# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2024 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------

# Overview (reviewer commentary; directives below are unchanged apart from
# being restored to one directive per line, chain links indented):
#
# * Most rules in this file are `pass` rules. On a match they write an audit
#   log entry and set the transaction flag tx.rbl_infectors=1; the request is
#   not stopped at that point.
# * Rules 77316879, 77316880, 77140882, 77350196 and 77350197 carry `block`
#   themselves. `block` applies whatever disruptive action SecDefaultAction
#   defines, which is not set in this file.
# * The last chain (77316861) is where the flag is consumed: it applies
#   `block` when tx.rbl_infectors is non-zero, at least one of Referer,
#   Content-Type or cookies is absent, and TX:RBL_IP is listed in the
#   infectors RBL.
# * Rules that give no phase or no disruptive action inherit them from
#   SecDefaultAction (not shown here).
# * tx.wp_user, tx.remote_addr, tx.RBL_IP and tx.rbl_whitelist_check are read
#   here but not set in this file; the @pmFromFile data files
#   (userdata_dirb_URLs.data, rce_uri) are likewise not shown.
# * REQUEST_METHOD is compared in several spellings ("@rx POST", "POST",
#   "^POST$", "@rx ^POST$"). Only the anchored forms are exact matches; the
#   unanchored ones match any method string containing POST.

# DEFA-4149
SecRule REQUEST_METHOD "@rx POST" "id:77316879,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: File upload vulnerability in Fancy Product Designer < 4.5.1 for WooCommerce for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'service_im360'"
    SecRule REQUEST_URI "@contains fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule &ARGS:uploadsDir "@gt 0" "chain,t:none"
    SecRule &ARGS:uploadsDirURL "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# Flags POSTs to the Contact Form 7 REST feedback endpoint (tracking only).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142133,pass,nolog,auditlog,chain,t:none,severity:5,msg:'IM360 WAF: Track Spam via Contact Form for WordPress||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow'"
    SecRule REQUEST_URI "@rx \/wp-json\/contact-form-7\/v\d\/contact-forms\/\d{1,3}\/feedback" "t:none,t:normalizePath,setvar:'tx.rbl_infectors=1'"

# DEFA-4149
SecRule REQUEST_URI "@contains fancy-product-designer/inc/custom-image-handler.php" "id:77316880,chain,phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: File upload vulnerability in Fancy Product Designer < 4.5.1 for WooCommerce for WordPress||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule &ARGS:url "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-2752
SecRule REQUEST_METHOD "^POST$" "chain,id:77142152,phase:2,severity:7,nolog,auditlog,pass,t:none,msg:'IM360 WAF: WordPress WP Private Content Plus plugin - unauthenticated options change (CVE-2019-15816)||T:APACHE||REMOTE_ADDR=%{tx.remote_addr}||class method=save_%{ARGS.wppcp_tab}',tag:'wp_plugin_wp_private_content_plus'"
    SecRule ARGS:page "@rx ^wppcp" "chain,t:none"
    SecRule &ARGS:wppcp_tab "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# Flags requests for PHP-type files under image/upload directories, except
# for the URIs excluded by the first (negated) link.
# NOTE(review): in the second pattern the `$` anchor sits inside the last
# alternative, so it constrains php\d? only; pht and phtml match as prefixes.
SecRule REQUEST_URI "!@rx (?:\/(wp-spamfree|com_breezingforms|midway\/framework\/assets|wp-defender\/index\.php)|(\/wp-content\/uploads\/code-execution\.php))" "chain,id:77140878,phase:request,nolog,auditlog,pass,severity:7,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Infectors: Suspicious access attempt (webshell)!||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom'"
    SecRule REQUEST_URI "@rx (\/(images|img(s)?|pictures|upload(s)?)\/[^\.]{0,108}\.(pht|phtml|php\d?$))" "t:none,t:urlDecodeUni,t:normalizePath,setvar:'tx.rbl_infectors=1'"

