/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset
#
# Reading notes for this section:
#  - A rule or chain is identified by the id on its first SecRule. The indented
#    SecRules below it are chained: every link must match before the first
#    rule's action is applied.
#  - `block` defers to the disruptive action of the SecDefaultAction in force,
#    which is not set anywhere in this section. `pass` chains never stop the
#    request; they only record the match.
#  - `nolog,auditlog` keeps a match out of the error log and marks the
#    transaction for the audit log, so triage for these ids starts there.
#  - severity:2 is CRITICAL and severity:5 is NOTICE on ModSecurity's scale.
#    Severity does not imply blocking: chains 77220780, 77245470, 77211060,
#    77220110 and 77241980 are `pass` with severity:2.
#  - msg is a `||`-delimited record: MVN is the matched variable name and MV the
#    matched value, copied verbatim from the request, so audit logs for these
#    rules contain request data. RSV and T are fixed strings here.
#  - Several chains append r<id> to tx.rbl_infectors_rule on a match; whatever
#    consumes that variable is not part of this section.
#  - `&NAME` counts occurrences of a variable; REQUEST_COOKIES:/re/ selects
#    cookies whose name matches the regex, and `"@rx ."` then only requires a
#    non-empty value.

# 77220080 - Mintboard 0.3 XSS (CVE-2013-4951). Query string mentions login or
# signup and ARGS name/pass contains an opening or closing script tag.
# NOTE(review): the only chain here without `nolog,auditlog`, so logging follows
# the inherited defaults; one target is ARGS:pass, whose value lands in MV.
SecRule QUERY_STRING "@rx (login|signup)" "id:77220080,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in Mintboard 0.3 (CVE-2013-4951)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,severity:2,tag:'service_im360'"
    SecRule ARGS:name|ARGS:pass "@rx </?script" "t:none,t:lowercase"

# 77220430 - SkyBlueCanvas CMS command execution (CVE-2014-1683). cid and pid
# are both present and email/name/subject contains a double quote followed by
# a semicolon after URL decoding.
SecRule &ARGS:cid "@ge 1" "id:77220430,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Remote command execution vulnerability in SkyBlueCanvas CMS before 1.1 r248-04 (CVE-2014-1683)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:pid "@ge 1" "chain,t:none"
    SecRule ARGS:email|ARGS:name|ARGS:subject "@rx \x22;" "t:none,t:urlDecode"

# 77220530 - Xaraya XSS (CVE-2013-3639), audit-only. func names one of four
# admin functions and id/interface/name/tabmodule contains `<`.
# NOTE(review): @within tests whether the value occurs inside the listed
# string, so a fragment of a listed name also satisfies the first link.
SecRule ARGS:func "@within modinfonew modify_instance aliases assignprivileges" "id:77220530,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: XSS vulnerabilities in Xaraya 2.4.0-b1 and earlier (CVE-2013-3639)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:id|ARGS:interface|ARGS:name|ARGS:tabmodule "@contains <" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77220530"

# 77220760 - generic guestbook XSS block. ARGS:text contains `<` on the
# guestbook new-entry path.
# NOTE(review): no phase is given and the operator has no `@` prefix (implicit
# @rx); the phase comes from the inherited default - confirm it is phase 2.
SecRule ARGS:text "<" "id:77220760,chain,block,nolog,auditlog,t:none,t:urlDecode,severity:2,msg:'IM360 WAF: Blocking XSS attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@contains /index.php/guestbook/index/newentry" "t:none"

# 77220780 - CMS Made Simple XSS (CVE-2014-2092, CVE-2014-0334), audit-only.
# A cmssessid* cookie is set, the path is one of the listed /admin/*.php pages
# and one of the listed form fields contains `<`.
SecRule REQUEST_COOKIES:/^cmssessid/ "@rx ." "id:77220780,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in CMS Made Simple (CVE-2014-2092 and CVE-2014-0334)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@rx \/admin\/(?:add(?:group|htmlblob|bookmark|template|css)|copy(?:stylesheet|template)|edit(?:bookmark|event)|list(?:css|templates)|siteprefs|pagedefaults|myaccount|adminlog)\.php$" "chain,t:none,t:normalizePath"
    SecRule ARGS:group|ARGS:htmlblob|ARGS:title|ARGS:url|ARGS:stylesheet_name|ARGS:template_name|ARGS:template|ARGS:css_name|ARGS:metadata|ARGS:sitedownmessage|ARGS:page_metadata|ARGS:date_format_string|ARGS:filteruser|ARGS:handler "@contains <" "t:none,t:urlDecode"

