coreruleset · theMiddleBlue · Apr 23, 2023 · Apr 24, 2023 · Apr 24, 2023 · Apr 24, 2023
diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -250,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #		false positives in natural language or other contexts.
 #		Examples: 'chr', 'eval'.
 #		To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
-#		Regexp is generated from function names in util/regexp-assemble/data/933160.data
+#		Regexp is generated from function names in util/regexp-assemble/data/933160.ra
 #
 # - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
 #		Examples: 'addslashes', 'array_diff'.
@@ -264,7 +264,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #		Examples: 'abs', 'cos'.
 #		To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
 #		This rule only runs in paranoia level 3 or higher.
-#		Regexp is generated from function names in util/regexp-assemble/data/933161.data
+#		Regexp is generated from function names in util/regexp-assemble/data/933161.ra
 #
 
 
@@ -318,7 +318,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 #   system //comment \n (...)
 #   system #comment \n (...)
 #
-# This rule is also triggered by the following exploit(s):
+# This rule is triggered by the following exploits as well,
+# as they include the string 'exec(...)':
+#
 # [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
 # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]

diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
@@ -525,3 +525,37 @@ tests:
             uri: /?a=exploration
           output:
             no_log_contains: id "933150"
+  - test_title: 933150-35
+    desc: |
+      PHP mixed case function call with space, LF between ().
+      payload: file_ExistS (\n\n)
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: GET
+            port: 80
+            uri: /get?foo=file_ExistS%20%28%0A%0A%29
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-36
+    desc: |
+      PHP function call with multiple whitespaces.
+      payload: fopen  (blah)
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: GET
+            port: 80
+            uri: /get?foo=fopen%20%20%28blah%29
+          output:
+            log_contains: id "933150"