# DirectoryBruteForce infectors
SecRule REQUEST_FILENAME "@pmFromFile userdata_dirb_URLs.data" "id:77142160,phase:2,pass,nolog,auditlog,severity:7,t:urlDecode,t:normalizePath,msg:'IM360 WAF: Infectors. Dirb like fuzzing||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# Phase 3 companion of the rule above: audit-logs the same file-name match
# when the response status is 401, 403, 404 or 500. It sets no flag.
SecRule RESPONSE_STATUS "@rx ^(?:401|403|404|500)$" "chain,id:77350237,phase:3,pass,nolog,auditlog,severity:2,msg:'IM360 WAF: Infectors. Dirb like fuzzing||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom'"
    SecRule REQUEST_FILENAME "@pmFromFile userdata_dirb_URLs.data" "t:none,t:normalizePath"

# Infectors
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:textarea|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" "id:77140880,msg:'IM360 WAF: Infectors: PHP Injection Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||SC:%{SCRIPT_FILENAME}',phase:2,capture,pass,ctl:auditLogParts=+E,t:none,severity:7,setvar:'tx.rbl_infectors=1'"

#DEFA-5387 FP fix
# The first link is a negated @pm: the chain only continues for URIs that
# contain none of the listed admin/editor strings.
SecRule REQUEST_URI "!@pm cpanel AdminTranslations /administrator/ post.php /wp-admin/admin.php" "id:77140882,chain,msg:'IM360 WAF: Infectors: OS File Access Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||SC:%{SCRIPT_FILENAME}',phase:2,block,severity:2,log,t:none,t:normalizePath"
    SecRule ARGS|REQUEST_COOKIES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:/post/|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1 "(?:\W(?:\.(?:ht(?:group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|^/etc/)" "t:none,capture,t:cmdLine,setvar:'tx.rbl_infectors=1'"

# Uploader
# The second link stores ARGS:url in tx.140883_url so the msg of the chain
# starter can report it.
SecRule REQUEST_URI "!@rx \/stats\/(?:alive|success|failure)$" "id:77140883,chain,phase:2,pass,nolog,auditlog,t:none,t:normalizePath,severity:7,msg:'IM360 WAF: RBL block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||ARGS.path:%{MATCHED_VAR}||ARGS.url:%{tx.140883_url}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom'"
    SecRule ARGS:url "!@rx ^$" "chain,t:none,setvar:tx.140883_url=%{MATCHED_VAR}"
    SecRule ARGS:path "!@rx ^$" "t:none,setvar:'tx.rbl_infectors=1'"

# S.A.P.
SecRule REQUEST_COOKIES:f_pp|ARGS:f_pp "!@rx ^$" "id:77140885,phase:2,nolog,auditlog,pass,severity:7,msg:'IM360 WAF: RBL block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# z0
SecRule ARGS:z0 "!@rx ^$" "id:77140886,phase:2,nolog,auditlog,pass,severity:7,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: RBL block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# DEFA-1964
SecRule REQUEST_METHOD "@pm GET POST" "id:77140942,chain,pass,auditlog,severity:7,phase:2,t:none,msg:'IM360 WAF: Block WordPress 5.3 User Enumeration attempts||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_core'"
    SecRule REQUEST_URI "@contains wp-json/wp/v2/users" "t:none,t:normalizePath,setvar:'tx.rbl_infectors=1'"

# DEFA-2039
SecRule ARGS:up_auto_log "@streq true" "id:77140957,phase:2,pass,auditlog,t:none,severity:7,msg:'IM360 WAF: Block WordPress Userpro Authentication Bypass attempts||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_user_profiles',setvar:'tx.rbl_infectors=1'"

# DEFA-2298
SecRule &ARGS:sc "@gt 0" "id:77141009,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress ThemeREX Plugin RCE remote check||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{ARGS.sc}||',tag:'service_i360custom',tag:'service_wp_plugin'"
    SecRule REQUEST_URI "@contains /trx_addons/v2/" "t:none,t:normalizePath,t:urlDecodeUni,t:lowercase,setvar:'tx.rbl_infectors=1'"

# DEFA-2338
SecRule REQUEST_FILENAME "@endsWith /adminer/inc/editor/index.php" "id:77141024,pass,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin Adminer <= 1.4.5 Security Bypass||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_adminer',setvar:'tx.rbl_infectors=1'"