# 77220930 - Open Classifieds 2 XSS (CVE-2014-2024). URI contains `<` within
# 500 characters after /shared-apartments-rooms/.
SecRule REQUEST_URI "@rx \/shared-apartments-rooms\/.{0,500}<" "id:77220930,phase:2,block,nolog,auditlog,t:none,t:lowercase,t:urlDecode,severity:2,msg:'IM360 WAF: XSS vulnerability in Open Classifieds 2 before 2.1.3 (CVE-2014-2024)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"

# 77221330 - concrete5 XSS (CVE-2014-5108). Referer header contains `>` on an
# index.php/download_file request.
SecRule REQUEST_HEADERS:Referer "@contains >" "id:77221330,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecode,severity:2,msg:'IM360 WAF: XSS vulnerability in concrete5 before 5.6.3 (CVE-2014-5108)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_URI "@contains index.php/download_file" "t:none,t:normalizePath"

# 77221360 - Dolibarr 3.5.3 XSS (CVE-2014-3991). Any of the listed menu/display
# parameters contains `>`; not tied to a path or cookie.
SecRule ARGS:leftmenu|ARGS:mainmenu|ARGS:dol_hide_leftmenu|ARGS:dol_hide_topmenu|ARGS:dol_no_mouse_hover|ARGS:dol_optimize_smallscreen|ARGS:dol_use_jmobile "@contains >" "id:77221360,phase:2,block,nolog,auditlog,t:none,t:urlDecode,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3991)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"

# 77221364 - same CVE, viewimage.php: file or modulepart contains `>`.
SecRule REQUEST_FILENAME "@endsWith viewimage.php" "id:77221364,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3991)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:file|ARGS:modulepart "@contains >" "t:none"

# 77222070 - Kasseler CMS XSS (CVE-2013-3728). `do` is present, module contains
# one of the listed words, a listed parameter contains `>` and the filename
# contains admin.php or index.php.
# NOTE(review): the first rule has no t:none, and ARGS:tid is listed twice in
# the third link (harmless duplicate).
SecRule &ARGS:do "!@eq 0" "id:77222070,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: XSS vulnerability in Kasseler CMS (CVE-2013-3728)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:module "@pm sendmail news voting forum account categories database" "chain,t:none,t:lowercase"
    SecRule ARGS:cat|ARGS:desc|ARGS:dok|ARGS:fid|ARGS:groups[]|ARGS:id|ARGS:module|ARGS:nid|ARGS:tid|ARGS:tid|ARGS:vid "@contains >" "chain,t:none,t:urlDecode"
    SecRule REQUEST_FILENAME "@pm admin.php index.php" "t:none"

# 77240370 - phpLiteAdmin 1.1 XSS (CVE-2015-6518). Any single quote in the
# decoded URI of a phpliteadmin.php request.
SecRule REQUEST_FILENAME "@contains phpliteadmin.php" "id:77240370,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in phpLiteAdmin 1.1 (CVE-2015-6518)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_URI "@contains '" "t:none,t:urlDecode"

# 77240640 - Piwigo XSS (CVE-2015-2035). pwg_id cookie present and `page`
# contains `<`.
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77240640,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Piwigo before 2.7.4 (CVE-2015-2035)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:page "@contains <" "t:none,t:urlDecode"

# 77240700 - Revive Adserver XSS (CVE-2015-7373). Banner-edit path, submit is
# "save changes" and url/height/width/weight contains `<`.
SecRule REQUEST_FILENAME "@contains www/admin/banner-edit" "id:77240700,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerabilities in the Revive Adserver before 3.2.2 (CVE-2015-7373)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:submit "@rx save\s*changes" "chain,t:none,t:lowercase"
    SecRule ARGS:url|ARGS:height|ARGS:width|ARGS:weight "@rx <" "t:none,t:urlDecode"

# 77240940 - refbase XSS (CVE-2015-6010). error.php with a double quote in
# errorNo/errorMsg after HTML-entity decoding.
SecRule REQUEST_FILENAME "@endsWith error.php" "id:77240940,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS:errorNo|ARGS:errorMsg "@rx \x22" "t:none,t:htmlEntityDecode"

# 77241051 - Gecko CMS XSS (CVE-2015-1422). `p` present and sp/ssp/sssp/ssssp
# contains a double quote or `<`.
SecRule &ARGS:p "@gt 0" "id:77241051,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:sp|ARGS:ssp|ARGS:sssp|ARGS:ssssp "@rx \x22|<" "t:none,t:urlDecode"

