Apache Lounge forum, News & Hangout
Topic: ModSecurity 2.5.12 released

Author: Steffen (Moderator)
Joined: 15 Oct 2005
Posts: 3053
Location: Hilversum, NL, EU

Posted: Mon 08 Feb '10 21:45    Post subject: ModSecurity 2.5.12 released

ModSecurity 2.5.12 is now available at the download page. To also get the new functions on Windows, it is built against PCRE 7.9. Do not forget to copy the included pcre.dll, see Readme.txt.

This release fixes several important issues to help prevent a detection bypass and denial of service attacks against ModSecurity. Many thanks to the Sogeti/ESEC R&D team for sending us the results of their code review. In addition, this release fixes quite a few small but notable bugs and includes the latest Core Ruleset (v2.0.5).

It is highly recommended that you upgrade to ModSecurity 2.5.12, but there are some changes you need to watch out for.

Notable changes which may impact an upgrade:

* PCRE match limits are substantially lowered by default. If you have custom rules that are resulting in "PCRE limits exceeded", then you may have to adjust SecPcreMatchLimit* directives or modify your regex.

* PCRE "studying" is now on by default. This allows for extra checks when compiling a regex for optimization.

* A new form of processing flags has been introduced. ModSecurity processing flags may indicate an issue or inconsistency when processing a transaction. These flags have been placed in the TX collection so that they maintain backwards compatibility. Each of these flags is prefixed with "MSC_". If you are using this prefix, then you may have false positives and will need to change to another prefix. Currently there is just one flag, TX:MSC_PCRE_LIMITS_EXCEEDED, being used. See the documentation on the TX and SecPcreMatchLimit* directives for more information.

* ModSecurity will now (by default) not process more than 100 file uploads. This can be overridden via SecUploadFileLimit. You are encouraged to *lower* the limit if you do not allow mass uploads of files on your site.

* The @pmFromFile operator will now trim whitespace from both sides of the phrase (line) when reading in the list of phrases. If you have used whitespace as a left or right boundary in custom rules, then you will need to replace the boundary with a non-whitespace character.



Steffen


Change log 2.5.12

* Fixed SecUploadFileMode to set the correct mode.

* Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.

* Added additional file info definitions introduced in APR 0.9.5 so that build will work with older APRs (IBM HTTP Server v6).

* Added SecUploadFileLimit to limit the number of uploaded file parts that will be processed in a multipart POST. The default is 100.

* Fixed path normalization to better handle backreferences that extend above root directories. Reported by Sogeti/ESEC R&D.

* Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines.

* Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D.

* Fixed failure to match internally set TX variables with regex (TX:/.../) syntax.

* Fixed failure to log full internal TX variable names and populate MATCHED_VAR* vars.

* Enabled PCRE "studying" by default. This is now a configure-time option.

* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to aid in REDoS type attacks. A rule that goes over the limits will set TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release of ModSecurity (2.6.x) will move these flags to a dedicated collection.

* Reduced default PCRE match limits reducing impact of REDoS on poorly written regex rules. Reported by Sogeti/ESEC R&D.

* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.

* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

* Update copyright to 2010.

* Reserved 700,000-799,999 IDs for Ivan Ristic.

* Fixed SecAction not working when CONNECT request method is used (MODSEC-110). [Ivan Ristic]

* Do not escape quotes in macro resolution and only escape NUL in setenv values.
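Putting the directives from the upgrade notes above together, as an added example configuration that is not from this post or from the ModSecurity project: it sets the PCRE and upload limits, logs the new TX:MSC_PCRE_LIMITS_EXCEEDED flag so that a regex that hit the limits (and therefore did not finish matching) is visible in the logs, and uses a @pmFromFile phrase list. The numeric limit values, the rule ids, the phrase file name blocked-agents.txt and the assumption that the flag is set to the value 1 are all assumptions, not taken from the post.

```apache
# Added example (not from the post). Directive names are those named in the
# 2.5.12 release notes; the values below are illustrative, not the defaults.
SecRuleEngine On

# Backtracking limits for PCRE. 2.5.12 lowers the defaults; a rule whose regex
# exceeds them stops matching and sets TX:MSC_PCRE_LIMITS_EXCEEDED instead.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# 2.5.12 processes at most 100 file parts per multipart POST by default.
# A site that does not accept bulk uploads can lower this further.
SecUploadFileLimit 10

# Log every transaction in which a rule hit the PCRE limits. Checked in the
# logging phase (5), so it fires regardless of which earlier rule tripped it.
# Assumption: the flag is set to 1 when the limits are exceeded.
# The id 1001 is an arbitrary local rule id chosen for this example.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "phase:5,id:1001,t:none,pass,log,msg:'PCRE match limits exceeded; a rule regex did not complete'"

# Phrase list read by @pmFromFile. Since 2.5.12 each line is trimmed of
# leading/trailing whitespace, so every phrase in blocked-agents.txt must
# start and end with a non-whitespace character. The file name is an assumption.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile blocked-agents.txt" \
    "phase:1,id:1002,t:none,t:lowercase,deny,status:403,log,msg:'User-Agent matched phrase list'"
```

After an upgrade, grepping the error or audit log for the rule 1001 message is a quick way to find custom rules whose regexes need to be rewritten or whose SecPcreMatchLimit* values need adjusting.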