Mar 2010 - trunk
-------------------
* Added SecDisableBackendCompression, which disabled backend compression
while keeping the frontend compression enabled (assuming mod_deflate
in installed and configured in the proxy). [Ivan Ristic]
* Added REQUEST_BODY_LENGTH, which contains the number of request body
bytes read. [Ivan Ristic]
* Integrate with mod_log_config using the %{VARNAME}M format string.
(MODSEC-108) [Ivan Ristic]
* Replaced the previous time-measuring mechanism with a new one, which
provides the following information: request time, request duration,
phase duration (for all 5 phases), time spent dealing with persistent
storage, and time spent on audit logging. The new information is now
available in the Stopwatch2 audit log header. The Stopwatch header
remains for backward compatiblity, although it now only includes
the request time and request duration values. Added the following
variables: PERF_COMBINED, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3,
PERF_PHASE4, PERF_PHASE5, PERF_SREAD, PERF_SWRITE, PERF_LOGGING,
PERF_GC. [Ivan Ristic]
* Added DURATION, which contains the time ellapsed since the beginning
of the current transaction, in milliseconds. [Ivan Ristic]
* Adjusted phase 5 to execute just prior to mod_log_config. This should
allow phase 5 rules to to implement conditional logging, as well as
pave support for allowing access to all ModSecurity variables from
mog_log_config. [Ivan Ristic]
* Added the URLENCODED_ERROR flag, which is raised whenever invalid URL
encoding is encountered in the query string or in the request body
(but only if URLENCODED request body processor is used). (MODSEC-111)
[Ivan Ristic]
* Removed the obsolete PDF UXSS functionality. (MODSEC-96) [Ivan Ristic]
* Renamed normalisePath to normalizePath and normalisePathWin to
normalizePathWin. Kept the previous names for backward compatibility.
(MODSEC-103) [Ivan Ristic]
* Moved phase 1 to be run in the same Apache hook as phase 2. This means
that you can now have phase 1 rules in <Location> tags and, more
importantly, override server configuration in <Location> and others.
(MODSEC-98) [Ivan Ristic]
* Renamed the sanitise family of actions to sanitize. Kept the old variants
for backward compatibility. (MODSEC-95) [Ivan Ristic]
* Improve the logging of the ctl action. (MODSEC-99) [Ivan Ristic]
* Cleanup build files that were from the Apache source.
14 Feb 2010 - 2.5.13-dev1
-------------------------
* Cleaned up some mlogc code and debugging output.
* Remove the ability to use a relative path to a piped audit logger
(i.e. mlogc) as Apache does not support it in their piped loggers
and it was breaking Windows and probably other platforms that
use spaces in filesystem paths. Discovered by Tom Donovan.
* Fix memory leak freeing regex. Discovered by Tom Donovan.
* Fix some portability issues on Windows.
04 Feb 2010 - 2.5.12
--------------------
* Fixed SecUploadFileMode to set the correct mode.
* Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
* Added additional file info definitions introduced in APR 0.9.5 so that
build will work with older APRs (IBM HTTP Server v6).
* Added SecUploadFileLimit to limit the number of uploaded file parts that
will be processed in a multipart POST. The default is 100.
* Fixed path normalization to better handle backreferences that extend
above root directories. Reported by Sogeti/ESEC R&D.
* Trim whitespace around phrases used with @pmFromFile and allow
for both LF and CRLF terminated lines.
* Allow for more robust parsing for multipart header folding. Reported
by Sogeti/ESEC R&D.
* Fixed failure to match internally set TX variables with regex
(TX:/.../) syntax.
* Fixed failure to log full internal TX variable names and populate
MATCHED_VAR* vars.
* Enabled PCRE "studying" by default. This is now a configure-time option.
* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
aide in REDoS type attacks. A rule that goes over the limits will set
TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release
of ModSecurity (2.6.x) will move these flags to a dedicated collection.
* Reduced default PCRE match limits reducing impact of REDoS on poorly
written regex rules. Reported by Sogeti/ESEC R&D.
* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
* Update copyright to 2010.
* Reserved 700,000-799,999 IDs for Ivan Ristic.
* Fixed SecAction not working when CONNECT request method is used
(MODSEC-110). [Ivan Ristic]
* Do not escape quotes in macro resolution and only escape NUL in setenv
values.
04 Nov 2009 - 2.5.11
--------------------
* Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
set true if any invalid quoting is found during multipart parsing.
* Fixed parsing quoted strings in multipart Content-Disposition headers.
Discovered by Stefan Esser.
* Cleanup persistence database locking code.
* Added warning during configure if libcurl is found linked against
gnutls for SSL. The openssl lib is recommended as gnutls has
proven to cause issues with mutexes and may crash.
* Cleanup some mlogc (over)logging.
* Do not log output filter errors in the error log.
