5/6/2007 1.9.5
--------------
* Changed Thinking Stone references to Breach Security, Inc. in docs.
* Fixed compiler warnings and documented compile with warnings enabled.

11/3/2007 1.9.5-rc1
-------------------
* Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms when the byte range is set to not include NUL bytes.

15/5/2006 1.9.4
---------------
* No changes since 1.9.4-rc1.

27/4/2006 1.9.4-rc1
-------------------
* Request headers that are analysed are now fetched from the header cache. This prevents the real headers table from potentially being changed on a rule match - which is only an issue in detection-only mode.
* Enhanced memory utilisation. Plus, the memory for the request body is now allocated from the OS directly so that it can be released back to it faster (Apache keeps the memory for itself even after it is freed).
* Added a one-liner to deal with weird IE multipart/form-data behaviour.

10/4/2006 1.9.3
---------------
* No changes since 1.9.3-rc2.

23/3/2006 1.9.3-rc2
-------------------
* Fixed malformed serial audit log entry problem.
* Strict checking of what is supplied for the "severity" action. Prettier output in the logs (text instead of numbers).
* Improved detection of the response protocol version.

6/3/2006 1.9.3-rc1
------------------
* Improved the internal chroot feature to work with mod_fastcgi, mod_fcgi, mod_cgid (testers welcome).
* Response headers are now escaped in the concurrent audit log.
* New action: logparts (adjust the audit log parts setting).
* Added support for multiple messages per transaction.
* Added SCRIPT_BASENAME, REQUEST_BASENAME.
* Implemented variable caching to reduce memory consumption. Large memory savings can be achieved, but only when the rule set is significantly large. Not noticeable for "normal" installations.
* Fixed the "Server" trailer message in the concurrent audit log.
* Removed the extra newline added to the index file by the concurrent audit logger.
* Fixed a problem in the action list parser which caused parsing to stop after any action with a quoted parameter.
* (Apache 2.x only) Fixed a response buffering problem that manifested as partial loss of output when virtual subrequests are used (it is the output from the virtual subrequests that would be lost).
* Deprecated DynamicOnly because it is inherently difficult to use and often unpredictable.

16/1/2006 1.9.2
---------------
* Increased allowed multipart header size to 4096.
* Fixed small bugs in the multipart code that would (in some rare cases) lead to incorrectly interpreting the uploaded files.
* (Apache 2.x only) Fix for a crash in the serial audit logger.
* (Apache 2.x only) Fix to compile on Debian 3.1 (they are not using stock Apache).
* Fixed a small concurrency issue.
* Chained rules metadata now appears in the logs.
* Restrict the length of each line in the concurrent audit logger index when logging over a pipe.
* New concurrent audit logger trailer headers: Server, Action, Producer.
* Added compile-time directive (DISABLE_SUEXEC) to disable process creation through suEXEC.
* Added support for compilation with PCRE (instead of the native Apache regex library) to the Apache 1.3.x version (Apache 2.x already uses PCRE). PCRE is much faster.
* Fixed a bug in the concurrent audit logging code where partial audit log entry files were being created for all requests.
* Fixed bugs (in the Apache 2.x branch) to make audit logging through a pipe work.

30/11/2005 1.9.1
----------------
* Variables OUTPUT and OUTPUT_STATUS are no longer accepted in the Apache 1.x version (since they do not work anyway).
* Fixed a chained bug.
* Relaxed multipart checks slightly, to allow an empty multipart body. (In response to a bug report.)

06/11/2005 1.9
--------------
* No changes since 1.9RC4.

03/11/2005 1.9RC4
-----------------
* Warning messages emitted from chained rules are now logged at level 3.
01/11/2005 1.9RC3
-----------------
* Made SecFilterSignatureAction behave in a slightly more consistent manner. When defined it applies to rules that do not have custom actions.

29/10/2005 1.9RC2
-----------------
* Discovered (and fixed) a fragment of non-multithread-safe code.
* Fixed a bug with the chain action.
* Improved the per-rule performance figures not to include debug logging (which can be quite slow).

03/10/2005 1.9RC1
-----------------
* Removed -DWORKER_HACK since it is easier and more elegant to use LoadFile.
* Improvements to the output filtering to prevent Apache from printing the error message twice (when we have a regex match in the response body).
* Improvements to the multipart parser; it is now stricter about what it accepts. (Incidentally, Mozilla and IE don't know how to construct a proper multipart/form-data body, but Opera does.)
* New directive, SecFilterSignatureAction. If specified, all signatures that follow the directive in the configuration file will use the actions it specifies, optionally merging with the per-rule action list (if any is specified).

16/09/2005 1.9dev4
------------------
* Limited the GuardianLog line size when doing piped logging. Writes are atomic over a pipe only if the size of the data is less than PIPE_BUF.
* Added a hack (compile with -DWORKER_HACK) to force the pthreads dynamic library to be loaded before chroot is performed. (Apache 2.x only)
* Fixed the \xHH unescaping bug when the character was a regex meta character. Such characters are now escaped with \. (Apache 1.x only)
* Unicode encoding checks are not performed on the contents of the Referer request header.
* Added the manual (in DocBook format) to the CVS.
* Added action "rev", to be used as a rule serial number, allowing the "id" to remain unchanged (and unique).
* Many changes related to how actions are processed. Introduced SecFilterActionsRestricted. When enabled, only the meta-data per-rule actions are allowed.
This is useful when you want to include third-party rules in your configuration and you don't want them to specify just anything in the action. Per-rule actions are now added on top of SecFilterDefaultAction actions.
* Wrote a new action parser from scratch. It is now possible to escape action values, and even have a comma inside the value (yay).
* Fixed doubling of response headers in the (serial) audit log.
* Added support to enable or disable mod_security per request using an environment variable - MODSEC_ENABLE. This is something that is likely to be useful in combination with SetEnvIf. This environment variable will not affect audit logging.

18/08/2005 1.9dev3
------------------
* Files uploaded via PUT are now treated in the same manner as files uploaded via POST and multipart/form-data encoding.
* Added experimental support for mod_security to run in an early hook. To test this compile with -DENABLE_EARLY_HOOK.
* Implemented SecAuditLogRelevantStatus.
* Implemented an entirely new approach to audit logging - concurrent audit logging, where each request is stored in its own file.
* Changed the way internal chroot works. We are not using a file-based lock any more. The process is much cleaner. (I just need to test it thoroughly to see if it performs under all circumstances.)
* Many changes to improve handling of DynamicOnly and related internal stuff.
* Added OUTPUT_STATUS to the Apache 2.x version.
* Implemented SecGuardianLog, to allow mod_security to pass information to httpd-guardian (see http://www.apachesecurity.net/tools/).
* Removed debug log locking (writes should be atomic - why did I think otherwise?).
* Log level is now present on every entry in the debug log.
* Significantly enhanced the filter (rule) inheritance functionality by adding three new directives (SecFilterImport, SecFilterRemove, SecFilterInheritanceMandatory) and one new action (mandatory).
* Added "proxy" action to rewrite URL through the internal reverse proxy when a rule is triggered.
* Added the script that converts Nessus scripts (.nasl files) into mod_security rules. Written by Javier Fernandez-Sanguino.
* Use GetTempPath on Windows to get the path for temporary files.
* Non-existent named parameters (ARG_name) and cookies (COOKIE_name) are now treated as empty. This should allow us to write rules that trigger when a named parameter is not present.

19/04/2005 1.9dev2
------------------
* Added individual rule timing (Apache 2.x only).
* Deprecated SecServerResponseToken. It no longer works and it outputs a warning message.
* mod_security now logs its version to the error log upon startup (as notice).
* When SecServerSignature is used, mod_security now logs the real server signature to the error log (as notice).
* Added two new actions: setenv, setnote.
* Added two new actions: auditlog, noauditlog.
* Added three new actions: id, msg, severity. These are simple text fields that appear in the error messages. They can be used to classify problems.
* Added RelevantOnly as an option to SecUploadKeepFiles.
* BUG Fixed the "pass" action bug.
* 404 responses are no longer considered relevant.
* The request body is now exported through the "mod_security-body" note. (This can be useful for logging other than through the audit log.)
* BUG Fixed a double URL-decoding bug (Apache first, then us), which could sometimes lead to a false positive.

05/03/2005 1.8.7
----------------
* Stefan Esser discovered a trivial way to craft a request to sneak request parameters that are in the request body past the named parameter syntax (e.g. ARG_name). Non-selective filtering (SecFilter), other variables (e.g. THE_REQUEST, ARGS, POST_PAYLOAD), and the audit log worked fine. Fixed.
* Stefan Esser also pointed out that PHP parses cookies differently from mod_security, and demonstrated a way to exploit the differences to sneak a cookie past the named cookie syntax (e.g.
COOKIE_name). So I decided to add another cookie parser to mod_security. A new directive, SecFilterCookieFormat, determines which parser is used. Possible values are 0 (default, for Netscape-style cookies, aka version 0) and 1 (for RFC 2965 aka version 1 cookies). Without spending more time on research (to determine how different platforms parse cookies) -- which is on my TODO list -- I can't give a definitive answer whether the COOKIE_name syntax is good enough. It should be, but if you are very paranoid you may choose to use the HTTP_Cookie syntax to examine the whole cookie header. Look for more details in the documentation. As a consequence of the recent changes, the SecFilterCheckCookieFormat directive is now obsolete and has no effect.
* BUG Request error message was not escaped properly when it was being logged to the audit log.
* BUG (Apache 2 only) An error message is now logged if an external script cannot be executed.
* BUG If the approver script does not exist the file is rejected.
* BUG (Apache 2 only) Made the allow action work with output filtering.
* BUG (Apache 2 only) Warning messages (e.g. "log,pass") did not get logged in output filtering.
* Cookie normalization is now off by default (as was stated in the documentation).
* BUG (Apache 2 only) The audit logging code can cause a segfault when it isn't explicitly configured in the configuration and the main handler does not run for some reason. Fixed.
* BUG (Apache 2 only) Fixed a bug in the code that handles the exec action, which would sometimes cause a segfault (when an external script is executed).

19/11/2004 1.9dev1
------------------
* Added performance measurement to the Apache 2 versions. mod_security now produces the following notes:
    mod_security-time1 - after receiving request body
    mod_security-time2 - after completing input tests
    mod_security-time3 - after handler produces output
  Each note contains the time elapsed (in microseconds) since the beginning of processing.
* Changed snort2modsec.pl to only work on web rules, and to use the rule sid in the output. With help from Javier Fernandez-Sanguino.
* Added the ClamAV integration script.
* New variables added: FILE_NAME_*, FILE_SIZE_*, FILE_NAMES, FILE_SIZES, FILES_COUNT, HEADER_*, HEADERS, HEADERS_NAMES, HEADERS_VALUES, HEADERS_COUNT, ARGS_COUNT, COOKIES_COUNT.
* Relaxed permissions used to create new files to allow group read. It is now possible to allow a process running as some other user (an anti-virus daemon, for example) to examine the files that are being uploaded.
* Requests with response codes 4xx and 5xx are now considered to be relevant as far as audit logging is concerned.
* Cookie values are now *not* normalized by default.
* Changed configuration directives to be allowed in .htaccess files only if AllowOverride Options is configured. Provided a compile-time option DISABLE_HTACCESS_CONFIG to disable .htaccess files altogether.
* Enhanced logging to include the names of variables where the pattern match has occurred.
* New variables added: SCRIPT_UID, SCRIPT_GID, SCRIPT_USERNAME, SCRIPT_GROUPNAME, SCRIPT_MODE.

03/11/2004 1.8.6
----------------
* Made changes to how mod_security works to accommodate those who only want to operate in detection mode. Validation checks are now performed only once, at the beginning of request processing (by mod_security, not Apache). At the same time I have expanded the validation checks to include request headers as well. Only normalisation will be performed later, as the rules in the rule set are processed. There is one constraint, though. A non-fatal default action is not allowed in the initialization phase. Any normalisation or validation problems will result in the request being rejected. Therefore the only way to operate in a fully transparent detection mode is to turn off implicit validation options (URL decoding, Unicode, byte range, cookie format validation). I hope to relax this restriction in the 1.9 branch.
* BUG Fixed the broken "skip" action.
* BUG Fixed a problem with file interception (when either storage or approval is requested) that occurs with IE.
* BUG I introduced a new bug trying to fix a bug from 1.8.4. Uploading a file larger than the memory buffer would cause the approval phase to be skipped altogether.

21/10/2004 1.8.5
----------------
* BUG Fixed the O_BINARY problem that manifested itself on Windows.
* BUG Fixed a problem with temporary file reading that manifested itself on Windows (Apache 2 version only).
* BUG Fixed the problem with requests for folders (where mod_dir performs subrequests) when DynamicOnly is on and there are several dynamic entries in the DirectoryIndex configuration before the "real" one. It's not a proper fix though. Fixing it properly could jeopardize stability, so I've just disabled DynamicOnly for folders.
* BUG Removed the harmless message emitted to the error log on request line timeouts (Apache 1.3.31 started logging request line timeouts with 408).
* BUG Dynamic POST buffering control did not work at all in the Apache 2 module (causing segfaults). Fixed now.
* BUG Not defining a debug log file would cause error messages not to be logged to the Apache error log.

29/07/2004 1.8.4
----------------
* BUG When the ARGS variable was used in a multipart request it used to test against the raw payload. Now it only works on the request parameters (names & values), just as with non-multipart requests.
* BUG mod_security would crash when the default action was not specified in the configuration file.
* Fixed a problem when Apache loses our input filter on fast redirects (e.g. mod_dir) and subrequests (e.g. mod_fastcgi).
* Relaxed the validation of multipart/form-data requests to allow broken clients (i.e. Internet Explorer) to work.

07/07/2004 1.8.3
----------------
* BUG Fixed a warning message in the child process initialisation code, complaining about mutex re-initialisation failing (FreeBSD only).
* BUG Fixed the problem where URL encoding validation was performed against multipart/form-data variables, which are not URL-encoded. In practice, a percent character anywhere in the multipart/form-data body would cause the request to be rejected.
* BUG Removed ap_escape_logitem from the source code, this time for real I think ;)

22/06/2004 1.8.2
----------------
* BUG Fixed a bug that would cause mod_security to close stdin by mistake, with multipart/form-data requests when SecUploadKeepFiles is set to Off and file validation is not used.
* BUG Fixed a bug that would sometimes affect selective variable rules.
* Removed ap_escape_logitem from the module (because of compatibility problems with older versions of Apache).
* Fixed an invalid regular expression in the default configuration example.

16/06/2004 1.8.1
----------------
* Zero-length POST payload was not allowed. Fixed.

15/06/2004 1.8
--------------
* Found and fixed several small issues during the final code review.
* Updated the converted Snort rules.
* Added debug mode to the automated test script.

11/06/2004 1.8RC2
-----------------
* Fixed a problem where validation functions would reject a request without performing the default action fully (previously only the status was honored).
* Improved logging a great deal. It is now easy to identify what went wrong and where.
* Child processes now re-initialize mutexes, as they should (Apache 2.x only).
* Other cosmetic changes here and there.
* BUG Temporary files were being created with wrong permissions.
* BUG Fixed a problem in the UTF-8 validation routine. Some valid UTF-8 streams were being rejected as invalid.

26/05/2004 1.8RC1
-----------------
* POST payload in the audit log is now preceded by a line containing the length of the payload.
* Preparing for a stable release, this branch now compiles on Windows too. And on Netware.
* Debug log entries are now sanitized.
* Keeping the code healthy: lots of refactoring, smaller improvements made.
Several small fixes too.

29/04/2004 1.8dev2
------------------
* Added support for custom logging that will contain only information about requests where mod_security got involved. Mod_security will now generate the Apache environment variable mod_security-relevant, which can then be used to trigger custom logging.
* The audit log will now reference the full request body that is stored outside the audit log (which happens with file uploads).
* Removed the fixed-length buffer in sec_logger. The audit logger now calculates data length before allocation. Therefore it can log requests with very large headers.
* When available, the UNIQUE_ID value produced by mod_unique_id is written to the audit log.
* SECURITY Significant improvements to the chroot functionality. Fixed a problem where mod_security would sometimes "forget" to perform a chroot call. We now also perform a chdir to the target directory before the chroot call, so as not to leave an open fd to a directory outside the jail.
* Improved cookie handling. Implemented a new parser, added two directives for better control over features: SecFilterNormalizeCookies and SecFilterCheckCookieFormat.
* Made external script execution work with suexec. mod_security now chdirs to the directory where the script resides, and then calls it with a relative path.
* Mod_security variables were not available (in the environment) to scripts executed via the "exec" action. Fixed.
* Mod_security can now decide not to buffer a POST request dynamically. If the MODSEC_NOPOSTBUFFERING variable is set, buffering will be skipped (this can be done with SetEnvIf, for example).
* Initial support for multibyte charset filtering (added the SecCharset directive to support this).
* Removed non-threadsafe code from a couple of places.

21/03/2004 1.7.6
----------------
* Code reviewed, tightened, cleaned up (e.g. removed C++ style comments, converted TABS to spaces).
* Error log messages resulting from a match of regular expressions containing \xHH escape codes were written escaped instead of in the original form (1.3.x branch only).

21/02/2004 1.7.5
----------------
* SECURITY Fixed a bug in the Apache 2.0.x branch that could allow remote denial of service attacks to be performed, causing web server instances to crash.
* Fixed a bug in the Apache 2.0.x branch where selective output filtering would not work when the content type is given together with the encoding (i.e. "Content-Type: text/html; charset=..."). Encoding is now ignored.
* Fixed a bug in both branches where "SecFilterEngine DynamicOnly" would not scan dynamic requests that are
* Since the Apache 1.x regex library does not seem to implement the "\xHH" method of escaping, I've added this functionality to mod_security (Apache 2.x uses a different regex library where this works).

18/12/2003 1.8dev1
------------------
* Added SecUploadKeepFiles directive, which allows the files uploaded through the web server to be kept.
* Added SecUploadDir directive, to define where files will be uploaded.
* Added SecUploadApproveScript directive, to allow specifying an external script to approve a file that is uploaded.
* Added SecUploadInMemoryLimit (Apache2 only) to specify the maximum amount of memory to be used for in-memory processing during file upload. If a file is larger than the limit the disk will be used.
* Added support for multipart/form-data. Selective variable filtering now works when this encoding is used too.
* Improved the configuration process, added comments to directives, implemented better control over where directives can be used. These changes may cause mod_security to refuse to start if a directive is used in the wrong place (if they do you should get a meaningful message).
* Worked around a peculiar Apache behavior that caused a POST body not to be logged when an ErrorDocument directive is used.

5/12/2003 1.7.4
---------------
* Fixed a bug that caused a request to be logged to the audit log even when a "nolog" action was used (and audit log was set to "RelevantOnly").
* Fixed a bug in the Apache 2 version that could confuse PHP.

9/11/2003 1.7.3
---------------
* More variables are now being normalised before rules are applied.

28/10/2003 1.7.2
----------------
* Added SecFilterOutputMimeTypes directive to control which mime types are scanned on output (to avoid scanning images and other binary files).
* Added the script that converts Snort rules to mod_security rules to the distribution, together with a set of converted rules.
* A set of rules used for regression testing is now in the CVS too.
* Fixed a malloc-based buffer overflow problem in the Apache 2 version of the module. This problem could cause segmentation faults in some cases. Because the problem is in the code that performs output scanning it could potentially be exploited locally (i.e. by a specially crafted PHP script).
* Fixed a bug where a rule match was not logged together with a pass action. Changed behavior of the allow action to behave the same (rule match logged unless nolog action is used).
* Fixed a problem with SecServerSignature that caused the real signature to be seen in some cases (on bad requests).
* Fixed a problem with output filtering not being off by default (it is now).

21/10/2003 1.7.1
----------------
* Fixed a mutex leak in the Apache 2.x version of the module.
* Fixed a bug in the output scanning code of the Apache 2.x version of the module.
* Fixed a bug where SecAuditLog wouldn't work when set to "On".

18/10/2003 1.7
--------------
* Fixed mod_security not to attempt to do any work if the context is not initialised properly.
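The 1.8dev2 SECURITY entry above records that mod_security now performs a chdir to the target directory before the chroot call so that no open fd to a directory outside the jail survives. The C helper below is an added illustration of that ordering, written for this page; it is not code from the mod_security project, and the name enter_jail and the three-step layout are this example's own. It performs chdir(dir), then chroot(dir), then chdir("/") so the working directory is re-anchored inside the new root, and reports failure through errno. The main() exercises only the failure path with a constructed, non-existent directory, since a successful chroot needs root privileges.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Enter a chroot jail in the order the 1.8dev2 entry describes:
 *   1. chdir(dir)  - move the working directory inside the future root,
 *                    so the process holds no directory reference outside it;
 *   2. chroot(dir) - change the root (needs root / CAP_SYS_CHROOT);
 *   3. chdir("/")  - re-anchor the working directory at the new root.
 *
 * Returns 0 on success, -1 on failure with errno set by the failing call.
 * Hypothetical helper for this example, not mod_security's own code.
 */
int enter_jail(const char *dir)
{
    if (dir == NULL || dir[0] != '/') {
        errno = EINVAL;             /* only absolute jail paths are accepted */
        return -1;
    }
    /* Step 1: chdir before chroot. chroot() by itself does not move the
     * working directory, so skipping this step leaves the process with a
     * working directory outside the jail. */
    if (chdir(dir) != 0) {
        return -1;
    }
    /* Step 2: change the root directory. */
    if (chroot(dir) != 0) {
        return -1;
    }
    /* Step 3: make the new root the working directory explicitly. */
    if (chdir("/") != 0) {
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed, non-existent path: shows the failure path (chdir fails
     * with ENOENT) without needing root. */
    const char *jail = "/nonexistent/example-jail";
    if (enter_jail(jail) != 0) {
        printf("enter_jail(%s) failed: %s\n", jail, strerror(errno));
        return 1;
    }
    printf("now running inside %s\n", jail);
    return 0;
}
```

The call sequence only helps if it runs after everything the process still needs from outside the jail has been loaded; the 1.9dev4 entry's WORKER_HACK (forcing the pthreads library to load before the chroot) is an instance of that same constraint.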
24/9/2003 1.7RC1
----------------
* Added output filtering to Apache 2.x.
* Removed the two-stage filtering process that used to take place in Apache 2.x (if you know what I'm talking about fine, if not ignore this).
* Added the ability to filter cookies (names, values, etc.) directly.
* Added SecServerSignature to mask the web server.
* Added new action, allow, to finish filter processing and let the request through.
* Added new action, chain, to chain several filters together (logical AND).
* Added new action, skipnext, to skip over filters.
* New anti-evasion technique to fight null-byte attacks.
* Netware support (with help from Guenter Knauf).

17/8/2003 1.6
-------------
* Windows compatibility. As this is the first Windows release the code should be considered of beta quality.
* Unicode encoding validation.
* New action, pause, enables you to slow down, or completely confuse, web vulnerability scanners.
* Switch that optimises request filtering, allowing you to only implement scanning on relevant resources.
* Internal chroot feature added to Apache 2.
* Fixed a POST variables parsing bug.

10/7/2003 1.5.1
---------------
* POST payload processing code for the Apache 2 version completely rewritten.
* Changed the SecAuditEngine parameter to take the following options: On, Off, DynamicOrRelevant, RelevantOnly. This new feature allows you to log only what you really need.
* New internal chroot option available in the Apache 1 version.
* Fixed a problem where "+" was not decoded properly.
* Fixed a problem where you could not use PHP CLI scripts in combination with the "exec" action.
* Fixed a problem where zombie processes would remain after external binaries were executed using the "exec" action.
* Fixed other bugs, two of which are security issues.
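The 1.9dev4 entry (GuardianLog line size under piped logging) and the 1.9.2 entry (line length in the concurrent audit logger index over a pipe) both rest on the same POSIX rule: a write() to a pipe is delivered atomically only when it is no larger than PIPE_BUF bytes, otherwise it can interleave with writes from other httpd children sharing that pipe. The C code below is an added example for this page, not the module's own logger; the helper names bound_log_line, write_pipe_record and demo_overlong_record are this example's own. It bounds one record (marking any cut with " [truncated]") and emits it with a single write(), then round-trips a constructed over-long record through a real pipe to show the reader receives exactly PIPE_BUF bytes.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef PIPE_BUF
#define PIPE_BUF 512   /* POSIX minimum (_POSIX_PIPE_BUF) if the platform lacks it */
#endif

/*
 * Copy one log record into out (capacity out_cap) so that record plus its
 * trailing newline never exceeds PIPE_BUF bytes, keeping a single write()
 * of the result atomic on a pipe. A record that had to be cut is suffixed
 * with " [truncated]" so the consumer can tell. Returns the number of bytes
 * placed in out (newline included), or 0 if out cannot hold even the marker.
 * Example's own helper, not mod_security's logger code.
 */
size_t bound_log_line(const char *record, char *out, size_t out_cap)
{
    static const char marker[] = " [truncated]";
    size_t limit = out_cap < PIPE_BUF ? out_cap : PIPE_BUF;
    size_t len = strlen(record);
    size_t keep;

    if (limit < sizeof(marker) + 1) {
        return 0;
    }
    if (len + 1 <= limit) {
        /* Fits: copy verbatim and terminate the line. */
        memcpy(out, record, len);
        out[len++] = '\n';
        return len;
    }
    /* Too long: prefix + marker + newline, totalling exactly limit bytes. */
    keep = limit - (sizeof(marker) - 1) - 1;
    memcpy(out, record, keep);
    memcpy(out + keep, marker, sizeof(marker) - 1);
    keep += sizeof(marker) - 1;
    out[keep++] = '\n';
    return keep;
}

/* Emit one bounded record to fd with a single write(); returns bytes written
 * or -1. One write() is the point: writing the record and the newline
 * separately could interleave with another process's output on the pipe. */
ssize_t write_pipe_record(int fd, const char *record)
{
    char buf[PIPE_BUF];
    size_t n = bound_log_line(record, buf, sizeof buf);
    if (n == 0) {
        return -1;
    }
    return write(fd, buf, n);
}

/*
 * Round-trip a constructed over-long record through a real pipe and return
 * how many bytes the reader receives (PIPE_BUF on success, -1 on failure).
 */
ssize_t demo_overlong_record(void)
{
    int fds[2];
    char record[PIPE_BUF * 2];      /* constructed input: twice the atomic limit */
    char got[PIPE_BUF * 2];
    ssize_t written, got_n;

    memset(record, 'A', sizeof record - 1);
    record[sizeof record - 1] = '\0';

    if (pipe(fds) != 0) {
        return -1;
    }
    written = write_pipe_record(fds[1], record);
    close(fds[1]);
    got_n = written < 0 ? -1 : read(fds[0], got, sizeof got);
    close(fds[0]);
    if (written != got_n || got_n <= 0 || got[got_n - 1] != '\n') {
        return -1;
    }
    return got_n;
}

int main(void)
{
    printf("PIPE_BUF on this platform: %d\n", PIPE_BUF);
    printf("over-long record delivered as %zd bytes\n", demo_overlong_record());
    return 0;
}
```

The bound is on the whole write, newline included; a logger that appends the newline in a second write() has already given up the atomicity it was trying to preserve.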
26/5/2003 1.5
-------------
* Apache 2.x compatibility
* Added SecFilterInheritance
* Added SecFilterByteRange
* Added SecFilterCheckURLEncoding
* A few bug fixes
* New web site @ www.modsecurity.org
* Comprehensive manual

08/2/2003 1.4.2
---------------
* Got rid of the Apache patch, the module now works without it!

30/1/2003 1.4.1
---------------
* The default method of locking is now FCNTL. It appears that FLOCK does not work well on Solaris. FCNTL seems to work fine on both platforms.
* Fixed the bug with improper calling of the ap_pstrcat function, which could result in segfaults on some platforms (Solaris).

24/1/2003 1.4
-------------
* Several bug fixes
* Execute an external script on pattern match
* Perform custom redirect on pattern match
* Added a separate debug file with configurable log levels
* Cleaned up the source code, added comments and removed TAB characters
* Fixed the audit logger to log complete requests
* mod_security now creates custom headers when a pattern match occurs, access is denied or an action is taken (external script execution)
* Introduced the ability to test for a match against variable names only
* Introduced the ability to test for a match against variable values only
* Added the test script in Perl for automated testing, plus tests for most (all) features
* Enhanced event logging, messages are now much more descriptive and helpful
* mod_security can now appear as a token in the server signature ("Off" by default)

09/12/2002 1.3b
---------------
Introduced selective filtering (SecFilterSelective) where you can choose which part of the request to observe. Fixed a couple of bugs. Added inverted filters (when the regular expression begins with an exclamation mark) where the regular expression must be satisfied to proceed.

22/11/2002 1.2b
---------------
Changed the approach from using mod_proxy to patching the core server. The software is usable now. Performed some tests and it all looks fine.
21/11/2002 1.1b
---------------
Fixed the audit part of the module to log relevant request information, and to ignore requests to which responses are not dynamic.