Mini File Manager

Edit File

# ---------------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2021 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# Please see the enclosed IM360-LICENSE.txt file for full details.
# ---------------------------------------------------------------
# Imunify360 ModSecurity Joomla! Ruleset

# DEFA-1726
SecRule REQUEST_METHOD "@streq POST" "id:77140836,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: RCE vulnerability in Joomla 3.4.6 CVE-2019-?||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule ARGS:task "@streq user.login" "chain,t:lowercase"
SecRule ARGS:username "@contains \0" "t:none"

# DEFA-1775
SecRule REQUEST_FILENAME "@endsWith com_hdflvplayer/hdflvplayer/download.php" "id:77140845,chain,phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin'"
SecRule ARGS:f "@rx \.\.\/" "t:none,t:urlDecodeUni,t:normalizePath"

# DEFA-1777
SecRule REQUEST_FILENAME "@endsWith s5_media_player/helper.php" "id:77140847,chain,phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: Joomla Shape 5 MP3 Player 2.0 Local File Disclosure||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin'"
SecRule ARGS:fileurl "!@rx ^$" "t:none"

# DEFA-1819
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140901,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla simplefileupload component File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /modules/mod_simplefileuploadv1.3/elements/udd.php" "chain,t:none,t:normalizePath"
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)\W" "t:none,t:urlDecodeUni"

# DEFA-1819
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140902,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla com_facileforms component File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /components/com_facileforms/libraries/jquery/uploadify.php" "chain,t:none,t:normalizePath"
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)\W" "t:none,t:urlDecodeUni"

# DEFA-1819
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140911,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla! com_extplorer Components File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith components/com_extplorer/uploadhandler.php" "chain,t:none,t:normalizePath"
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)\W" "t:none,t:urlDecodeUni"

# DEFA-1908
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140929,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla com_rokdownloads Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith com_rokdownloads/assets/uploadhandler.php" "chain,t:none,t:normalizePath"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-1909
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140930,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla com_jbcatalog Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@rx com_jbcatalog/libraries/jsupload/server/php" "chain,t:none,t:normalizePath"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-1910
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140931,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla com_alberghi Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith com_alberghi/upload.alberghi.php" "chain,t:none,t:normalizePath"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-1912
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:X-Forwarded-For "@rx JDatabaseDriverMysql" "id:77140932,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,msg:'IM360 WAF: Object Injection RCE vulnerability in Joomla CVE-2015-8562||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_core'"

SecRule REQUEST_METHOD "@rx ^POST$" "chain,id:77141002,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,msg:'IM360 WAF: Path traversal vulnerability in com_foxcontact component for Joomla!||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@rx uploader\.php$" "chain,t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace,t:normalizePath"
SecRule REQUEST_FILENAME "@contains /com_foxcontact/lib/" "chain,t:none,t:lowercase,t:removeWhitespace,t:normalizePath"
SecRule &ARGS:cid "@gt 0" "chain,t:none"
SecRule &ARGS:mid "@gt 0" "chain,t:none"
SecRule ARGS:qqfile "@rx \.\.\/" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# DEFA-2241
SecRule REQUEST_FILENAME "@endsWith /modules/tdpsthemeoptionpanel/tdpsthemeoptionpanelAjax.php" "id:77141003,chain,phase:2,block,log,severity:2,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,msg:'IM360 WAF: File upload vulnerability in WooCommerce plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin'"
SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-2242
SecRule REQUEST_FILENAME "@endsWith /modules/pk_vertflexmenu/ajax/upload.php" "id:77141004,chain,phase:2,block,log,severity:2,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,msg:'IM360 WAF: File upload vulnerability in WooCommerce plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin'"
SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-2367
SecRule ARGS:creativecontactform_upload "@rx \.\.\/" "id:77141037,block,log,severity:2,t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,msg:'IM360 WAF: Joomla Creative Contact Form 4.6.2 Directory Traversal||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin'"

