Mini File Manager

Edit File

# ---------------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2021 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# Please see the enclosed IM360-LICENSE.txt file for full details.
# ---------------------------------------------------------------
# Imunify360 ModSecurity Applications Ruleset

# Rule 247891 optimized. DEFA-1222
SecRule REQUEST_COOKIES:MoodleSession "!@rx ^$" "id:77247891,phase:2,pass,severity:2,nolog,msg:'IM360 WAF: Start tracking MoodleSession||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',setvar:'SESSION.moodlesession=1',tag:'other_apps'"

# Rule 247892 optimized. DEFA-1222
SecRule REQUEST_COOKIES:/^glpi_/ "@rx ^[a-z0-9]{26}$" "id:77247892,msg:'IM360 WAF: Start tracking GLPI||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,setvar:'TX.GLPI=1',setvar:'SESSION.GLPI=1',expirevar:'SESSION.GLPI=300',nolog,t:none,t:lowercase,severity:2,tag:'other_apps'"

# Rule 247894 optimized. DEFA-1222
SecRule REQUEST_COOKIES:/^INTELLI_/ "@rx ^[a-z0-9]{26}$" "id:77247894,msg:'IM360 WAF: Start track Subrion CMS||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,setvar:'SESSION.Subrion_CMS_session=1',setvar:'TX.Subrion_CMS=1',expirevar:'SESSION.Subrion_CMS_session=300',nolog,t:none,t:lowercase,severity:2,tag:'other_apps'"

# Rule 247895 optimized. DEFA-1222
SecRule REQUEST_COOKIES_NAMES "@beginsWith s9y_" "id:77247895,chain,msg:'IM360 WAF: Start track Serendipity||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule MATCHED_VAR "@rx ^s9y_([0-9a-fA-f]{32})$" "capture,setvar:'SESSION.serendipity_admin=1',setvar:'TX.serendipity_admin=1',expirevar:'SESSION.serendipity_admin=300'"

# Rule 247896 optimized. DEFA-1222
SecRule REQUEST_COOKIES:CONCRETE5 "@rx ^[0-9a-z]{26}$" "id:77247896,msg:'IM360 WAF: Start track CONCRETE5||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,setvar:'SESSION.CONCRETE5=1',setvar:'TX.CONCRETE5=1',expirevar:'SESSION.CONCRETE5=300',nolog,t:none,t:lowercase,severity:2,tag:'other_apps'"

# Rule 247897 optimized. DEFA-1222
SecRule REQUEST_COOKIES:/^ADMIDIO_/ "@rx ^[0-9a-z]{26}$" "id:77247897,msg:'IM360 WAF: Start track ADMIDIO||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,setvar:'SESSION.ADMIDIO=1',setvar:'TX.ADMIDIO=1',expirevar:'SESSION.ADMIDIO=300',nolog,t:none,t:lowercase,severity:2,tag:'other_apps'"

# Rule 247899 optimized. DEFA-1222
SecRule &REQUEST_COOKIES:yzmphp_adminid "@ge 1" "id:77247899,msg:'IM360 WAF: Start track YzmCMS||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,setvar:'TX.YzmCMS=1',nolog,t:none,severity:2,tag:'other_apps'"

# Rule 247900 optimized. DEFA-1222
SecRule REQUEST_COOKIES_NAMES "@rx ^FA[a-f0-9]{32}$" "id:77247900,msg:'IM360 WAF: Start track FrontAccounting||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,setvar:'TX.FrontAccounting=1',nolog,severity:2,tag:'other_apps'"

SecRule QUERY_STRING "@rx (login|signup)" "id:77220080,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in Mintboard 0.3 (CVE-2013-4951)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:name|ARGS:pass "@rx </?script" "t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace"

SecRule &ARGS:cid "@ge 1" "id:77220430,chain,msg:'IM360 WAF: Remote command execution vulnerability in SkyBlueCanvas CMS before 1.1 r248-04 (CVE-2014-1683)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule &ARGS:pid "@ge 1" "chain,t:none"
SecRule ARGS:email|ARGS:name|ARGS:subject "@rx \x22;" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule ARGS:func "@within modinfonew modify_instance aliases assignprivileges" "id:77220530,chain,msg:'IM360 WAF: XSS vulnerabilities in Xaraya 2.4.0-b1 and earlier (CVE-2013-3639)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:id|ARGS:interface|ARGS:name|ARGS:tabmodule "@contains <" "t:none,t:urlDecodeUni"

SecRule REQUEST_BASENAME "@streq agenda.php" "id:77220570,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in GuppY before 4.6.28 (CVE-2013-5983)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:an "@rx \x22|<" "t:none,t:urlDecodeUni"

SecRule &REQUEST_COOKIES:Login "@ge 1" "id:77220590,chain,msg:'IM360 WAF: SQLi vulnerabilities in AuraCMS 2.3 and earlier (CVE-2014-1401)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_HEADERS:CLIENT_IP|REQUEST_HEADERS:FORWARDED_FOR|REQUEST_HEADERS:X_FORWARDED|REQUEST_HEADERS:X_FORWARDED_FOR "@rx \'|\x22" "t:none,t:urlDecodeUni"

SecRule ARGS:text "<" "id:77220760,chain,msg:'IM360 WAF: Blocking XSS attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@contains /index.php/guestbook/index/newentry"

SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" "id:77220780,chain,msg:'IM360 WAF: XSS vulnerability in CMS Made Simple (CVE-2014-2092 and CVE-2014-0334)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:group|ARGS:htmlblob|ARGS:title|ARGS:url|ARGS:stylesheet_name|ARGS:template_name|ARGS:template|ARGS:css_name|ARGS:metadata|ARGS:sitedownmessage|ARGS:page_metadata|ARGS:date_format_string|ARGS:filteruser|ARGS:handler "@contains <" "chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx \/admin\/(?:add(?:group|htmlblob|bookmark|template|css)|copy(?:stylesheet|template)|edit(?:bookmark|event)|list(?:css|templates)|siteprefs|pagedefaults|myaccount|adminlog)\.php$" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule Request_URI "@rx \/shared-apartments-rooms\/.*<" "id:77220930,msg:'IM360 WAF: XSS vulnerability in Open Classifieds 2 before 2.1.3 (CVE-2014-2024)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:htmlEntityDecode,t:lowercase,t:urlDecodeUni,severity:2,tag:'other_apps'"

SecRule REQUEST_HEADERS:Referer "@contains >" "id:77221330,chain,msg:'IM360 WAF: XSS vulnerability in concrete5 before 5.6.3 (CVE-2014-5108)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:removeWhitespace,severity:2,tag:'other_apps'"
SecRule REQUEST_URI "@contains index.php/download_file" "t:none,t:urlDecodeUni,t:normalizePath,t:removeWhitespace,t:lowercase"

SecRule ARGS:leftmenu|ARGS:mainmenu|ARGS:dol_hide_leftmenu|ARGS:dol_hide_topmenu|ARGS:dol_no_mouse_hover|ARGS:dol_optimize_smallscreen|ARGS:dol_use_jmobile "@contains >" "id:77221360,msg:'IM360 WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3991)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith viewimage.php" "id:77221364,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3991)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,severity:2,tag:'other_apps'"
SecRule ARGS:file|ARGS:modulepart "@contains >"

SecRule &ARGS:do "!@eq 0" "id:77222070,chain,msg:'IM360 WAF: XSS vulnerability in Kasseler CMS (CVE-2013-3728)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,severity:2,tag:'other_apps'"
SecRule ARGS:module "@pm sendmail news voting forum account categories database" "chain,t:none,t:lowercase,multiMatch"
SecRule ARGS:cat|ARGS:desc|ARGS:dok|ARGS:fid|ARGS:groups[]|ARGS:id|ARGS:module|ARGS:nid|ARGS:tid|ARGS:tid|ARGS:vid "@contains >" "chain,t:none,t:urlDecodeUni,multiMatch"
SecRule REQUEST_FILENAME "@pm admin.php index.php" "t:none,t:urlDecodeUni,t:lowercase,multiMatch"

SecRule REQUEST_FILENAME "@contains register-exec.php" "id:77240100,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in Restaurant Script (PizzaInn_Project) 1.0.0 (CVE-2014-6619)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:fname|ARGS:lname|ARGS:login "@contains '" "t:none,t:urlDecodeUni"

SecRule ARGS:page "@streq posts" "id:77240230,chain,msg:'IM360 WAF: XSS vulnerabilities in the MetalGenix GeniXCMS 0.0.3 (CVE-2015-5066)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:act "add" "chain,t:none,t:lowercase"
SecRule ARGS:title|ARGS:content "@rx \x22|'" "chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "index.php" "t:none,t:lowercase"

