@abtnode/router-provider 1.16.45 → 1.16.46-beta-20250703-050038-4ba2582f

package/lib/nginx/includes/security/crs4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.9.0
+# OWASP CRS ver.4.16.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -44,7 +44,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'O
 # Therefore, that pattern is now checked by rule 933190 in paranoia levels
 # 3 or higher.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<\?(?:[^x]|x(?:[^m]|m(?:[^l]|l(?:[^\s\x0b]|[\s\x0b]+[^a-z]|$)))|$|php)|\[[/\x5c]?php\]" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<\?(?:[^x]|x(?:[^m]|m(?:[^l]|l(?:[^\s\x0b]|[\s\x0b]+[^a-z]|$)))|$|php)|\[[/\x5c]?php\]" \
     "id:933100,\
     phase:2,\
     block,\
@@ -58,8 +58,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -99,8 +100,9 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -109,38 +111,39 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 #
 # [ PHP Configuration Directives ]
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" \
+# Regular expression generated from regex-assembly/933120.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 933120
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:llow_url_(?:fopen|include)|pc.(?:coredump_unmap|en(?:able(?:_cli|d)|tries_hint)|(?:gc_)?ttl|mmap_file_mask|preload_path|s(?:erializer|hm_s(?:egments|ize)|lam_defense)|use_request_time)|rg_separator.(?:in|out)put|ssert.(?:active|(?:bai|quiet_eva)l|callback|exception|warning)|uto_(?:(?:ap|pre)pend_file|detect_line_endings|globals_jit))|b(?:cmath.scale|rowscap)|c(?:gi.(?:check_shebang_line|(?:discard_pat|np)h|f(?:ix_pathinfo|orce_redirect)|r(?:edirect_status_env|fc2616_headers))|hild_terminate|li(?:_server.color|.p(?:ager|rompt))|om.(?:a(?:llow_dcom|utoregister_(?:(?:casesensitiv|verbos)e|typelib))|(?:code_pag|typelib_fil)e|dotnet_version)|url.cainfo)|d(?:ate.(?:(?:default_l(?:at|ong)itud|timezon)e|sun(?:rise|set)_zenith)|ba.default_handler|efault_(?:(?:charse|socket_timeou)t|mimetype)|is(?:able_(?:classe|function)|play_(?:startup_)?error)s|oc(?:_roo|ref_(?:ex|roo))t)|e(?:n(?:able_(?:dl|post_data_reading)|gine)|rror_(?:(?:(?:ap|pre)pend_str|report)in|lo)g|x(?:i(?:f.(?:decode_(?:jis|unicode)_(?:intel|motorola)|encode_(?:jis|unicode))|t_on_timeout)|tension(?:_dir)?|p(?:ect.(?:log(?:file|user)|match_max|timeout)|ose_php)))|f(?:astcgi.(?:impersonate|logging)|fi.(?:enable|preload)|il(?:e_uploads|ter.default(?:_flags)?))|g(?:d.jpeg_ignore_warning|eoip.custom_directory)|h(?:ard_timeout|ighlight.(?:(?:commen|defaul)t|html|keyword|string)|tml_errors)|i(?:b(?:ase.(?:(?:allow_persisten|time(?:stamp)?forma)t|d(?:ateformat|efault_(?:charset|db|password|user))|max_(?:links|persistent))|m_db2.(?:binmode|i(?:5_(?:all(?:_pconnec|ow_commi)t|dbcs_alloc|ignore_userid)|nstance_name)))|conv.(?:in(?:put|ternal)|output)_encoding|g(?:binary.compact_strings|nore_(?:repeated_(?:errors|source)|user_abort))|m(?:a(?:gick.(?:locale_fix|progress_monitor|skip_version_check)|p.enable_insecure_rsh)|plicit_flush)|n(?:clude_path|put_encoding|t(?:ernal_encoding|l.(?:default_locale|error_level|use_exceptions))))|l(?:dap.max_links|og_errors(?:_max_len)?)|m(?:a(?:gic_quotes_(?:gpc|runtime)|il(?:.(?:add_x_header|force_extra_parameters|log)|parse.def_charset)|x_(?:execution_time|file_uploads|input_(?:nesting_level|time|vars)))|bstring.(?:detect_order|encoding_translation|func_overload|http_(?:input|output(?:_conv_mimetypes)?)|internal_encoding|language|regex_(?:retry|stack)_limit|s(?:trict_detection|ubstitute_character))|crypt.(?:algorithm|mode)s_dir|em(?:cache(?:.(?:allow_failover|c(?:hunk_size|ompress_threshold)|(?:default_por|lock_timeou)t|hash_(?:function|strategy)|max_failover_attempts|protocol|(?:session_)?redundancy)|d.(?:compression_(?:factor|t(?:hreshold|ype))|default_(?:binary_protocol|con(?:nect_timeout|sistent_hash))|s(?:e(?:rializer|ss_(?:binary(?:_protocol)?|con(?:nect_timeout|sistent_hash(?:_type)?)|lock(?:_(?:expire|retries|wait(?:_m(?:ax|in))?)|ing)|number_of_replicas|p(?:ersistent|refix)|r(?:andomize_replica_read|emove_failed(?:_servers)?)|s(?:asl_(?:password|username)|erver_failure_limit)))|tore_retry_count)|use_sasl))|ory_limit)|ysql(?:.(?:allow_(?:local_infile|persistent)|connect_timeout|default_(?:(?:hos|socke)t|p(?:assword|ort)|user)|max_(?:links|persistent)|trace_mode)|i.(?:allow_(?:local_infile|persistent)|default_(?:(?:hos|socke)t|p(?:ort|w)|user)|local_infile_directory|max_(?:links|persistent)|r(?:econnect|ollback_on_cached_plink))|nd.(?:collect_(?:memory_)?statistics|debug|(?:fetch_data_cop|sha256_server_public_ke)y|log_mask|mempool_default_size|net_(?:cmd_buffer_size|read_(?:buffer_size|timeout))|trace_alloc)))|o(?:ci8.(?:(?:connection_clas|event|old_oci_close_semantic)s|default_prefetch|max_persistent|p(?:ersistent_timeout|ing_interval|r(?:efetch_lob_size|ivileged_connect))|statement_cache_size)|dbc.(?:(?:allow|check)_persistent|default(?:_(?:cursortype|db|pw|user)|binmode|lrl)|max_(?:links|persistent))|p(?:cache.(?:blacklist_filename|c(?:ache_id|onsistency_checks)|dups_fix|e(?:nable(?:_(?:cli|file_override))?|rror_log)|f(?:ast_shutdown|ile_(?:cache(?:_(?:consistency_checks|fallback|only))?|update_protection)|orce_restart_timeout)|(?:huge_code_page|save_comment)s|in(?:herited_hack|terned_strings_buffer)|jit(?:_(?:b(?:isect_limit|(?:lacklist_(?:root|side)_trac|uffer_siz)e)|debug|hot_(?:func|loop|return|side_exit)|max_(?:exit_counter|(?:loop_unro|polymorphic_ca)ll|r(?:ecursive_(?:call|return)|oot_trace)|side_trace)s|prof_threshold))?|lo(?:ckfile_path|g_verbosity_level)|m(?:ax_(?:accelerated_files|(?:file_siz|wasted_percentag)e)|emory_consumption|map_base)|opt(?:_debug|imization)_level|pr(?:e(?:ferred_memory_model|load(?:_user)?)