# DEFA-2746
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142145,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla com_rokdownloads path traversal Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith com_rokdownloads/assets/uploadhandler.php" "chain,t:none,t:normalizePath"
SecRule ARGS "@rx \.\.\/" "t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# DEFA-2746
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142147,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla com_oziogallery path traversal Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_URI "@rx \/components\/com_oziogallery\/imagin\/scripts_ralcr\/filesystem\/writeToFile\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:removeWhitespace"
SecRule ARGS:path "@rx \.\.\/" "t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# DEFA-2746
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142148,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla com_oziogallery path traversal Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_category_page_icons',tag:'im360_req_post'"
SecRule REQUEST_URI "@rx \/wp-content\/plugins\/category-page-icons\/include\/wpdev-flash-uploader\.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:removeWhitespace"
SecRule ARGS:dir_icons "@rx \.\.\/" "t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# Track Joomla!
SecRule REQUEST_COOKIES:/^[a-f0-9]{32}$/ "@rx ^(?:[a-z0-9]{26}|[a-z0-9]{32})$" "id:77209503,msg:'IM360 WAF: Start tracking Joomla! session||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,setsid:'%{MATCHED_VAR}',setvar:'SESSION.joomla_session=1',expirevar:'SESSION.joomla_session=300',nolog,t:none,severity:5,tag:'service_gen'"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222520,chain,msg:'IM360 WAF: Unauthorized account creation and modification in Joomla! before 3.6.4 (CVE-2016-8870 CVE-2016-9836)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_core'"
SecRule ARGS:task "@streq user.register" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains /component/users/" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule REQUEST_FILENAME "@contains /images/stories/" "id:77240000,chain,msg:'IM360 WAF: Protecting Joomla folder||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,severity:2,tag:'joomla_core'"
SecRule REQUEST_FILENAME "@endsWith .php" "t:none,t:urlDecodeUni,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith plugins/jtreelink/dialogs/links.php" "id:77223130,chain,msg:'IM360 WAF: SQL injection vulnerability in JCK Editor component 6.4.4 for Joomla (CVE-2018-17254)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'joomla_plugin'"
SecRule ARGS:parent "@rx \x22" "t:none,t:urlDecodeUni"
SecMarker IGNORE_SFS_SIG_XSS_SQLi_JC

SecRule REQUEST_FILENAME "@pm com_sexycontactform com_creativecontactform" "id:77240010,chain,msg:'IM360 WAF: Protecting Joomla Creative Contact Form Files folder||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,t:none,t:lowercase,severity:2,tag:'joomla_plugin'"
SecRule REQUEST_FILENAME "@rx \/com_(?:sexy|creative)contactform\/fileupload\/(files\/)?" "chain,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase"

# DEFA-3987
SecRule &ARGS:option "@lt 1" "id:77316871,pass,phase:2,nolog,severity:5,skipAfter:MARKER_option,msg:'ARGS page optimization||T:APACHE||',tag:'noshow',tag:'service_gen'"

# DEFA-4157
SecRule REQUEST_FILENAME "@endsWith /administrator/index.php" "chain,id:77316875,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Missing input validation within the template manager in Joomla! v3.2.0-v3.9.24 (CVE-2021-23131)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_core'"
SecRule ARGS:option "@streq com_templates" "chain,t:none"
SecRule ARGS:task "@streq template.overrides" "chain,t:none"
SecRule ARGS:folder "@pm ( <" "t:none,t:htmlEntityDecode,multiMatch"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222770,chain,msg:'IM360 WAF: Directory traversal vulnerability in K2 component 2.8.0 for Joomla (CVE-2018-7482)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_k2" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:target "@rx ^l1_(\w+)={0,2}$" "chain,capture,t:none"
SecRule TX:1 "@contains .." "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222900,chain,msg:'IM360 WAF: Arbitrary File Download vulnerability in Jtag Members Directory 5.3.7 component for Joomla (CVE-2018-6008)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_jtagmembersdirectory" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:download_file "@contains .." "t:none,t:urlDecodeUni"