# DEFA-2507
# NOTE(review): severity is given twice in this action list (7, then 2), and
# the msg text names PHPMailer while the matched path and the tag refer to
# the brizy plugin - confirm which severity and which description are meant.
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/brizy/admin/site-settings.php" "id:77141078,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: PHPMailer < 5.2.20 - Remote Code Execution||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_brizy',setvar:'tx.rbl_infectors=1'"

# DEFA-2540
SecRule REQUEST_METHOD "@streq GET" "chain,id:77141084,pass,t:none,severity:7,msg:'IM360 WAF: Tracking suspicious file access||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_URI "@contains /wordpress/license.txt" "t:none,t:urlDecodeUni,t:normalizePath,setvar:'tx.rbl_infectors=1'"

# DEFA-2676
SecRule REQUEST_URI "@pm /wp-admin/post.php /wp-admin/admin-ajax.php" "id:77142108,chain,phase:2,pass,nolog,auditlog,severity:5,t:normalizePath,msg:'IM360 WAF: Directory traversal via plugin for WordPress||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS "@contains ../" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-2927
SecRule ARGS:cffaction "@pm test_db_connection test_db_query get_data_from_database get_post_types get_posts get_available_taxonomies get_taxonomies get_users" "id:77142220,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unauthenticated SQL Injection in Payment Form For Paypal Pro < 1.1.65||T:APACHE||ARGS.cffaction:%{ARGS.cffaction}||',tag:'wp_plugin_payment_form_for_paypal_pro',setvar:'tx.rbl_infectors=1'"

# DEFA-2972
SecRule REQUEST_FILENAME "@endsWith /bamegamenu/ajax_phpcode.php" "chain,id:77142250,phase:2,severity:5,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: PrestaShop Responsive Mega Menu module < 1.7.2.5 arbitrary code execution (CVE-2018-8823)||T:APACHE||ARGS.code:%{ARGS.code}||',tag:'service_i360custom'"
    SecRule &ARGS:code "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3027
SecRule ARGS:es "@streq open" "id:77316723,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: SQL Injection in Plugin Email Subscribers & Newsletters 4.2.2 for WordPress (CVE-2019-20361)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_plugin_email_subscribers'"
    SecRule &ARGS:hash "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3027
# NOTE(review): in the last link t:htmlEntityDecode is followed by a second
# t:none. ModSecurity documents t:none as clearing the transformations listed
# before it, so the entity decoding would not be applied - confirm.
SecRule ARGS:a "@pm fetch display" "id:77316725,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: File Upload/RCE in ThinkCMF||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
    SecRule &ARGS:templateFile "@gt 0" "chain,t:none"
    SecRule ARGS:prefix "@contains '" "t:none,t:htmlEntityDecode,t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3100
# NOTE(review): a second t:none appears after the tag action. It clears
# htmlEntityDecode, compressWhitespace and lowercase listed earlier in the
# same action string, while the pattern is written in lower case with single
# whitespace - confirm the trailing t:none is intended.
SecRule ARGS|REQUEST_URI|XML:/* "@rx ;[\s\+]?wget\shttps?:\/\/([^\s\+])" "id:77142263,phase:2,pass,nolog,auditlog,severity:5,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3100
SecRule ARGS|REQUEST_URI|XML:/* "@rx \$\{IFS\}" "id:77142266,pass,phase:2,nolog,auditlog,severity:7,t:none,t:htmlEntityDecode,msg:'IM360 WAF: Special shell symbol in request||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# Generic "${...}" detector with an exclusion list of known template
# placeholders in the third link (tested against the captured TX:1).
# NOTE(review): the second link carries its own setvar, and ModSecurity runs
# the non-disruptive actions of a chain link as soon as that link matches.
# tx.rbl_infectors would therefore be set before the TX:1 exclusion list is
# consulted - confirm whether the exclusions are meant to prevent the flag.
SecRule REQUEST_URI "!@pm /wp-admin/admin-ajax.php /wp-json/wp/v2/media/ /configproducts.php" "id:77142267,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Special shell symbol in request||T:APACHE||',tag:'service_i360custom'"
    SecRule ARGS|REQUEST_URI|XML:/* "@rx \$\{([^\}\)]+[\}\)])" "chain,t:none,t:htmlEntityDecode,capture,setvar:'tx.rbl_infectors=1'"
    SecRule TX:1 "!@pm itemURL} innerHtml[index].link} eventId} city} term} api_itech} userSignature} href} name} endDate( startDate( Prospects" "t:none,setvar:'tx.rbl_infectors=1'"

