Topic: ModSecurity 2.5.11 released

Author: Steffen, Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sat 07 Nov '09 12:25 Post subject: ModSecurity 2.5.11 released

ModSecurity 2.5.11 is now available, built with the newest Windows SDK v7.0 and against the newest libxml2-2.7.4.
This release fixes a multipart parsing issue that has the potential to allow bypassing the rules engine. This bypass can be avoided via some simple rules, however. Other changes include a rules update (CRS 2.0.3) and some minor cleanup in build, mlogc, persistence and the output filter ordering.
By using non-standard (but accepted by some platforms) quoting, ModSecurity may be fooled into thinking some parameters are uploaded files. A working example was presented at POC2009. To mitigate this, the following rules (also included in the latest CRS v2.0.3, included with ModSecurity 2.5.11) are recommended until you can update to ModSecurity 2.5.11:
# Identify multipart/form-data name evasion attempts
SecRule FILES "['\";=]" \
"phase:2,deny,log,t:none,\
msg:'Attempted multipart/form-data bypass'"
SecRule FILES_NAMES "['\";=]" \
"phase:2,deny,log,t:none,\
msg:'Attempted multipart/form-data bypass'"
Steffen
Change log 2.5.11
* Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
  set true if any invalid quoting is found during multipart parsing.
* Fixed parsing quoted strings in multipart Content-Disposition headers.
  Discovered by Stefan Esser.
* Cleanup persistence database locking code.
* Added warning during configure if libcurl is found linked against
  gnutls for SSL. The openssl lib is recommended as gnutls has
  proven to cause issues with mutexes and may crash.
* Cleanup some mlogc (over)logging.
* Do not log output filter errors in the error log.
* Moved output filter to run before other stock filters (mod_deflate,
  mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
  in the response. Patch originally submitted by Ivan Ristic.
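
An added example, not part of the original post and not ModSecurity code: a Python replay of the interim rules' character class over the field names and file names of the file parts in a constructed multipart/form-data body. The strict `key="value"` parsing and the "unparsed" verdict are assumptions of this example, not ModSecurity's parser.

```python
import re

# Character class copied from the SecRule pattern ['\";=] in the post.
EVASION_CHARS = re.compile(r"""['";=]""")
# Assumption of this example: only ;key="value" pairs count as well-formed.
PARAM = re.compile(r';\s*([A-Za-z-]+)="((?:[^"\\]|\\.)*)"\s*')

def parse_disposition(value):
    """Return (params, leftover) for a Content-Disposition header value."""
    _, sep, rest = value.partition(";")
    rest = sep + rest
    params = {k.lower(): v for k, v in PARAM.findall(rest)}
    return params, PARAM.sub("", rest).strip()

def audit_uploads(body, boundary):
    """Return (field name, file name, verdict) for each file part."""
    results = []
    for part in body.split(b"--" + boundary):
        head = part.partition(b"\r\n\r\n")[0].decode("latin-1")
        for line in head.split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip().lower() != "content-disposition":
                continue
            params, leftover = parse_disposition(value)
            if leftover:  # refuse to guess at anything not strictly quoted
                results.append((None, None, "unparsed"))
            elif "filename" in params:  # file parts feed FILES / FILES_NAMES
                hit = any(EVASION_CHARS.search(params.get(k, ""))
                          for k in ("name", "filename"))
                results.append((params.get("name"), params["filename"],
                                "deny" if hit else "pass"))
    return results

# Constructed sample input, not captured traffic.
BOUNDARY = b"example-boundary"
DISPOSITIONS = [
    'form-data; name="comment"',
    'form-data; name="avatar"; filename="photo.png"',
    'form-data; name="doc"; filename="Bob\'s report.pdf"',
    'form-data; name="notes"; filename=notes.txt',
]
SAMPLE = b"".join(
    b"--" + BOUNDARY + b"\r\nContent-Disposition: " + d.encode()
    + b"\r\n\r\n(data)\r\n" for d in DISPOSITIONS
) + b"--" + BOUNDARY + b"--\r\n"

if __name__ == "__main__":
    for row in audit_uploads(SAMPLE, BOUNDARY):
        print(row)
```

The "deny" on the apostrophe in the third part shows that the interim rules also reject ordinary file names containing any of those four characters, which is worth checking against real upload traffic before deploying them with `deny`.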