# DEFA-4626
SecRule REQUEST_METHOD "@rx GET|POST" "id:77318022,chain,msg:'IM360 WAF: Old style account creation and modification in Joomla!||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:2,tag:'joomla_core',tag:'im360_req_post'"
SecRule ARGS:task "@rx register" "chain,t:none"
SecRule REQUEST_FILENAME "@contains /component/users/" "t:none,t:normalizePath,t:lowercase"

SecRule ARGS:option "@contains com_user" "id:77318023,chain,msg:'IM360 WAF: Old style account creation and modification in Joomla!||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:2,tag:'joomla_core'"
SecRule ARGS:view "@streq registration" "t:none"

# Joomla Bruteforce RBL persistent storage check
SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33347,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: Joomla Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360'"
SecRule REQUEST_METHOD "^POST$" "chain,t:none"
SecRule ARGS:username "!@rx ^$" "chain,t:none"
SecRule ARGS:passwd "!@rx ^$" "chain,t:none"
SecRule ARGS:option "^com_login$" "chain,t:none"
SecRule ARGS:task "^login$" "chain,t:none"
SecRule IP:rbl_brute "@eq 1"

# DEFA-1558
SecRule ARGS:option "@streq com_fireboard" "id:77140826,chain,msg:'IM360 WAF: SQL Injection vulnerability in Joomla FireBoard 1.1.3||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,tag:'service_i360custom',tag:'joomla_plugin'"
SecRule ARGS:func "@rx (?:fb_pdf|view|showcat)" "chain,t:none"
SecRule REQUEST_FILENAME "@endsWith index.php" "chain,t:none"
SecRule ARGS:catid|ARGS:Itemid "@rx '|\x22" "t:none,t:urlDecodeUni"

# DEFA-1558
SecRule ARGS:option "@streq com_alphacontent" "id:77140828,chain,msg:'IM360 WAF: SQL Injection vulnerabilities in Joomla AlphaContent v3.x||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,tag:'service_i360custom',tag:'joomla_plugin'"
SecRule &ARGS:section "@ge 1" "chain,t:none"
SecRule REQUEST_FILENAME "@endsWith index.php" "chain,t:none"
SecRule ARGS:limitstart|ARGS:id "@rx '|\x22" "t:none,t:urlDecodeUni"

# DEFA-1589
SecRule ARGS:option "@streq com_jomestate" "id:77140830,chain,msg:'IM360 WAF: SQL Injection vulnerabilities in Joomla JomEstate v4.1||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,tag:'service_i360custom',tag:'joomla_plugin'"
SecRule &ARGS:task "@ge 1" "chain,t:none"
SecRule REQUEST_FILENAME "@endsWith index.php" "chain,t:none"
SecRule ARGS:limitstart|ARGS:id|ARGS:Itemid|ARGS:tmpl "@rx '|\x22" "t:none,t:urlDecodeUni"

# DEFA-1589
SecRule ARGS:option "@streq com_easygb" "id:77140832,chain,msg:'IM360 WAF: SQL Injection vulnerabilities in Joomla Easy GuestBook v1.0||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,tag:'service_i360custom',tag:'joomla_plugin'"
SecRule &ARGS:task "@ge 1" "chain,t:none"
SecRule REQUEST_FILENAME "@endsWith index.php" "chain,t:none"
SecRule ARGS:Itemid "@rx '|\x22" "t:none,t:urlDecodeUni"

# DEFA-1772
SecRule REQUEST_METHOD "@streq POST" "id:77140842,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_adsmanager" "chain,t:none,t:lowercase"
SecRule ARGS:task "@streq upload" "chain,t:none,t:lowercase"
SecRule ARGS:tmpl "@streq component" "chain,t:none,t:lowercase"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-1773
SecRule REQUEST_METHOD "@streq POST" "id:77140843,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla Component com_fabrik File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_fabrik" "chain,t:none,t:lowercase"
SecRule ARGS:view|ARGS:c "@streq import" "chain,t:none,t:lowercase"
SecRule ARGS:filetype "@streq csv" "chain,t:none,t:lowercase"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-1774
SecRule ARGS:option "@streq com_cckjseblod" "id:77140844,chain,phase:2,block,log,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Joomla com_cckjseblod Local File Download Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin'"
SecRule ARGS:task "@streq download" "chain,t:none,t:lowercase"
SecRule ARGS:file "@streq configuration.php" "t:none"

