fix CVE-2021-20205 and examples update

2021-04-26 17:00:23 +02:00
parent 1a7abab570
commit a98dae1fb6
34 changed files with 268 additions and 12 deletions
--- a/examples/wordpress/docker-compose.yml
+++ b/examples/wordpress/docker-compose.yml
@@ -13,6 +13,7 @@ services:
      - ./letsencrypt:/etc/letsencrypt
      - ./server-confs:/server-confs:ro         # custom confs at server context for permalinks
      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Wordpress exclusions
+      - ./modsec-confs:/modsec-confs:ro         # avoid some FP with CRS
    environment:
      - SERVER_NAME=www.website.com             # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
--- a/examples/wordpress/modsec-confs/wordpress.conf
+++ b/examples/wordpress/modsec-confs/wordpress.conf
@@ -0,0 +1,4 @@
+SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
+SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
+SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
+SecRuleRemoveById 953120