|otect_memory)|re(?:cord_warnings|strict_api|validate_(?:freq|path))|use_cwd|validate_(?:permission|root|timestamps))|en(?:_basedir|ssl.ca(?:file|path)))|utput_(?:(?:buffer|encod)ing|handler))|p(?:cre.(?:(?:backtrack|recursion)_lim|j)it|do(?:_odbc.(?:connection_pooling|db2_instance_name)|.dsn)|gsql.(?:a(?:llow|uto_reset)_persistent|(?:ignore|log)_notice|max_(?:links|persistent))|h(?:ar.(?:cache_list|re(?:adonly|quire_hash))|pdbg.(?:eol|path))|recision|ost_max_size)|r(?:e(?:alpath_cache_(?:size|ttl)|gister_argc_argv|port_(?:memleaks|zend_debug)|quest_order)|unkit.(?:internal_override|superglobal))|s(?:e(?:aslog.(?:appender(?:_retry)?|buffer_(?:disabled_in_cli|size)|d(?:efault_(?:basepath|datetime_format|logger|template)|isting_(?:(?:by_hou|folde)r|type))|ignore_warning|level|re(?:call_depth|mote_(?:hos|por|timeou)t)|t(?:hrow_exception|r(?:ace_(?:e(?:rror|xception)|notice|warning)|im_wrap))|use_buffer)|ndmail_(?:from|path)|rialize_precision|ssion.(?:auto_start|c(?:ache_(?:expire|limiter)|ookie_(?:domain|httponly|(?:lifetim|s(?:amesit|ecur))e|path))|entropy_(?:file|length)|gc_(?:divisor|maxlifetime|probability)|hash_(?:bits_per_character|function)|(?:lazy_writ|nam)e|referer_check|s(?:ave_(?:handler|path)|erialize_handler|id_(?:bits_per_character|length))|trans_sid_(?:host|tag)s|u(?:pload_progress.(?:cleanup|enabled|(?:min_)?freq|name|prefix)|se_(?:(?:only_)?cookies|strict_mode|trans_sid))))|hort_open_tag|mtp(?:_port)?|oap.wsdl_cache(?:_(?:dir|enabled|limit|ttl))?|ql(?:.safe_mode|ite3.(?:defensive|extension_dir))|tomp.default_(?:broker|(?:connection|read)_timeout_u?sec)|woole.(?:aio_thread_num|display_errors|enable_(?:coroutine|library|preemptive_scheduler)|(?:fast_serializ|u(?:nixsock_buffer_siz|se_(?:namespac|shortnam)))e)|ys(?:_temp_dir|log.(?:f(?:acility|ilter)|ident)|vshm.init_mem))|t(?:aint.e(?:nable|rror_level)|idy.(?:clean_output|default_config)|ra(?:ck_errors|der.real_(?:precision|round_mode)))|u(?:nserialize_(?:callback_func|max_depth)|opz.(?:disable|exit|overloads)|pload(?:_(?:max_filesize|tmp_dir)|progress.file.filename_template)|rl_rewriter.(?:host|tag)s|ser_(?:agent|dir|ini.(?:cache_ttl|filename)))|v(?:8js.(?:flag|max_disposed_context)s|ariables_order|ld.(?:(?:activ|execut)e|skip_(?:ap|pre)pend))|w(?:in(?:cache.(?:chkinterval|enablecli|f(?:c(?:achesize|enabled(?:filter)?|ndetect)|ile(?:count|mapdir))|(?:ignorelis|namesal)t|maxfilesize|oc(?:achesize|enabled(?:filter)?)|reroute(?:_enabled|ini)|s(?:cachesize|rwlocks)|ttlmax|uc(?:achesize|enabled))|dows.show_crt_warning)|khtmltox.graphics)|x(?:bithack|hprof.output_dir|mlrpc_error(?:_number|s))|ya(?:c(?:.(?:compress_threshold|debug|enable(?:_cli)?|(?:key|value)s_memory_size|serializer)|onf.(?:check_dela|director)y)|f.(?:action_prefer|cache_config|environ|forward_limit|l(?:ibrary|owcase_path)|name_s(?:eparator|uffix)|use_(?:namespace|spl_autoload))|ml.(?:decode_(?:binary|(?:ph|timestam)p)|output_(?:canonical|indent|width))|r.(?:(?:connect_)?timeout|debug|expose_info|packager)|z.(?:keepalive|log_mask))|z(?:end(?:_extension|.(?:assertions|(?:detect_unicod|multibyt)e|e(?:nable_gc|xception_(?:ignore_args|string_param_max_len))|s(?:cript_encoding|ignal_check)))|lib.output_(?:compression(?:_level)?|handler)|ookeeper.(?:recv_timeout|sess(?:_lock_wait|ion_lock))))[\s\x0b]*=[^=]" \
     "id:933120,\
     phase:2,\
     block,\
     capture,\
     t:none,t:normalisePath,\
     msg:'PHP Injection Attack: Configuration Directive Found',\
-    logdata:'Matched Data: %{TX.1} found within %{TX.933120_MATCHED_VAR_NAME}: %{TX.933120_MATCHED_VAR}',\
+    logdata:'Matched Data: %{TX.0} found within %{TX.933120_MATCHED_VAR_NAME}: %{TX.933120_MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.933120_matched_var=%{MATCHED_VAR}',\
     setvar:'tx.933120_matched_var_name=%{MATCHED_VAR_NAME}',\
-    chain"
-    SecRule MATCHED_VARS "@rx \b([^\s]+)\s*=[^=]" \
-        "capture,\
-        chain"
-        SecRule TX:1 "@pmFromFile php-config-directives.data" \
-            "setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
 # [ PHP Variables ]
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \
     "id:933130,\
     phase:2,\
     block,\
@@ -154,13 +157,46 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
+#
+# [ PHP Variables ]
+#
+# Prevent accessing PHP variables using these methods:
+# ${'VARIABLE_NAME'}
+# $ {"VARIABLE_NAME"}
+# $ {'_VAR'.'IABLE_NAME'}
+# $     {   $var}
+# $     {   CONSTANT   }
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$\s*\{\s*\S[^\{\}]*\}" \
+    "id:933135,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PHP Injection Attack: Variable Access Found',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-injection-php',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
+    tag:'capec/1000/152/242',\
+    ver:'OWASP_CRS/4.16.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
 #
 # [ PHP I/O Streams ]
 #
@@ -176,7 +212,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 # http://php.net/manual/en/wrappers.php.php
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \
     "id:933140,\
     phase:2,\
     block,\
@@ -190,8 +226,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -213,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 933200
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" \
     "id:933200,\
     phase:2,\
     block,\
@@ -226,8 +263,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -243,19 +281,19 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # The list of PHP functions is divided into four groups of varying attack/false positive risk.
