Update CHANGES

2026-01-14 23:47:11 +03:00 · 2012-06-08 15:29:11 +00:00
parent 33c73a7ef5
commit c0896c3ae6
1 changed files with 7 additions and 0 deletions
--- a/7
+++ b/7
@@ -1,3 +1,10 @@
+08 Jun 2012 - 2.6.6
+-------------------
+
+ * In 2009, Stefan Esser published an evasion technique that relies on the use of single quotes and PHP.
+   The trick was treating a request parameter as a file. A patch was applied into ModSecurity 2.5.11 by Brian Rectanus.
+   Ivan Ristic reported that the patch was imcomplete. We added extra checks for this evasion.
+
 20 Mar 2012 - 2.6.5
 -------------------