We have recently released version 4.6.0 of CRS 4, fixing a serious problem. As this problem affects CRS 3 as well, we also did a backport release for v3 (3.3.6). All users are requested to update to the new releases.
The new releases tackle two multipart file upload bypass methods that were reported by @luelueking:
- Wrapping the Content-Disposition with non-printable characters like \x0e (e.g. “%0e Content-Disposition %0e”) may allow the header to go undetected by the WAF engine as it may not be correctly parsed.
- Inserting the backslash character (\) in a filename (e.g. “1.j\s\p”) may let the filename go undetected.
The fixes introduced in both versions are the same:
- We have added a new rule 922130 which checks if any multipart header contains a non-ASCII character (v4: #3796; v3: #3797).
- The use of backslashes in file names is prevented (v4: #3799, v3: #3800).
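To make the two checks above concrete, here is an added, stand-alone Python illustration written for this post; it is not the CRS rule set itself (CRS rules are written in SecLang, and the exact logic of rule 922130 is not reproduced here). It splits a constructed multipart/form-data body into its parts, flags any part whose header block contains a control byte such as \x0e or a byte outside ASCII, and flags any filename parameter containing a backslash. The boundary string, field names and sample bodies are constructed for the example.

```python
import re

# Constructed boundary for the sample bodies (not taken from the original post).
BOUNDARY = b"demoBoundary42"


def split_part_headers(body: bytes, boundary: bytes) -> list[bytes]:
    """Return the raw header block of each part in a multipart/form-data body."""
    delim = b"--" + boundary
    headers = []
    for chunk in body.split(delim)[1:]:  # drop the preamble before the first delimiter
        if chunk.startswith(b"--"):      # "--boundary--" closes the body
            break
        chunk = chunk.lstrip(b"\r\n")
        head, _sep, _data = chunk.partition(b"\r\n\r\n")
        headers.append(head)
    return headers


def header_has_suspicious_bytes(header: bytes) -> bool:
    """True if the header block holds a control byte (other than TAB/CR/LF) or a byte >= 0x80.

    This works on raw bytes on purpose: a header wrapped in \x0e may never be
    recognised as "Content-Disposition" by a line-oriented parser, so the check
    must not depend on the header having been parsed correctly.
    """
    return any(b >= 0x80 or (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) for b in header)


# Captures the value of a filename= or filename*= parameter, quoted or not.
_FILENAME_RE = re.compile(rb'filename\*?=\s*"?([^";\r\n]*)"?', re.IGNORECASE)


def filenames_of(header: bytes) -> list[bytes]:
    """All filename parameter values found in a part's header block."""
    return _FILENAME_RE.findall(header)


def inspect_multipart(body: bytes, boundary: bytes) -> list[str]:
    """Return a list of findings; an empty list means the body passed both checks."""
    findings = []
    for idx, head in enumerate(split_part_headers(body, boundary)):
        if header_has_suspicious_bytes(head):
            findings.append(f"part {idx}: non-printable or non-ASCII byte in multipart header")
        for name in filenames_of(head):
            if b"\\" in name:
                findings.append(f"part {idx}: backslash in filename {name!r}")
    return findings


def build_body(disposition_line: bytes, data: bytes = b"hello") -> bytes:
    """Assemble a one-part body around the given Content-Disposition line (constructed sample)."""
    return (b"--" + BOUNDARY + b"\r\n"
            + disposition_line + b"\r\n"
            + b"Content-Type: application/octet-stream\r\n\r\n"
            + data + b"\r\n"
            + b"--" + BOUNDARY + b"--\r\n")


# Constructed samples: a normal upload, the \x0e-wrapped header, and the backslash filename.
BENIGN = build_body(b'Content-Disposition: form-data; name="f"; filename="1.jpg"')
WRAPPED = build_body(b'\x0eContent-Disposition\x0e: form-data; name="f"; filename="1.jpg"')
BACKSLASH = build_body(b'Content-Disposition: form-data; name="f"; filename="1.j\\s\\p"')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("wrapped", WRAPPED), ("backslash", BACKSLASH)):
        print(label, inspect_multipart(sample, BOUNDARY) or ["clean"])
```

The byte-level header check is the key design choice: it does not rely on the engine having identified the header by name, which is exactly what the \x0e wrapping defeats, and the filename check is applied to whatever value follows filename= rather than to a normalised or decoded form.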
Thanks to @luelueking for bringing this to our attention.
Release 4.6.0 also contains other features and fixes, such as:
- a rule to detect bash tilde expansions by @Xhoenix (#3765)
- the addition of the .pem format to the restricted file extensions by @EsadCetiner (#3789)
- the removal of unnecessary chain rule and capture in rule 921180 by @EsadCetiner (#3787)
- a fix for rule 942160 by checking against REQUEST_FILENAME by @mat1010 (#3782)
- an update of rule 932270’s version variable by @airween (#3786)
Alessandro Monachesi