 # Four separate rules are used to detect these groups of functions:
 #
-# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
+# - Rule 933150: ~237 words highly common to PHP injection payloads and extremely rare in
 #		natural language or other contexts.
 #		Examples: 'base64_decode', 'file_get_contents'.
 #		These words are detected as a match directly using @pmFromFile.
 #		Function names are defined in php-function-names-933150.data
 #
-# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
+# - Rule 933160: ~36 words which are common in PHP code, but have a higher chance to cause
 #		false positives in natural language or other contexts.
 #		Examples: 'chr', 'eval'.
 #		To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
 #		Regexp is generated from function names in /regexp-assemble/data/933160.ra
 #
-# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
+# - Rule 933151: ~2200 words of lesser importance. This includes most PHP functions and keywords.
 #		Examples: 'addslashes', 'array_diff'.
 #		For performance reasons, the @pmFromFile operator is used, and many functions from lesser
 #		used PHP extensions are removed.
@@ -263,7 +301,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #		This rule only runs in paranoia level 2 or higher.
 #		Function names are defined in php-function-names-933151.data
 #
-# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives.
+# - Rule 933161: ~95 words with short or trivial names, possibly leading to false positives.
 #		Examples: 'abs', 'cos'.
 #		To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
 #		This rule only runs in paranoia level 3 or higher.
@@ -279,7 +317,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # We block these function names outright, without using a complex regexp or chain.
 # This could make the detection a bit more robust against possible bypasses.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
     "id:933150,\
     phase:2,\
     block,\
@@ -293,8 +331,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -331,7 +370,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 933160
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\(.*\)" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open|puts)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|m(?:d5|kdir)|o(?:pendir|rd)|p(?:assthru|open|r(?:intf|ev))|r(?:eadfile|trim)|s(?:t(?:rip_tags|at)|ubstr|ystem)|tmpfile|u(?:n(?:pac|lin)k|sort))(?:/(?:\*.*?\*/|/[^\n\r]*)|#[^\n\r]*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \
     "id:933160,\
     phase:2,\
     block,\
@@ -345,8 +384,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -386,7 +426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header)
 # http://karmainsecurity.com/KIS-2015-10 (Host header)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \
     "id:933170,\
     phase:2,\
     block,\
@@ -400,8 +440,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -441,7 +482,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 #   \(.*\)
 #       Parentheses optionally containing function parameters
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \
     "id:933180,\
     phase:2,\
     block,\
@@ -455,8 +496,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -488,7 +530,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 933210
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\x0b\"'\-\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(\),\./;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\);" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\x0b\"'\-\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(\),\./;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\);" \
     "id:933210,\
     phase:2,\
     block,\
@@ -502,14 +544,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -521,9 +564,11 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'O
 #
 # The size of the PHP function list is considerable.
 # Even after excluding the more obscure PHP extensions, 1300+ functions remain.
-# For performance and maintenance reasons, this rule does not use a regexp,
-# but uses a phrase file (@pmFromFile), and additionally looks for an '(' character
-# in the matched variable.
+# For performance reasons, this rule now uses a singular regex, without any capturing.
+# Due to regex size limitations in Modsecurity 2 with httpd, this is currently split
+# out into 3 seperate regex assembly includes: php-function-names-933151,
+# php-function-names-933152, and php-function-names-933153, which correspond
+# to 933151, 933152, and 933153 respectively.
 #
 # This approach carries some risk for false positives. Therefore, the function list
 # has been curated to remove words closely matching natural language and terms often
@@ -531,38 +576,95 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'O
 #
 # This rule is a stricter sibling of rule 933150.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" \
+# Regular expression generated from regex-assembly/933151.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 933151
