owasp-modsecurity
diff --git a/‎iis/installer.wxs‎
Lines changed: 32 additions & 16 deletions b/‎iis/installer.wxs‎
Lines changed: 32 additions & 16 deletions
diff --git a/‎iis/wix/Microsoft_VC110_CRT_x64.msm‎
-728 KB b/‎iis/wix/Microsoft_VC110_CRT_x64.msm‎
-728 KB
diff --git a/‎iis/wix/Microsoft_VC110_CRT_x86.msm‎
-748 KB b/‎iis/wix/Microsoft_VC110_CRT_x86.msm‎
-748 KB
diff --git a/‎iis/wix/Microsoft_VC120_CRT_x64.msm‎
-784 KB b/‎iis/wix/Microsoft_VC120_CRT_x64.msm‎
-784 KB
diff --git a/‎iis/wix/Microsoft_VC120_CRT_x86.msm‎
-788 KB b/‎iis/wix/Microsoft_VC120_CRT_x86.msm‎
-788 KB
diff --git a/‎iis/wix/README.TXT‎
Lines changed: 11 additions & 0 deletions b/‎iis/wix/README.TXT‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎iis/wix/modsecurity.conf‎
Lines changed: 19 additions & 5 deletions b/‎iis/wix/modsecurity.conf‎
Lines changed: 19 additions & 5 deletions
@@ -29,6 +29,25 @@
         <Property Id="IIS">
             <RegistrySearch Id="IISInstalledVersion" Root="HKLM" Key="SOFTWARE\Microsoft\InetStp" Type="raw" Name="MajorVersion" />
         </Property>
+        <!-- Detect Visual C++ 2019 Redistributable (VC142) -->
+        <?if $(var.Win64) = "yes" ?>
+        <Property Id="VC142X64INSTALLED">
+            <RegistrySearch Id="FindVC142X64" Root="HKLM"
+                Key="SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64"
+                Name="Installed" Type="raw" Win64="yes" />
+        </Property>
+        <Property Id="VC142X86INSTALLED">
+            <RegistrySearch Id="FindVC142X86" Root="HKLM"
+                Key="SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86"
+                Name="Installed" Type="raw" Win64="yes" />
+        </Property>
+        <?else?>
+        <Property Id="VC142X86INSTALLED">
+            <RegistrySearch Id="FindVC142X86" Root="HKLM"
+                Key="SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86"
+                Name="Installed" Type="raw" Win64="no" />
+        </Property>
+        <?endif?>
         <!-- Detect if ModSecurity IIS module and its dependent DLL files exist -->
         <Property Id="FILEEXISTS" Secure="yes">
             <DirectorySearch Id="CheckFileDir1" Path="C:\Windows\System32\inetsrv" Depth="0">
@@ -97,6 +116,19 @@
         <Property Id="MSIUSEREALADMINDETECTION" Value="1" />
         <!-- Define installation conditions -->
         <Condition Message="This setup requires IIS 7.0, 8.0 or 10.0. If that's the case, please ensure that the installer is running as administrator or try running it from the 'Apps and features' or 'Add/Remove Programs' menu"><![CDATA[(IIS="#7") OR (IIS="#8") OR (IIS="#10")]]></Condition>
+        <!-- Check for required Visual C++ 2019 Redistributables -->
+        <?if $(var.Win64) = "yes" ?>
+        <Condition Message="This application requires Microsoft Visual C++ 2019 Redistributable (x64). Please download and install from: https://aka.ms/vs/17/release/vc_redist.x64.exe">
+            <![CDATA[Installed OR VC142X64INSTALLED]]>
+        </Condition>
+        <Condition Message="This application requires Microsoft Visual C++ 2019 Redistributable (x86) for 32-bit support. Please download and install from: https://aka.ms/vs/17/release/vc_redist.x86.exe">
+            <![CDATA[Installed OR VC142X86INSTALLED]]>
+        </Condition>
+        <?else?>
+        <Condition Message="This application requires Microsoft Visual C++ 2019 Redistributable (x86). Please download and install from: https://aka.ms/vs/17/release/vc_redist.x86.exe">
+            <![CDATA[Installed OR VC142X86INSTALLED]]>
+        </Condition>
+        <?endif?>
         <!-- Version 2.7.5 had an uninstall issue that leaves some files behind. Asking the user to manually hash this out. -->
         <Condition Message="A older version of ModSecurityIIS was found in your computer. Please complete uninstall by removing the following file: [FILEEXISTS]. You may have to remove ModSecurity module from IIS, use the IIS Manager to do so."><![CDATA[(NOT FILEEXISTS) OR (Installed)]]></Condition>
         <Condition Message="64-bit operating system was detected, please use the 64-bit installer.">
@@ -205,14 +237,6 @@
             <?endif?>
             <ComponentRef Id="StartMenuShortcuts" />
         </Feature>
-        <Feature Id="VCRedist" Title="Visual C++ 14.2 Runtime (VS2019)" AllowAdvertise="no" Display="hidden" Level="1">
-            <?if $(var.Win64) = "yes" ?>
-            <MergeRef Id="VCRedist142_64" />
-            <MergeRef Id="VCRedist142_32" />
-            <?else?>
-            <MergeRef Id="VCRedist142_32" />
-            <?endif?>
-        </Feature>
         <?if $(var.Win64) = "yes" ?>
         <Feature Id="ModSec64" Title="ModSecurity IIS (64 bits)" Level="1" InstallDefault="local" Display="expand" AllowAdvertise="no" Description="This option will install ModSecurityIIS 64bits with all the necessary dependencies.">
             <ComponentRef Id="ModSec64" />
@@ -408,13 +432,5 @@
         <?else?>
         <CustomAction Id="UninstallConf" Execute="deferred" Impersonate="no" Return="check" Directory="INSTALLFOLDER" ExeCommand="&quot;[SystemFolder]inetsrv\appcmd.exe&quot; clear config -section:&quot;system.webServer/ModSecurity&quot;" />
         <?endif?>
-        <DirectoryRef Id="TARGETDIR">
-            <?if $(var.Win64) = "yes" ?>
-            <Merge Id="VCRedist142_64" SourceFile="wix\Microsoft_VC142_CRT_x64.msm" DiskId="1" Language="0" />
-            <Merge Id="VCRedist142_32" SourceFile="wix\Microsoft_VC142_CRT_x86.msm" DiskId="1" Language="0" />
-            <?else?>
-            <Merge Id="VCRedist142_32" SourceFile="wix\Microsoft_VC142_CRT_x86.msm" DiskId="1" Language="0" />
-            <?endif?>
-        </DirectoryRef>
     </Product>
 </Wix>
@@ -1,5 +1,16 @@
 Please note that installing ModSecurity for IIS requires IIS to be installed and enabled.
 