* Moved output filter to run before other stock filters (mod_deflate,
mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
in the response. Patch originally submitted by Ivan Ristic.
18 Sep 2009 - 2.5.10
--------------------
* Cleanup mlogc so that it builds on Windows.
* Added more detailed messages to replace "Unknown error" in filters.
* Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
auditlog permissions (especially with mpm-itk).
* Cleanup SecUploadFileMode implementation.
* Cleanup build scripts.
* Fixed crash on configuration if SecMarker is used before any rules.
* Fixed SecRuleUpdateActionById so that it will work on chain starters.
* Cleanup build system for mlogc.
* Allow mlogc to periodically flush memory pools.
* Using nolog,auditlog will now log the "Message:" line to the auditlog, but
nothing to the error log. Prior versions dropped the "Message:" line from
both logs. To do this now, just use "nolog" or "nolog,noauditlog".
* Forced mlogc to use SSLv3 to avoid some potential auto negotiation
issues with some libcurl versions.
* Fixed mlogc issue seen on big endian machines where content type
could be listed as zero.
* Removed extra newline from audit log message line when logging XML errors.
This was causing problems parsing audit logs.
* Fixed @pm/@pmFromFile case insensitivity.
* Truncate long parameters in log message for "Match of ... against ...
required" messages.
* Correctly resolve chained rule actions in logs.
* Cleanup some code for portability.
* AIX does not support hidden visibility with xlc compiler.
* Allow specifying EXTRA_CFLAGS during configure to override gcc specific
values for non-gcc compilers.
* Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
* Handle a newer geo database more gracefully, avoiding a potential crash for
new countries that ModSecurity is not yet aware.
* Allow checking &GEO "@eq 0" for a failed @geoLookup.
* Fixed mlogc global mutex locking issue and added more debugging output.
* Cleaned up build dependencies and configure options.
05 Mar 2009 - 2.5.9
-------------------
* Fixed parsing multipart content with a missing part header name which
would crash Apache. Discovered by "Internet Security Auditors"
(isecauditors.com).
* Added ability to specify the config script directly using --with-apr
and --with-apu.
* Updated copyright year to 2009.
* Added macro expansion for append/prepend action.
* Fixed race condition in concurrent updates of persistent counters. Updates
are now atomic.
* Cleaned up build, adding an option for verbose configure output and making
the mlogc build more portable.
21 Nov 2008 - 2.5.8
-------------------
* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the
Apache httpd process. Discovered by Steve Grubb at Red Hat.
* Removed an invalid "Internal error: Issuing "%s" for unspecified error."
message that was logged when denying with nolog/noauditlog set and
causing the request to be audited.
24 Sep 2008 - 2.5.7
-------------------
* Fixed XML DTD/Schema validation which will now fail after request body
processing errors, even if the XML parser returns a document tree.
* Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force
the REQUEST_BODY variable to be set when a request body processor is not set.
Previously the REQUEST_BODY target was only populated by the URLENCODED
request body processor.
* Integrated mlogc source.
* Fixed logging the hostname in the error_log which was logging the
request hostname instead of the Apache resolved hostname.
* Allow for disabling request body limit checks in phase:1.
* Added transformations for processing parity for legacy protocols ported
to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit
* Added t:cssDecode transformation to decode CSS escapes.
* Now log XML parsing/validation warnings and errors to be in the debug log
at levels 3 and 4, respectivly.
31 Jul 2008 - 2.5.6
-------------------
* Transformation caching has been deprecated, and is now off by default. We
now advise against using transformation caching in production.
* Fixed two separate transformation caching issues that could cause incorrect
content inspection in some circumstances.
* Fixed an issue with the transformation cache using too much RAM, potentially
crashing Apache with a large number of cache entries. Two new configuration
options have been added to allow for a finer control of caching:
maxitems: Max number of items to cache (default 1024)
incremental: Whether to cache incrementally (default off)
* Added an experimental regression testing suite. The regression suite may
be executed via "make test-regression", however it is strongly advised
to only be executed on a non-production machine as it will startup the
Apache web server that ModSecurity is compiled against with various
configurations in which it will run tests.
* Added a licensing exception so that ModSecurity can be used in a derivative
work when that derivative is also under an approved open source license.
* Updated mlogc to version 1.4.5 which adds a LockFile directive and fixes an
issue in which the configuration file may be deleted.
05 Jun 2008 - 2.5.5
-------------------
* Fixed an issue where an alert was not logged in the error log
unless "auditlog" was used.
* Enable the "auditlog" action by default to help prevent a misconfiguration.
The new default is now: "phase:2,log,auditlog,pass"
* Improve request body processing error messages.
* Handle lack of a new line after the final boundary in a multipart request.
This fixes the reported WordPress Flash file uploader problem.
* Fixed issue with multithreaded servers where concurrent XML processing
could crash the web server (at least under Windows).
* Fixed blocking in phase 3.
