Improper Encoding or Escaping of Output

Summary

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern-matching techniques and allow undetected access. The legacy CRS versions 3.0.0 through 3.2.1, and 3.3.2 and configure a CRS paranoia level of 3 or higher.