mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-08-13 21:36:00 +03:00
263 lines
11 KiB
Plaintext
263 lines
11 KiB
Plaintext
--------------------------
|
|
Version 1.6.1 - 2008/04/22
|
|
--------------------------
|
|
|
|
- Fixed a bug where phases and transformations where not specified explicitly
|
|
in rules. The issue affected a significant number of rules, and we strongly
|
|
recommend to upgrade.
|
|
|
|
--------------------------
|
|
Version 1.6.0 - 2008/02/19
|
|
--------------------------
|
|
|
|
New Rulesets & Features:
|
|
- 42 - Tight Security
|
|
This ruleset contains currently 2 rules which are considered highly prone
|
|
to FPs. They take care of Path Traversal attacks, and RFI attacks. This
|
|
ruleset is included in the optional_rulesets dir
|
|
- 42 - Comment Spam
|
|
Comment Spam is used by the spammers to increase their rating in search
|
|
engines by posting links to their site in other sites that allow posting
|
|
of comments and messages. The rules in this ruleset will work against that.
|
|
(Requires ModSecurity 2.5)
|
|
- Tags
|
|
A single type of attack is often detected by multiple rules. The new alert
|
|
classification tags solve this issue by providing an alternative alert type
|
|
indication and can serve for filtering and analysis of audit logs.
|
|
The classification tags are hierarchical with slashes separating levels.
|
|
Usually there are two levels with the top level describing the alert group
|
|
and the lower level denoting the alert type itself, for example:
|
|
WEB_ATTACK/SQL_INJECTION.
|
|
|
|
False Positives Fixes:
|
|
- Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
|
|
- Rule 950107 - Will look for invalid url decoding in variables that are not
|
|
automatically url decoded
|
|
|
|
Additional rules logic:
|
|
- Using the new "logdata" action for logging the matched signature in rules
|
|
- When logging an event once, init the collection only if the alert needs to log
|
|
- Using the new operator @pm as a qualifier before large rules to enhance
|
|
performance (Requires ModSecurity 2.5)
|
|
- SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
|
|
only 1=1. (Thanks to Marc Stern for the idea)
|
|
- New XSS signatures - iframe & flash XSS
|
|
|
|
|
|
-------------------------
|
|
Version 1.5.1 - 2007/12/6
|
|
-------------------------
|
|
|
|
False Positives Fixes:
|
|
- Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)
|
|
|
|
New Events:
|
|
- 960019 - Detect HTTP/0.9 Requests
|
|
HTTP/0.9 request are not common these days. This rule will log by default,
|
|
and block in the blocking version of file 21
|
|
|
|
Other Fixes:
|
|
- File 40, Rules 950004,950005 - Repaired the correction for the double
|
|
url decoding problem
|
|
- File 55 contained empty regular expressions. Fixed.
|
|
|
|
------------------------
|
|
Version 1.5 - 2007/11/23
|
|
------------------------
|
|
|
|
New Rulesets:
|
|
- 23 - Request Limits
|
|
"Judging by appearances". This rulesets contains rules blocking based on
|
|
the size of the request, for example, a request with too many arguments
|
|
will be denied.
|
|
|
|
Default policy changes:
|
|
- XML protection off by default
|
|
- BLOCKING dir renamed to optional_rules
|
|
- Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
|
|
- Ruleset 21 - The exception for apache internal monitor will not log anymore
|
|
|
|
New Events:
|
|
- 960912 - Invalid request body
|
|
Malformed content will not be parsed by modsecurity, but still there might
|
|
be applications that will parse it, ignoring the errors.
|
|
- 960913 - Invalid Request
|
|
Will trigger a security event when request was rejected by apache with
|
|
code 400, without going through ModSecurity rules.
|
|
|
|
Additional rules logic:
|
|
- 950001 - New signature: delete from
|
|
- 950007 - New signature: waitfor delay
|
|
|
|
False Positives Fixes:
|
|
- 950006 - Will not be looking for /cc pattern in User-Agent header
|
|
- 950002 - "Internet Explorer" signature removed
|
|
- Double decoding bug used to cause FPs. Some of the parameters are already
|
|
url-decoded by apache. This caused FPs when the rule performed another
|
|
url-decoding transformation. The rules have been split so that parameters
|
|
already decoded by apache will not be decoded by the rules anymore.
|
|
- 960911 - Expression is much more permissive now
|
|
- 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
|
|
then you should uncomment this rule (in file 20)
|
|
|
|
--------------------------
|
|
version 1.4.3 - 2007/07/21
|
|
--------------------------
|
|
|
|
New Events:
|
|
- 950012 - HTTP Request Smuggling
|
|
For more info on this attack:
|
|
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
|
|
- 960912 - Invalid request body
|
|
Malformed content will not be parsed by modsecurity, but still there might
|
|
be applications that will parse it, ignoring the errors.
|
|
- 960913 - Invalid Request
|
|
Will trigger a security event when request was rejected by apache with
|
|
code 400, without going through ModSecurity rules.
|
|
|
|
False Positives Fixes:
|
|
- 950107 - Will allow a % sign in the middle of a string as well
|
|
- 960911 - A more accurate expression based on the rfc:
|
|
http://www.ietf.org/rfc/rfc2396.txt
|
|
- 950015 - Will not look for http/ pattern in the request headers
|
|
|
|
Additional rules logic:
|
|
- Since Apache applies scope directives only after ModSecurity phase 1
|
|
this directives cannot be used to exclude phase 1 rules. Therefore
|
|
we moved all inspection rules to phase 2.