# 77241090 - CatBot SQL injection (CVE-2015-1367). submit contains "send!",
# lastcatbot contains a single quote, on index.php.
SecRule ARGS:submit "@contains send!" "id:77241090,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecodeUni,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in the CatBot 0.4.2 (CVE-2015-1367)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:lastcatbot "@rx \'" "chain,t:none,t:urlDecode"
    SecRule REQUEST_FILENAME "@endsWith index.php" "t:none,t:lowercase"

# 77241210 - Roundcube XSS (CVE-2015-8793). _mbox contains `<`, _action and
# _remote are present and a cookie with "roundcube" in its name is set.
SecRule ARGS:_mbox "@contains <" "id:77241210,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecode,severity:2,msg:'IM360 WAF: XSS vulnerability in Roundcube before 1.0.6 and 1.1.x before 1.1.2 (CVE-2015-8793)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:_action "@ge 1" "chain,t:none"
    SecRule &ARGS:_remote "@ge 1" "chain,t:none"
    SecRule REQUEST_COOKIES:/roundcube/ "@rx ." "t:none"

# 77241520 - ClipBucket SQL injection (CVE-2015-2102). view_item.php with
# `type` present and a single quote in `item`.
SecRule REQUEST_FILENAME "@endsWith view_item.php" "id:77241520,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) (CVE-2015-2102)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:type "@ge 1" "chain,t:none"
    SecRule ARGS:item "@rx \'" "t:none,t:urlDecode"

# 77241750 - Contenido XSS (CVE-2014-9433). cms/front_content.php, a cookie
# with "1frontend" in its name, and `<` in idart/lang/idcat.
SecRule REQUEST_FILENAME "@endsWith cms/front_content.php" "id:77241750,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in Contenido before 4.9.6 (CVE-2014-9433)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_COOKIES:/1frontend/ "@rx ." "chain,t:none,t:lowercase"
    SecRule ARGS:idart|ARGS:lang|ARGS:idcat "@contains <" "t:none,t:lowercase,t:urlDecode"

# 77241820 - Serendipity XSS (CVE-2014-9432). serendipity[comment] contains `<`
# and an s9y_<32 hex> cookie is set.
SecRule ARGS:serendipity[comment] "@contains <" "id:77241820,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,t:urlDecode,severity:2,msg:'IM360 WAF: XSS vulnerability in Serendipity before 2.0-rc2 (CVE-2014-9432)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_COOKIES:/^s9y_[a-f0-9]{32}$/ "@rx ." "t:none,t:lowercase"

# 77241890 - Textpattern XSS (CVE-2014-4737). Double quote in the decoded
# filename of a textpattern/setup/index.php request.
SecRule REQUEST_FILENAME "@contains textpattern/setup/index.php" "id:77241890,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: XSS vulnerability in Textpattern CMS before 4.5.7 (CVE-2014-4737)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@rx \x22" "t:none,t:urlDecode"

# 77242050 - Yourls 1.7 XSS (CVE-2014-8488). A yourls_* cookie is set and
# url/title contains a double quote.
SecRule REQUEST_COOKIES:/yourls_/ "@rx ." "id:77242050,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the Yourls 1.7 (CVE-2014-8488)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:url|ARGS:title "@rx \x22" "t:none,t:urlDecode"

# 77242090 - Network Weathermap XSS (CVE-2013-2618). editor.php with mapname
# present and `<` in map_title.
SecRule REQUEST_FILENAME "@endsWith editor.php" "id:77242090,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Network Weathermap before 0.97b (CVE-2013-2618)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:mapname "@ge 1" "chain,t:none"
    SecRule ARGS:map_title "@contains <" "t:none,t:urlDecode"

# 77242141 - osTicket XSS (CVE-2014-4744), audit-only variant. ostsessid
# cookie, account.php, double quote in `do`.
SecRule REQUEST_COOKIES:/ostsessid/ "@rx ." "id:77242141,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: XSS vulnerability in the osTicket before 1.9.2 (CVE-2014-4744)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@endsWith account.php" "chain,t:none,t:lowercase"
    SecRule ARGS:do "@rx \x22" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77242141"

# 77242142 - osTicket XSS (CVE-2014-4744), blocking variant. Same cookie and
# path, `do` present, and a double quote in ANY argument.
SecRule REQUEST_COOKIES:/ostsessid/ "@rx ." "id:77242142,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the osTicket before 1.9.2 (CVE-2014-4744)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@endsWith account.php" "chain,t:none,t:lowercase"
    SecRule &ARGS:do "@ge 1" "chain,t:none"
    SecRule ARGS "@rx \x22" "t:none,t:urlDecode"