# Flags uploads whose file name carries a script or executable style
# extension. ctl:ruleEngine=On switches the rule engine to On for the current
# transaction when this rule matches. The id is outside the 77xxxxxx range
# used by the other rules in this file.
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "id:33341,pass,nolog,auditlog,severity:5,phase:2,t:none,ctl:ruleEngine=On,msg:'IM360 WAF: Track file upload for Infectors||T:APACHE||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||',tag:'service_im360',setvar:'tx.rbl_infectors=1'"

# Flags print( / echo( / eval( / exec( in arguments, URI, User-Agent and
# cookies after URL decoding, whitespace removal and lower-casing.
SecRule ARGS|ARGS_NAMES|REQUEST_URI|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:print|echo|eval|exec)\(" "id:77140881,msg:'IM360 WAF: Infectors: Arbitrary code execution vulnerability in Request URI||T:APACHE||SC:%{SCRIPT_FILENAME}',phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase,severity:7,setvar:'tx.rbl_infectors=1'"

# WSO
SecRule ARGS:a "!@rx ^$" "id:77140884,chain,phase:2,pass,nolog,auditlog,severity:7,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: RBL block known shells||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom'"
    SecRule ARGS:p1 "!@rx ^$" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-2691
# NOTE(review): "@rx ^$" is evaluated against header values; presumably this
# targets headers sent with an empty value, since an absent header provides
# no variable to test - confirm.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142118,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: Logged suspicious request||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx ^$" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-2833
SecRule REQUEST_URI "@pm jquery-file-upload/server/php/index.php server/php/upload.class.php server/php/UploadHandler.php example/upload.php" "id:77142199,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: jQuery-File-Upload - Arbitrary File Upload (CVE-2018-9206)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core',setvar:'tx.rbl_infectors=1'"

# DEFA-2905
SecRule REQUEST_FILENAME "@endsWith index.php" "id:77142206,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,msg:'IM360 WAF: Joomla Com_Fabrik Vulnerabilities (RBL)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'joomla_plugin'"
    SecRule ARGS:option "@streq com_fabrik" "setvar:'tx.rbl_infectors=1'"

# DEFA-2906
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142212,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Shell Upload in Joomla 3.x||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_core'"
    SecRule REQUEST_FILENAME "@endsWith /administrator/index.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:option "@streq com_templates" "chain,t:none"
    SecRule ARGS:view "@streq template" "chain,t:none"
    SecRule &ARGS:id "@gt 0" "chain,t:none"
    SecRule &ARGS:file "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2990
SecRule ARGS:tccj-update "@streq Update" "chain,id:77142228,phase:2,severity:7,pass,nolog,auditlog,t:none,msg:'IM360 WAF: WordPress plugin TC Custom JavaScript - Unauthenticated Stored Cross-Site Scripting (CVE-2020-14063) - direct exploitation variation||T:APACHE||ARGS.tccj-update:%{ARGS.tccj-update}||ARGS.tccj-content:%{ARGS.tccj-content}||',tag:'service_i360custom'"
    SecRule &ARGS:tccj-content "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3163
# Flags uploads whose file name starts with a dot.
SecRule FILES "@rx ^\." "id:77316727,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Suspicious file upload detection||T:APACHE||FILES:%{FILES}||',tag:'service_i360custom',setvar:'tx.rbl_infectors=1'"