SecRule REQUEST_FILENAME "@contains phpliteadmin.php" "id:77240370,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in phpLiteAdmin 1.1 (CVE-2015-6518)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_URI "@contains '" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77240640,chain,msg:'IM360 WAF: XSS vulnerability in Piwigo before 2.7.4 (CVE-2015-2035)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:page "@contains <" "t:none,t:urlDecodeUni"

SecRule REQUEST_FILENAME "@contains www/admin/banner-edit" "id:77240700,chain,msg:'IM360 WAF: XSS vulnerabilities in the Revive Adserver before 3.2.2 (CVE-2015-7373)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:submit "@streq savechanges" "chain,t:none,t:removeWhitespace,t:lowercase"
SecRule ARGS:url|ARGS:height|ARGS:width|ARGS:weight "@rx <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule REQUEST_FILENAME "@endsWith error.php" "id:77240940,chain,msg:'IM360 WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:errorNo|ARGS:errorMsg "@rx \x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule &ARGS:p "@gt 0" "id:77241051,chain,msg:'IM360 WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:sp|ARGS:ssp|ARGS:sssp|ARGS:ssssp "@rx \x22|<" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule ARGS:submit "@contains send!" "id:77241090,chain,msg:'IM360 WAF: SQL injection vulnerability in the CatBot 0.4.2 (CVE-2015-1367)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:lastcatbot "@rx \'" "chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith index.php" "t:none,t:lowercase"

SecRule ARGS:_mbox "@contains <" "id:77241210,chain,msg:'IM360 WAF: XSS vulnerability in Roundcube before 1.0.6 and 1.1.x before 1.1.2 (CVE-2015-8793)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'other_apps'"
SecRule &ARGS:_action "@ge 1" "chain,t:none"
SecRule &ARGS:_remote "@ge 1" "chain,t:none"
SecRule REQUEST_COOKIES_NAMES "@contains roundcube" "t:none"

SecRule REQUEST_FILENAME "@endsWith view_item.php" "id:77241520,chain,msg:'IM360 WAF: SQL injection vulnerability in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) (CVE-2015-2102)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule &ARGS:type "@ge 1" "chain,t:none"
SecRule ARGS:item "@rx \'" "t:none,t:urlDecodeUni"

SecRule REQUEST_FILENAME "@endsWith cms/front_content.php" "id:77241750,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in Contenido before 4.9.6 (CVE-2014-9433)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_COOKIES_NAMES "@contains 1frontend" "chain,t:none,t:lowercase"
SecRule ARGS:idart|ARGS:lang|ARGS:idcat "@contains <" "t:none,t:lowercase,t:urlDecodeUni"

SecRule ARGS:serendipity[comment] "@contains <" "id:77241820,chain,msg:'IM360 WAF: XSS vulnerability in Serendipity before 2.0-rc2 (CVE-2014-9432)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,severity:2,tag:'other_apps'"
SecRule REQUEST_COOKIES_NAMES "@rx ^s9y_[a-f0-9]{32}$" "t:none,t:lowercase"

SecRule REQUEST_FILENAME "@contains textpattern/setup/index.php" "id:77241890,chain,msg:'IM360 WAF: XSS vulnerability in Textpattern CMS before 4.5.7 (CVE-2014-4737)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@rx \x22" "t:none,t:urlDecodeUni"

SecRule REQUEST_COOKIES_NAMES "@contains yourls_" "id:77242050,chain,msg:'IM360 WAF: XSS vulnerability in the Yourls 1.7 (CVE-2014-8488)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:url|ARGS:title "@rx \x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule REQUEST_FILENAME "@endsWith editor.php" "id:77242090,chain,msg:'IM360 WAF: XSS vulnerability in Network Weathermap before 0.97b (CVE-2013-2618)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule &ARGS:mapname "@ge 1" "chain,t:none"
SecRule ARGS:map_title "@contains <" "t:none,t:urlDecodeUni"

SecRule REQUEST_COOKIES_NAMES "@contains ostsessid" "id:77242141,chain,msg:'IM360 WAF: XSS vulnerability in the osTicket before 1.9.2 (CVE-2014-4744)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@endsWith account.php" "chain,t:none,t:lowercase"
SecRule ARGS:do "@rx \x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule REQUEST_COOKIES_NAMES "@contains ostsessid" "id:77242142,chain,msg:'IM360 WAF: XSS vulnerability in the osTicket before 1.9.2 (CVE-2014-4744)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@endsWith account.php" "chain,t:none,t:lowercase"
SecRule &ARGS:do "@ge 1" "chain,t:none"
SecRule ARGS "@rx \x22" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule REQUEST_FILENAME "@endsWith register.php" "id:77242200,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in WeBid 1.1.1 (CVE-2014-5101)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:TPL_name|ARGS:TPL_nick|ARGS:TPL_email|ARGS:TPL_year|ARGS:TPL_address|ARGS:TPL_city|ARGS:TPL_prov|ARGS:TPL_zip|ARGS:TPL_phone|ARGS:TPL_pp_email|ARGS:TPL_authnet_id|ARGS:TPL_authnet_pass|ARGS:TPL_wordpay_id|ARGS:TPL_toocheckout_id|ARGS:TPL_moneybookers_email "@rx \x22" "t:none,t:urlDecodeUni"

SecRule REQUEST_FILENAME "@endsWith user_login.php" "id:77242201,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in WeBid 1.1.1 (CVE-2014-5101)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:username "@rx \x22" "t:none,t:urlDecodeUni"

SecRule REQUEST_FILENAME "@endsWith admin/changedata.php" "id:77242270,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in GetSimple CMS 3.1.2 and 3.2.3 (CVE-2013-7243)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,severity:2,tag:'other_apps'"
SecRule &ARGS:nonce "@ge 1" "chain,t:none"
SecRule ARGS:post-menu "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule &REQUEST_COOKIES_NAMES:mediawiki_mw_Token "!@ge 1" "id:77242510,phase:2,pass,nolog,skip:2,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith web/magmi_import_run.php" "id:77242681,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Magento Mass Importer (CVE-2015-2068)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,severity:2,tag:'other_apps'"
SecRule REQUEST_URI "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule &REQUEST_COOKIES:ci_session "@eq 1" "id:77242720,chain,msg:'IM360 WAF: XSS in the Open Source Point Of Sale 2.3.1 (CVE-2015-0299)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_URI "@pm opensourcepos customers items item_kits suppliers employees config" "chain,t:none,t:lowercase"
SecRule ARGS:first_name|ARGS:last_name|ARGS:item_number|ARGS:name|ARGS:category|ARGS:company_name|ARGS:company "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule REQUEST_FILENAME "@endsWith forum/viewthread.php" "id:77243160,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_COOKIES_NAMES "@rx ^fusion" "chain,t:none"
SecRule &ARGS:thread_id "@ge 1" "chain,t:none"
SecRule ARGS:highlight "@contains '" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule &ARGS:aid "@ge 1" "id:77243168,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@endsWith administration/articles.php" "chain,t:none,t:normalizePath,t:lowercase"
SecRule ARGS:body|ARGS:body2 "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule &REQUEST_COOKIES:/cpg\d+x_data/ "@ge 1" "id:77243230,chain,msg:'IM360 WAF: XSS vulnerability in the Coppermine Photo Gallery before 1.5.36 (CVE-2015-3921)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:referer "@rx \x22" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith contact.php" "t:none,t:lowercase"

SecRule &REQUEST_COOKIES:oc_sessionPassphrase "@ge 1" "id:77243330,chain,msg:'IM360 WAF: XSS vulnerability in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 (CVE-2016-7419)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_METHOD "@streq mkcol" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains <" "chain,t:none,t:htmlEntityDecode,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains remote.php" "chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^([0-9a-z]{12})$" "t:none"

SecRule ARGS:token "@rx \x22|>" "id:77243860,chain,msg:'IM360 WAF: XSS vulnerability in PayPal PHP Merchant SDK 3.9.1 (CVE-2017-6099)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'other_apps'"
SecRule REQUEST_BASENAME "@streq getauthdetails.html.php" "t:none,t:lowercase"