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:c(?:cel_chdir|osh?)|ddc?slashes|pache_(?:child_terminate|get(?:_(?:modules|version)|env)|lookup_uri|note |re(?:quest|sponse)_headers|setenv)|r(?:ray_(?:c(?:h(?:ange_key_case|unk)|o(?:lumn|mbine|unt_values))|diff(?:_(?:assoc|key|u(?:assoc|key)))?|f(?:ill(?:_keys)?|lip)|i(?:ntersect(?:_(?:assoc|key|u(?:assoc|key)))?|s_list)|key(?:_(?:fir|la)st|s)|m(?:ap|erge(?:_recursive)?|ultisort)|p(?:ad|op|roduct)|r(?:and|e(?:(?:duc|vers)e|place(?:_recursive)?))|s(?:earch|p?lice|um)|u(?:(?:diff|intersect)(?:_u?assoc)?|n(?:ique|shift))|walk(?:_recursive)?)|sort)|s(?:inh|ort|sert_options)|tan[2h]?)|b(?:ase(?:64_(?:de|en)code|_convert)|c(?:add|comp|div|m(?:od|ul)|pow(?:mod)?|s(?:cale|qrt|ub))|in(?:2hex|d(?:_textdomain_codeset|ec|textdomain))|oolval|z(?:(?:de)?compress|err(?:no|(?:o|st)r)|open|read))|c(?:al(?:_(?:days_in_month|(?:from|to)_jd|info)|l_user_func_array)|eil|h(?:(?:di)?r|grp|mod|own|unk_split)|l(?:ass_(?:alia|(?:implem|par)ent|use)s|earstatcache|ose(?:dir|log))|o(?:llator_(?:asort|c(?:ompar|reat)e|get_(?:(?:attribut|error_(?:cod|messag)|local)e|s(?:ort_key|trength))|s(?:et_(?:attribute|strength)|ort(?:_with_sort_keys)?))|m_(?:create_guid|event_sink|get_active_object|load_typelib|message_pump|print_typeinfo)|n(?:fig_get_hash|nection_(?:aborted|status)|vert_uu(?:de|en)code)|unt_chars)|rc32|type_(?:al(?:num|pha)|cntrl|(?:x?digi|p(?:rin|unc))t|graph|(?:low|upp)er|space)|url_(?:(?:c(?:los|opy_handl)|file_creat|paus)e|e(?:rr(?:no|or)|scape|xec)|getinfo|(?:ini|rese)t|multi_(?:(?:(?:add|remove)_handl|clos)e|e(?:rrno|xec)|getcontent|in(?:fo_read|it)|s(?:e(?:lec|top)t|trerror))|s(?:etopt(?:_array)?|hare_(?:close|errno|init|s(?:etopt|trerror))|trerror)|u(?:nescape|pkeep)|version))|d(?:ate(?:_(?:add|create(?:_(?:from_format|immutable(?:_from_format)?))?|d(?:(?:ate_s|efault_timezone_[gs])et|iff)|(?:forma|(?:offset_g|time(?:_s|(?:stamp|zone)_[gs]))e)t|get_last_errors|i(?:nterval_(?:create_from_date_string|format)|sodate_set)|modify|parse(?:_from_format)?|su(?:b|n(?:_info|rise|set)))|fmt_(?:(?:creat|localtim|pars)e|format(?:_object)?|get_(?:calendar(?:_object)?|(?:datetyp|error_(?:cod|messag)|local)e|pattern|time(?:type|zone(?:_id)?))|is_lenient|set_(?:calendar|lenient|pattern|timezone)))|ba_(?:(?:clos|delet|replac)e|(?:exist|handler)s|f(?:etch|irstkey)|(?:inser|key_spli|lis)t|nextkey|op(?:en|timize)|popen|sync)|(?:cn?)?gettext|e(?:bug_(?:(?:print_)?backtrace|zval_dump)|c(?:bin|hex)|flate_(?:add|init)|g2rad)|isk_(?:free|total)_space|l_test_test[12]|n(?:gettext|s_(?:check_record|get_(?:mx|record)))|om_import_simplexml)|e(?:aster_da(?:te|ys)|n(?:chant_(?:broker_(?:d(?:escribe|ict_exists)|free(?:_dict)?|get_(?:dict_path|error)|(?:ini|request_(?:pwl_)?dic)t|list_dicts|set_(?:dict_path|ordering))|dict_(?:add(?:_to_session)?|(?:quick_)?check|describe|get_error|is_added|s(?:tore_replacemen|ugges)t))|um_exists)|rror_(?:(?:clear|get)_last|(?:lo|reportin)g)|scapeshell(?:arg|cmd)|x(?:if_(?:imagetype|read_data|t(?:agname|humbnail))|pm1|tension_loaded))|f(?:astcgi_finish_request|d(?:atasync|iv)|eof|f(?:i_trampoline|lush)|get(?:c(?:sv)?|s)|i(?:l(?:e_put_contents|ter_(?:has_var|i(?:d|nput(?:_array)?)|list|var(?:_array)?))|nfo_(?:buffer|(?:clos|fil)e|open|set_flags))|loatval|(?:mo|re(?:a|nchtoj))d|nmatch|orward_static_call(?:_array)?|p(?:assthru|m_get_status|rintf|utcsv)|s(?:canf|eek|ockopen|tat|ync)|t(?:ell|ok|p_(?:a(?:lloc|ppend)|c(?:dup|h(?:dir|mod)|lose|onnect)|delete|exec|f(?:ge|pu)t|get(?:_option)?|login|m(?:dtm|kdir|lsd)|n(?:b_(?:continue|(?:f(?:ge|pu)|ge|pu)t)|list)|p(?:asv|ut|wd)|r(?:aw(?:list)?|ename|mdir)|s(?:et_option|(?:i[tz]|ystyp)e|sl_connect))|runcate)|unc_(?:get_args?|num_args)|write)|g(?:c_(?:(?:(?:collect_cycl|mem_cach)e|statu)s|disable|enabled?)|d_info|et(?:_(?:browser|c(?:(?:alled_clas|lass_(?:method|var))s|(?:fg_va|urrent_use)r)|de(?:bug_type|(?:clared_(?:(?:class|interfac)e|trait)|fined_(?:constant|function|var))s)|(?:extension_func|loaded_extension|m(?:angled_object_var|eta_tag)|parent_clas)s|h(?:eaders|tml_translation_table)|include(?:_path|d_files)|o(?:bject_vars|pen_basedir)|resource(?:_(?:id|type)|s))|(?:cw|lastmo)d|(?:dat|rusag)e|env|host(?:by(?:addr|namel?)|name)|imagesize(?:fromstring)?|my(?:[gpu]id|inode)|opt|protobyn(?:ame|umber)|servby(?:name|port)|t(?:ext|imeofday|ype))|m(?:(?:dat|(?:mk|strf)tim)e|p_(?:a(?:bs|[dn]d)|binomial|c(?:lrbit|mp|om)|div(?:_(?:qr?|r)|exact)|(?:expor|fac|hamdis|testbi)t|gcd(?:ext)?|i(?:mport|n(?:(?:i|ver)t|tval))|jacobi|(?:kronecke|x?o)r|l(?:cm|egendre)|m(?:od|ul)|ne(?:g|xtprime)|p(?:erfect_(?:power|square)|o(?:pcount|wm?)|rob_prime)|r(?:andom_(?:bits|range|seed)|oot(?:rem)?)|s(?:can[01]|etbit|ign|qrt(?:rem)?|trval|ub)))|r(?:apheme_(?:extract|s(?:tr(?:i(?:pos|str)|len|(?:ri?)?pos|str)|ubstr))|egoriantojd)|z(?:(?:un)?compress|(?:de(?:cod|flat)|encod|fil|inflat)e|open))|h(?:ash_(?:(?:algo|equal)s|copy|fi(?:le|nal)|h(?:kdf|mac(?:_(?:algos|file))?)|init|pbkdf2|update(?:_(?:file|stream))?)|e(?:ader(?:_re(?:gister_callback|move)|s_(?:lis|sen)t)|brev|x(?:2bin|dec))|ighlight_(?:file|string)|rtime|t(?:ml(?:(?:_entity|specialchars)_decode|entities)|tp_(?:build_query|response_code))|ypot)|i(?:conv(?:_(?:get_encoding|mime_(?:decode(?:_headers)?|encode)|s(?:et_encoding|tr(?:len|r?pos)|ubstr)))?|dn_to_(?:ascii|utf8)|gnore_user_abort|ma(?:ge(?:_type_to_(?:extension|mime_type)|a(?:ffine(?:matrix(?:conca|ge)t)?|lphablending|ntialias|rc|vif)|(?:bm|w(?:bm|eb))p|c(?:har(?:up)?|o(?:lor(?:a(?:llocate(?:alpha)?|t)|closest(?:alpha|hwb)?|deallocate|(?:exact|resolve)(?:alpha)?|match|s(?:et|forindex|total)|transparent)|nvolution|py(?:merge(?:gray)?|res(?:ampl|iz)ed)?)