+PREREQUISITES:
+
+ModSecurity for IIS requires the Microsoft Visual C++ 2019 Redistributable to be installed:
+- For 64-bit systems: Install both x64 and x86 versions (for 32-bit application pool support)
+  - x64: https://aka.ms/vs/17/release/vc_redist.x64.exe
+  - x86: https://aka.ms/vs/17/release/vc_redist.x86.exe
+- For 32-bit systems: Install x86 version only
+  - x86: https://aka.ms/vs/17/release/vc_redist.x86.exe
+
+The installer will check for these prerequisites and provide download links if they are missing.
+
 
 After installing ModSecurity for IIS, the module will be running in all websites by default. To remove from a website add to web.config:
 
 
@@ -23,16 +23,23 @@ SecStreamInBodyInspection On
 # Enable XML request body parser.
 # Initiate XML Processor in case of xml content-type
 #
-SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
      "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
 
 # Enable JSON request body parser.
 # Initiate JSON Processor in case of JSON content-type; change accordingly
 # if your application does not use 'application/json'
 #
-SecRule REQUEST_HEADERS:Content-Type "application/json" \
+SecRule REQUEST_HEADERS:Content-Type "^application/json" \
      "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
+# Sample rule to enable JSON request body parser for more subtypes.
+# Uncomment or adapt this rule if you want to engage the JSON
+# Processor for "+json" subtypes
+#
+#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
+#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
 # Maximum request body size we will accept for buffering. If you support
 # file uploads then the value given on the first line has to be as large
 # as the largest file you are willing to accept. The second value refers
@@ -55,6 +62,11 @@ SecRequestBodyInMemoryLimit 131072
 #
 SecRequestBodyLimitAction Reject
 
+# Maximum parsing depth allowed for JSON objects. You want to keep this
+# value as low as practical.
+#
+SecRequestBodyJsonDepthLimit 512
+
 # Verify that we've correctly processed the request body.
 # As a rule of thumb, when failing to process a request body
 # you should reject the request (when deployed in blocking mode)
@@ -101,7 +113,7 @@ SecPcreMatchLimitRecursion 1000
 # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
 #
 SecRule TX:/^MSC_/ "!@streq 0" \
-        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+    "id:'200005',phase:2,t:none,log,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 
 
 # -- Response body handling --------------------------------------------------
@@ -194,7 +206,7 @@ SecAuditLogParts ABIJDEFHZ
 # assumes that you will use the audit log only ocassionally.
 #
 SecAuditLogType Serial
-#SecAuditLog c:\inetpub\logs\modsec_audit.log
+SecAuditLog c:\inetpub\logs\modsec_audit.log
 
 # Specify the path for concurrent audit logging.
 #SecAuditLogStorageDir c:\inetpub\logs\
@@ -226,5 +238,7 @@ SecUnicodeMapFile unicode.mapping 20127
 # The following information will be shared: ModSecurity version,
 # Web Server version, APR version, PCRE version, Lua version, Libxml2
 # version, Anonymous unique id for host.
-SecStatusEngine On
+# NB: As of April 2022, there is no longer any advantage to turning this
+# setting On, as there is no active receiver for the information.
+SecStatusEngine Off