# DEFA-1776
SecRule REQUEST_METHOD "@streq POST" "id:77140846,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla jDownloads 1.0 Arbitrary File Upload||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_jdownloads" "chain,t:none,t:lowercase"
SecRule ARGS:view "@streq upload" "chain,t:none,t:lowercase"
SecRule &ARGS:Itemid "@gt 0" "chain,t:none"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-1778
SecRule REQUEST_METHOD "@streq POST" "id:77140848,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla JCE 2.6.33 Arbitrary File Upload||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_jce" "chain,t:none,t:lowercase"
SecRule ARGS:task "@streq plugin" "chain,t:none,t:lowercase"
SecRule ARGS:plugin "@streq imgmanager" "chain,t:none,t:lowercase"
SecRule ARGS:file "@streq imgmanager" "chain,t:none,t:lowercase"
SecRule ARGS:method "@streq form" "chain,t:none,t:lowercase"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-1779
SecRule REQUEST_METHOD "@streq POST" "id:77140849,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla com_Myblog Exploit Arbitrary File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_myblog" "chain,t:none,t:lowercase"
SecRule ARGS:task "@streq ajaxupload" "chain,t:none,t:lowercase"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-1780
SecRule ARGS:option "@streq com_macgallery" "id:77140850,chain,phase:2,block,log,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Joomla com_macgallery 1.5 Arbitrary File Download||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin'"
SecRule ARGS:view "@streq download" "chain,t:none,t:lowercase"
SecRule ARGS:albumid "@rx \.\.\/" "t:none,t:urlDecodeUni,t:normalizePath"

# DEFA-1781
SecRule ARGS:option "@streq com_joomanager" "id:77140851,chain,phase:2,block,log,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Joomla com_Joomanager Arbitrary File Download||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin'"
SecRule ARGS:controller "@streq details" "chain,t:none,t:lowercase"
SecRule ARGS:task "@streq download" "chain,t:none,t:lowercase"
SecRule ARGS:path "!@rx ^$" "t:none"

# DEFA-1826, DEFA-2905
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140875,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla Com_Fabrik 3.9 controller File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith index.php" "chain,t:none,t:normalizePath"
SecRule ARGS:option "@streq com_fabrik" "chain,t:none"
SecRule ARGS:task "@streq plugin.pluginAjax" "chain,t:none"
SecRule ARGS:plugin "@streq fileupload" "chain,t:none"
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico|rb)\W" "t:none"

# DEFA-1819
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140904,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: FCKEditor Core 2.x 2.4.3 File Upload Vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith index.php" "chain,t:none,t:normalizePath"
SecRule ARGS:option "@streq com_collector" "chain,t:none"
SecRule ARGS:view "@streq filelist" "chain,t:none"
SecRule ARGS:tmpl "@streq component" "chain,t:none"
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico|rb)\W" "t:none"

# DEFA-1819
SecRule ARGS:option "@streq com_b2jcontact" "id:77140905,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla Codextrous B2jcontact 2.1.17 File Upload Vulnerability (CVE-2017-5214)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'joomla_plugin'"
SecRule ARGS:qqfile "@rx \.\.\/" "t:none"

# DEFA-1785
SecRule REQUEST_METHOD "@rx ^GET$" "id:77140923,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla Component Jreservation Blind SQLi Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_get'"
SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:normalizePath"
SecRule ARGS:option "@streq com_content" "chain,t:none"
SecRule ARGS:view "@streq article" "chain,t:none"
SecRule ARGS:id|ARGS:limit_low "@rx [\)=*\/\|]" "t:none"