* Force modules "mod_rpaf-2.0.c" and "mod_custom_header.c" to run before
ModSecurity so that the correct IP is used.
07 May 2008 - 2.5.4
-------------------
* Fixed issue where transformation cache was using the SecDefaultAction
value even when t:none was used within a rule.
24 Apr 2008 - 2.5.3
-------------------
* Fixed issue where the exec action may not be able to execute shell scripts.
* Macros are now expanded in expirevar and deprecatevar.
* Fixed crash if a persistent variable name was more than 126 characters.
* Updated included Core Ruleset to version 1.6.1 which fixes some
false negative issues in the migration to using some 2.5 features.
02 Apr 2008 - 2.5.2
-------------------
* Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.
* Make sure temporary filehandles are closed after a transaction.
* Make sure the apache include directory is included during build.
02 Apr 2008 - 2.1.7
-------------------
* Make sure temporary filehandles are closed after a transaction.
14 Mar 2008 - 2.5.1
-------------------
* Fixed an issue where a match would not occur if transformation caching
was enabled.
* Using "severity" in a default action is now just a warning.
* Cleaned up the "make test" target to better locate headers/libraries.
* Now search /usr/lib64 and /usr/lib32 for lua libs.
* No longer treat warnings as errors by default (use --enable-strict-compile).
19 Feb 2008 - 2.5.0
-------------------
* Updated included Core Ruleset to version 1.6.0 which uses 2.5 features.
* Cleaned up and clarified some documentation.
* Updated code to be more portable so it builds with MS VC++.
* Added unit tests for most operators and transformations.
* Fixed crash on startup when ENV is improperly used without a parameter.
* Allow macro resolution in setenv action.
* The default action is now a minimal "phase:2,log,pass" with no default
transformations performed.
* Implemented SecUploadFileMode to allow setting the mode for uploaded files.
* Implemented "block" action.
* Implemented SecRuleUpdateActionById.
* Fixed removal of phase 5 rules via SecRuleRemoveBy* directives.
* No longer log the query portion of the URI in the error log as
it may contain sensitive data.
* Build is now 'configure' based: ./configure && make && make install
* Added support for Lua scripting in the following ways: SecRuleScript
can be used to specify a script to execute as a rule, the exec
action processes Lua scripts internally, as does the @inspectFile
operator. Refer to the documentation for more details.
* Changed how allow works. Used on its own it now allows phases 1-4. Used
with parameter "phase" (e.g. SecAction allow:phase) it only affects
the current phase. Used with parameter "request" it allows phases
1-2.
* Fixed issue where only the first phase 5 rule would run when the
request was intercepted in an earlier phase.
* Stricter configuration parsing. Disruptive actions, meta actions and
phases are no longer allowed in a chained rule. Disruptive actions,
are no longer allowed in a logging phase (phase 5) rule, including
inheriting from SecDefaultAction.
* More efficient collection persistance.
* Fixed t:escapeSeqDecode to better follow ANSI C escapes.
* Added t:jsDecode to decode JavScript escape sequences.
* Added IS_NEW built-in collection variables.
* New audit log part 'K' logs all matching rules.
* Implemented SecRequestBodyNoFilesLimit.
* Enhance handling of the case where we run out of disk space while
writing to audit log entry.
* Added SecComponentSignature to allow other components the ability
to append to the logged signature.
* Added skipAfter:<id> action to allow skipping all rules until a rule
with a specified ID is reached. Rule execution then continues after
the specified rule.
* Added SecMarker <id> directive to allow a fixed target for skipAfter.
* Added ctl:ruleRemoveById action to allow rule removal on a match.
* Added a @containsWord operator that will match a given string anywhere in
the target value, but only on word boundaries.
* Added a MATCHED_VAR_NAME variable to store the last matched variable name
so that it can be more easily used by rules.
* Added a MATCHED_VAR variable to store the last matched variable value
so that it can be more easily used by rules.
* Fixed expansion of macros when using relative changes with setvar. In
addition, added support for expanding macros in the variable name.
* Situations where ModSecurity will intercept, generate an error or log
a level 1-3 message to the debug log are now marked as 'relevant' and may
generate an audit log entry.
* Fixed deprecatevar:var=N/S action so that it decrements N every S seconds
as documented instead of decrementing by a rate.
* Enable ModSecurity to look at partial response bodies. In previous
versions, ModSecurity would respond with status code 500 when the
response body was too long. Now, if SecResponseBodyLimitAction is
set to "ProcessPartial", it will process the part of the response
body received up until that point but send the rest without buffering.
* ModSecurity will now process phases 3 and 4 even when request processing
is interrupted (either by Apache - e.g. by responding with 400, 401
or 403, or by ModSecurity itself).
* Fixed the base64decode transformation function to not return extra
characters at the end.
* Return from the output filter with an error in addition to setting