A new ruleset was issued by OWASP in late June 2021. It appears there was a security issue in older rulesets. See here:
CVE-2021-35368 - CRS Request Body Bypass (Update)
There is a severe security issue in our rule set. It has been present since the release of CRS 3.1.0 and was recently brought to our attention. Here is the official advisory that we are also publishing as CVE-2021-35368 via MITRE (as usual, MITRE will take a few days until they publish this)...
coreruleset.org
CVE-2021-35368 - CRS Request Body Bypass | OWASP Foundation
owasp.org
Looks like we should be updating since OWASP is the default on DirectAdmin. It appears we are still using a ruleset from June of 2020.
Bill