# DEFA-1918
SecRule REQUEST_METHOD "@rx ^POST$" "id:77140933,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Joomla JCE Arbitrary File Upload (file renaming)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_jce" "chain,t:none,t:lowercase"
SecRule ARGS:task "@streq plugin" "chain,t:none,t:lowercase"
SecRule ARGS:plugin "@streq imgmanager" "chain,t:none,t:lowercase"
SecRule ARGS:file "@streq imgmanager" "chain,t:none,t:lowercase"
SecRule ARGS:json "@rx folderRename" "chain,t:none"
SecRule ARGS:json "@rx \.htaccess|.+\.(pht|phtml|php\d?)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-2203 file upload vulnerability in jwallpapers component for Dupal
SecRule ARGS:option "@streq com_jwallpapers" "chain,id:77140999,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: File upload vulnerability in jwallpapers component for Dupal||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule ARGS:task "@streq upload" "chain,t:none"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"

# DEFA-2239
SecRule REQUEST_METHOD "@rx ^POST$" "chain,id:77141000,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,msg:'IM360 WAF: File Upload Vulnerability in com_weblinks component dor Joomla!||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_media" "chain,t:none"
SecRule ARGS:tmpl "@streq component" "chain,t:none"
SecRule ARGS:view "@streq images" "chain,t:none"
SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# DEFA-2240
SecRule REQUEST_METHOD "@rx ^POST$" "chain,id:77141001,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,msg:'IM360 WAF: Path traversal vulnerability in com_foxcontact component for Joomla!||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_foxcontact" "chain,t:none"
SecRule ARGS:view "@streq loader" "chain,t:none"
SecRule ARGS:qqfile "@rx \.\.\/" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# DEFA-2456
SecRule REQUEST_METHOD "@streq POST" "id:77141065,chain,phase:2,block,log,t:none,severity:2,t:normalizePath,msg:'IM360 WAF: Joomla Component GMapFP 3.30 Arbitrary File Upload||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule ARGS:task "@streq upload_image" "chain,t:none,t:lowercase"
SecRule ARGS:option "@streq comgmapfp" "chain,t:none,t:lowercase"
SecRule ARGS:tmpl "@streq component" "chain,t:none,t:lowercase"
SecRule ARGS:controller "@streq editlieux" "chain,t:none,t:lowercase"
SecRule FILES "@rx \.(pht|phar|phtml|php\d?)\.(jpg|jpeg|jpe|gif|webp|png|bmp|flif)$" "t:urlDecodeUni,t:removeWhitespace"

SecRule REQUEST_METHOD "@rx ^POST$" "id:77142115,chain,block,t:none,severity:2,msg:'IM360 WAF: SQLi in Joomla||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'joomla_core',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_users" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:task "@streq user.login" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:remember "@rx \W" "t:none,t:urlDecodeUni"

SecRule REQUEST_METHOD "@rx ^POST$" "id:77142117,chain,deny,log,t:none,severity:2,msg:'IM360 WAF: SQLi vulnerability in Joomla||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'joomla_core',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_users" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:task "@streq user.login" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:username "@rx [\x22\:\\\]]" "t:none,t:urlDecodeUni"

# DEFA-2704
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142122,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: SQLi in com_content component for Joomla!||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule ARGS:option "@streq com_content" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:task "@streq view" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:id|ARGS:Itemid "@rx \D" "t:none,t:urlDecodeUni"

# DEFA-2704
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142123,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: SQLi in com_content component for Joomla!||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule ARGS:task "@streq view" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:option "@rx \W" "t:none,t:urlDecodeUni"

# No DEFA
SecRule &ARGS:title "@gt 0" "id:77142127,chain,block,severity:2,t:none,msg:'IM360 WAF: XSS vulnerability in com_easydiscuss plugin for Joomla||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'joomla_plugin'"
SecRule &ARGS:dc_content "@gt 0" "chain,t:none"
SecRule &ARGS:poster_email "@gt 0" "chain,t:none"
SecRule ARGS:option "@streq com_easydiscuss" "chain,t:none"
SecRule ARGS:tags[] "@rx [\x22><']" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"