SecRule ARGS:lang "@contains '" "id:77244350,chain,msg:'IM360 WAF: SQL injection vulnerability in Dolibarr ERP/CRM 4.0.4 (CVE-2017-7886)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@endsWith /theme/eldy/style.css.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule ARGS:sall "@contains <" "id:77244360,chain,msg:'IM360 WAF: XSS vulnerability in Dolibarr ERP/CRM 4.0.4 (CVE-2017-7887)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'other_apps'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /societe/list.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule &ARGS:/MODAUTH/ "@ge 1" "id:77244410,chain,msg:'IM360 WAF: XSS vulnerability in the MODX Revolution before 2.5.7 (CVE-2017-9070)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
SecRule REQUEST_FILENAME "@contains /connectors/" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:pagetitle "@contains <" "t:none,t:urlDecodeUni"

SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77244720,chain,msg:'IM360 WAF: XSS vulnerability in the Piwigo through 2.9.1 (CVE-2017-9836)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:virtual_name|ARGS:name "@contains <" "chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase"
SecRule ARGS:page "@rx ^(?:cat_list|album\-\d+?\-properties)$" "t:none,t:lowercase"

SecRule &ARGS:URLSegment "@ge 1" "id:77245300,chain,msg:'IM360 WAF: XSS vulnerability in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2 (CVE-2017-5197)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule &ARGS:SecurityID "@ge 1" "chain,t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
SecRule ARGS:Title "@rx (?:\x22|>)" "chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx (?:admin\/pages\/edit\/editform\/\d+?\/$)" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# DEFA-1654 FP MODX CMS
SecRule &ARGS:/MODAUTH/ "@ge 1" "id:77245470,chain,msg:'IM360 WAF: XSS vulnerability in the MODX Revolution 2.5.7 and earlier (CVE-2017-1000223 & CVE-2017-11744)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
SecRule ARGS:name|ARGS:description|ARGS:key|ARGS:value "@contains <" "chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /connectors/" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77245790,chain,msg:'IM360 WAF: XSS vulnerability in Piwigo 2.9.3 (CVE-2018-7722)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:method "@streq pwg.categories.add" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq ws.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:name "@rx <|\x22" "t:none,t:urlDecodeUni"

SecRule &REQUEST_COOKIES:password "@ge 1" "id:77246060,chain,msg:'IM360 WAF: XSS vulnerability in Z-BlogPHP 2.0.0 (CVE-2018-11208)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@contains /zb_system/cmd.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:ZC_BLOG_COPYRIGHT "@contains <" "t:none,t:urlDecodeUni"

SecRule REQUEST_URI "@contains /settings/profile" "id:77246210,chain,msg:'IM360 WAF: XSS vulnerability in Chevereto Free before 1.0.13 (CVE-2018-12030)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
SecRule &ARGS:auth_token "@ge 1" "chain,t:none"
SecRule ARGS:name|ARGS:bio "@rx \x22|<" "t:none,t:urlDecodeUni"

SecRule REQUEST_COOKIES_NAMES "@beginsWith senayan" "id:77246220,chain,msg:'IM360 WAF: XSS vulnerability in SLiMS 8 Akasia through 8.3.1 (CVE-2018-12654 CVE-2018-12655 CVE-2018-12656 CVE-2018-12657 CVE-2018-12658)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_URI "@rx admin\/modules\/(?:circulation|master_file|bibliography|membership|stock_take)\/" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:keywords "@contains <" "t:none,t:urlDecodeUni"

SecRule &ARGS:site_id "@ge 1" "id:77246260,chain,msg:'IM360 WAF: XSS Vulnerability in ClipperCMS 1.3.3 (CVE-2018-11332 CVE-2018-13106)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_URI "@contains /manager/" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^SN5[a-z0-9]{12}$" "chain,t:none"
SecRule ARGS "@rx <|\x22" "t:none,t:urlDecodeUni"

SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" "id:77246280,chain,msg:'IM360 WAF: XSS vulnerability in CMS Made Simple in 2.2.6 (CVE-2018-7893 CVE-2018-8058)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule &ARGS:_sk_ "@ge 1" "chain,t:none"
SecRule REQUEST_BASENAME "@streq moduleinterface.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:metadata|ARGS:pagedata "@contains <" "t:none,t:urlDecodeUni"

SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" "id:77246800,chain,msg:'IM360 WAF: XSS vulnerability in Dolibarr ERP/CRM 8.0.2 (CVE-2018-19992 CVE-2018-19995)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:MAIN_INFO_SOCIETE_TOWN|ARGS:address|ARGS:town "@rx \x22|<" "chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx (?:(?:(?:user|adherents)(?:\/card))|admin\/company)\.php$" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule REQUEST_BASENAME "@streq view.php" "id:77247690,chain,msg:'IM360 WAF: SQL injection vulnerability in Machform 2 (CVE-2013-4948)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:/^element_\d+?$/ "@contains </script>" "t:none,t:lowercase,t:urlDecodeUni"

SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" "id:77211060,chain,msg:'IM360 WAF: SQLi vulnerability in Dolibarr ERP/CRM 7.0.0 (CVE-2017-18260)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_BASENAME "@streq list.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:search_statut|ARGS:propal_statut|ARGS:viewstatut "!@rx ^\-?\d+?$" "t:none,t:urlDecodeUni"

SecRule REQUEST_FILENAME "@endsWith view.php" "id:77220110,chain,msg:'IM360 WAF: SQL injection vulnerability in Machform 2 (CVE-2013-4948)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:id "@rx \d+" "chain,t:none"
SecRule ARGS:form_id "@rx \D" "t:none"

SecRule ARGS:cidToEdit|ARGS:module_id|ARGS:offset "@rx \D" "id:77220360,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in Claroline before 1.11.9 (CVE-2013-6267)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@rx \/admin\/(?:admin(?:registeruser|_user_course_settings)|module\/module|right\/profile_list)\.php$" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule REQUEST_BASENAME "@streq thumb.php" "id:77220440,chain,msg:'IM360 WAF: Remote command execution vulnerability in MediaWiki 1.22.x before 1.22.2 1.21.x before 1.21.5 and 1.19.x before 1.19.11 (CVE-2014-1610)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule &ARGS:f "@ge 1" "chain,t:none"
SecRule ARGS:w "@rx \D" "t:none"

SecRule ARGS:pm_email_notify|ARGS:pm_save_sent "!@rx ^(0|1)$" "id:77221292,chain,msg:'IM360 WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@contains administration/settings_messages.php" "t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith admin/uploads.php" "id:77221650,chain,msg:'IM360 WAF: SQL injection vulnerability in The Digital Craft AtomCMS 2.0 (CVE-2014-4852)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,severity:2,tag:'other_apps'"
SecRule ARGS:id "@rx \D+" "t:none"

SecRule REQUEST_URI "@contains admin/admin.php" "id:77221820,chain,msg:'IM360 WAF: RCE vulnerability in Sphider 1.3.6 (CVE-2014-5194)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,t:normalizePath,severity:2,tag:'other_apps'"
SecRule ARGS:_word_upper_bound "@rx \D" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" "id:77240500,chain,msg:'IM360 WAF: SQL injection vulnerability in the Serendipity before 2.0.2 (CVE-2015-6943)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:serendipity[id] "@rx \D" "t:none"

SecRule ARGS:serendipity[submit] "@streq submit comment" "id:77240520,chain,msg:'IM360 WAF: XSS vulnerability in the 2k11 theme in Serendipity before 2.0.2 (CVE-2015-6969)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:serendipity[name] "@rx \W" "chain,t:none"
SecRule REQUEST_FILENAME "@endsWith index.php" "t:none,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" "id:77240550,chain,msg:'IM360 WAF: XSS vulnerability in Serendipity before 2.0.1 (CVE-2015-2289)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:serendipity[cat][name] "@rx \W" "t:none"

SecRule REQUEST_URI "@rx user:(.*)$" "id:77240950,chain,deny,status:403,log,phase:2,capture,severity:2,t:none,t:lowercase,msg:'IM360 WAF: XSS & SQL injection vulnerability in Pragyan CMS 3.0 (CVE-2015-1471)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'other_apps'"
SecRule TX:1 "@rx [\)\'\x22<]" "t:none"

SecRule ARGS:subcats-included "@ge 1" "id:77241000,chain,msg:'IM360 WAF: SQL injection vulnerability in the Piwigo before 2.5.6 2.6.x before 2.6.5 and 2.7.x before 2.7.3 (CVE-2015-1441)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@endsWith search.php" "chain,t:none,t:lowercase"
SecRule ARGS:mode|ARGS:date_type|ARGS:search_author|ARGS:fields[] "@rx \W" "t:none"

