SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
"id:950140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'CGI source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
The above rule makes false positive alarms because ^ does not only match the first line of the response body; I think it should be fixed as below:
SecRule RESPONSE_BODY "@rx ^(.{10})" \
"id:950140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'CGI source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.first_ten_chars=%{tx.1}',\
chain"
SecRule TX:FIRST_TEN_CHARS "@rx ^#\!\s?/" \
"setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
You can refer to owasp-modsecurity/ModSecurity#2921
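The following is an added example, not code from this issue or from the CRS project. It models the two rules above with Python's `re` module: the original single `@rx ^#\!\s?/` over the whole body, and the proposed chain that first captures `^(.{10})` into `tx.first_ten_chars` and then tests only that value. The reporter's claim is that `^` in ModSecurity's @rx matches at the start of every line of RESPONSE_BODY, so each rule is evaluated twice, once with `^` anchored only at offset 0 and once with `re.MULTILINE` standing in for the every-line behaviour described in the issue (an assumption about how to model it, not a statement about which mode ModSecurity actually uses). The response bodies are constructed for the example; none of them come from a real server.

```python
import re

# Constructed sample response bodies (not taken from the issue).
# A genuine CGI source leak: the shebang is the very first bytes of the body.
LEAKED_CGI = "#!/usr/bin/perl\nprint \"Content-Type: text/html\\n\\n\";\n"
# A legitimate page that quotes a shell snippet inside <pre>, so "#!/" sits at
# the start of a later line but not at the start of the body (the false positive).
HTML_WITH_SNIPPET = (
    "<html><body><h1>Install</h1><pre>\n"
    "#!/bin/sh\n"
    "./configure && make\n"
    "</pre></body></html>\n"
)
# A leaked script whose first line is only nine characters long.
SHORT_FIRST_LINE_LEAK = "#!/bin/sh\necho hello world\n"
# A short first line followed by a line that starts with a shebang.
SHORT_THEN_SHEBANG = "<p>x</p>\n#!/bin/bash\necho hi\n"

# The @rx pattern of rule 950140, copied as written in the issue.
SHEBANG_RX = r"^#\!\s?/"
# The capture used by the proposed first rule of the chain.
FIRST_TEN_RX = r"^(.{10})"


def original_rule_matches(body: str, multiline: bool) -> bool:
    """Rule 950140 as it stands: one @rx over the entire RESPONSE_BODY.
    multiline=True models an engine in which ^ also matches after every newline."""
    flags = re.MULTILINE if multiline else 0
    return re.search(SHEBANG_RX, body, flags) is not None


def proposed_rule_matches(body: str, multiline: bool) -> bool:
    """The chained rule proposed in the issue: capture ^(.{10}) into
    tx.first_ten_chars, then run ^#\\!\\s?/ against that captured value only.
    If the first rule of the chain does not match, the chain stops and the
    second rule is never evaluated."""
    flags = re.MULTILINE if multiline else 0
    m = re.search(FIRST_TEN_RX, body, flags)
    if m is None:
        return False
    first_ten_chars = m.group(1)  # what setvar:'tx.first_ten_chars=%{tx.1}' would store
    return re.search(SHEBANG_RX, first_ten_chars, flags) is not None


def evaluate(body: str) -> dict:
    """Run both rules in both anchoring modes and return the four outcomes."""
    return {
        "original_single": original_rule_matches(body, multiline=False),
        "original_multi": original_rule_matches(body, multiline=True),
        "proposed_single": proposed_rule_matches(body, multiline=False),
        "proposed_multi": proposed_rule_matches(body, multiline=True),
    }


if __name__ == "__main__":
    for name, body in [
        ("LEAKED_CGI", LEAKED_CGI),
        ("HTML_WITH_SNIPPET", HTML_WITH_SNIPPET),
        ("SHORT_FIRST_LINE_LEAK", SHORT_FIRST_LINE_LEAK),
        ("SHORT_THEN_SHEBANG", SHORT_THEN_SHEBANG),
    ]:
        print(name, evaluate(body))
```

Two caveats fall out of running this. The `.{10}` capture needs ten non-newline characters at the start of the body, so a leaked script whose shebang line is shorter than that (`#!/bin/sh` is nine characters) never reaches the second rule of the chain and is missed in both modes. And if `^` really does match at every line start, a short first line followed by a line beginning with `#!/` still makes `^(.{10})` capture that later line, so the false positive the chain was meant to remove survives in that case.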