From 2c85f81b156917a9672ce5c8a062ff09651561af Mon Sep 17 00:00:00 2001
From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com>
Date: Fri, 3 Apr 2026 07:54:58 +0200
Subject: [PATCH 1/2] feat(933100): all HTTP headers should be checked

---
 rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index 0026a79ff7..b58f14ad9c 100644
--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -50,7 +50,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'O
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 933100
 #
-SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<\?(?:php[\s\x0b]|[\s\x0b=]|xml(?:[\s\x0b]+[^a-z]|:)|$)|\[[/\x5c]?php\]|\{/?php\}" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Cookie|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<\?(?:php[\s\x0b]|[\s\x0b=]|xml(?:[\s\x0b]+[^a-z]|:)|$)|\[[/\x5c]?php\]|\{/?php\}" \
     "id:933100,\
     phase:2,\
     block,\

From fcb9864ddb125d1ae4d68d078429a3d0a8bfd59a Mon Sep 17 00:00:00 2001
From: TW - Vincent <315173+touchweb-vincent@users.noreply.github.com>
Date: Fri, 3 Apr 2026 08:59:32 +0200
Subject: [PATCH 2/2] Add test case for PHP injection in HTTP header

---
 .../933100.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml
index 98611e8074..6a6d76970e 100644
--- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml
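Review bot: The new variable list on the `+SecRule` line puts every request header value except Cookie under a paranoia-level-1 rule, and the regex it feeds fires not only on `<?php` but on a bare `<?` followed by whitespace, `=` or end of value, so headers that routinely carry URLs or opaque tokens (Referer, Authorization, custom `X-*` headers) become a new false-positive surface for the default level. Sibling CRS header-inspecting rules generally carry additional exclusions (commonly `!REQUEST_HEADERS:Referer`, sometimes `!REQUEST_HEADERS:User-Agent`) or sit at a higher paranoia level — worth confirming against those rules before widening a PL1 rule, or at least adding `|!REQUEST_HEADERS:Referer` here. Note that `REQUEST_HEADERS` inspects header values only, so the commit title's "all HTTP headers" does not extend to header names (`REQUEST_HEADERS_NAMES`), and the `!REQUEST_HEADERS:Cookie` exclusion is right only because `REQUEST_COOKIES`/`REQUEST_COOKIES_NAMES` already cover that data — a why-comment above the rule such as `# Header values are inspected as well; Cookie is excluded because REQUEST_COOKIES already covers it` would preserve that reasoning. The SecRule's action list (transformations, `ver`, paranoia tags) continues past the end of the hunk; if the rule carries a `ver` action, CRS convention is to bump it for a behaviour change like this.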
@@ -1653,3 +1653,21 @@ tests:
         output:
           log:
             no_expect_ids: [933100]
+  - test_id: 91
+    desc: |
+      PHP injection in HTTP header - CVE-2026-1540
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            X-Forwarded-For: ""
+          method: GET
+          port: 80
+          uri: "/profile"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933100]
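Review bot: As shown, the payload header `X-Forwarded-For: ""` is empty, so nothing in this request matches the rule's regex and a run with `expect_ids: [933100]` cannot pass; if a `<?php …` value was stripped in transit (likely, given the tag-like shape), it needs to be restored in the file, e.g. `X-Forwarded-For: "<?php echo 'x'; ?>"`, and a second variant using the short-tag form `<?=` would pin the other branch of the regex. The test only covers the positive side of the header widening: a companion case with `no_expect_ids: [933100]` that sends a benign `Referer` URL and a `User-Agent` containing the word `php` without tag syntax would guard the false-positive surface the rule change opens. The `desc` names a CVE but not which header carried the injection there; one sentence stating that would make the regression intent clear to a future reader without the commit history.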