# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.9 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # # This file is to address the 3UWMWA6W vulnerability. # It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports # of the security fixes in these versions) or a compatible engine supporting these changes. # # If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start. # In that case, you can temporarily delete this file. However, you will be missing # protection from these rules. Therefore, we recommend upgrading your engine instead. # The rules in this file will be part of the 920 / 921 in the future. # Only allow specific charsets when using "_charset_" # Note: this is in phase:2 because these are headers that come in the body SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \ "id:922100,\ phase:2,\ block,\ t:none,\ msg:'Multipart content type global _charset_ definition is not allowed by policy',\ logdata:'Matched Data: %{ARGS._charset_}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-multipart-header',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.3.9',\ severity:'CRITICAL',\ chain" SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \ "t:lowercase,\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Only allow specific charsets same as Rule 920600 # Note: this is in phase:2 because these are headers that come in the body # # How do these rules work: # * rule 922140 sets the multipart counter TX variable to 0 # note that this is why does not matter if more parts have the same name - see rule's test # * rule 922150 collects all multipart headers' 'Content-Type' value # eg. 'text/plain; charset=utf-8' # * rule 922110 checks all the collected headers' content type and charset SecRule &MULTIPART_PART_HEADERS "@gt 0" \ "id:922140,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.9',\ setvar:'tx.multipart_headers_content_counter=0'" SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \ "id:922150,\ phase:2,\ pass,\ capture,\ t:none,t:lowercase,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.9',\ setvar:'tx.multipart_headers_content_types_%{tx.multipart_headers_content_counter}=%{tx.1}',\ setvar:'tx.multipart_headers_content_counter=+1'" SecRule TX:/MULTIPART_HEADERS_CONTENT_TYPES_*/ "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \ "id:922110,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'Illegal MIME Multipart Header content-type: charset parameter',\ logdata:'Matched Data: %{MATCHED_VAR} found within Content-Type multipart form',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS',\ tag:'capec/272/220',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.3.9',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7) # Note: this is in phase:2 because these are headers that come in the body SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \ "id:922120,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\ logdata:'Matched Data: %{TX.0}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-deprecated-header',\ tag:'OWASP_CRS',\ tag:'capec/272/220',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.3.9',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Multipart header names can't contain any characters outside of range 33 and 126, # excluding 58 (':') which is the separator. # RFC 2045 refers RFC 822 about the header syntax. # Note: this is in phase:2 because these are headers that come in the body SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \ "id:922130,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'Multipart header contains characters outside of valid range',\ logdata:'Matched Data: %{TX.0}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-multipart-header',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/272/220',\ ver:'OWASP_CRS/3.3.9',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"