SecRule ARGS:subcats-included "@ge 1" "id:77241001,chain,msg:'IM360 WAF: SQL injection vulnerability in the Piwigo before 2.5.6 2.6.x before 2.6.5 and 2.7.x before 2.7.3 (CVE-2015-1441)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@endsWith search.php" "chain,t:none,t:lowercase"
SecRule ARGS:start_day|ARGS:start_month|ARGS:start_year|ARGS:end_day|ARGS:end_month|ARGS:end_year|ARGS:subcats-included "@rx \D" "t:none"

SecRule REQUEST_FILENAME "@contains /manager/" "id:77241980,chain,msg:'IM360 WAF: XSS & SQL injection vulnerability in the MODX Revolution before 2.2.14 (CVE-2014-2736)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
SecRule ARGS:id "@rx [\(';]" "t:none"

SecRule &REQUEST_COOKIES:SenayanAdmin "@ge 1" "id:77244940,chain,msg:'IM360 WAF: SQLi vulnerability in SLiMS 8 Akasia through 8.3.1 (CVE-2017-12585)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_BASENAME "@within ajax_lookup_handler.php ajax_check_id.php ajax_vocabolary_control.php" "chain,t:none,t:lowercase"
SecRule ARGS:tableName|ARGS:tableFields "@rx \W" "t:none"

SecRule &REQUEST_COOKIES:/DOLSESSID_([0-9a-fA-f]{32})/ "@ge 1" "id:77245040,chain,msg:'IM360 WAF: SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.0 (CVE-2017-14238)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@endsWith /admin/menus/edit.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:menuId "@rx \D" "t:none"

SecRule ARGS:_itemtype "@streq computer" "id:77245140,chain,msg:'IM360 WAF: SQL injection vulnerability in GLPI before 9.1.5.1 (CVE-2017-11474)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:_glpi_tab "@contains computer_softwareversion" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith glpi_" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith ajax/common.tabs.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:criterion "@rx \D" "t:none"

SecRule ARGS:page "@streq tags" "id:77245360,chain,msg:'IM360 WAF: SQL injection vulnerability in Piwigo 2.9.2 (CVE-2017-16893)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase"
SecRule ARGS:edit_list "@rx \D" "t:none"

SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77245770,chain,msg:'IM360 WAF: SQLi vulnerability in Piwigo Facetag plugin 0.0.3 (CVE-2017-9426)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:method "@within facetag.changetag facetag.listtags" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq ws.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:imageId "@rx \D" "t:none,t:urlDecodeUni"

SecRule &REQUEST_COOKIES:mydms_session "@ge 1" "id:77246530,chain,msg:'IM360 WAF: SQL injection vulnerability in SeedDMS before 5.1.8 (CVE-2018-12942)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:userid "@rx \D" "chain,t:none"
SecRule REQUEST_BASENAME "@rx ^(?:op|out)\.usrmgr\.php$" "t:none,t:urlDecodeUni,t:lowercase"

SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77247920,chain,msg:'IM360 WAF: SQL Injection vulnerability in Piwigo before 2.7.4 (CVE-2015-2035)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:page "@streq history" "chain,t:none,t:lowercase"
SecRule ARGS:user "@rx \D" "t:none"

SecRule REQUEST_FILENAME "@endsWith web/ajax_pluginconf.php" "id:77210320,chain,msg:'IM360 WAF: Directory traversal vulnerability in Magento Mass Importer (CVE-2015-2067)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,severity:2,tag:'other_apps'"
SecRule &ARGS:plugintype "@ge 1" "chain,t:none"
SecRule &ARGS:pluginclass "@ge 1" "chain,t:none"
SecRule ARGS:file "@rx \.\.|^\/" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

SecRule REQUEST_FILENAME "admin/plugin-index\.php|admin/plugin-settings\.php|admin/plugin-preferences\.php" "id:77220060,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in OpenX Source 2.8.10 and earlier (CVE-2013-3515)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:action|ARGS:group|ARGS:package|ARGS:parent|ARGS:plugin "@rx [^a-zA-Z0-9\._-]"

SecRule REQUEST_FILENAME "@rx /data/form_[0-9]+/files/element_[0-9]+.*\.php" "id:77220070,msg:'IM360 WAF: File upload vulnerability in Machform 2 (CVE-2013-4949)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "libraries\/(?:error(?:_handler)?\.class|auth\/swekey\/swekey\.auth\.lib|bookmark\.lib|common\.inc|config\.class|config\.default|data_drizzle\.inc|data_mysql\.inc|dbi\/drizzle-wrappers\.lib|display_tbl\.lib|engines\/(?:bdb|berkeleydb|binlog|innobase|innodb|memory|merge|mrg_myisam|myisam|ndbcluster|pbms|pbxt)\.lib|list_database\.class|pdf\.class|pma|pmd_common|recenttable\.class|schema\/pdf_relation_schema\.class)\.php" "id:77220090,msg:'IM360 WAF: Multiple vulnerabilities in phpMyAdmin (CVE-2013-4998 / CVE-2013-4999 / CVE-2013-5000)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"

SecRule ARGS|!ARGS:w "@pm unionselect union/*" "id:77220150,chain,msg:'IM360 WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||T:APACHE||',phase:2,deny,status:403,log,t:none,t:removeWhitespace,severity:2,tag:'other_apps'"
SecRule ARGS|!ARGS:/FCKeditor/|!ARGS:/^jform/|!ARGS:/^para/|!ARGS:/appendTo/|!ARGS:/database/|!ARGS:/description/|!ARGS:/insertAfter/|!ARGS:/insertBefore/|!ARGS:/installcode/|!ARGS:/message/|!ARGS:/msg/|!ARGS:/narrative/|!ARGS:/php/|!ARGS:/prependTo/|!ARGS:/prevObject/|!ARGS:/replaceAll/|!ARGS:/report/|!ARGS:/sql/|!ARGS:/teaser/|!ARGS:/text/|!ARGS:/txt/|!ARGS:Db_submit|!ARGS:Post|!ARGS:TicketID|!ARGS:action|!ARGS:alternate1|!ARGS:article_content|!ARGS:body|!ARGS:code|!ARGS:comment|!ARGS:contenido|!ARGS:content|!ARGS:data|!ARGS:faqs_answer|!ARGS:fck_body|!ARGS:file_content|!ARGS:form[pagina_text]|!ARGS:fulldescr|!ARGS:json|!ARGS:keywords|!ARGS:newcontent|!ARGS:p_action|!ARGS:prefix|!ARGS:query|!ARGS:resolution|!ARGS:saved_data|!ARGS:steps|!ARGS:suffix|!ARGS:wpSummary "@rx (?:union(?:\/\*.*\*\/)?select)" "t:none,t:removeWhitespace,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith /recursos/agent.php" "id:77220450,chain,msg:'IM360 WAF: Multiple SQL injection vulnerabilities in Cubic CMS 5.1.1 5.1.2 and 5.2 (CVE-2014-1619)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:resource_id|ARGS:version_id "!@rx ^-?\d+$" "t:none,t:urlDecodeUni"

SecRule &REQUEST_COOKIES:MoodleSession "@ge 1" "id:77220480,chain,phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_URI "@contains /user/profile/" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.Moodle=1',expirevar:'SESSION.Moodle=300',t:none,t:lowercase"

SecRule SESSION:Moodle "@eq 1" "id:77220481,phase:2,pass,nolog,skip:1,severity:2,tag:'other_apps'"

SecRule ARGS:m1_sortby "!@rx ^\w+\W(ASC|DESC)$" "id:77220960,chain,msg:'IM360 WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,severity:2,tag:'other_apps'"
SecRule Request_FILENAME "moduleinterface\.php"

SecRule REQUEST_COOKIES:/fusion\w+user/ "@rx [^a-z0-9\.]" "id:77221190,msg:'IM360 WAF: SQL injection vulnerability in PHP-Fusion 7.02.01 through 7.02.05 (CVE-2013-7375)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"

SecRule REQUEST_COOKIES:dc_passwd "!@rx ^a:\d+:{(?:i:\d+;s:\d+:\x22.*?\x22;)*}$" "id:77221200,msg:'IM360 WAF: RCE vulnerability in Dotclear before 2.6.2 (CVE-2014-1613)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith user/edit.php" "id:77221560,chain,msg:'IM360 WAF: XSS vulnerability in Moodle through 2.3.11 2.4.x before 2.4.11 2.5.x before 2.5.7 2.6.x before 2.6.4 and 2.7.x before 2.7.1 (CVE-2014-3544)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_COOKIES_NAMES "@streq MoodleSession" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:skype "!@rx ^(?:live:|[a-z0-9,\._\-]){6,32}$|^$" "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,multiMatch"

