Now OWASP is out since October and the last big version was from 2013. OWASP 3.0 is designed to give less false positives I updated my website to that release. In previous version I had to switch off a lot of the filters that keep hackers and other bad people from trying to do bad stuff with my site.
I have run a quick test and the only thing that cropped up in that period was that the cookie set by Coppermine could contain a "=" and that triggered a detection. Maybe there are more non alphabetical/number characters that could trigger detections but I have not yet tested it that much because it was already late in the evening.
Information what it filters:
1. More than 16,000 specific rules, broken out into the following attack
categories:
* SQL injection
* Cross-site Scripting (XSS)
* Local File Include
* Remote File Include
2. User option for application specific rules, covering the same
vulnerability classes for applications such as:
* WordPress
* cPanel
* osCommerce
* Joomla
I saw that it also is covering Coppermine Gallery with 30 settings, however I think the main part if not all are already fixed by the programmers in contact with users of Coppermine.
I am also using Owncloud that is triggering a lot more of detections so Coppermine is very clean in the eyes of OWASP
Some links:
https://modsecurity.org/crs/https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Projecthttps://github.com/SpiderLabs/owasp-modsecurity-crs
Author
Topic: Compliance with Modsecurity + OWASP (Read 3214 times)