From 77403a7a5751987f1d84129608bd2776de2064d8 Mon Sep 17 00:00:00 2001 From: amonachesi <166665355+amonachesi@users.noreply.github.com> Date: Thu, 29 Aug 2024 02:24:01 +0200 Subject: [PATCH 1/4] Blog post on releases 4.6.0 and 3.3.6 --- ...ions-4-6-0-and-3-3-6-have-been-released.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md diff --git a/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md b/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md new file mode 100644 index 0000000..327fa9a --- /dev/null +++ b/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md 
@@ -0,0 +1,28 @@ +--- +title: CRS Versions 4.6.0 and 3.3.6 have been released +date: 2024-08-29 +author: amonachesi +categories: + - Blog +--- +We have recently released version [4.6.0](https://github.com/coreruleset/coreruleset/releases/tag/v4.6.0) for CRS 4, fixing a serious problem. As this problem affects CRS 3 as well, we also did a backport release for v3. ([3.3.6](https://github.com/coreruleset/coreruleset/releases/tag/v3.3.6)). + +The new releases tackle two multipart file upload bypass methods that were reported by [@luelueking](https://github.com/luelueking): + +1. Wrapping the Content-Disposition with non-printable characters like \x0e (e.g. “%0e Content-Disposition %0e”) may allow the header to go undetected by the WAF engine as it may not be correctly parsed. +2. Inserting the character \ in a filename (e.g. “1.j\s\p”) may let the filename go undetected. + +The fixes introduced in both versions are the same: + +1. We have added a new rule 922130 which checks if any multipart header contains a non-ASCII character (v4: [#3796](https://github.com/coreruleset/coreruleset/pull/3796); v3: [#3797](https://github.com/coreruleset/coreruleset/pull/3797)). +2. The use of backslashes in file names is prevented (v4: [#3799](https://github.com/coreruleset/coreruleset/pull/3799), v3: [#3800](https://github.com/coreruleset/coreruleset/pull/3800)). + +Thanks to @luelueking for bringing this to our attention. 
+ +Release 4.6.0 contains other features and fixes like + +- a rule to detect bash tilde expansions by [@Xhoenix](https://github.com/Xhoenix) ([#3765](https://github.com/coreruleset/coreruleset/pull/3765)) +- the addition of the .pem format to the restricted file extensions by [@EsadCetiner](https://github.com/EsadCetiner) ([#3789](https://github.com/coreruleset/coreruleset/pull/3789)) +- the removal of unnecessary chain rule and capture in rule 921180 by [@EsadCetiner](https://github.com/EsadCetiner) ([#3787](https://github.com/coreruleset/coreruleset/pull/3787)) +- a fix for rule 942160 by checking against REQUEST_FILENAME by [@mat1010](https://github.com/mat1010) ([#3782](https://github.com/coreruleset/coreruleset/pull/3782)) +- an update of rule 932270's version variable by [@airween](https://github.com/airween) ([#3786](https://github.com/coreruleset/coreruleset/pull/3786)) \ No newline at end of file From f9f2fa3cc00231f27224d69254f7a10fbf5d4dc4 Mon Sep 17 00:00:00 2001 From: amonachesi <166665355+amonachesi@users.noreply.github.com> Date: Thu, 29 Aug 2024 02:57:59 +0200 Subject: [PATCH 2/4] Update 2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md --- ...ions-4-6-0-and-3-3-6-have-been-released.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md b/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md index 327fa9a..f168090 100644 --- a/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md +++ b/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md 
@@ -1,28 +1,28 @@ ---- -title: CRS Versions 4.6.0 and 3.3.6 have been released -date: 2024-08-29 -author: amonachesi -categories: - - Blog ---- +--- +title: CRS versions 4.6.0 and 3.3.6 have been released +date: 2024-08-29 +author: amonachesi +categories: + - Blog +--- We have recently released version [4.6.0](https://github.com/coreruleset/coreruleset/releases/tag/v4.6.0) for CRS 4, fixing a serious problem. As this problem affects CRS 3 as well, we also did a backport release for v3. ([3.3.6](https://github.com/coreruleset/coreruleset/releases/tag/v3.3.6)). - -The new releases tackle two multipart file upload bypass methods that were reported by [@luelueking](https://github.com/luelueking): + +The new releases tackle two multipart file upload bypass methods that were reported by [@luelueking](https://github.com/luelueking): 1. Wrapping the Content-Disposition with non-printable characters like \x0e (e.g. “%0e Content-Disposition %0e”) may allow the header to go undetected by the WAF engine as it may not be correctly parsed. 2. Inserting the character \ in a filename (e.g. “1.j\s\p”) may let the filename go undetected. The fixes introduced in both versions are the same: - + 1. We have added a new rule 922130 which checks if any multipart header contains a non-ASCII character (v4: [#3796](https://github.com/coreruleset/coreruleset/pull/3796); v3: [#3797](https://github.com/coreruleset/coreruleset/pull/3797)). 2. The use of backslashes in file names is prevented (v4: [#3799](https://github.com/coreruleset/coreruleset/pull/3799), v3: [#3800](https://github.com/coreruleset/coreruleset/pull/3800)). Thanks to @luelueking for bringing this to our attention. 
Release 4.6.0 contains other features and fixes like - + - a rule to detect bash tilde expansions by [@Xhoenix](https://github.com/Xhoenix) ([#3765](https://github.com/coreruleset/coreruleset/pull/3765)) - the addition of the .pem format to the restricted file extensions by [@EsadCetiner](https://github.com/EsadCetiner) ([#3789](https://github.com/coreruleset/coreruleset/pull/3789)) - the removal of unnecessary chain rule and capture in rule 921180 by [@EsadCetiner](https://github.com/EsadCetiner) ([#3787](https://github.com/coreruleset/coreruleset/pull/3787)) - a fix for rule 942160 by checking against REQUEST_FILENAME by [@mat1010](https://github.com/mat1010) ([#3782](https://github.com/coreruleset/coreruleset/pull/3782)) -- an update of rule 932270's version variable by [@airween](https://github.com/airween) ([#3786](https://github.com/coreruleset/coreruleset/pull/3786)) \ No newline at end of file +- an update of rule 932270's version variable by [@airween](https://github.com/airween) ([#3786](https://github.com/coreruleset/coreruleset/pull/3786)) From a8ba2df3128fd961b0ba2cb94ceecf494c44735c Mon Sep 17 00:00:00 2001 From: amonachesi <166665355+amonachesi@users.noreply.github.com> Date: Thu, 29 Aug 2024 12:08:15 +0200 Subject: [PATCH 3/4] Update 2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md Added call to update --- ...024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md b/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md index f168090..a8c0720 100644 --- a/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md +++ b/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md 
@@ -26,3 +26,5 @@ Release 4.6.0 contains other features and fixes like - the removal of unnecessary chain rule and capture in rule 921180 by [@EsadCetiner](https://github.com/EsadCetiner) ([#3787](https://github.com/coreruleset/coreruleset/pull/3787)) - a fix for rule 942160 by checking against REQUEST_FILENAME by [@mat1010](https://github.com/mat1010) ([#3782](https://github.com/coreruleset/coreruleset/pull/3782)) - an update of rule 932270's version variable by [@airween](https://github.com/airween) ([#3786](https://github.com/coreruleset/coreruleset/pull/3786)) + +All users are requested to update to the new releases. From ba72c779d47b4988a30ca3a5165cff89455c980e Mon Sep 17 00:00:00 2001 From: amonachesi <166665355+amonachesi@users.noreply.github.com> Date: Thu, 29 Aug 2024 13:06:28 +0200 Subject: [PATCH 4/4] Update 2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md --- ...4-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md b/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md index a8c0720..19ffc59 100644 --- a/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md +++ b/content/blog/2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md 
@@ -5,7 +5,7 @@ author: amonachesi categories: - Blog --- -We have recently released version [4.6.0](https://github.com/coreruleset/coreruleset/releases/tag/v4.6.0) for CRS 4, fixing a serious problem. As this problem affects CRS 3 as well, we also did a backport release for v3. ([3.3.6](https://github.com/coreruleset/coreruleset/releases/tag/v3.3.6)). +We have recently released version [4.6.0](https://github.com/coreruleset/coreruleset/releases/tag/v4.6.0) for CRS 4, fixing a serious problem. As this problem affects CRS 3 as well, we also did a backport release for v3. ([3.3.6](https://github.com/coreruleset/coreruleset/releases/tag/v3.3.6)). All users are requested to update to the new releases. The new releases tackle two multipart file upload bypass methods that were reported by [@luelueking](https://github.com/luelueking): @@ -26,5 +26,3 @@ Release 4.6.0 contains other features and fixes like - the removal of unnecessary chain rule and capture in rule 921180 by [@EsadCetiner](https://github.com/EsadCetiner) ([#3787](https://github.com/coreruleset/coreruleset/pull/3787)) - a fix for rule 942160 by checking against REQUEST_FILENAME by [@mat1010](https://github.com/mat1010) ([#3782](https://github.com/coreruleset/coreruleset/pull/3782)) - an update of rule 932270's version variable by [@airween](https://github.com/airween) ([#3786](https://github.com/coreruleset/coreruleset/pull/3786)) - -All users are requested to update to the new releases.
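Review bot: In PATCH 1/4 (the hunk that creates the post), fix 1 is described as a rule that "checks if any multipart header contains a non-ASCII character", but the bypass it is said to address uses \x0e, which is an ASCII control character (byte 0x0E), not a non-ASCII byte. Please check against rule 922130 whether it matches non-ASCII bytes, non-printable/control characters, or both, and word the post accordingly; as written, a careful reader will conclude the new rule does not cover the reported case. The same hunk ends with `\ No newline at end of file`; add the trailing newline here rather than in a follow-up commit.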
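Review bot: PATCH 2/4 removes and re-adds every front-matter line and several body lines with content that looks identical, which is the shape of a line-ending or trailing-whitespace normalisation; the only visible wording change is "Versions" to "versions" in the title, plus the trailing newline. None of that is stated in the commit message "Update 2024-08-29-crs-versions-4-6-0-and-3-3-6-have-been-released.md". Please give the commit a message that names the intent (for example "Normalise whitespace, lower-case title, add trailing newline") so the purpose of a whole-file diff survives in history.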
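Review bot: PATCH 4/4 deletes the sentence "All users are requested to update to the new releases." that PATCH 3/4 appended at the end of the post and re-adds it to the opening paragraph; apart from the final placement the two commits cancel each other out. Squash them into one commit that keeps the first-paragraph placement (the right spot for the update call on a post about a bypass fix), and replace the generic "Update <filename>" subject with one that says what changed.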