# DEFA-3225
SecRule REQUEST_METHOD "POST" "id:77316731,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: File Upload in Front-end Editor plugin for WordPress||T:APACHE||Files:%{FILES}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@contains /wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/" "chain,t:none,t:normalizePath"
    SecRule FILES "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-3223
# NOTE(review): `[^\/]` after "fineuploader-" has no quantifier, so it matches
# exactly one character before "/server/php/". A directory suffix longer than
# one character would need `+` - confirm against the plugin's real layout.
SecRule REQUEST_METHOD "POST" "id:77316732,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: File Upload Vulnerability in Awesome Support plugin for WordPress||WPU:%{TX.wp_user}||T:APACHE||Files:%{FILES}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@rx \/wp-content\/plugins\/awesome-support\/plugins\/jquery\.fineuploader-[^\/]\/server\/php\/" "chain,t:none,t:htmlEntityDecode,t:normalizePath"
    SecRule FILES "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-3398
# Audit-log only: this chain has no setvar, so it does not raise
# tx.rbl_infectors.
SecRule REQUEST_METHOD "^POST$" "id:77316797,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: RCE in uri used by KashmirBlack||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@pmFromFile rce_uri" "t:none,t:urlDecodeUni,t:normalizePath"

# DEFA-3699
# NOTE(review): in the regex selectors /subWidgets[\d][template]/ and
# /subWidgets[\d][config][code]/ the square brackets are unescaped, so they
# are read as character classes rather than literal brackets (compare the
# escaped form used in rule 77140882's exclusion list) - confirm these
# selectors match the intended parameter names.
SecRule REQUEST_METHOD "^POST$" "id:77316800,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: RCE in vBulletin (CVE-2019-16759)||Code:%{ARGS}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'"
    SecRule ARGS:/subWidgets[\d][template]/ "@streq widget_php" "chain,t:none"
    SecRule &ARGS:/subWidgets[\d][config][code]/ "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3951
SecRule REQUEST_METHOD "@rx POST" "id:77316832,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Suspicious Joomla plugin installation attempt||File:%{FILES}||T:APACHE||Install directory:%{ARGS.install_directory}||',tag:'joomla_plugin'"
    SecRule REQUEST_FILENAME "@endsWith /administrator/index.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:option "@streq com_installer" "chain,t:none"
    SecRule ARGS:task "@streq install.install" "setvar:'tx.rbl_infectors=1'"

# DEFA-3951
SecRule REQUEST_METHOD "@rx POST" "id:77316833,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Suspicious OpenCart plugin installation attempt||File:%{FILES}||T:APACHE||Install directory:%{ARGS.install_directory}||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith /admin/index.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:route "@streq marketplace/installer/upload" "chain,t:none"
    SecRule &ARGS:user_token "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3593
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316773,chain,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,msg:'IM360 WAF: Privilege escalation vulnerability in Orbit Fox < 2.10.2 WordPress plugin||T:APACHE||',tag:'service_i360custom'"
    SecRule ARGS:actions "@rx save_builder" "chain,t:none,t:lowercase"
    SecRule ARGS:actions "@rx user_role" "t:none,t:lowercase,setvar:'tx.rbl_infectors=1'"

# Drupal Inline Entity Form: flags "<" in instance[description] on the
# field_ui_field_edit_form form.
SecRule REQUEST_METHOD "@pm GET POST" "id:77231170,chain,pass,nolog,auditlog,phase:2,severity:7,t:none,msg:'IM360 WAF: XSS vulnerability in the Inline Entity Form module 7.x-1.x before 7.x-1.6 for Drupal (CVE-2015-5507)||MV:%{ARGS.instance[description]}||T:APACHE||',tag:'drupal_core'"
    SecRule ARGS:instance[description] "@contains <" "chain,t:none,t:urlDecodeUni"
    SecRule ARGS:form_id "@contains field_ui_field_edit_form" "setvar:'tx.rbl_infectors=1'"

# DEFA-3987
# Flow control: when the request has no `action` argument, jump past every
# rule up to SecMarker MARKER_action_infectors. The rules in that span all
# test ARGS:action, so they could not match anyway.
SecRule &ARGS:action "@lt 1" "id:77316865,pass,phase:2,nolog,severity:5,skipAfter:MARKER_action_infectors,msg:'IM360 WAF: ARGS action optimization||T:APACHE||',tag:'noshow',tag:'service_gen'"

