coreruleset · fzipi · Jan 27, 2026 · Nov 14, 2025 · Nov 14, 2025 · Nov 14, 2025
diff --git a/regex-assembly/933160.ra b/regex-assembly/933160.ra
@@ -41,6 +41,7 @@ md5
 mkdir
 opendir
 passthru
+phpinfo
 popen
 printf
 readfile
@@ -53,9 +54,11 @@ usort
 ##! English words, or potential snippets of them, are added here to perform a regex match.
 ##! Compared to the parallel match performed by 933150, fewer false positives will be generated.
 exp
+intval
 ord
 prev
 stat
 substr
 system
 unlink
+unserialize
diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -279,13 +279,13 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzi
 # The list of PHP functions is divided into four groups of varying attack/false positive risk.
 # Four separate rules are used to detect these groups of functions:
 #
-# - Rule 933150: ~237 words highly common to PHP injection payloads and extremely rare in
+# - Rule 933150: ~234 words highly common to PHP injection payloads and extremely rare in
 #		natural language or other contexts.
 #		Examples: 'base64_decode', 'file_get_contents'.
 #		These words are detected as a match directly using @pmFromFile.
 #		Function names are defined in php-function-names-933150.data
 #
-# - Rule 933160: ~36 words which are common in PHP code, but have a higher chance to cause
+# - Rule 933160: ~39 words which are common in PHP code, but have a higher chance to cause
 #		false positives in natural language or other contexts.
 #		Examples: 'chr', 'eval'.
 #		To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
@@ -312,8 +312,10 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzi
 #
 # Rule 933150 contains a small list of function names which are highly indicative of a PHP
 # injection attack, for example 'base64_decode'.
-# We block these function names outright, without using a complex regexp or chain.
-# This could make the detection a bit more robust against possible bypasses.
+# The rule uses a chained rule to require parentheses after function names.
+# This prevents false positives from substring matches (e.g., "intval" in "PaintValdosta").
+# Functions that commonly appear as English words/substrings are handled by rule 933160
+# with stricter regex-based function call syntax validation.
 #
 SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
     "id:933150,\
@@ -333,8 +335,11 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X
     tag:'capec/1000/152/242',\
     ver:'OWASP_CRS/4.23.0-dev',\
     severity:'CRITICAL',\
-    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    chain"
+    SecRule MATCHED_VARS "@pm ( )" \
+        "t:none,\
+        setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -368,7 +373,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 933160
 #
-SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open|puts)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|m(?:d5|kdir)|o(?:pendir|rd)|p(?:assthru|open|r(?:intf|ev))|r(?:eadfile|trim)|s(?:t(?:rip_tags|at)|ubstr|ystem)|tmpfile|u(?:n(?:pac|lin)k|sort))(?:/(?:\*.*?\*/|/[^\n\r]*)|#[^\n\r]*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open|puts)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a|ntval)|m(?:d5|kdir)|o(?:pendir|rd)|p(?:assthru|hpinfo|open|r(?:intf|ev))|r(?:eadfile|trim)|s(?:t(?:rip_tags|at)|ubstr|ystem)|tmpfile|u(?:n(?:(?:pac|lin)k|serialize)|sort))(?:/(?:\*.*?\*/|/[^\n\r]*)|#[^\n\r]*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \
     "id:933160,\
     phase:2,\
     block,\

diff --git a/rules/php-function-names-933150.data b/rules/php-function-names-933150.data
@@ -98,7 +98,6 @@ imagegd2
 ini_get
 ini_get_all
 ini_set
-intval
 iptcembed
 is_array
 is_dir
@@ -149,7 +148,6 @@ pg_prepare
 pg_query
 php_strip_whitespace
 php_uname
-phpinfo
 phpversion
 posix_getegid
 posix_geteuid
@@ -231,7 +229,6 @@ strtoupper
 uasort
 ucfirst
 uksort
-unserialize
 urldecode
 urlencode
 var_dump