ModSecurity
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range o...
The compile-time option `--disable-request-early` in ModSecurity 2.x can lead to incorrect request processing with Core Rule Set (CRS) 4.0 and higher (as highlighted [here](https://github.com/coreruleset/coreruleset/issues/3696#issuecomment-2729129047)). Given that CRS 4.0+ relies on...
I uploaded an image on WordPress 6.8.1 / PHP 8.4.7 / Win Srv 2025 and IIS crashes. I tried it several times, always the same result AppName w3wp.exe AppVersion...
## what This PR changes the format of [utils::string::ascTime()](https://github.com/owasp-modsecurity/ModSecurity/commit/6248ac1c166b22f4de82680c5ceb26377d1d4e72#diff-e71d5c46f8ce20d4b7e76eb815fc9a3866ab8c854d62e54b9e2fa92bee98be13R77). The function is used only in one place, in [transaction.cc](https://github.com/owasp-modsecurity/ModSecurity/blob/6248ac1c166b22f4de82680c5ceb26377d1d4e72/src/transaction.cc#L1568), it produces the field `time_stamp` if the audit log format is...
**What this PR implements:** Implements the ability to reopen audit log files to ensure compatibility with Linux log rotation (`logrotate`). **Details:** This pull request introduces the functionality that allows ModSecurity...
This commit makes it possible to build ModSecurity on systems where /bin/sh is a POSIX-compliant shell that is not Bash. Debian, Alpine Linux, and Gentoo Linux with the system shell...
Hello, by downloading last release "modsecurity-v3.0.14.tar.gz" user is completely lost to install module on IIS. Is there any binary somewhere? The decoupling with adaptor might be great technology...
**Describe the bug** The way macros are expanded to regex patterns in rules changed from ModSecurity 2.9.7 to 2.9.8. This affects CRS 3.2.x (920420, 920480) and CRS 3.3.x (920480) that...
**Describe the bug** Segmentation fault in ModSecurity 2.9.7 for Apache on very specific POST requests. **Logs and dumps** I cannot provide full core dump or request parameters due to potential...
## Describe the bug Hi, the Audit Log duplicates the `Server` header content under the `Response headers` section `F`. When configuring Nginx with the following directives, the Audit Log duplicates...
The application/json content type defaults to supporting charset=UTF-8 parsing. How can it also be made compatible with charset=GBK parsing, such that if UTF-8 parsing fails, it will attempt GBK parsing?