|r(?:eate(?:from(?:avif|(?:bm|w(?:bm|eb))p|g(?:d(?:2(?:part)?)?|if)|(?:jpe|(?:p|stri)n)g|tga|x[bp]m)|truecolor)?|op(?:auto)?))|d(?:ashedline|estroy)|ellipse|f(?:il(?:l(?:ed(?:arc|(?:ellips|rectangl)e|polygon)|toborder)?|ter)|lip|ont(?:height|width)|t(?:bbox|text))|g(?:ammacorrect|d2?|et(?:clip|interpolation)|if|rab(?:screen|window))|i(?:nterlace|struecolor)|jpeg|l(?:(?:ayereffec|oadfon)t|ine)|openpolygon|p(?:alette(?:copy|totruecolor)|ng|olygon)|r(?:e(?:ctangle|solution)|otate)|s(?:avealpha|cale|et(?:brush|clip|interpolation|pixel|style|t(?:hickness|ile))|tring(?:up)?|[xy])|t(?:ruecolortopalette|ypes)|xbm)|p_(?:(?:8bi|qprin)t|a(?:lerts|ppend)|b(?:ase64|inary|ody(?:struct)?)|c(?:heck|l(?:earflag_full|ose)|reatemailbox)|delete(?:mailbox)?|e(?:rrors|xpunge)|fetch(?:_overview|body|header|(?:mim|structur)e)|g(?:c|et(?:_quota(?:root)?|acl|mailboxes|subscribed))|header(?:info|s)|(?:is_)?open|l(?:ast_error|ist(?:scan)?|sub)|m(?:ail(?:_(?:co(?:mpose|py)|move)|boxmsginfo)?|ime_header_decode|sgno|utf7_to_utf8)|num_(?:msg|recent)|ping|r(?:e(?:namemailbox|open)|fc822_(?:parse_(?:adrlist|headers)|write_address))|s(?:avebody|e(?:arch|t(?:_quota|(?:ac|flag_ful)l))|ort|tatus|ubscribe)|t(?:hread|imeout)|u(?:id|n(?:delet|subscrib)e|tf(?:7_(?:de|en)code|8(?:_to_mutf7)?))))|n(?:_array|et_(?:ntop|pton)|flate_(?:add|get_(?:read_len|status)|init)|i_(?:get(?:_all)?|parse_quantity|restore|set)|t(?:div|erface_exists|l(?:_(?:error_nam|get_error_(?:cod|messag)|is_failur)e|cal_(?:a(?:dd|fter)|(?:befor|f(?:ield_differenc|rom_date_tim)|to_date_tim)e|c(?:lear|reate_instance)|equals|get(?:_(?:a(?:ctual_m(?:ax|in)imum|vailable_locales)|(?:day_of_week_typ|error_(?:cod|messag)|keyword_values_for_local)e|first_day_of_week|greatest_minimum|l(?:east_maximum|ocale)|m(?:aximum|inim(?:al_days_in_first_week|um))|now|(?:(?:repeat|skipp)ed_wall_time_op|weekend_transi)tion|t(?:ime(?:_zone)?|ype)))?|i(?:n_daylight_time|s_(?:equivalent_to|(?:lenien|se)t|weekend))|roll|set(?:_(?:(?:first_day_of|minimal_days_in_first)_week|lenient|(?:repeat|skipp)ed_wall_time_option|time(?:_zone)?))?)|gregcal_(?:(?:create_instanc|[gs]et_gregorian_chang)e|is_leap_year)|tz_(?:c(?:ount_equivalent_ids|reate_(?:default|enumeration|time_zone(?:_id_enumeration)?))|(?:(?:from|to)_date_time_zon|use_daylight_tim)e|get_(?:(?:canonical|windows)_id|d(?:isplay_name|st_savings)|e(?:quivalent_id|rror_(?:cod|messag)e)|(?:gm|offse)t|id(?:_for_windows_id)?|r(?:aw_offset|egion)|(?:tz_data_versio|unknow)n)|has_same_rules))))|p(?:2long|tc(?:embed|parse))|s_(?:bool|(?:(?:(?:c(?:all|ount)|(?:execu|wri)t)ab|uploaded_fi)l|i(?:nfinit|terabl)|re(?:adabl|sourc))e|f(?:i(?:l|nit)e|loat)|link|nan|s(?:calar|oap_fault|tring|ubclass_of))|terator_(?:(?:appl|to_arra)y|count))|j(?:d(?:dayofweek|monthname|to(?:french|gregorian|j(?:ewish|ulian)|unix))|(?:ewish|ulian)tojd|son_(?:last_error(?:_msg)?|validate)))[\s\x0b]*\(" \
     "id:933151,\
     phase:2,\
     block,\
     capture,\
     t:none,\
     msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
-    logdata:'Matched Data: %{TX.1} found within %{TX.933151_MATCHED_VAR_NAME}: %{TX.933151_MATCHED_VAR}',\
+    logdata:'Matched Data: %{TX.0} found within %{TX.933151_MATCHED_VAR_NAME}: %{TX.933151_MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.933151_matched_var=%{MATCHED_VAR}',\
     setvar:'tx.933151_matched_var_name=%{MATCHED_VAR_NAME}',\
-    chain"
-    SecRule MATCHED_VARS "@rx \b([^\s]+)\s*[(]" \
-        "capture,\
-        chain"
-        SecRule TX:1 "@pmFromFile php-function-names-933151.data" \
-            "setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-            setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
+# This rule is a sibling of rule 933151.
+#
+# Regular expression generated from regex-assembly/933152.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 933152
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:kr?sort|l(?:c(?:first|g_value|h(?:grp|own))|dap_(?:8859_to_t61|(?:ad|bin)d(?:_ext)?|co(?:mpare|nnect(?:_wallet)?|unt_(?:entri|referenc)es)|d(?:elete(?:_ext)?|n2ufn)|e(?:rr(?:(?:2st|o)r|no)|scape|x(?:op(?:_(?:passwd|refresh|sync|whoami))?|plode_dn))|f(?:irst_(?:(?:attribut|referenc)e|entry)|ree_result)|get_(?:(?:attribut|entri)es|(?:d|optio|values_le)n)|list|mod(?:_(?:add|del|replace)(?:_ext)?|ify_batch)|next_(?:(?:attribut|referenc)e|entry)|parse_(?:exop|re(?:ference|sult))|re(?:ad|name(?:_ext)?)|s(?:asl_bind|e(?:arch|t_(?:option|rebind_proc))|tart_tls)|t61_to_8859|unbind)|evenshtein|i(?:bxml_(?:(?:clear|use_internal)_errors|disable_entity_loader|get_(?:e(?:rrors|xternal_entity_loader)|last_error)|set_(?:external_entity_loader|streams_context))|nkinfo|tespeed_(?:finish_request|re(?:quest|sponse)_headers))|o(?:cal(?:e(?:_(?:(?:accept_from_htt|looku)p|(?:c(?:anonicaliz|ompos)|pars)e|filter_matches|get_(?:(?:all_variant|keyword)s|d(?:efault|isplay_(?:(?:languag|nam)e|region|(?:scrip|varian)t))|primary_language|region|script)|set_default)|conv)|time)|g1[0p]|ng2ip)|stat|trim)|m(?:b_(?:c(?:h(?:eck_encoding|r)|onvert_(?:case|encoding|kana|variables))|de(?:code_(?:mimeheader|numericentity)|tect_(?:encoding|order))|e(?:ncod(?:e_(?:mimeheader|numericentity)|ing_aliases)|reg(?:_(?:match|replace(?:_callback)?|search(?:_(?:(?:get(?:po|reg)|(?:set)?po|reg)s|init))?)|i(?:_replace)?)?)