The latest OWASP Core Rule Set (CRS) version 4.24.0 includes several practical tweaks that help admins reduce noisy alerts and focus on genuine threats. A new detection rule flags PHP tags embedded in Smarty templates, a common cause of false positives. The update also fixes a bug affecting SQL special character detection with non-ASCII input and improves performance by re-engineering the leakage rules into the newer regex-assembly format. Further tweaks reduce false positives and improve handling of international characters and JSON payloads.



OWASP CRS 4.24.0: Smarty Tags Now Detected, UTF‑8 Bugs Fixed, and False Positives Cut

The latest 4.24.0 build of the OWASP Core Rule Set brings a handful of practical tweaks that help admins keep their ModSecurity or Coraza firewalls humming without drowning in alerts. The changes focus on tightening detection for legacy PHP templating, smoothing out multi‑byte character handling, and re‑engineering many leakage rules into the new regex‑assembly format.

New Detection Rule – Smarty Templates

The most headline‑worthy addition is a rule that flags <?php tags embedded in Smarty templates. A handful of sites that still ship PHP code inside .tpl files were repeatedly hit by false positives; now the CRS can detect those tags without blocking legitimate requests.

UTF‑8 and Multibyte Sensitivity

A subtle but critical bug was fixed where SQL special character detection misbehaved with non‑ASCII input. In practice, sites serving international audiences saw a spike in alerts for French address lines containing commas or apostrophes; the patch resolves that by correctly treating UTF‑8 byte sequences as single characters.

Method Override Safeguard

Another tweak prevents unwarranted blocking when an HTTP method override header is present but the actual request method isn’t being changed. A few developers had their legitimate PUT or DELETE calls flagged after upgrading to 4.24.0; this fix removes the false alarms.

Leakage Rules Rewritten for Performance

All database‑leakage rules (DB2, MSSQL, SQLite, Sybase, etc.) have been converted from legacy regexes into the newer regex‑assembly engine. This improves rule evaluation speed and reduces memory usage, especially on high‑traffic application servers that routinely parse large query strings.

JSON Variable Exception for “profile”

If your API passes a JSON payload with a profile key, you may have seen ModSecurity blocking it after the previous release. The 4.24.0 update explicitly whitelists this variable name in libmodsecurity3/coraza contexts, letting legitimate user data flow through unchanged.

Miscellaneous Tweaks

  • A few false positives around Extensible Metadata Platform tags and XSL stylesheets were trimmed.
  • An exclusion was added for the Google Funding Choices cookie to avoid unnecessary rule hits on that popular ad‑tech service.
  • The change log also lists several refactorings and lazy regex optimizations that are invisible to admins but keep the engine lean.

How to Upgrade Quickly

  1. Download the newest CRS zip from the official GitHub release page; it will contain the updated ruleset and a fresh crs-setup.conf.
  2. Replace your existing modsecurity.d directory with the new one, making sure to preserve any custom local overrides you’ve added.
  3. Test in a staging environment by replaying traffic that previously triggered false positives—especially Smarty templates and French address strings—to confirm the fixes are active.
  4. Once satisfied, swap the production config and watch your alert volume drop.
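As an added example, not from the CRS project or the article, here is a POSIX shell helper for steps 2 and 3: it installs the unpacked release over the current tree while keeping crs-setup.conf and the two local exclusion files, then replays a list of request paths against a staging host and prints the status each one gets. The exclusion file names assume the standard CRS rules/ layout; the function names, the backup naming and the replay list are my own.

```shell
#!/bin/sh
# Added example (not CRS project code). Upgrade a CRS install directory while
# preserving local overrides, then replay known-good requests to check them.
set -eu

# Files admins customise; assumed to follow the standard CRS layout.
PRESERVED="crs-setup.conf rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"

# upgrade_crs <current_install_dir> <unpacked_new_release_dir>
# Moves the current tree to a timestamped backup, copies the new release in,
# then restores each preserved file from the backup. Prints the backup path;
# returns 1 if a preserved file that existed before is not back in place.
upgrade_crs() {
  cur="$1"; new="$2"
  backup="${cur}.bak.$(date +%Y%m%d%H%M%S)"
  mv "$cur" "$backup"
  cp -R "$new" "$cur"
  for f in $PRESERVED; do
    if [ -f "$backup/$f" ]; then
      mkdir -p "$(dirname "$cur/$f")"
      cp "$backup/$f" "$cur/$f"
    fi
  done
  # Sanity check: every override from the old tree must match byte for byte.
  for f in $PRESERVED; do
    if [ -f "$backup/$f" ] && ! cmp -s "$backup/$f" "$cur/$f"; then
      echo "override $f was not restored" >&2
      return 1
    fi
  done
  echo "$backup"
}

# replay_urls <base_url> <file_with_one_path_per_line>
# Sends each path (e.g. a Smarty .tpl URL or a form with a French address)
# to staging and prints "<status> <path>"; a 403 means it is still blocked.
replay_urls() {
  base="$1"; list="$2"
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    code=$(curl -s -o /dev/null -w '%{http_code}' "$base$path")
    printf '%s %s\n' "$code" "$path"
  done < "$list"
}
```

Run as `upgrade_crs /etc/modsecurity.d/crs /tmp/coreruleset-4.24.0` and then `replay_urls https://staging.example.test fp-paths.txt` with a file of paths that used to trigger false positives.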

The 4.24.0 release may seem like a patchy update at first glance, but for admins who wrestle with noisy alerts day‑to‑day, these small adjustments mean fewer hours spent triaging and more bandwidth left for genuine threats. Give it a spin; the CRS team has done the heavy lifting, so you can focus on the next feature to secure.

Source: Release v4.24.0 · coreruleset/coreruleset. From the release notes, under "New features and detections": feat(933100): add detection of smarty template php tag by @touchweb-vincent in #4447.