# DEFA-2746
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142149,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Joomla JCE Editor path traversal Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_plugin',tag:'im360_req_post'"
SecRule ARGS:option "@streq com_jce" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:plugin|ARGS:file "@streq imgmanager" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:upload-dir "@rx \.\.\/" "t:urlDecodeUni,t:removeWhitespace,t:normalizePath"

# DEFA-2906
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142213,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Shell upload in Joomla 3.x||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||jform[source]==%{args.jform[source]}||',tag:'joomla_core',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith /administrator/index.php" "chain,t:none,t:normalizePath"
SecRule ARGS:option "@streq com_templates" "chain,t:none"
SecRule ARGS:view "@streq template" "chain,t:none"
SecRule &ARGS:id "@gt 0" "chain,t:none"
SecRule &ARGS:file "@gt 0" "chain,t:none"
SecRule FILES "!@rx ^$"

# DEFA-2907
SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,id:77142215,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQLi in JM Car Classifieds CarAgent Templates Joomla Plugin||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_caragent" "chain,t:none"
SecRule ARGS:task "@streq showItem" "chain,t:none"
SecRule ARGS:id|ARGS:Itemid "@rx \D"

# DEFA-2907
SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,id:77142214,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQLi in JM Car Classifieds CarAgent Templates Joomla Plugin||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_djclassifieds" "chain,t:none"
SecRule ARGS:view "@pm item show showitem" "chain,t:none,t:lowercase"
SecRule ARGS:id|ARGS:Itemid|ARGS:type|ARGS:layout|ARGS:cid|ARGS:uid|ARGS:se "@rx [\x22\']" "t:none,t:urlDecode"

SecRule REQUEST_METHOD "@pm GET POST" "id:77223010,chain,msg:'IM360 WAF: XSS vulnerability in Joomla! before 3.8.12 (CVE-2018-15880)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_core'"
SecRule ARGS:option "@streq com_users" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:jform[name] "@contains <" "t:none,t:urlDecodeUni"

SecRule REQUEST_METHOD "@pm GET POST" "id:77223300,chain,msg:'IM360 WAF: Directory Traversal vulnerability in Joomla before 3.9.5 (CVE-2019-10945)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_core'"
SecRule ARGS:option "@streq com_media" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:folder "@contains .." "t:none,t:urlDecodeUni"
SecMarker Joomla_Skip_URF_223010

SecRule ARGS:option "@streq com_fields" "id:77222550,chain,msg:'IM360 WAF: SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 (CVE-2017-8917)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'joomla_core'"
SecRule ARGS:view "@streq fields" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "!@contains /administrator/" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_BASENAME "@within index.php" "chain,t:none,t:lowercase"
SecRule ARGS:list[fullordering] "@rx [^\w\ \.]" "t:none,t:urlDecodeUni"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222620,chain,msg:'IM360 WAF: SQL injection vulnerability in the iJoomla com_adagency plugin 6.0.9 for Joomla! (CVE-2018-5696)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option|ARGS:controller "@pm com_adagency adagencyadvertisers" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:advertiser_status|ARGS:status_select "@contains '" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222820,chain,msg:'IM360 WAF: SQL Injection vulnerability in AllVideos Reloaded 1.2.x component for Joomla (CVE-2018-5990)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_avreloaded" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:view "@streq popup" "chain,t:none,t:lowercase"
SecRule ARGS:divid "@contains '" "t:none,t:urlDecodeUni"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222830,chain,msg:'IM360 WAF: SQL Injection vulnerability in ccNewsletter 2.x component for Joomla (CVE-2018-5989)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_ccnewsletter" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:task "@streq removesubscriber" "chain,t:none,t:lowercase"
SecRule ARGS:id "@contains '" "t:none,t:urlDecodeUni"