SecRule REQUEST_FILENAME "@endsWith pkg_edit.php" "id:77221631,chain,msg:'IM360 WAF: Absolute path traversal vulnerability in pfSense before 2.1.4 (CVE-2014-4689)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:xml "@rx [\\\\|\//\.|\0]" "t:none,t:urlDecodeUni,multiMatch"

SecRule &ARGS:do "!@eq 0" "id:77222060,chain,msg:'IM360 WAF: SQL injection vulnerability in Kasseler CMS (CVE-2013-3727)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,severity:2,tag:'other_apps'"
SecRule ARGS:module "@pm sendmail news voting forum account categories" "chain,t:none,t:lowercase,multiMatch"
SecRule ARGS:desc|ARGS:dok|ARGS:fid|ARGS:groups[]|ARGS:id|ARGS:module|ARGS:nid|ARGS:tid|ARGS:tid|ARGS:vid "@rx [\'\,]" "chain,t:none,t:urlDecodeUni,multiMatch"
SecRule REQUEST_FILENAME "@pm admin.php index.php" "t:none,t:urlDecodeUni,t:lowercase,multiMatch"

SecRule REQUEST_COOKIES:_ga "@rx ^ga(\d+\.*)+" "id:77240250,chain,phase:2,capture,pass,setsid:'%{TX.1}',nolog,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_URI "@contains /dashboard/users/create/" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule REQUEST_COOKIES_NAMES "@contains _ga" "id:77240251,chain,phase:2,pass,nolog,t:none,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_URI "@contains /dashboard/users/create/" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.TIMEOUT=300',setvar:'SESSION.articleFR=1',expirevar:'SESSION.articleFR=300',t:none,t:lowercase"

SecRule REQUEST_METHOD "@streq post" "id:77240253,chain,msg:'IM360 WAF: CSRF vulnerabilities in Free Reprintables ArticleFR 3.0.6 (CVE-2015-5530)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_post'"
SecRule ARGS_NAMES "@pm username name password email website blog membership isactive" "chain,t:none,t:lowercase"
SecRule &SESSION:articleFR "!@eq 1" "chain"
SecRule REQUEST_URI "@contains /dashboard/users/create/" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule REQUEST_FILENAME "@rx \/(plupload\.flash|moxie)\.swf$" "id:77240320,chain,msg:'IM360 WAF: XSS vulnerability in in the Plupload plugin for WordPress and other web apps (CVE-2013-0237 CVE-2015-3439)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule &ARGS:id|&ARGS:target "@gt 0" "t:none,t:lowercase"

SecRule &ARGS:token "@eq 0" "id:77240530,chain,msg:'IM360 WAF: CSRF protection bypass in Revive Adserver before 3.2.2 (CVE-2015-7364)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES:sessionID "@rx ^[a-z0-9]{32}$" "chain,t:none"
SecRule REQUEST_FILENAME "@rx (?:(?:advertiser|campaign|affiliate|zone|channel)\-edit|account\-user\-(?:name\-language|email|password))\.php$" "t:none,t:urlDecodeUni,t:lowercase"

SecRule ARGS:controller "@streq post" "id:77240561,chain,phase:2,pass,nolog,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:action "@streq new_simple" "chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq post" "setvar:'SESSION.TIMEOUT=300',setvar:'SESSION.nbblog=1',expirevar:'SESSION.nbblog=300',t:none,t:lowercase"

SecRule SESSION:nbblog "@eq 1" "id:77240562,phase:2,pass,nolog,skip:1,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@pm create_course.php edit_course.php" "id:77240880,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in ATutor before 2.2 (CVE-2014-9752)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"
SecRule FILES_NAMES "@streq customicon" "chain,t:none,t:lowercase"
SecRule FILES "!@rx \w+.(png|jpg|gif)" "t:none,t:lowercase"

SecRule ARGS:__vtrftk "@beginsWith sid:77" "id:77240890,chain,msg:'IM360 WAF: Shell upload vulnerability in VtigerCRM 6.4.0 and earlier (CVE-2016-1713 & CVE-2015-6000)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_COOKIES:PHPSESSID "@eq 26" "chain,t:none,t:length"
SecRule FILES "!@rx \.(?:gif|p?jpe?g|(?:x-)?png)$" "t:none,t:lowercase"

SecRule REQUEST_FILENAME "@pm show_rechis.php" "id:77240991,chain,msg:'IM360 WAF: Cross site scripting vulnerability in TYPO3 6.x before 6.2.15 7.x before 7.4.0 4.5.40 and earlier (CVE-2015-5956)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,severity:2,tag:'other_apps'"
SecRule ARGS:returnUrl "@rx data\:[\w\/]+\;base64" "t:none,t:lowercase,t:removeWhitespace"

SecRule REQUEST_FILENAME "@pm mod/lesson/view.php mod/lesson/mediafile.php" "id:77241121,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.moodle_ls=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_ls=300',t:none,t:lowercase"

SecRule SESSION:moodle_ls "@eq 1" "id:77241122,phase:2,pass,nolog,skip:1,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@pm mod/lesson/view.php mod/lesson/mediafile.php" "id:77241123,chain,msg:'IM360 WAF: CSRF vulnerability in Moodle through 2.6.11 2.7.x before 2.7.11 2.8.x before 2.8.9 and 2.9.x before 2.9.3 (CVE-2015-5338)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_post'"
SecRule &ARGS:id "@ge 1" "chain,t:none"
SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase"
SecRule &SESSION:moodle_ls "!@eq 1" "t:none"

SecRule ARGS:p "@streq user" "id:77241170,chain,phase:2,pass,nolog,t:none,t:lowercase,skip:1,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_METHOD "@streq get" "chain,setvar:'SESSION.gecko_cms=1',expirevar:'SESSION.gecko_cms=300',t:none,t:lowercase"
SecRule SESSION:gecko_cms "@eq 1" "t:none"

SecRule ARGS:p "@streq user" "id:77241171,chain,msg:'IM360 WAF: CSRF vulnerability in Gecko CMS 2.2 and 2.3 (CVE-2015-1424)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase"
SecRule &SESSION:gecko_cms "!@eq 1" "t:none"

SecRule REQUEST_FILENAME "@endsWith admin/registration/register.php" "id:77241180,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.moodle_rg=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_rg=300',t:none,t:lowercase"

SecRule SESSION:moodle_rg "@eq 1" "id:77241181,phase:2,pass,nolog,skip:1,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith admin/registration/register.php" "id:77241182,chain,msg:'IM360 WAF: CSRF vulnerability in Moodle through 2.6.11 2.7.x before 2.7.11 2.8.x before 2.8.9 and 2.9.x before 2.9.3 (CVE-2015-5335)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase"
SecRule &SESSION:moodle_rg "!@eq 1" "t:none"

SecRule REQUEST_FILENAME "@endsWith mod/glossary/editcategories.php" "id:77241230,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.moodle_gl=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_gl=300',t:none,t:lowercase"

SecRule SESSION:moodle_gl "@eq 1" "id:77241231,phase:2,pass,nolog,skip:1,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith mod/glossary/editcategories.php" "id:77241232,chain,msg:'IM360 WAF: CSRF vulnerability in Moodle through 2.5.9 2.6.x before 2.6.7 2.7.x before 2.7.4 and 2.8.x before 2.8.2 (CVE-2015-0213)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase"
SecRule &SESSION:moodle_gl "!@eq 1" "t:none"

SecRule &ARGS:yii_csrf_token "@ge 1" "id:77241430,chain,msg:'IM360 WAF: Arbitrary File Upload in X2Engine X2CRM before 5.0.9 (CVE-2015-5074)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule &REQUEST_COOKIES:phpsessid "@ge 1" "chain,t:none"
SecRule &REQUEST_COOKIES:yii_csrf_token "@ge 1" "chain,t:none"
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)\W" "t:none,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith /libraries/sql-parser/autoload.php" "id:77241570,msg:'IM360 WAF: Information Disclosure in phpMyAdmin 4.5.x before 4.5.4 (CVE-2016-2044)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith graph_view.php" "id:77241580,chain,msg:'IM360 WAF: SQL Injection Vulnerability in Cacti 0.8.8g and earlier (CVE-2016-3659)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" "chain,setvar:'TX.cacti=1',t:none"
SecRule ARGS:host_group_data "!@rx ^(?:graph_template|data_query)\:\d+$" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:host_group_data "!@contains data_query_index" "t:none"