|get_info|http_(?:in|out)put|internal_encoding|l(?:anguage|ist_encodings)|o(?:rd|utput_handler)|p(?:arse_str|referred_mime_name)|regex_(?:encoding|set_options)|s(?:crub|end_mail|plit|tr(?:_(?:pad|split)|cut|i(?:mwidth|pos|str)|len|pos|r(?:chr|i(?:chr|pos)|pos)|(?:st|to(?:low|upp)e)r|width)|ubst(?:itute_character|r(?:_count)?)))|(?:(?:d5|ove_uploaded)_fil|e(?:mory_(?:get_(?:peak_)?|reset_peak_)usag|taphon)|i(?:crotim|me_content_typ))e|hash(?:_(?:count|get_(?:block_siz|hash_nam)e|keygen_s2k))?|k(?:dir|time)|sg(?:_(?:(?:get_queu|re(?:ceiv|move_queu))e|queue_exists|s(?:e(?:nd|t_queue)|tat_queue))|fmt_(?:create|(?:format|parse)(?:_message)?|get_(?:(?:error_(?:cod|messag)|local)e|pattern)|set_pattern))|t_(?:getrandmax|s?rand)|ysqli_(?:a(?:ffected_rows|utocommit)|begin_transaction|c(?:ha(?:nge_user|racter_set_name)|lose|o(?:mmit|nnect(?:_err(?:no|or))?))|d(?:ata_seek|ebug|ump_debug_info)|e(?:rr(?:no|or(?:_list)?)|xecute_query)|f(?:etch_(?:a(?:ll|rray|ssoc)|column|field(?:_direct|s)?|lengths|object|row)|ield_(?:count|seek|tell)|ree_result)|get_(?:c(?:harset|lient_(?:info|stats|version)|onnection_stats)|(?:host|proto)_info|(?:links_stat|warning)s|server_(?:info|version))|in(?:fo|it|sert_id)|kill|m(?:ore_results|ulti_query)|n(?:ext_result|um_(?:field|row)s)|options|p(?:ing|oll|repare)|query|r(?:e(?:a(?:l_(?:connect|escape_string|query)|p_async_query)|fresh|(?:lease_savepoin|por)t)|ollback)|s(?:(?:avepoin|sl_se)t|e(?:lect_db|t_charset)|qlstate|t(?:(?:a|ore_resul)t|mt_(?:a(?:ffected_rows|ttr_[gs]et)|bind_(?:param|result)|close|data_seek|e(?:rr(?:no|or(?:_list)?)|xecute)|f(?:etch|(?:ield_coun|ree_resul)t)|get_(?:result|warnings)|in(?:it|sert_id)|more_results|n(?:ext_result|um_rows)|p(?:aram_count|repare)|res(?:et|ult_metadata)|s(?:end_long_data|qlstate|tore_result))))|thread_(?:id|safe)|(?:use_resul|warning_coun)t))|n(?:(?:at(?:case)?sor|gettex)t|et_get_interfaces|l(?:2br|_langinfo)|ormalizer_(?:get_raw_decomposition|is_normalized|normalize)|umfmt_(?:create|(?:format|parse)(?:_currency)?|get_(?:(?:(?:text_)?attribut|error_(?:cod|messag)|local)e|pattern|symbol)|set_(?:(?:text_)?attribute|pattern|symbol)))|o(?:b_(?:clean|end_(?:clean|flush)|(?:implicit_)?flush|g(?:et_(?:c(?:lean|ontents)|flush|le(?:ngth|vel)|status)|zhandler)|list_handlers)|c(?:i(?:_(?:(?:bind_(?:array_)?|define_)by_name|c(?:ancel|l(?:ient_version|ose)|o(?:llection_(?:a(?:ppend|ssign)|element_(?:assign|get)|max|size|trim)|(?:mmi|nnec)t))|e(?:rror|xecute)|f(?:etch(?:_(?:a(?:ll|rray|ssoc)|object|row))?|ield_(?:is_null|(?:nam|s(?:cal|iz))e|precision|type(?:_raw)?)|ree_(?:collection|descriptor|statement))|get_implicit_resultset|lob_(?:(?:appen|loa|re(?:a|win))d|copy|e(?:of|rase|xport)|flush|i(?:mport|s_equal)|s(?:(?:av|iz)e|eek)|t(?:ell|runcate)|write)|n(?:ew_(?:c(?:o(?:llection|nnect)|ursor)|descriptor)|um_(?:field|row)s)|p(?:a(?:rs|ssword_chang)e|connect)|r(?:e(?:gister_taf_callback|sult)|ollback)|s(?:e(?:rver_version|t_(?:(?:ac|db_opera|edi)tion|c(?:all_timeout|lient_i(?:dentifier|nfo))|module_name|prefetch(?:_lob)?))|tatement_type)|unregister_taf_callback)|fetchinto|[gs]etbufferinglob)|tdec)|dbc_(?:autocommit|(?:binmod|data_sourc)e|c(?:lose(?:_all)?|o(?:lumn(?:privilege)?s|mmit|nnect(?:ion_string_(?:is_quoted|(?:should_)?quote))?)|ursor)|e(?:rror(?:msg)?|xec(?:ute)?)|f(?:etch_(?:array|into|object|row)|ield_(?:len|n(?:ame|um)|(?:scal|typ)e)|oreignkeys|ree_result)|gettypeinfo|longreadlen|n(?:ext_result|um_(?:field|row)s)|p(?:connect|r(?:epare|(?:imarykey|ocedure(?:column)?)s))|r(?:esult(?:_all)?|ollback)|s(?:etoption|(?:pecialcolumn|tatistic)s)|table(?:privilege)?s)|p(?:cache_(?:compile_file|get_(?:configuration|status)|i(?:nvalidate|s_script_cached)|reset)|en(?:dir|log|ssl_(?:c(?:ipher_(?:iv|key)_length|ms_(?:(?:de|en)crypt|read|sign|verify)|sr_(?:export(?:_to_file)?|get_(?:public_key|subject)|new|sign))|d(?:(?:ecryp|iges)t|h_compute_key)|e(?:ncrypt|rror_string)|(?:get_(?:c(?:ert_location|ipher_method|urve_name)|md_method)|random_pseudo_byte)s|open|p(?:bkdf2|k(?:cs(?:12_(?:export(?:_to_file)?|read)|7_(?:(?:de|en)crypt|read|sign|verify))|ey_(?:(?:deriv|fre)e|export(?:_to_file)?|get_(?:details|p(?:rivate|ublic))|new))|(?:rivate|ublic)_(?:de|en)crypt)|s(?:eal|ign|pki_(?:export(?:_challenge)?|new|verify))|verify|x509_(?:check(?:_private_key|purpose)|export(?:_to_file)?|f(?:ingerprint|ree)|parse|read|verify))))|utput_(?:add_rewrite_var|reset_rewrite_vars))|p(?:a(?:rse_(?:ini_(?:file|string)|str)|ss(?:thru|word_(?:algos|get_info|(?:needs_re)?hash|verify))|thinfo)|c(?:lose|ntl_(?:a(?:larm|sync_signals)|exec|forkx?|get(?:_last_error|priority)|rfork|s(?:etpriority|ig(?:nal(?:_(?:dispatch|get_handler))?|procmask|timedwait|waitinfo)|trerror)|unshare|w(?:ait(?:pid)?|exitstatus|if(?:continu|exit|s(?:ignal|topp))ed|(?:stop|term)sig)))|do_drivers|fsockopen|g_(?:(?:affected_row|num_(?:field|row)|option)s|c(?:ancel_query|l(?:ient_encoding|ose)|o(?:n(?:nect(?:_poll|ion_(?:busy|reset|status))?|(?:sume_inpu|ver)t)|py_(?:from|to)))|d(?:bnam|elet)e|e(?:n(?:d_copy|ter_pipeline_mode)|scape_(?:bytea|identifier|literal|string)|x(?:ecut|it_pipeline_mod)e)|f(?:etch_(?:a(?:ll(?:_columns)?|rray|ssoc)|object|r(?:esult|ow))|ield(?:_(?:is_null|n(?:ame|um)|prtlen|size|t(?:able|ype(?:_oid)?))|isnull|prtlen)|lush|ree_result)|get_(?:notify|pid|result)|(?:hos|inser)t|l(?:ast_(?:error|notice|oid)|o_(?:(?:c(?:los|reat)|writ)e|(?:ex|im)port|open|read(?:_all)?