Critical vulnerability in CRS was present for years in web application firewalls of Drupal, WordPress, Nextcloud, Dokuwiki, CPanel& Xenforo

Cybersecurity specialists report the detection of a critical vulnerability in OWASP ModSecurity Core Rule Set (CRS), whose exploitation would allow threat actors to bypass security mechanisms in affected deployments, including web application firewalls (WAF). The flaw was tracked as CVE-2021-35368 and apparently remained several years without being updated.

The bug would allow malicious request body payloads to pass the rule set without being inspected, due to a combination of two bugs in the CRS Drupal rule exclusion packet. It is worth mentioning that the vulnerability is not limited to Drupal installations, but is present in all CRS installations that include these rule exclusions, regardless of whether they are enabled or not.

The report mentions that the risks to websites on Drupal depend on their configuration in ModSecurity: “If the backend is broken and configured with the correct final path name information configuration, any security risk is possible,” the experts say.

In this regard, Christian Folini, one of the people responsible for the Core Rule Set project, mentioned: “The fault has existed for years; when we made the first exclusion packages we were not used to using the techniques for drafting rules that we had to employ.”

The developer mentions that they also didn’t have coding guidelines, so no one reviewed that part of the code: “Failure is obvious; the important part now is to show that we learned our lesson, as well as to adopt a truly functional code development and review process in the future,” Folini says.  

The flaw was reported by Andrew Howe of, who took an in-depth look at ModSecurity when he joined the project last year. Howe reported the two errors at CRS in June. All known CRS installations that offer the predefined CRS rule exclusion packages are compromised, which applies to CRS versions 3.0.x, 3.1.0, 3.1.1 until the latest version that received updates, as well as to currently supported versions 3.2.0 and 3.3.0.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.