|
|
|
|
|
|
--------------------------------
|
|
version 1.4 build 2 - 2007/05/17
|
|
--------------------------------
|
|
|
|
New Feature:
|
|
- Search for signatures in XML content
|
|
XML Content will be parsed and ispected for signatures
|
|
|
|
New Events:
|
|
- 950116 - Unicode Full/Half Width Abuse Attack Attempt
|
|
Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden
|
|
http://www.kb.cert.org/vuls/id/739224
|
|
- 960911 - Invalid HTTP request line
|
|
Enforce request line to be valid, i.e.: <METHOD> <path> <HTTP version>
|
|
- 960904 - Request Missing Content-Type (when there is content)
|
|
When a request contains content, the content-type must be specified. If not, the content will not be inspected
|
|
- 970018 - IIS installed in default location (any drive)
|
|
Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)
|
|
- 950019 - Email Injection
|
|
Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails
|
|
|
|
Regular expressions fixes:
|
|
- Further optimization of some regular expressions (using the non-greediness operator)
|
|
The non-greediness operator, <?>, prevents excessive backtracking
|
|
|
|
FP fixes:
|
|
- Rule 950107 - Will allow a parameter to end in a % sign from now on
|
|
|
|
------------------------
|
|
version 1.4 - 2007/05/02
|
|
------------------------
|
|
|
|
New Events:
|
|
- 970021 - WebLogic information disclosure
|
|
Matching of "<title>JSP compile error</title>" in the response body, will trigger this rule, with severity 4 (Warning)
|
|
- 950015,950910,950911 - HTTP Response Splitting
|
|
Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper:
|
|
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
|
|
ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
|
|
- 960902 - Content-Encoding in request not supported
|
|
Any incoming compressed request will be denied
|
|
- 960903 - Content-Encoding in response not suppoted
|
|
An outgoing compressed response will be logged to alert, but ONLY ONCE.
|
|
|
|
False Positives Fixes:
|
|
- Removed <.exe>,<.shtml> from restricted extensions
|
|
- Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
|
|
- Excluded Referer header from SQL injection, XSS and command injection rules
|
|
- Excluded X-OS-Prefs header from command injection rule
|
|
- Will be looking for command injection signatures in
|
|
REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
|
|
- Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type
|
|
|
|
Additional rules logic:
|
|
- Corrected match of OPTIONS method in event 960015
|
|
- Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
|
|
- Moved all rules apart from method inspection from phase 1 to phase 2 -
|
|
This will enable viewing content if such a rule triggers as well as setting
|
|
exceptions using Apache scope tags.
|
|
- Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
|
|
- Added 1=1 signature (SQL Injection)
|
|
|
|
--------------------------------
|
|
version 1.3.2 build 4 2007/01/17
|
|
--------------------------------
|
|
|
|
Fixed apache 2.4 dummy requests exclusion
|
|
Added persistent PDF UXSS detection rule
|
|
|
|
--------------------------------
|
|
Version 1.3.2 build 3 2007/01/10
|
|
--------------------------------
|
|
|
|
Fixed regular expression in rule 960010 (file #30) to allow multipart form data
|
|
content
|
|
|
|
--------------------------
|
|
Version 1.3.2 - 2006/12/27
|
|
--------------------------
|
|
|
|
New events:
|
|
- 960037 Directory is restricted by policy
|
|
- 960038 HTTP header is restricted by policy
|
|
|
|
Regular expressions fixes:
|
|
- Regular expressions with @ at end of beginning (for example "@import)
|
|
- Regular expressions with un-escaped "."
|
|
- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
|
|
- The command injection wget is not searched in the UA header as it has different meaning there.
|
|
- LDAP Fixed to reduce FPs:
|
|
+ More accurate regular expressions
|
|
+ high bit characters not accpeted between signature tokens.
|
|
- Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
|
|
- Removed Java from automation UA
|
|
- When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"
|
|
|
|
Additional rules logic:
|
|
- Checks for empty headers in addition to missing ones (Host, Accept and User-Agent)
|
|
- OPTIONS method does not require an accept header.
|
|
- Apache keep alive request exception.
|
|
- PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
|
|
- Validate byte range checks by default only that no NULL char exists.
|
|
- Added CSS to allowed extensions in strict rule sets.
|
|
- Changed default action in file #50 to pass instead of deny.
|
|
- Moved IP host header from protocol violations to protocol anomalies.
|
|
|
|
Modified descriptions:
|
|
- 950107: URL Encoding Abuse Attack Attempt
|
|
- 950801: UTF8 Encoding Abuse Attack Attempt
|
|
- Added matched pattern in many events using capture and %{TX.0}
|
|
- Added ctl:auditLogParts=+E for outbound events and attacks to collect response.
|
|
|
|
------------------------
|
|
Version 1.2 - 2006/11/19
|
|
------------------------
|
|
|
|
Changes:
|
|
+ Move all events to the range of events allocated to Thinking Stone, now Breach
|
|
by prefixing all event IDs with "9".
|
|
+ Reverse severities to follow the Syslog format used by ModSecurity, now 1 is
|
|
the highest and 5 the lowest.
|
|
|
|
Bug fixes:
|
|
+ Removed quotes from list of mime types inspected on exit (directive
|
|
SecResponseBodyMimeType)
|
|
+ Corrected "cd .." signature. Now the periods are escaped.
|
|
+ Too many FPs with events 950903 & 950905. Commented them out until fixed.
|
|
|
|
------------------------
|
|
Version 1.1 - 2006/10/18
|
|
------------------------
|
|
|
|
Initial version
|