SecRule REQUEST_URI "@rx shop-\d+\/category:" "id:77241590,chain,msg:'IM360 WAF: SQL injection vulnerability in the Microweber CMS 0.95 before 20141209 (CVE-2014-9464)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,severity:2,tag:'other_apps'"
SecRule REQUEST_URI "!@rx category:\d+$" "t:none,t:lowercase"

SecRule REQUEST_HEADERS:X-HTTP-Method-Override "!@streq %{REQUEST_METHOD}" "id:77241600,chain,msg:'IM360 WAF: CSRF protection bypass in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_HEADERS:X-HTTP-Method-Override "@ge 1" "chain,t:none,t:length"
SecRule REQUEST_COOKIES_NAMES "@contains cakephp" "t:none,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith libraries/phpseclib/crypt/rijndael.php" "id:77241620,msg:'IM360 WAF: Information Disclosure in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 (CVE-2016-2042)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith libraries/phpseclib/crypt/aes.php" "id:77241621,msg:'IM360 WAF: Information Disclosure in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 (CVE-2016-2042)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith /libraries/config/messages.inc.php" "id:77241720,msg:'IM360 WAF: Information Disclosure in phpMyAdmin 4.0.x before 4.0.10.12 4.4.x before 4.4.15.2 and 4.5.x before 4.5.3.1 (CVE-2015-8669)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith /setup/lib/common.inc.php" "id:77242490,msg:'IM360 WAF: Information disclosure vulnerability in phpMyAdmin 4.0.x before 4.0.10.13 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 (CVE-2016-2038)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@pm admin/users/api-keys admin/users/add admin/settings/edit-security" "id:77242621,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps'"
SecRule REQUEST_COOKIES_NAMES "@rx ^[a-f0-9]{32}$" "capture,setsid:'%{TX.1}',t:none,t:lowercase"

SecRule REQUEST_FILENAME "@contains admin/users/api-keys" "id:77242622,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.omeka_api=1',expirevar:'SESSION.omeka_api=300',t:none,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith admin/users/add" "id:77242624,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.omeka_add=1',expirevar:'SESSION.omeka_add=300',t:none,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith admin/settings/edit-security" "id:77242626,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.omeka_sec=1',expirevar:'SESSION.omeka_sec=300',t:none,t:lowercase"

SecRule ARGS:referer "@contains :" "id:77242970,chain,msg:'IM360 WAF: Multiple open redirect vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 (CVE-2015-6012)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:3,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'other_apps'"
SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
SecRule REQUEST_BASENAME "@within user_login.php user_logout.php modify.php user_options_modify.php user_validation.php" "chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:Set-Cookie "@contains phpsessid" "t:none,t:lowercase"

SecRule &REQUEST_COOKIES:MoodleSession "!@ge 1" "id:77242990,phase:2,pass,nolog,t:none,skip:5,severity:2,tag:'other_apps'"

SecRule REQUEST_FILENAME "@endsWith mod/assign/adminmanageplugins.php" "id:77242993,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:2,severity:2,tag:'other_apps'"
SecRule &ARGS:subtype "@ge 1" "setvar:'SESSION.moodle_assignsubmission=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_assignsubmission=300',t:none,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith admin/plugins.php" "id:77242995,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:2,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.moodle_assignsubmission_unin=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_assignsubmission_unin=300',t:none,t:lowercase"

SecRule &REQUEST_COOKIES:/cpg\d+x_data/ "@ge 1" "id:77243220,chain,msg:'IM360 WAF: Open redirect vulnerability in the Coppermine Photo Gallery before 1.5.36 (CVE-2015-3922)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:referer "!@beginsWith index.php" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith mode.php" "t:none,t:lowercase"

SecRule REQUEST_FILENAME "@streq /.profile" "id:77243320,msg:'IM360 WAF: Information disclosure vulnerability in Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP Buildpack Cf-release before 242 as used in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.38 and 1.7.x before 1.7.19 and other products (CVE-2016-6639)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,severity:2,tag:'other_apps'"

SecRule &REQUEST_COOKIES:sessionID "@ge 1" "id:77243341,chain,phase:2,pass,nolog,t:none,skip:1,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_METHOD "@streq get" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith www/admin/account-user-name-language.php" "setvar:'SESSION.revive-adserver=1',expirevar:'SESSION.revive-adserver=300',t:none,t:lowercase,t:urlDecodeUni,t:normalizePath"

SecRule &SESSION:revive-adserver "!@eq 1" "id:77243342,chain,msg:'IM360 WAF: CSRF vulnerability in the Revive Adserver before 3.2.2 (CVE-2015-7366)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'other_apps'"
SecRule &REQUEST_COOKIES:sessionID "@ge 1" "chain,t:none"
SecRule ARGS:submitsettings "@streq savechanges" "chain,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith www/admin/account-user-name-language.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule REQUEST_HEADERS:Content-Type "@gt 500" "id:77243930,chain,msg:'IM360 WAF: Remote code execution in Apache Struts versions 2.3.31 - 2.3.5 and 2.5 - 2.5.10 (CVE-2017-5638)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:removeWhitespace,t:length,severity:2,tag:'other_apps'"
SecRule REQUEST_HEADERS:Content-Type "!@rx ^(?:\w+\/[\w\-\.]+)(?:;(?:charset=[\w\-]{1,18}|boundary=[\w\-]+)?)?$" "t:none,t:urlDecodeUni,t:removeWhitespace"

SecRule &FILES "@gt 0" "id:77244050,chain,msg:'IM360 WAF: Possible arbitrary file upload using Uploadify||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_FILENAME "@endsWith uploadify/uploadify.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule REQUEST_COOKIES_NAMES "@beginsWith bigtree" "id:77244060,chain,msg:'IM360 WAF: Start tracking BigTree CMS||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,t:none,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_FILENAME "@contains admin/settings/edit/" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule MATCHED_VAR "@pm colophon nav-social" "chain,t:none"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.bigtree_settings=1',expirevar:'SESSION.bigtree_settings=300',t:none,t:lowercase"

SecRule REQUEST_FILENAME "@contains /admin/developer/" "id:77244500,chain,phase:2,pass,severity:2,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Start tracking Bigtree CMS||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'other_apps',tag:'im360_req_get'"
SecRule MATCHED_VAR "@rx (?:upgrade\/|packages\/view\/)$" "chain,t:none"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.bigtree_dev=1',expirevar:'SESSION.bigtree_dev=300',t:none,t:lowercase"

SecRule REQUEST_FILENAME "@contains /admin/developer/" "id:77244501,chain,msg:'IM360 WAF: CSRF vulnerability in the BigTree CMS through 4.2.18 (CVE-2017-9444)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule MATCHED_VAR "@rx (?:upgrade\/(?:ignore\/|set-ftp-directory\/)|packages\/delete\/\d+\/)$" "chain"
SecRule REQUEST_METHOD "@streq get" "chain,t:none,t:lowercase"
SecRule &SESSION:bigtree_dev "!@eq 1" "t:none"

SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77244640,chain,msg:'IM360 WAF: Start tracking Piwigo||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule ARGS:page "@streq cat_options" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.piwigo_cat=1',expirevar:'SESSION.piwigo_cat=300',t:none,t:lowercase"

SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77244641,chain,msg:'IM360 WAF: CSRF vulnerability in Piwigo through 2.9.1 (CVE-2017-10680 and CVE-2017-10681)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:page "@streq cat_options" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &ARGS:cat_true[]|&ARGS:cat_false[] "@ge 1" "chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &SESSION:piwigo_cat "!@eq 1" "t:none"

SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77244650,chain,msg:'IM360 WAF: Start tracking Piwigo||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule ARGS:page "@streq permalinks" "chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.piwigo_link=1',expirevar:'SESSION.piwigo_link=300',t:none,t:lowercase"

SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77244651,chain,msg:'IM360 WAF: CSRF vulnerability in Piwigo through 2.9.1 (CVE-2017-10678)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:page "@streq permalinks" "chain,t:none,t:lowercase"
SecRule &ARGS:cat_id "@ge 1" "chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &SESSION:piwigo_link "!@eq 1" "t:none"

SecRule REQUEST_FILENAME "@contains /admin/dashboard/vitals-statistics/404/" "id:77244970,chain,msg:'IM360 WAF: Start tracking Bigtree CMS||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.bigtree_vitals_statistics=1',expirevar:'SESSION.bigtree_vitals_statistics=300',t:none,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith /admin/developer/email/" "id:77245000,chain,phase:2,pass,nolog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Start tracking Bigtree CMS||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'other_apps',tag:'im360_req_get'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.bigtree_email=1',expirevar:'SESSION.bigtree_email=300',t:none,t:lowercase"