|(?:see|unlin)k|t(?:ell|runcate)))|meta_data|p(?:arameter_status|(?:connec|or)t|i(?:ng|peline_s(?:tatus|ync))|(?:repar|ut_lin)e)|query(?:_params)?|result_(?:error(?:_field)?|s(?:eek|tatus))|s(?:e(?:lect|nd_(?:(?:execut|prepar)e|query(?:_params)?)|t_(?:client_encoding|error_(?:context_visibil|verbos)ity))|ocket)|t(?:ra(?:ce|nsaction_status)|ty)|u(?:n(?:escape_bytea|trace)|pdate)|version)|hp(?:_(?:ini_(?:loaded_file|scanned_files)|(?:s(?:api_nam|trip_whitespac)|unam)e)|credits|dbg_(?:break_(?:f(?:ile|unction)|method|next)|c(?:lea|olo)r|e(?:nd_oplog|xec)|get_executable|prompt|start_oplog)|info|version)|osix_(?:e?access|ctermid|f?pathconf|get(?:_last_error|(?:cw|(?:e[gu]|[su])i)d|g(?:id|r(?:gid|nam|oups))|login|p(?:g(?:id|rp)|p?id|w(?:nam|uid))|rlimit)|i(?:nitgroups|satty)|kill|mk(?:fifo|nod)|s(?:et(?:(?:e[gu]|p?g|[su])id|rlimit)|trerror|ysconf)|t(?:imes|tyname)|uname)|r(?:eg_(?:filter|grep|last_error(?:_msg)?|match_all|quote|replace_callback(?:_array)?|split)|o(?:c_(?:(?:clos|nic|terminat)e|get_status|open)|perty_exists))|spell_(?:add_to_(?:personal|session)|c(?:heck|lear_session|onfig_(?:(?:creat|ignor|mod)e|d(?:ata|ict)_dir|(?:persona|save_rep)l|r(?:epl|untogether)))|new(?:_(?:config|personal))?|s(?:(?:ave_wordli|ugge)s|tore_replacemen)t)|utenv)|quote(?:d_printable_(?:de|en)code|meta))[\s\x0b]*\(" \
+    "id:933152,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
+    logdata:'Matched Data: %{TX.0} found within %{TX.933152_MATCHED_VAR_NAME}: %{TX.933152_MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-injection-php',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
+    tag:'capec/1000/152/242',\
+    ver:'OWASP_CRS/4.16.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.933152_matched_var=%{MATCHED_VAR}',\
+    setvar:'tx.933152_matched_var_name=%{MATCHED_VAR_NAME}',\
+    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
+# This rule is a sibling of rule 933151.
+#
+# Regular expression generated from regex-assembly/933153.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 933153
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:r(?:a(?:d2deg|ndom_(?:bytes|int)|wurl(?:de|en)code)|e(?:a(?:d(?:dir|(?:gz)?file|lin(?:e(?:_(?:(?:(?:add|list|write)_histor|re(?:ad_histor|displa))y|c(?:allback_(?:handler_(?:install|remove)|read_char)|lear_history|ompletion_function)|info|on_new_line))?|k))|lpath(?:_cache_(?:get|size))?)|gister_(?:shutdown|tick)_function|s(?:ourcebundle_(?:c(?:ount|reate)|get(?:_error_(?:cod|messag)e)?|locales)|tore_e(?:rror|xception)_handler)|wind(?:dir)?)|mdir|sort)|s(?:api_windows_(?:cp_(?:conv|[gs]et|is_utf8)|(?:generate_ctrl_even|vt100_suppor)t|set_ctrl_handler)|candir|e(?:m_(?:(?:acquir|re(?:leas|mov))e|get)|ssion_(?:(?:abor|unse)t|c(?:ache_(?:expire|limiter)|reate_id)|de(?:code|stroy)|(?:encod|(?:module_)?nam|write_clos)e|g(?:c|et_cookie_params)|id|re(?:g(?:enerate_id|ister_shutdown)|set)|s(?:ave_path|et_(?:cookie_params|save_handler)|ta(?:rt|tus)))|t(?:_(?:e(?:rror|xception)_handler|include_path|time_limit)|(?:(?:raw)?cooki|local)e))|h(?:a1(?:_file)?|ell_exec|m(?:_(?:(?:at|de)tach|(?:(?:ge|pu)t|has)_var|remove(?:_var)?)|op_(?:(?:clos|(?:dele|wri)t|siz)e|open|read)))|i(?:m(?:ilar_text|plexml_(?:import_dom|load_(?:file|string)))|nh)|nmp(?:[23]_(?:get(?:next)?|(?:real_)?walk|set)|_(?:get_(?:quick_print|valueretrieval)|read_mib|set_(?:(?:(?:enum|quick)_prin|oid_output_forma)t|valueretrieval))|get(?:next)?|(?:real)?walk|set)|o(?:cket_(?:a(?:ccept|ddrinfo_(?:bind|connect|explain|lookup)|tmark)|bind|c(?:l(?:ear_error|ose)|msg_space|onnect|reate(?:_(?:listen|pair))?)|(?:ex|im)port_stream|get(?:_option|(?:peer|sock)name)|l(?:ast_error|isten)|re(?:ad|cv(?:from|msg)?)|s(?:e(?:lect|nd(?:msg|to)?|t_(?:(?:non)?block|option))|hutdown|trerror)|w(?:rite|saprotocol_info_(?:(?:ex|im)port|release)))|dium_(?:(?:ad|(?:un)?pa)d|b(?:ase642bin|in2(?:base64|hex))|c(?:ompare|rypto_(?:a(?:ead_(?:aes256gcm_(?:(?:de|en)crypt|is_available|keygen)|chacha20poly1305_(?:(?:de|en)crypt|ietf_(?:(?:de|en)crypt|keygen)|keygen)|xchacha20poly1305_ietf_(?:(?:de|en)crypt|keygen))|uth(?:_(?:keygen|verify))?)|box(?:_(?:keypair(?:_from_secretkey_and_publickey)?|open|publickey(?:_from_secretkey)?|se(?:al(?:_open)?|cretkey|ed_keypair)))?|core_ristretto255_(?:add|from_hash|is_valid_point|random|s(?:calar_(?:add|(?:complemen|inver)t|mul|negate|r(?:andom|educe)|sub)|ub))|generichash(?:_(?:final|init|keygen|update))?|k(?:df_(?:derive_from_key|keygen)|x_(?:client_session_keys|keypair|publickey|se(?:cretkey|ed_keypair|rver_session_keys)))|pwhash(?:_s(?:cryptsalsa208sha256(?:_str(?:_verify)?)?|tr(?:_(?:needs_rehash|verify))?))?|s(?:calarmult(?:_ristretto255(?:_base)?)?|ecret(?:box(?:_(?:keyg|op)en)?|stream_xchacha20poly1305_(?:(?:init_)?pu(?:ll|sh)|keygen|rekey))|horthash(?:_keygen)?|ign(?:_(?:(?:verify_)?detached|ed25519_[ps]k_to_curve25519|keypair(?:_from_secretkey_and_publickey)?|open|publickey(?:_from_secretkey)?|se(?:cretkey|ed_keypair)))?|tream(?:_(?:keygen|x(?:chacha20(?:_(?:keygen|xor(?:_ic)?))?|or)))?)))|hex2bin|increment|mem(?:cmp|zero))|undex)|p(?:l_(?:autoload(?:_(?:call|(?:extens|funct)ions|(?:un)?register))?|classes|object_(?:hash|id))|rintf)|qrt|scanf|tr(?:_(?:contains|(?:decreme|word_cou)nt|ends_with|getcsv|i(?:ncrement|replace)|pad|r(?:epeat|ot13)|s(?:huffle|plit|tarts_with))|c(?:(?:asec)?mp|oll|spn)|eam_(?:bucket_(?:(?:ap|pre)pend|make_writeable|new)|co(?:ntext_(?:create|get_(?:default|(?:option|param)s)|set_(?:default|options?