# DEFA-3891
SecRule REQUEST_METHOD "@rx POST" "id:77316822,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Privilege escalation in Store Locator Plus plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_i360custom',tag:'wp_core',tag:'noshow'"
    SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:page "^slp_" "chain,t:none"
    SecRule ARGS:action "@streq update" "setvar:'tx.rbl_infectors=1'"

# DEFA-2760
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142189,chain,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Possible WordPress site takeover||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule &ARGS:action "@gt 0" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:/option/ "@rx (users_can_register|default_role)" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-3837
SecRule REQUEST_METHOD "@rx POST" "id:77316818,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XSS vulnerability in WP Page Builder plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@pm wppb_page_save" "chain,t:none"
    SecRule &ARGS:page_builder_data|&ARGS:wppb_page_css "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3951
SecRule REQUEST_METHOD "@rx POST" "id:77316831,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Suspicious WordPress plugin installation attempt||File:%{FILES}||WPU:%{TX.wp_user}||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith wp-admin/update.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@streq upload-plugin" "chain,t:none"
    SecRule &ARGS:install-plugin-submit "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3977
SecRule REQUEST_METHOD "@rx POST" "id:77316834,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Unauthenticated Redirect Import/Export in Simple 301 Redirects by BetterLinks for WordPress||File:%{FILES}||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-admin/admin-post.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@pm admin_init" "setvar:'tx.rbl_infectors=1'"

# DEFA-3973
SecRule REQUEST_METHOD "@rx POST" "id:77316839,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Remote file upload in Fancy Product Designer for WordPress||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@rx fpd_custom_uplod_file" "setvar:'tx.rbl_infectors=1'"

# DEFA-4099
SecRule REQUEST_METHOD "POST" "id:77316855,chain,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Authenticated Privilege Escalation in WP User Avatar plugin for WordPress||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS:action "@streq update" "setvar:'tx.rbl_infectors=1'"

# DEFA-2323
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141017,chain,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress GDPR Cookie Consent < 1.8.3 Improper Access Controls||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_wp_cookie_law_info'"
    SecRule ARGS:action "@streq cli_policy_generator" "chain,t:none,t:lowercase"
    SecRule ARGS:cli_policy_generator_action "@streq save_contentdata" "t:none,t:lowercase,setvar:'tx.rbl_infectors=1'"

# DEFA-2394
SecRule REQUEST_FILENAME "@endsWith admin-post.php" "id:77141049,chain,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress popup-builder Authenticated Settings Modification||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'wp_plugin_popup_builder'"
    SecRule ARGS:action "@pm sgpbSaveSettings csv_file sgpb_system_info" "setvar:'tx.rbl_infectors=1'"

# DEFA-2549 - privilege escalation
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141083,phase:2,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_klarna_checkout_for_woocommerce'"
    SecRule ARGS:action "^change_klarna_addon_status$" "t:none,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2552
SecRule REQUEST_FILENAME "@endsWith wp-admin/admin-ajax.php" "id:77141088,chain,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: WordPress Responsive Poll through 1.3.4 - Unauthenticated endpoints manipulation (CVE-2020-11673)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_poll_wp'"
    SecRule ARGS:action "@pm TotalSoftPoll_Clone TotalSoftPoll_Del TotalSoftPoll_Edit TotalSoftPoll_Edit_Q_M TotalSoftPoll_Edit_Ans TotalSoftPoll_Theme_Clone TotalSoftPoll_Theme_Edit TotalSoftPoll_Theme_Edit1 TotalSoftPoll_1_Vote TotalSoftPoll_1_Results TotalSoftPoll_Clone_Set TotalSoftPoll_Edit_Set TotalSoftPoll_Del_Set TS_PTable_New_MTable_DisMiss_Callback_Poll TS_Poll_Question_DisMiss Total_Soft_Poll_Prev" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-2475
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142104,chain,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_elementor'"
    SecRule ARGS:action "@streq elementor_ajax" "chain,t:none,t:lowercase"
    SecRule ARGS:actions "@contains enable_safe_mode" "setvar:'tx.rbl_infectors=1'"

# DEFA-2711
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142130,chain,pass,nolog,auditlog,severity:7,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Revslider Revolution UpdatedCaptionsCSS Content Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@streq revslider_ajax_action" "chain,t:none,t:lowercase,t:urlDecodeUni"
    SecRule ARGS:client_action "@streq get_captions_css" "t:none,t:lowercase,t:urlDecodeUni,setvar:'tx.rbl_infectors=1'"

# DEFA-2572
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77142140,chain,pass,nolog,auditlog,severity:7,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress Plugin UpdraftPlus SSRF (CVE-2017-16870)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_plugin_updraftplus'"
    SecRule ARGS:action "@streq updraft_ajax" "chain,t:none,t:lowercase"
    SecRule ARGS:subaction "@streq httpget" "chain,t:none,t:lowercase"
    SecRule &ARGS:curl "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-2800
# NOTE(review): the msg expands %{TX.1}, but neither link uses the `capture`
# action and the pattern has no capture group, so the logged endpoint value
# may be empty or left over from an earlier rule - confirm.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142177,phase:2,severity:7,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: WordPress PageLayer <= 1.1.1 - Unprotected AJAX endpoints||T:APACHE||endpoint = %{TX.1}||',tag:'wp_plugin_pagelayer'"
    SecRule ARGS:action "@rx (?s)^pagelayer" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-2985
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,id:77142234,phase:2,severity:7,pass,nolog,auditlog,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (astra-sites-import-widgets v1)||T:APACHE||ARGS.action:%{ARGS.action}||ARGS.widgets_data:%{ARGS.widgets_data}||',tag:'service_i360custom'"
    SecRule ARGS:action "@streq astra-sites-import-widgets" "chain,t:none"
    SecRule &ARGS:widgets_data "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-3266
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77316734,chain,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:7,msg:'IM360 WAF: Unprotected AJAX Action in XCloner Backup and Restore Plugin||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule ARGS:action "@rx restore_backup" "t:none,t:lowercase,setvar:'tx.rbl_infectors=1'"

# DEFA-2702
SecRule REQUEST_METHOD "@rx ^POST$" "id:77142124,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: Block WordPress registration flood||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains wp-login.php" "chain,t:none,t:urlDecode"
    SecRule ARGS:action "@contains register" "setvar:'tx.rbl_infectors=1'"

# DEFA-4468
SecRule REQUEST_METHOD "@rx ^POST$" "id:77317986,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Authenticated Block Import to Stored XSS in Starter Templates Plugin for WordPress (CVE-2021-42360)||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'wp_core'"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq astra-page-elementor-batch-process" "chain,t:none"
    SecRule &ARGS:id "@gt 0" "chain,t:none"
    SecRule &ARGS:url "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-3987
# Landing point for the skipAfter in rule 77316865.
SecMarker MARKER_action_infectors

# DEFA-4327
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316931,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: REST-API in the ninja-forms plugin for WordPress to Sensitive Information Disclosure (CVE-2021-34647)||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains /wp-json/ninja-forms-submissions/export" "chain,t:none,t:urlDecode"
    SecRule &ARGS:form_ids "@gt 0" "chain,t:none"
    SecRule &ARGS:start_date "@gt 0" "chain,t:none"
    SecRule &ARGS:end_date "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

SecRule REQUEST_METHOD "@rx ^POST$" "id:77316932,chain,pass,nolog,auditlog,t:none,severity:7,msg:'IM360 WAF: REST-API in the ninja-forms plugin for WordPress to Email Injection (CVE-2021-34647)||WPU:%{TX.wp_user}||T:APACHE||MVN:%{MATCHED_VAR_NAME}||',tag:'wp_core'"
    SecRule REQUEST_URI "@contains /wp-json/ninja-forms-submissions/email-action" "chain,t:none,t:urlDecode"
    SecRule &ARGS:submission "@gt 0" "chain,t:none"
    SecRule &ARGS:action_settings "@gt 0" "t:none,setvar:'tx.rbl_infectors=1'"

# DEFA-4370
# This chain has no URI or file-name link; it matches on the POST method
# plus the presence of five argument names.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77317952,chain,pass,nolog,auditlog,severity:5,phase:2,t:none,msg:'IM360 WAF: Authenticated File Upload vulnerability in Access Demo Importer WordPress plugin (CVE-2021-39317)||File:%{FILES}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core'"
    SecRule &ARGS:file_location "@gt 0" "chain"
    SecRule &ARGS:file "@gt 0" "chain"
    SecRule &ARGS:host_type "@gt 0" "chain"
    SecRule &ARGS:class_name "@gt 0" "chain"
    SecRule &ARGS:slug "@gt 0" "setvar:'tx.rbl_infectors=1'"

# DEFA-4434
SecRule REQUEST_URI "@contains /wp-json/omapp/v1/" "id:77317977,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,setvar:'tx.rbl_infectors=1',msg:'IM360 WAF: Sensitive Information Disclosure in OptinMonster plugin for WordPress (CVE-2021-39341)||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'wp_core'"

# DEFA-4537
SecRule REQUEST_METHOD "@rx POST" "id:77317990,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authentication Bypass Vulnerability in User Registration Plugin for WordPress (CVE-2021-4073)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||T:APACHE||',tag:'wp_core',tag:'noshow'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "chain,t:none,t:normalizePath"
    SecRule ARGS:action "@streq rm_login_social_user" "chain,t:none"
    SecRule ARGS:email "!@rx ^$" "setvar:'tx.rbl_infectors=1'"

# DEFA-4651
SecRule REQUEST_URI "@contains /wp-json/whm/v3/themesettings" "id:77318031,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: XSS Vulnerability in HTML Email Template Designer Plugin for WordPress (CVE-2022-0218)||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core',setvar:'tx.rbl_infectors=1'"

# WPT-131
# NOTE(review): the last link requires the eael-pass1 count to be exactly 1,
# whereas the other presence checks in this file use "@gt 0" - confirm the
# stricter comparison is intended.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77350196,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Essential Addons for Elementor < 5.7.2 - Privilege Escalation (CVE-2023-32243)||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:action "@streq login_or_register_user" "chain,t:none,t:lowercase"
    SecRule ARGS:eael-resetpassword-submit "@streq true" "chain,t:none,t:lowercase"
    SecRule &ARGS:eael-pass1 "@eq 1" "t:none,t:lowercase,setvar:'tx.rbl_infectors=1'"

# Applies `block` to requests for the plugin's readme.txt (version discovery).
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt" "id:77350197,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Essential Addons for Elementor < 5.7.2 - Vulnerable version discovery (CVE-2023-32243)||T:APACHE||',setvar:'tx.rbl_infectors=1',tag:'wp_core'"

# DEFA-3987
# RBL whitelist DEFA-3987
# Flow control: when tx.rbl_whitelist_check is greater than 0 (set outside
# this file), skip the RBL decision below.
SecRule TX:rbl_whitelist_check "@gt 0" "id:77316900,phase:2,pass,nolog,severity:5,t:none,skipAfter:RBL_WHITELIST"

# RBL decision. All four links must match for `block` to apply:
#   1. tx.rbl_infectors is non-zero (raised by a rule above);
#   2. at least one of the Referer header, the Content-Type header or the
#      cookies is absent (the three counts are alternative targets);
#   3. TX:RBL_IP is listed in infectors.v2.rbl.imunify.com;
#   4. TX:RBL_IP is not listed in nxdomain.v2.rbl.imunify.com - presumably a
#      guard against resolvers that answer every lookup; confirm.
# tx.rbl_perf=1 is set by links 2 and 4; its consumer is not in this file.
SecRule TX:rbl_infectors "!@eq 0" "chain,id:77316861,block,log,severity:2,msg:'IM360 WAF: Block IP which is in the infectors RBL||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom'"
    SecRule &REQUEST_HEADERS:Referer|&REQUEST_HEADERS:Content-Type|&REQUEST_COOKIES "@eq 0" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl infectors.v2.rbl.imunify.com." "chain,t:none"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none,setvar:tx.rbl_perf=1"

# DEFA-4256
# Landing point for the skipAfter in rule 77316900.
SecMarker RBL_WHITELIST