SecRule REQUEST_METHOD "@pm GET POST" "id:77223330,chain,msg:'IM360 WAF: XSS vulnerability in Creative Image Slider component 3.1.0 for Joomla||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_creativeimageslider" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS|!ARGS:caption|!ARGS:custom_css|!ARGS:custom_js "@rx \x22" "t:none,t:urlDecodeUni"
SecMarker JC_Skip_URF_211250

SecRule REQUEST_METHOD "@pm GET POST" "id:77221600,chain,msg:'IM360 WAF: SQL injection vulnerability in Youtube Gallery component 4.x through 4.1.7 and possibly 3.x for Joomla! (CVE-2014-4960)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_youtubegallery" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:listid|ARGS:themeid "@rx \D" "t:none,t:urlDecodeUni"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222441,chain,msg:'IM360 WAF: XSS and SQLi vulnerability in the Joomla extension Huge IT gallery v1.1.5 (CVE-2016-1000113 and CVE-2016-1000114)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_gallery" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222650,chain,msg:'IM360 WAF: SQL injection vulnerability in Zh YandexMap 6.2.1.0 Zh BaiduMap 3.0.0.1 and Zh GoogleMap 8.4.0.0 for Joomla (CVE-2018-6582 CVE-2018-6604 2018-6605)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@rx ^com_zh(?:baidu|yandex|google)map$" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222670,chain,msg:'IM360 WAF: SQL injection vulnerability in the Gallery WD 1.3.6 component for Joomla! (CVE-2018-5981)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_gallery_wd" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:tag_id|ARGS:gallery_id "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222800,chain,msg:'IM360 WAF: SQL injection vulnerability in DT Register 3.2.7 component for Joomla (CVE-2018-6584)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_dtregister" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:controller "@streq category" "chain,t:none,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222930,chain,msg:'IM360 WAF: SQL injection vulnerability in JomEstate PRO through 3.7 component for Joomla (CVE-2018-6368)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_jomestate" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222960,chain,msg:'IM360 WAF: SQL injection vulnerability in Fastball 2.5 component for Joomla (CVE-2018-6373)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_fastball" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:season "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222980,chain,msg:'IM360 WAF: SQL injection vulnerability in OS Property Real Estate 3.12.7 component for Joomla (CVE-2018-7319)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_osproperty" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:cooling_system1|ARGS:heating_system1|ARGS:laundry "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77223060,chain,msg:'IM360 WAF: SQL injection vulnerability in Swap Factory 2.2.1 Raffle Factory 3.5.2 Penny Auction Factory 2.0.4 component for Joomla! (CVE-2018-17379 CVE-2018-17378 CVE-2018-17384)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@within com_rafflefactory com_pennyfactory com_swapfactory" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:filter_order "!@rx ^[\w\-\.]+?$" "t:none,t:urlDecodeUni"

SecRule REQUEST_METHOD "@pm GET POST" "id:77223160,chain,msg:'IM360 WAF: SQL injection vulnerability in Zap Calendar Lite 4.3.4 component for Joomla||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_zcalendar" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:eid "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77223190,chain,msg:'IM360 WAF: SQL injection vulnerability in Pinterest Clone Social Pinboard 2.0 component for Joomla (CVE-2018-5987)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_socialpinboard" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:pin_id|ARGS:user_id|ARGS:ends|ARGS:uid "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77223270,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the StackIdeas Komento before 1.7.3 for Joomla (CVE-2014-0793)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_komento" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:latitude "@rx \D" "t:none"
SecMarker JC_Skip_URF_210940

SecRule ARGS:view "@streq product" "id:77223240,chain,msg:'IM360 WAF: SQLi vulnerability in J2Store plugin 3.x before 3.3.7 for Joomla! (CVE-2019-9184)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_j2store" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:/^product_option\[/ "@rx \D" "t:none"
SecMarker IGNORE_SFS_Non_Digit_JC