|params))|py_to_stream)|filter_(?:(?:ap|pre)pend|re(?:gister|move))|get_(?:(?:(?:conten|transpor)t|(?:filt|wrapp)er)s|line|meta_data)|is(?:_local|atty)|resolve_include_path|s(?:e(?:lect|t_(?:blocking|chunk_size|(?:read|write)_buffer|timeout))|ocket_(?:(?:accep|clien)t|enable_crypto|get_name|pair|recvfrom|s(?:e(?:ndto|rver)|hutdown))|upports_lock)|wrapper_(?:re(?:gister|store)|unregister))|ftime|i(?:p(?:c?slashe|o)s|str)|n(?:at)?c(?:asec)?mp|p(?:brk|time)|r(?:chr|ev|i?pos)|s(?:pn|tr)|t(?:ok|r)|val)|ubstr_(?:co(?:mpare|unt)|replace)|ys_get(?:_temp_dir|loadavg))|t(?:anh|e(?:mpnam|st[12]|xtdomain)|i(?:dy_(?:(?:access|error|warning)_count|c(?:lean_repair|onfig_count)|diagnose|get(?:_(?:body|config|error_buffer|h(?:ead|tml(?:_ver)?)|o(?:pt_doc|utput)|r(?:elease|oot)|status)|opt)|is_x(?:ht)?ml|(?:parse|repair)_(?:file|string))|me(?:_(?:nanosleep|sleep_until)|zone_(?:(?:(?:abbreviation|identifier)s_lis|(?:(?:locat|vers)ion|transitions)_ge)t|name_(?:from_abbr|get)|o(?:ffset_get|pen))))|mpfile|oken_(?:get_all|name)|r(?:a(?:it_exists|nsliterator_(?:create(?:_(?:from_rules|inverse))?|(?:get_error_(?:cod|messag)|transliterat)e|list_ids))|igger_error))|u(?:[ak]sort|cwords|mask|n(?:i(?:qi|xtoj)d|register_tick_function)|(?:rlde|tf8_(?:de|en))code|s(?:e_soap_error_handler|leep|ort))|v(?:ar(?:_(?:dump|export)|iant_(?:a(?:bs|[dn]d)|c(?:as?t|mp)|d(?:ate_(?:from|to)_timestamp|iv)|eqv|fix|get_type|i(?:div|mp|nt)|m(?:od|ul)|n(?:eg|ot)|x?or|pow|round|s(?:et(?:_type)?|ub)))|ersion_compare|[fs]?printf)|wordwrap|xml(?:_(?:error_string|get_(?:current_(?:byte_index|(?:column|line)_number)|error_code)|parse(?:_into_struct|r_(?:create(?:_ns)?|free|[gs]et_option))?|set_(?:(?:character_data|default|e(?:lement|nd_namespace_decl|xternal_entity_ref)|(?:notation|start_namespace|unparsed_entity)_decl|processing_instruction)_handler|object))|writer_(?:end_(?:attribute|c(?:data|omment)|d(?:ocument|td(?:_(?:attlist|e(?:lement|ntity)))?)|element|pi)|f(?:lush|ull_end_element)|o(?:pen_(?:memory|uri)|utput_memory)|s(?:et_indent(?:_string)?|tart_(?:(?:attribute|element)(?:_ns)?|c(?:data|omment)|d(?:ocument|td(?:_(?:attlist|e(?:lement|ntity)))?)|pi))|text|write_(?:(?:attribute|element)(?:_ns)?|c(?:data|omment)|dtd(?:_(?:attlist|e(?:lement|ntity)))?|pi|raw)))|z(?:end_(?:c(?:all_method|reate_unterminated_string)|get_(?:current_func_name|map_ptr_last|unit_enum)|iterable(?:_legacy)?|leak_(?:bytes|variable)|(?:number_or_string|string_or_(?:object|stdclass))(?:_or_null)?|t(?:e(?:rminate_string|st_(?:(?:(?:nullable_)?array|void)_return|c(?:ompile_string|r(?:ash|eate_throwing_resource))|deprecated|f(?:ill_packed_array|unc)|is_string_marked_as_valid_utf8|(?:override_libxml_global_sta|parameter_with_attribu)te|zend_(?:call_stack_(?:get|use_all)|ini_(?:parse_u?quantity|str))))|hread_id)|version|weakmap_(?:attach|dump|remove))|ip_(?:close|entry_(?:c(?:lose|ompress(?:edsize|ionmethod))|(?:filesiz|nam)e|open|read)|open|read)|lib_(?:(?:de|en)cod|get_coding_typ)e)|ZendTestNS2_(?:ZendSubNS_)?namespaced_(?:deprecated_)?func)[\s\x0b]*\(" \
+    "id:933153,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
+    logdata:'Matched Data: %{TX.0} found within %{TX.933153_MATCHED_VAR_NAME}: %{TX.933153_MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-injection-php',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
+    tag:'capec/1000/152/242',\
+    ver:'OWASP_CRS/4.16.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.933153_matched_var=%{MATCHED_VAR}',\
+    setvar:'tx.933153_matched_var_name=%{MATCHED_VAR_NAME}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -589,7 +691,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'O
 #   crs-toolchain regex update 933131
 #
 # This rule is a stricter sibling of rule 933130.
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" \
     "id:933131,\
     phase:2,\
     block,\
@@ -603,8 +705,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -633,7 +736,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 933161
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\s\x0b]|/\*.*\*/|(?:#|//).*)*\(.*\)" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\s\x0b]|/\*.*\*/|(?:#|//).*)*\(.*\)" \
     "id:933161,\
     phase:2,\
     block,\
@@ -647,8 +750,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -689,8 +793,9 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -704,7 +809,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 # checked sequence '?>' commonly causes false positives.
 # See issue #654 for discussion.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
     "id:933190,\
     phase:2,\
     block,\
@@ -718,8 +823,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -739,7 +845,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 933211
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\x0b\"'\-\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(\),\./;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\)(?:;|$)?" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\x0b\"'\-\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(\),\./;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\)(?:;|$)?" \
     "id:933211,\
     phase:2,\
     block,\
@@ -753,15 +859,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #