/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset

# Reading notes for this section (all rules carry tag:'drupal_core'):
#  - Every rule is a chain: the first SecRule holds the id, disruptive action
#    and msg; the indented SecRules below it must all match for it to fire.
#  - All chains run in phase:2 (request body available).
#  - nolog,auditlog: no error-log entry is written, but the transaction is
#    marked for the audit log.
#  - `block` defers to the disruptive action set by SecDefaultAction, which is
#    not visible here. `pass` means the rule only records the match and does
#    not stop the request itself.
#  - msg embeds %{MATCHED_VAR}. Rule 77231990 inspects REQUEST_HEADERS:Cookie
#    and REQUEST_BODY, so matched values may end up in audit records; treat
#    the audit log as sensitive.
#  - TX:drupal is read by rules 77231990 and 77232380 but is not set in this
#    section; presumably set by an earlier rule file. Confirm.

# 77231002 - CVE-2016-1913 (Redhen module XSS). Enforcing (block), severity 2.
# Fires when the method matches GET or POST (@pm is a case-insensitive phrase
# match), ARGS:name contains "<" after t:urlDecode, and ARGS:q or the request
# path contains one of the two taxonomy path phrases after normalisation and
# lowercasing.
SecRule REQUEST_METHOD "@pm GET POST" "id:77231002,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal (CVE-2016-1913)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule ARGS:name "@contains <" "chain,t:none,t:urlDecode"
    SecRule ARGS:q|REQUEST_FILENAME "@pm structure/taxonomy/note_type/ taxonomy/term" "t:none,t:normalizePath,t:lowercase"

# 77231400 - CVE-2015-3392 & CVE-2015-3389 (Ajax Timeline / pubdlcnt XSS).
# Detection only (pass), severity 5. Fires on GET/POST to a node add or edit
# path when ARGS:title contains "<" after t:urlDecode.
SecRule REQUEST_METHOD "@pm GET POST" "id:77231400,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: XSS vulnerability in the Ajax Timeline module before 7.x-1.1 and Public Download Count module (pubdlcnt) 7.x-1.x-dev and earlier for Drupal (CVE-2015-3392 & CVE-2015-3389)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule ARGS:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" "chain,t:none,t:lowercase"
    SecRule ARGS:title "@contains <" "t:none,t:urlDecode"

# 77231960 - CVE-2014-1611 (Anonymous Posting module XSS). Enforcing (block),
# severity 2. Fires on GET/POST when any argument whose name starts with
# field_anonymous_author contains "<" after t:urlDecode and the request
# targets a node add or edit path.
# NOTE(review): the path link applies t:normalizePath but no t:lowercase,
# unlike the same regex in rule 77231400. Confirm this is intended.
SecRule REQUEST_METHOD "@pm GET POST" "id:77231960,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal (CVE-2014-1611)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule ARGS:/^field_anonymous_author/ "@contains <" "chain,t:none,t:urlDecode"
    SecRule ARGS:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" "t:none,t:normalizePath"

# 77231990 - CVE-2018-7600 / CVE-2018-7602 (Drupal core RCE). Detection only
# (pass), severity 5. Requires all of:
#   1. a keyword phrase match in the arguments, Cookie header or raw body;
#   2. a "#"-prefixed key pattern in the same targets after t:urlDecode;
#   3. a request path ending in index.php or "/";
#   4. TX:drupal equal to 1;
#   5. ARGS:controller not equal to AdminTranslations.
# NOTE(review): in ModSecurity a negated operator is evaluated only when the
# target exists. If a request has no `controller` argument, link 5 likely does
# not match and the chain stays silent. If the intent is only to exclude
# AdminTranslations, confirm the rule behaves as intended without the argument.
SecRule ARGS|REQUEST_HEADERS:Cookie|REQUEST_BODY "@pm exec passthru" "id:77231990,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: RCE vulnerability in Drupal before 7.58 8.x before 8.3.9 8.4.x before 8.4.6 and 8.5.x before 8.5.1 (CVE-2018-7600 CVE-2018-7602)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule ARGS|REQUEST_HEADERS:Cookie|REQUEST_BODY "@rx ^(?:\[?[\'\x22]?)?#|(?:\[)(?:[\'\x22]?)?#" "chain,t:none,t:urlDecode"
    SecRule REQUEST_FILENAME "@rx index\.php$|\/$" "chain,t:none"
    SecRule TX:drupal "@eq 1" "chain"
    SecRule ARGS:controller "!@streq AdminTranslations" "t:none"

# 77231011 - CVE-2016-3163 (XML-RPC brute-force amplification). Detection only
# (pass), severity 2. Fires on requests to xmlrpc.php whose body parsed without
# error, whose methodName text contains system.multicall, and which carry at
# least 10 member elements named methodName.
# NOTE(review): the XML collection is populated only when the XML request body
# processor is active for the request. That setup is not visible here; confirm
# it is enabled upstream, otherwise the XML links have nothing to inspect.
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "id:77231011,chain,phase:2,pass,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Brute-Force Amplification in Drupal 6.x before 6.38 and 7.x before 7.43 (CVE-2016-3163)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule REQBODY_ERROR "@eq 0" "chain,t:none"
    SecRule XML://methodName/text() "@contains system.multicall" "chain,t:none,t:lowercase"
    SecRule &XML://member[*][name='methodName'] "@ge 10" "t:none"

# 77241910 - CVE-2016-3187 (Prepopulate module, $_REQUEST modification).
# Enforcing (block), severity 2. Fires when ARGS:pp contains "=", the path or
# ARGS:q contains "node/" or "/admin/", and TX:drupal_pp differs from ARGS:pp.
# NOTE(review): the setvar stores the matched value with a literal "||"
# appended, so the stored value appears to always differ from %{ARGS.pp} and
# the last link looks always-true once reached. Confirm whether the trailing
# "||" is intended.
SecRule ARGS:pp "@contains =" "id:77241910,chain,phase:2,block,nolog,auditlog,severity:2,t:none,setvar:'TX.drupal_pp=%{MATCHED_VAR}||',msg:'IM360 WAF: Attempt to modify the $_REQUEST superglobal array in the The Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal (CVE-2016-3187)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule REQUEST_FILENAME|ARGS:q "@pm node/ /admin/" "chain,t:none"
    SecRule TX:drupal_pp "!@streq %{ARGS.pp}" "t:none"

# 77232380 - CVE-2019-6340 (Drupal 8 REST arbitrary code execution). Enforcing
# (block), severity 2. Fires when _format is hal_json (lowercased), TX:drupal
# is not set (count equals 0), the normalised path ends in /node/<digits>, and
# the method is GET, HEAD, OPTIONS or TRACE.
# NOTE(review): this chain requires TX:drupal to be absent, whereas rule
# 77231990 requires it to equal 1. Confirm the gating is deliberate.
SecRule ARGS:_format "@streq hal_json" "id:77232380,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Arbitrary code execution vulnerability in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 (CVE-2019-6340)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule &TX:drupal "@eq 0" "chain,t:none"
    SecRule REQUEST_FILENAME "@rx \/node\/\d+$" "chain,t:none,t:normalizePath"
    SecRule REQUEST_METHOD "@rx ^(?:get|head|options|trace)$" "t:none,t:lowercase"

# 77232980 - CVE-2018-7602 per the msg text (Drupal core RCE through the AJAX
# form API). Enforcing (block), severity 2. Fires when _wrapper_format is
# drupal_ajax, an ajax_form argument is present, an argument matches the
# keyword phrase list, the lowercased path contains user/register, and an
# argument matches the "/<letters>/#value" pattern after t:urlDecode and
# lowercasing.
SecRule ARGS:_wrapper_format "@streq drupal_ajax" "id:77232980,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: RCE vulnerability in Drupal before 7.58 8.x before 8.3.9 8.4.x before 8.4.6 and 8.5.x before 8.5.1 (CVE-2018-7602)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule &ARGS:ajax_form "@ge 1" "chain,t:none"
    SecRule ARGS "@pm exec passthru" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains user/register" "chain,t:none,t:lowercase"
    SecRule ARGS "@rx \/[a-z]+\/#value" "t:none,t:urlDecode,t:lowercase"

# 77232981 - CVE-2018-7600 (described in the msg as data leakage). Enforcing
# (block), severity 2. Fires when a form_build_id argument is present, ARGS:q
# starts with file/ajax/name/#value/ after t:urlDecode and lowercasing, and
# the request path ends in index.php or "/".
SecRule &ARGS:form_build_id "@ge 1" "id:77232981,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Data leakage vulnerability in Drupal before 7.58 8.x before 8.3.9 8.4.x before 8.4.6 and 8.5.x before 8.5.1 (CVE-2018-7600)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'drupal_core'"
    SecRule ARGS:q "@rx ^file\/ajax\/name\/#value\/" "chain,t:none,t:urlDecode,t:lowercase"
    SecRule REQUEST_FILENAME "@rx index\.php$|\/$" "t:none"