SecRule &ARGS:image_assetID "@ge 1" "id:77245290,chain,msg:'IM360 WAF: Unrestricted file upload vulnerability in Perch Content Management System 3.0.3 (CVE-2017-15948)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule &ARGS:resourceBucket "@ge 1" "chain,t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
SecRule REQUEST_FILENAME "@endsWith core/apps/assets/edit/" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule FILES "!@rx \.(?:jpe?g|gif|bmp|png)$" "t:none,t:lowercase"

SecRule ARGS:page "@within configuration batch_manager" "id:77245591,chain,msg:'IM360 WAF: CSRF vulnerability in the Piwigo through 2.9.2 (CVE-2017-17827)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule &ARGS:gallery_title|&ARGS:element_ids "@ge 1" "chain,t:none"
SecRule &REQUEST_COOKIES_NAMES:pwg_id "@ge 1" "chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

SecRule TX:YzmCMS "@ge 1" "id:77247241,chain,phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_FILENAME "@endsWith admin_manage/add.html" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.yzmphp_user=1',expirevar:'SESSION.yzmphp_user=300',t:none,t:lowercase"

SecRule TX:FrontAccounting "@ge 1" "id:77247350,chain,phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_BASENAME "@streq users.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.FrontAccounting_user=1',expirevar:'SESSION.FrontAccounting_user=300',t:none,t:lowercase"

SecRule &ARGS:user_id "@ge 1" "id:77247351,chain,msg:'IM360 WAF: CSRF vulnerability in FrontAccounting 2.4.3 (CVE-2018-7176)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule TX:FrontAccounting "@ge 1" "chain,t:none"
SecRule REQUEST_BASENAME "@streq users.php" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &SESSION:FrontAccounting_user "!@eq 1" "t:none"

SecRule &REQUEST_COOKIES:cscms_session "@ge 1" "id:77247380,chain,phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_URI "@contains admin.php/links" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.cscms_session_user=1',expirevar:'SESSION.cscms_session_user=300',t:none,t:lowercase"

SecRule TX:YzmCMS "@ge 1" "id:77247530,chain,phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_FILENAME "@rx \/role\/(?:add|edit)" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.yzmphp_user=1',expirevar:'SESSION.yzmphp_user=300',t:none,t:lowercase"

SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "id:77247540,chain,phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule ARGS:case "@streq table" "chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.CMSEasy_user=1',expirevar:'SESSION.CMSEasy_user=300',t:none,t:lowercase"

SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "id:77247541,chain,msg:'IM360 WAF: CSRF vulnerability in CmsEasy 6.1 (CVE-2018-11679)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule &ARGS:catid "@ge 1" "chain,t:none"
SecRule ARGS:act "@streq add" "chain,t:none,t:lowercase"
SecRule &SESSION:CMSEasy_user "!@eq 1" "t:none"

SecRule &REQUEST_COOKIES:cscms_session "@ge 1" "id:77247670,chain,phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_URI "@endsWith admin.php/setting" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.cscms_session_user=1',expirevar:'SESSION.cscms_session_user=300',t:none,t:lowercase"

SecRule &REQUEST_COOKIES:dili_session "@ge 1" "id:77247810,chain,phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_FILENAME "@rx \/(?:role|user)\/view" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.delicms_user=1',expirevar:'SESSION.delicms_user=300',t:none,t:lowercase"

SecRule TX:YzmCMS "@ge 1" "id:77247860,chain,phase:2,pass,nolog,t:none,severity:2,tag:'other_apps',tag:'im360_req_get'"
SecRule REQUEST_FILENAME "@rx tag\/(?:add|init)\.html$" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.yzmphp_user=1',expirevar:'SESSION.yzmphp_user=300',t:none,t:lowercase"

SecRule REQUEST_BASENAME "@streq downloads.php" "id:77247910,chain,msg:'IM360 WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'"
SecRule ARGS:orderby "!@rx ^download\_(?:id|user|title|count|datestamp)$" "t:none,t:urlDecodeUni,t:lowercase"

SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "id:77248190,chain,msg:'IM360 WAF: Directory traversal vulnerability exists in BAGECMS (CVE-2019-5887)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule ARGS:s "@endsWith /appminialipaylist/delete.html" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:id "@contains .." "t:none,t:urlDecodeUni"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bcf(?:_(?:setdatasource(?:password|username)|(?:getdatasourceusernam|iscoldfusiondatasourc)e)|admin_registry_(?:delete|set)|execute|internaldebug|newinternal(?:adminsecurit|registr)y|usion_(?:d(?:bconnections_flush|ecrypt)|encrypt|getodbc(?:dsn|ini)|set(?:odbcini|tings_refresh)|verifymail))\b" "id:77211020,msg:'IM360 WAF: Injection of Undocumented ColdFusion Tags||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,t:none,t:htmlEntityDecode,t:lowercase,severity:2,tag:'service_gen'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:i|!ARGS:i|!ARGS:/install\[values\]\[\w*]\[fileDenyPattern\]/|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?:$(?:[^a-zA-Z0-9_]{0,}?(?:cn|homedirectory|objectc(?:ategory|lass)|[gu]idnumber)\b[^a-zA-Z0-9_]{0,}?=|[^a-zA-Z0-9\-_]{0,}?[!&|][^a-zA-Z0-9\-_]{0,}?\()|$[^a-zA-Z0-9\-_]{0,}?\([^a-zA-Z0-9\-_]{0,}?[!&|])" "id:77211030,chain,msg:'IM360 WAF: LDAP Injection Attack||T:APACHE||',phase:2,capture,pass,t:none,t:htmlEntityDecode,t:lowercase,severity:5,tag:'service_gen',tag:'service_rbl_infectors'"
SecRule &ARGS:newspost.add "@eq 0"

SecRule REQUEST_COOKIES_NAMES "@beginsWith bigtree" "id:77215070,chain,msg:'IM360 WAF: Start tracking Bigtree CMS||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,t:none,t:lowercase,severity:2,tag:'service_gen',tag:'im360_req_get'"
SecRule REQUEST_FILENAME "@contains admin/users" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" "setvar:'SESSION.bigtree_user=1',expirevar:'SESSION.bigtree_user=300',t:none,t:lowercase"

SecRule &ARGS:id "@ge 1" "id:77215071,chain,msg:'IM360 WAF: CSRF vulnerability in the BigTree CMS 4.1.18 and 4.2.16 (CVE-2017-6914)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'other_apps'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith bigtree" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains admin/ajax/users/delete" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:bigtree_user "!@eq 1" "t:none"

#DEFA-3954
SecRule REQUEST_FILENAME "@endsWith /mod/lti/auth.php" "id:77316827,chain,block,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS in Moodle Auth Page||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'other_apps'"
SecRule ARGS:/redirect_uri/ "@rx ^javascript" "t:none,t:urlDecodeUni"

#DEFA-4414
SecRule ARGS:id "@rx select(\x20|\x2f)" "id:77317978,msg:'IM360 WAF: Generic SQL injection in id parameter||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,t:normalizePath,t:lowercase,severity:5,tag:'other_apps'"

# DEFA-4908
SecRule REQUEST_URI "@contains /modules/bamegamenu/ajax_phpcode.php" "id:77350047,chain,block,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Remote Command Execution in Prestashop (CVE-2018-8823)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'other_apps'"
SecRule ARGS:code "@rx \s(?:exec|passthru|shell_exec|system)\s?\(" "t:none"

# DEFA-4907
SecRule REQUEST_URI "@contains /modules/bamegamenu/ajax_phpcode.php" "id:77350052,chain,block,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: SQL Injection in Prestashop (CVE-2018-8824)||Code:%{ARGS.code}||T:APACHE||',tag:'other_apps'"
SecRule ARGS:code "@pm delete edit show" "t:none,t:lowercase"

# DEFA-4977
SecRule REQUEST_METHOD "POST" "id:77350059,chain,block,t:none,severity:2,msg:'IM360 WAF: CSRF in Bitrix CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /bitrix/tools/html_editor_action.php" "chain,t:none"
SecRule ARGS:action "@streq uploadfile" "chain,t:none"
SecRule &ARGS:/bxu_files "@gt 0" "chain,t:none"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

SecRule REQUEST_METHOD "POST" "id:77350060,chain,block,t:none,severity:2,msg:'IM360 WAF: CSRF in Bitrix CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /bitrix/tools/html_editor_action.php" "chain,t:none"
SecRule ARGS:action "@streq uploadfile" "chain,t:none"
SecRule &ARGS:/bxu_files "@gt 0" "chain,t:none"
SecRule &REQUEST_COOKIES:/bitrix_sessid "@eq 0"

SecRule REQUEST_METHOD "POST" "id:77350061,chain,block,t:none,severity:2,msg:'IM360 WAF: Possible RCE in Bitrix CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@contains /bitrix/tools/vote/uf.php" "chain,t:none"
SecRule ARGS:attachId[ENTITY_TYPE] "@streq CFileUploader" "chain,t:none"
SecRule &ARGS:/bxu_files "@gt 0" "chain,t:none"
SecRule ARGS|REQUEST_BODY "@contains \Bitrix\Main\Analytics\CounterDataTable::submitData()" "chain,t:none,t:normalizePath"
SecRule MATCHED_VAR "@contains <?php" "t:none"

SecRule REQUEST_METHOD "POST" "id:77350062,chain,block,t:none,severity:2,msg:'IM360 WAF: Possible RCE in Bitrix CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /bitrix/tools/html_editor_action.php" "chain,t:none"
SecRule ARGS:action "@streq uploadfile" "chain,t:none"
SecRule &ARGS:/bxu_files "@gt 0" "chain,t:none"
SecRule ARGS|REQUEST_BODY "@contains \00Bitrix\5CMain\5CDB\5CResultIterator\00currentData" "chain,t:none"
SecRule ARGS|REQUEST_BODY "@contains Bitrix\Main\DB\ArrayResult" "chain,t:none"
SecRule ARGS|REQUEST_BODY "@rx \x22WriteFinalMessage\x22;\}\}\}" "chain,t:none"
SecRule ARGS|REQUEST_BODY "@contains <?php" "t:none"

SecRule REQUEST_METHOD "POST" "id:77350063,chain,block,t:none,severity:2,msg:'IM360 WAF: Possible RCE in Bitrix CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /bitrix/tools/html_editor_action.php" "chain,t:none"
SecRule ARGS:action "@streq uploadfile" "chain,t:none"
SecRule &ARGS:/bxu_files "@gt 0" "chain,t:none"
SecRule FILES "@rx \.php" "t:none"

# DEFA-5014
SecRule REQUEST_METHOD "@pm HEAD POST" "id:77350089,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: SQLi in PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.7 (CVE-2022-36408)||SC:%{SCRIPT_FILENAME}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /blm.php" "chain,t:none,t:normalizePath"
SecRule ARGS:z|ARGS:payment_intent "@pm <?php file_put_contents base64_decode( exit(md5( /controllers/admin/AdminLoginController.ph" "t:none,t:urlDecode"

SecRule REQUEST_METHOD "@pm HEAD POST" "id:77350090,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: SQLi in PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.7 (CVE-2022-36408)||SC:%{SCRIPT_FILENAME}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'other_apps',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /index.php" "chain,t:none,t:normalizePath"
SecRule ARGS:cacheFile "@streq blm.php" "chain,t:none"
SecRule ARGS:s "@contains index/\think\template\driver\file/write" "chain,t:none"
SecRule ARGS:content "@pm <?php @eval $_POST" "t:none,t:urlDecode"

# DEFA-5088
SecRule REQUEST_METHOD "POST" "id:77350100,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Write in Bitrix CMS||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /tools/html_editor_action.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@rx uploadfile" "chain,t:none"
SecRule ARGS:bxu_info[packageIndex] "@contains ../" "chain,t:none"
SecRule ARGS:bxu_info[CID] "@contains <?" "t:none"
# DEFA-5088
SecRule REQUEST_URI "@rx /upload/tmp/BXTEMP[^b]+bxu/main/" "id:77350101,phase:2,pass,log,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Suspicious File Access in Bitrix CMS||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
# DEFA-5088
SecRule REQUEST_METHOD "POST" "id:77350102,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: RCE via PHP Object Injection in Bitrix CMS||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /tools/html_editor_action.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@rx uploadfile" "chain,t:none"
SecRule ARGS:/bxu_files.*\[default\] "!@rx ^$" "t:none"
# DEFA-5088
SecRule REQUEST_METHOD "POST" "id:77350103,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: RCE via PHP Object Injection in Bitrix CMS||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /tools/html_editor_action.php" "chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS:action "@rx uploadfile" "chain,t:none"
SecRule ARGS:bxu_info[packageIndex] "@contains /deault" "t:none"

# Rule is used for test purposes. Protects against RCE through CSRF in Magento
SecRule REQUEST_FILENAME "@rx /pub/media/tmp/catalog/product/_/h/\.h\w*" "id:33330,deny,log,status:403,phase:2,severity:2,t:none,t:urlDecode,t:normalizePath,t:lowercase,ctl:RuleEngine=on,msg:'IM360 WAF: Magento 2.1.6 and below access to uploaded file DC-2017-04-003||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-5515
SecRule REQUEST_URI "@contains /modules/appagebuilder/apajax.php" "id:77350160,chain,block,log,severity:2,t:none,t:normalizePath,phase:2,msg:'IM360 WAF: SQLi in PrestaShop AP Page Builder module (CVE-2022-22897)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'service_i360'"
SecRule ARGS:product_all_one_img|ARGS:image_product "@rx [^\d,]" "t:none"

SecRule REQUEST_URI "@contains /modules/appagebuilder/apajax.php" "id:77350161,chain,block,log,severity:2,t:none,t:normalizePath,phase:2,msg:'IM360 WAF: SQLi in PrestaShop AP Page Builder module (CVE-2022-22897)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'service_i360'"
SecRule ARGS:product_manufacture "@rx [^\w,-]" "t:none"

SecRule REQUEST_COOKIES:lgcookieslaw|REQUEST_COOKIES:__lglaw "@rx \x22|\x27|\x28|\x7c\x7c|--|=" "id:77350162,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: SQLi in EU Cookie Law GDPR module for PrestaShop (CVE-2022-44727)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin'"

SecRule REQUEST_COOKIES:lgcookieslaw_accepted_purposes "@rx \x27|\x28|\x7c\x7c|--|=" "id:77350163,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: SQLi in PrestaShop (CVE-2022-31181)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'wp_plugin'"

# WPT-16
SecRule REQUEST_METHOD "POST" "id:77350168,chain,pass,log,severity:5,phase:2,t:none,msg:'IM360 WAF: Track WHMCS file upload||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360',tag:'im360_req_post',tag:'noshow'"
SecRule &REQUEST_COOKIES:/^WHMCS/ "@gt 0" "chain,t:none"
SecRule FILES "!@rx ^$" "t:none"

#WPT-93
SecRule REQUEST_URI "@contains /paypal/ipn.php" "id:77350178,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQL Injection Vulnerability in PayPal module for Prestashop 1.5 and 1.6 (CVE-2023-28843)||T:APACHE||MW:%{ARGS:receiver_email}||',tag:'other_apps'"
SecRule ARGS:receiver_email "@rx \);" "t:none"

# WPT-126
SecRule REQUEST_METHOD "POST" "id:77350192,chain,block,log,severity:2,phase:2,t:none,msg:'IM360 WAF: RCE in SPIP before 4.2.1 (CVE-2023-27372)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@rx \/spip[^\.]*\.php" "chain,t:none,t:normalizePath"
SecRule ARGS:page "@streq spip_pass" "chain,t:none"
SecRule ARGS:oubli "@rx \x22<" "t:none,t:removeWhitespace"

# WPT-158
SecRule REQUEST_URI "@rx \/cpanelwebcall\/[^<]*<[^\s.]+\s[^=.]+=[^(]+$[^)]+$" "id:77350202,phase:2,block,log,severity:2,t:none,t:urlDecode,t:compressWhitespace,msg:'IM360 WAF: XSS on the cPanel cpsrvd error page (CVE-2023-29489)||MV:%{REQUEST_URI}||T:APACHE||',tag:'other_apps'"

# WPT-227
SecRule REQUEST_METHOD "@rx POST" "id:77350242,chain,block,log,severity:2,phase:2,t:none,msg:'IM360 WAF: SQLi to file upload vulnerability in SQL manager for PrestaShop (CVE-2023-39526)||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360',tag:'im360_req_post'"
SecRule REQUEST_URI "@rx admin[^\/]+\/index\.php" "chain,t:none,t:normalizePath"
SecRule ARGS:controller "@streq AdminRequestSql" "chain,t:none"
SecRule ARGS:sql "@pm outfile dumpfile" "t:none"