SecRule &SESSION:joomla_session "@ge 1" "id:77222401,chain,msg:'IM360 WAF: Start tracking Joomla! com_templates session||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,t:none,severity:2,tag:'joomla_plugin',tag:'im360_req_get'"
SecRule ARGS:option "@streq com_templates" "chain,t:none,t:lowercase"
SecRule &ARGS:task "@eq 0" "chain,t:none"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.joomla_comtemplates=1',expirevar:'SESSION.joomla_comtemplates=300',t:none,t:lowercase"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222910,chain,msg:'IM360 WAF: SQL injection vulnerability in Solidres 2.5.1 component for Joomla (CVE-2018-5980)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_solidres" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:direction "!@within desc asc" "t:none,t:urlDecodeUni,t:lowercase"

SecRule &SESSION:joomla_session "@ge 1" "id:77222970,chain,phase:2,pass,nolog,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_jssupportticket" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &ARGS:cid[] "@ge 1" "setvar:'SESSION.com_jssupportticket=1',expirevar:'SESSION.com_jssupportticket=300',t:none"

SecRule &SESSION:joomla_session "@ge 1" "id:77222971,chain,msg:'IM360 WAF: CSRF vulnerability in JS Support Ticket 1.1.0 component for Joomla (CVE-2018-6007)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_jssupportticket" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &ARGS:ticketid "@ge 1" "chain,t:none"
SecRule &SESSION:com_jssupportticket "!@eq 1" "t:none"

SecRule ARGS:option "@streq com_extplorer" "id:77240030,chain,msg:'IM360 WAF: Possible Shell Upload Vulnerability in extplorer plugin for Joomla!||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'joomla_plugin'"
SecRule FILES "@contains .php" "t:none,t:lowercase"

SecRule REQUEST_METHOD "@pm GET POST" "id:77223380,chain,msg:'IM360 WAF: SQLi vulnerability in aWeb Cart Watching System for Virtuemart v1.0.7 for Joomla! (CVE-2016-10114)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option|ARGS:task "@pm com_content com_virtuemart smartsearch" "chain,t:none,t:lowercase"
SecRule ARGS:option|ARGS:view "@rx \W" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77223400,chain,msg:'IM360 WAF: SQLi vulnerability in Spider Catalog component 3.0 for Joomla||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_spidercatalog" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:category_id "!@rx ^[\d\,]+$" "t:none,t:urlDecodeUni"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222990,chain,msg:'IM360 WAF: SQL injection vulnerability in Google Map Landkarten 4.2.3 component for Joomla (CVE-2018-6396)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_gmap" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:cid|ARGS:id|ARGS:map "@contains '" "t:none,t:urlDecodeUni"

SecRule ARGS:option "@streq com_googlesearch_cse" "id:77222380,chain,msg:'IM360 WAF: XSS vulnerability in the googleSearch (CSE) (com_googlesearch_cse) component 3.0.2 for Joomla! (CVE-2015-6919)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:q "@rx \x22" "t:none,t:urlDecodeUni"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222580,chain,msg:'IM360 WAF: SQL injection vulnerability in Joomla! Component JEXTN FAQ Pro 4.0.0 (CVE-2017-17875)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_jefaqpro" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222630,chain,msg:'IM360 WAF: SQL injection vulnerability in the SimpleCalendar 3.1.9 component for Joomla! (CVE-2018-5974)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@streq com_simplecalendar" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:view "@streq events" "chain,t:none,t:lowercase"
SecRule ARGS:/catid\[\d+\]/ "@rx \D" "t:none"

SecRule REQUEST_METHOD "@pm GET POST" "id:77222690,chain,msg:'IM360 WAF: SQL injection vulnerability in JEXTN Classified 1.0.0 component and JEXTN Reverse Auction 3.1.0 component for Joomla (CVE-2018-6575 and CVE-2018-6579)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'joomla_plugin'"
SecRule ARGS:option "@within com_jereverseauction com_jeclassifieds" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none"

# DEFA-3987
SecMarker MARKER_option

SecRule REQUEST_URI "@rx \/api\/index.php\/v1\/(?:config\/application|users)" "id:77350169,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Improper access check in webservice endpoints in Joomla! (CVE-2023-23752)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'joomla_core'"
SecRule ARGS:public "!@rx ^$" "t:none"