Severe flaw Identified in OWASP ModSecurity Core Rule Set

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News


The developers of the OWASP Foundation's Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) have disclosed a vulnerability in the CRS project that could allow threat actors to bypass the protections of a web application firewall (WAF) running the CRS rules.

The flaw, tracked as CVE-2021-35368, allows requests to bypass CRS without being inspected, due to a combination of two bugs in the CRS Drupal rule exclusion package. The flaw is not limited to installations that use the Drupal rule exclusions: it is present in every CRS installation that ships these rule exclusions, regardless of whether they are enabled or not.

“If the backend is broken and configured with the correct trailing pathname information setting… then anything is possible. If the backend looks into the trailing path info as it should, then you are on the safe side. The vulnerability has been around for several years. When we did the early rule exclusion packages in 2016 and 2017, we were not really used to the rule-writing techniques that we had to employ,” explained Christian Folini, co-lead of the volunteer-led Core Rule Set project.

Andrew Howe from Loadbalancer.org identified the vulnerability in the ModSecurity engine last year, Folini said. Howe reported the two flaws in the CRS in June. All known CRS installations th

[…]