# 77242200 - WeBid 1.1.1 XSS (CVE-2014-5101), register.php: double quote in
# any of the listed TPL_* registration fields.
# NOTE(review): gated only by a file name ending in register.php, with no
# application cookie; expect matches on unrelated applications.
SecRule REQUEST_FILENAME "@endsWith register.php" "id:77242200,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in WeBid 1.1.1 (CVE-2014-5101)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:TPL_name|ARGS:TPL_nick|ARGS:TPL_email|ARGS:TPL_year|ARGS:TPL_address|ARGS:TPL_city|ARGS:TPL_prov|ARGS:TPL_zip|ARGS:TPL_phone|ARGS:TPL_pp_email|ARGS:TPL_authnet_id|ARGS:TPL_authnet_pass|ARGS:TPL_wordpay_id|ARGS:TPL_toocheckout_id|ARGS:TPL_moneybookers_email "@rx \x22" "t:none,t:urlDecode"

# 77242201 - WeBid 1.1.1 XSS (CVE-2014-5101), user_login.php: double quote in
# username.
SecRule REQUEST_FILENAME "@endsWith user_login.php" "id:77242201,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in WeBid 1.1.1 (CVE-2014-5101)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:username "@rx \x22" "t:none,t:urlDecodeUni"

# 77242270 - GetSimple CMS XSS (CVE-2013-7243), audit-only. admin/changedata.php
# with nonce present and `<` in post-menu.
SecRule REQUEST_FILENAME "@endsWith admin/changedata.php" "id:77242270,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,t:normalizePath,severity:5,msg:'IM360 WAF: Multiple XSS vulnerabilities in GetSimple CMS 3.1.2 and 3.2.3 (CVE-2013-7243)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:nonce "@ge 1" "chain,t:none"
    SecRule ARGS:post-menu "@contains <" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77242270"

# 77242681 - Magento Mass Importer XSS (CVE-2015-2068). `<` anywhere in the
# decoded URI of web/magmi_import_run.php.
SecRule REQUEST_FILENAME "@endsWith web/magmi_import_run.php" "id:77242681,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,t:normalizePath,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Magento Mass Importer (CVE-2015-2068)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_URI "@contains <" "t:none,t:urlDecode"

# 77242720 - Open Source Point Of Sale XSS (CVE-2015-0299). Exactly one
# ci_session cookie, URI contains one of the listed words, and a listed field
# contains `<`.
# NOTE(review): the word list ("items", "config", ...) is matched as substrings
# of the URI, so the chain is not specific to this application.
SecRule &REQUEST_COOKIES:ci_session "@eq 1" "id:77242720,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS in the Open Source Point Of Sale 2.3.1 (CVE-2015-0299)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_URI "@pm opensourcepos customers items item_kits suppliers employees config" "chain,t:none,t:lowercase"
    SecRule ARGS:first_name|ARGS:last_name|ARGS:item_number|ARGS:name|ARGS:category|ARGS:company_name|ARGS:company "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

# 77243160 - PHP-Fusion XSS (CVE-2013-1804), audit-only. forum/viewthread.php,
# a fusion* cookie, thread_id present, single quote in highlight.
SecRule REQUEST_FILENAME "@endsWith forum/viewthread.php" "id:77243160,chain,phase:2,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_COOKIES:/^fusion/ "@rx ." "chain,t:none"
    SecRule &ARGS:thread_id "@ge 1" "chain,t:none"
    SecRule ARGS:highlight "@contains '" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77243160"

# 77243168 - PHP-Fusion XSS (CVE-2013-1804), audit-only. aid present,
# administration/articles.php, `<script` in body/body2.
# NOTE(review): the last link has no t:lowercase, so the @contains test is
# case-sensitive and `<SCRIPT` is not recorded.
SecRule &ARGS:aid "@ge 1" "id:77243168,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@endsWith administration/articles.php" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:body|ARGS:body2 "@contains <script" "t:none,t:urlDecode"

# 77243230 - Coppermine XSS (CVE-2015-3921). A cpg<digits>x_data cookie, double
# quote in `referer`, on contact.php.
SecRule &REQUEST_COOKIES:/cpg\d+x_data/ "@ge 1" "id:77243230,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the Coppermine Photo Gallery before 1.5.36 (CVE-2015-3921)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:referer "@rx \x22" "chain,t:none,t:urlDecode"
    SecRule REQUEST_FILENAME "@endsWith contact.php" "t:none,t:lowercase"

# 77243330 - ownCloud/Nextcloud XSS (CVE-2016-7419), audit-only.
# oc_sessionPassphrase cookie, MKCOL method, `<` in the decoded filename under
# remote.php, plus a cookie whose name is 12 lowercase alphanumerics.
SecRule &REQUEST_COOKIES:oc_sessionPassphrase "@ge 1" "id:77243330,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: XSS vulnerability in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 (CVE-2016-7419)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_METHOD "@streq mkcol" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@contains <" "chain,t:none,t:urlDecode"
    SecRule REQUEST_FILENAME "@contains remote.php" "chain,t:none,t:lowercase"
    SecRule REQUEST_COOKIES:/^([0-9a-z]{12})$/ "@rx ." "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77243330"

# 77243860 - PayPal PHP Merchant SDK XSS (CVE-2017-6099). Double quote or `>`
# in token on getauthdetails.html.php.
SecRule ARGS:token "@rx \x22|>" "id:77243860,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecode,severity:2,msg:'IM360 WAF: XSS vulnerability in PayPal PHP Merchant SDK 3.9.1 (CVE-2017-6099)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_BASENAME "@streq getauthdetails.html.php" "t:none,t:lowercase"

# 77244350 - Dolibarr 4.0.4 SQL injection (CVE-2017-7886). Single quote in
# lang on /theme/eldy/style.css.php.
SecRule ARGS:lang "@contains '" "id:77244350,chain,phase:2,block,nolog,auditlog,t:none,t:urlDecode,severity:2,msg:'IM360 WAF: SQL injection vulnerability in Dolibarr ERP/CRM 4.0.4 (CVE-2017-7886)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@endsWith /theme/eldy/style.css.php" "t:none,t:normalizePath,t:lowercase"

# 77244360 - Dolibarr 4.0.4 XSS (CVE-2017-7887), audit-only. `<` in sall, a
# dolsessid* cookie, on /societe/list.php.
# NOTE(review): as shown, the cookie operator is "@rx . " with whitespace
# after the dot, unlike every other cookie check in this section ("@rx .").
# If the deployed file really reads this way, the link needs a character
# followed by a space and the chain will rarely match - confirm against the
# vendor copy.
SecRule ARGS:sall "@contains <" "id:77244360,chain,phase:2,pass,nolog,auditlog,t:none,t:urlDecode,severity:5,msg:'IM360 WAF: XSS vulnerability in Dolibarr ERP/CRM 4.0.4 (CVE-2017-7887)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_COOKIES:/^dolsessid/ "@rx . " "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith /societe/list.php" "t:none,t:normalizePath,t:lowercase,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77244360"

# 77244410 - MODX Revolution XSS (CVE-2017-9070), audit-only. An argument with
# MODAUTH in its name, PHPSESSID cookie, /connectors/ path, `<` in pagetitle.
SecRule &ARGS:/MODAUTH/ "@ge 1" "id:77244410,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: XSS vulnerability in the MODX Revolution before 2.5.7 (CVE-2017-9070)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /connectors/" "chain,t:none,t:urlDecode,t:lowercase"
    SecRule ARGS:pagetitle "@contains <" "t:none,t:urlDecode"

# 77244720 - Piwigo XSS (CVE-2017-9836). pwg_id cookie, `<` in
# virtual_name/name, admin.php with page=cat_list or album-<n>-properties.
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77244720,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the Piwigo through 2.9.1 (CVE-2017-9836)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:virtual_name|ARGS:name "@contains <" "chain,t:none,t:urlDecode"
    SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase"
    SecRule ARGS:page "@rx ^(?:cat_list|album\-\d+?\-properties)$" "t:none,t:lowercase"

# 77245300 - SilverStripe XSS (CVE-2017-5197). URLSegment and SecurityID
# present, PHPSESSID cookie, double quote or `>` in Title, on the
# admin/pages/edit/editform/<n>/ path.
SecRule &ARGS:URLSegment "@ge 1" "id:77245300,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2 (CVE-2017-5197)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:SecurityID "@ge 1" "chain,t:none"
    SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
    SecRule ARGS:Title "@rx (?:\x22|>)" "chain,t:none,t:urlDecode"
    SecRule REQUEST_FILENAME "@rx (?:admin\/pages\/edit\/editform\/\d+?\/$)" "t:none,t:normalizePath,t:lowercase"

# 77245470 - MODX Revolution XSS (CVE-2017-1000223, CVE-2017-11744),
# audit-only despite severity:2. MODAUTH argument, PHPSESSID cookie,
# /connectors/ path, `<` in name/description/key/value.
SecRule &ARGS:/MODAUTH/ "@ge 1" "id:77245470,chain,phase:2,pass,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in the MODX Revolution 2.5.7 and earlier (CVE-2017-1000223 & CVE-2017-11744)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /connectors/" "chain,t:none,t:normalizePath"
    SecRule ARGS:name|ARGS:description|ARGS:key|ARGS:value "@contains <" "t:none,t:urlDecode"

# 77441792 - MODX FormIt upload abuse, audit-only. Request for a .php/.phtml/
# .phar file under /assets/components/formit/tmp/.
# NOTE(review): this and the next rule use a msg without the MVN field, so a
# parser that splits msg on `||` sees one field fewer for these two ids.
SecRule REQUEST_FILENAME "@rx \/assets\/components\/formit\/tmp\/.{1,250}\.(php\d?|phtml|phar)" "id:77441792,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Arbitrary file upload in MODX FormIt - shell execution||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"

# 77133883 - blocks any request under the FormIt tmp directory; a request that
# matched 77441792 above also reaches this rule because that one is `pass`.
SecRule REQUEST_FILENAME "@contains /assets/components/formit/tmp/" "id:77133883,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Suspicious access to MODX FormIt tmp directory||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"

# 77245790 - Piwigo 2.9.3 XSS (CVE-2018-7722), audit-only. pwg_id cookie,
# method=pwg.categories.add on ws.php, `<` or double quote in name.
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77245790,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: XSS vulnerability in Piwigo 2.9.3 (CVE-2018-7722)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:method "@streq pwg.categories.add" "chain,t:none,t:lowercase"
    SecRule REQUEST_BASENAME "@streq ws.php" "chain,t:none,t:lowercase"
    SecRule ARGS:name "@rx <|\x22" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77245790"

# 77246060 - Z-BlogPHP XSS (CVE-2018-11208). A cookie named `password`,
# /zb_system/cmd.php, `<` in ZC_BLOG_COPYRIGHT.
SecRule &REQUEST_COOKIES:password "@ge 1" "id:77246060,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS vulnerability in Z-BlogPHP 2.0.0 (CVE-2018-11208)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@contains /zb_system/cmd.php" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:ZC_BLOG_COPYRIGHT "@contains <" "t:none,t:urlDecode"

# 77246210 - Chevereto Free XSS (CVE-2018-12030). /settings/profile URI,
# PHPSESSID cookie, auth_token present, double quote or `<` in name/bio.
SecRule REQUEST_URI "@contains /settings/profile" "id:77246210,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in Chevereto Free before 1.0.13 (CVE-2018-12030)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
    SecRule &ARGS:auth_token "@ge 1" "chain,t:none"
    SecRule ARGS:name|ARGS:bio "@rx \x22|<" "t:none,t:urlDecode"

# 77246220 - SLiMS 8 Akasia XSS (CVE-2018-12654 through CVE-2018-12658),
# audit-only. senayan* cookie, one of five admin/modules/* paths, `<` in
# keywords.
SecRule REQUEST_COOKIES:/^senayan/ "@rx ." "id:77246220,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: XSS vulnerability in SLiMS 8 Akasia through 8.3.1 (CVE-2018-12654 CVE-2018-12655 CVE-2018-12656 CVE-2018-12657 CVE-2018-12658)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_URI "@rx admin\/modules\/(?:circulation|master_file|bibliography|membership|stock_take)\/" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:keywords "@contains <" "t:none,t:urlDecode"

# 77246260 - ClipperCMS XSS (CVE-2018-11332, CVE-2018-13106). site_id present,
# /manager/ URI, an SN5<12 chars> cookie, `<` or double quote in ANY argument.
# Blocks and also appends to tx.rbl_infectors_rule.
SecRule &ARGS:site_id "@ge 1" "id:77246260,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: XSS Vulnerability in ClipperCMS 1.3.3 (CVE-2018-11332 CVE-2018-13106)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_URI "@contains /manager/" "chain,t:none,t:lowercase"
    SecRule REQUEST_COOKIES:/^SN5[a-z0-9]{12}$/ "@rx ." "chain,t:none"
    SecRule ARGS "@rx <|\x22" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77246260"

# 77246280 - CMS Made Simple 2.2.6 XSS (CVE-2018-7893, CVE-2018-8058),
# audit-only. cmssessid* cookie, _sk_ present, moduleinterface.php, `<` in
# metadata/pagedata.
SecRule REQUEST_COOKIES:/^cmssessid/ "@rx ." "id:77246280,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: XSS vulnerability in CMS Made Simple in 2.2.6 (CVE-2018-7893 CVE-2018-8058)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:_sk_ "@ge 1" "chain,t:none"
    SecRule REQUEST_BASENAME "@streq moduleinterface.php" "chain,t:none,t:lowercase"
    SecRule ARGS:metadata|ARGS:pagedata "@contains <" "t:none,t:urlDecode"

# 77246800 - Dolibarr 8.0.2 XSS (CVE-2018-19992, CVE-2018-19995). dolsessid*
# cookie, double quote or `<` in the town/address fields, on user/card.php,
# adherents/card.php or admin/company.php.
SecRule REQUEST_COOKIES:/^dolsessid/ "@rx ." "id:77246800,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in Dolibarr ERP/CRM 8.0.2 (CVE-2018-19992 CVE-2018-19995)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:MAIN_INFO_SOCIETE_TOWN|ARGS:address|ARGS:town "@rx \x22|<" "chain,t:none,t:urlDecode"
    SecRule REQUEST_FILENAME "@rx (?:(?:(?:user|adherents)(?:\/card))|admin\/company)\.php$" "t:none,t:normalizePath,t:lowercase"

# 77247690 - Machform 2 (CVE-2013-4948), audit-only. view.php with a closing
# script tag in any element_<n> argument.
# NOTE(review): the msg says "SQL injection" but the pattern is a script tag;
# analysts triaging by msg text will misclassify these hits.
SecRule REQUEST_BASENAME "@streq view.php" "id:77247690,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: SQL injection vulnerability in Machform 2 (CVE-2013-4948)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:/^element_\d+?$/ "@contains </script>" "t:none,t:lowercase,t:urlDecode"

# 77211060 - Dolibarr 7.0.0 SQLi (CVE-2017-18260), audit-only despite
# severity:2. dolsessid* cookie, list.php, quote or `)` in a *statut filter.
SecRule REQUEST_COOKIES:/^dolsessid/ "@rx ." "id:77211060,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQLi vulnerability in Dolibarr ERP/CRM 7.0.0 (CVE-2017-18260)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_BASENAME "@streq list.php" "chain,t:none,t:lowercase"
    SecRule ARGS:search_statut|ARGS:propal_statut|ARGS:viewstatut "@rx \x22|\x27|\)" "t:none,t:urlDecode"

# 77220110 - Machform 2 SQL injection (CVE-2013-4948), audit-only despite
# severity:2. view.php, id contains a digit, form_id contains a non-digit.
SecRule REQUEST_FILENAME "@endsWith view.php" "id:77220110,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in Machform 2 (CVE-2013-4948)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:id "@rx \d+" "chain,t:none"
    SecRule ARGS:form_id "@rx \D" "t:none"

# 77220360 - Claroline XSS (CVE-2013-6267). Non-digit in
# cidToEdit/module_id/offset on one of the listed /admin/ pages.
SecRule ARGS:cidToEdit|ARGS:module_id|ARGS:offset "@rx \D" "id:77220360,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in Claroline before 1.11.9 (CVE-2013-6267)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@rx \/admin\/(?:admin(?:registeruser|_user_course_settings)|module\/module|right\/profile_list)\.php$" "t:none,t:normalizePath,t:lowercase"

# 77220440 - MediaWiki command execution (CVE-2014-1610). thumb.php with `f`
# present and a non-digit in `w`.
SecRule REQUEST_BASENAME "@streq thumb.php" "id:77220440,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Remote command execution vulnerability in MediaWiki 1.22.x before 1.22.2 1.21.x before 1.21.5 and 1.19.x before 1.19.11 (CVE-2014-1610)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:f "@ge 1" "chain,t:none"
    SecRule ARGS:w "@rx \D" "t:none"

# 77221292 - PHP-Fusion SQL injection. pm_email_notify/pm_save_sent is
# anything other than 0 or 1 on administration/settings_messages.php.
# NOTE(review): the msg writes the identifier as "CVE 2013-1803" (no hyphen
# after CVE), so log searches for the usual CVE-YYYY-NNNN form miss this rule.
# The first rule also has no t:none, so it inherits the default transformations.
SecRule ARGS:pm_email_notify|ARGS:pm_save_sent "!@rx ^(0|1)$" "id:77221292,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@contains administration/settings_messages.php" "t:none,t:normalizePath,t:lowercase"

# 77221650 - AtomCMS SQL injection (CVE-2014-4852). admin/uploads.php with a
# non-digit in id.
SecRule REQUEST_FILENAME "@endsWith admin/uploads.php" "id:77221650,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,t:normalizePath,severity:2,msg:'IM360 WAF: SQL injection vulnerability in The Digital Craft AtomCMS 2.0 (CVE-2014-4852)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:id "@rx \D+" "t:none"

# 77221820 - Sphider RCE (CVE-2014-5194). admin/admin.php in the URI and a
# non-digit in _word_upper_bound.
SecRule REQUEST_URI "@contains admin/admin.php" "id:77221820,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,t:normalizePath,severity:2,msg:'IM360 WAF: RCE vulnerability in Sphider 1.3.6 (CVE-2014-5194)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:_word_upper_bound "@rx \D" "t:none,t:urlDecode"

# 77240500 - Serendipity SQL injection (CVE-2015-6943), audit-only.
# serendipity_admin.php with a non-digit in serendipity[id].
SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" "id:77240500,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: SQL injection vulnerability in the Serendipity before 2.0.2 (CVE-2015-6943)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:serendipity[id] "@rx \D" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77240500"

# 77240520 - Serendipity 2k11 theme XSS (CVE-2015-6969). Comment submission on
# index.php where serendipity[name] contains a non-word character.
# NOTE(review): \W also matches spaces, hyphens and non-ASCII bytes, so a
# commenter name such as "Anna Lee" is blocked; expect false positives.
SecRule ARGS:serendipity[submit] "@streq submit comment" "id:77240520,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in the 2k11 theme in Serendipity before 2.0.2 (CVE-2015-6969)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:serendipity[name] "@rx \W" "chain,t:none"
    SecRule REQUEST_FILENAME "@endsWith index.php" "t:none,t:lowercase"

# 77240550 - Serendipity XSS (CVE-2015-2289), audit-only.
# serendipity_admin.php with a non-word character in serendipity[cat][name].
SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" "id:77240550,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: XSS vulnerability in Serendipity before 2.0.1 (CVE-2015-2289)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:serendipity[cat][name] "@rx \W" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77240550"

# 77240950 - Pragyan CMS XSS/SQL injection (CVE-2015-1471). Captures what
# follows "user:" at the end of the URI into TX:1, then requires `)` followed
# by `)`, `:` or `=` in the capture.
SecRule REQUEST_URI "@rx user:([^\n]+)$" "id:77240950,chain,block,nolog,auditlog,phase:2,capture,severity:2,t:none,t:lowercase,msg:'IM360 WAF: XSS & SQL injection vulnerability in Pragyan CMS 3.0 (CVE-2015-1471)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule TX:1 "@rx \)[\):=]" "t:none"

# 77241000 - Piwigo SQL injection (CVE-2015-1441), text fields. search.php with
# a non-word character in mode/date_type/search_author/fields[].
# NOTE(review): the first link in this chain and in 77241001 compares the VALUE
# of subcats-included with @ge 1 (there is no `&` count prefix as in the
# presence checks elsewhere) - confirm that a numeric comparison is intended.
SecRule ARGS:subcats-included "@ge 1" "id:77241000,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: SQL injection vulnerability in the Piwigo before 2.5.6 2.6.x before 2.6.5 and 2.7.x before 2.7.3 (CVE-2015-1441)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@endsWith search.php" "chain,t:none,t:lowercase"
    SecRule ARGS:mode|ARGS:date_type|ARGS:search_author|ARGS:fields[] "@rx \W" "t:none"

# 77241001 - Piwigo SQL injection (CVE-2015-1441), numeric fields. search.php
# with a non-digit in any date part or in subcats-included.
SecRule ARGS:subcats-included "@ge 1" "id:77241001,chain,msg:'IM360 WAF: SQL injection vulnerability in the Piwigo before 2.5.6 2.6.x before 2.6.5 and 2.7.x before 2.7.3 (CVE-2015-1441)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,severity:2,tag:'other_apps'"
    SecRule REQUEST_FILENAME "@endsWith search.php" "chain,t:none,t:lowercase"
    SecRule ARGS:start_day|ARGS:start_month|ARGS:start_year|ARGS:end_day|ARGS:end_month|ARGS:end_year|ARGS:subcats-included "@rx \D" "t:none"

# 77241980 - MODX Revolution XSS/SQL injection (CVE-2014-2736), audit-only
# despite severity:2. /manager/ path, PHPSESSID cookie, `(`, `'` or `;` in id.
SecRule REQUEST_FILENAME "@contains /manager/" "id:77241980,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS & SQL injection vulnerability in the MODX Revolution before 2.2.14 (CVE-2014-2736)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "chain,t:none"
    SecRule ARGS:id "@rx [\(';]" "t:none"

# 77244940 - SLiMS 8 Akasia SQLi (CVE-2017-12585), audit-only. SenayanAdmin
# cookie and one of three ajax_*.php handlers.
# NOTE(review): the last link negates an unanchored single-character class, so
# it fires only when tableName/tableFields contains NO word character or colon
# at all; any value with a letter in it passes unrecorded. An anchored
# allow-list (for example `!@rx ^[\w:]+$`) looks like the intent - confirm.
SecRule &REQUEST_COOKIES:SenayanAdmin "@ge 1" "id:77244940,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi vulnerability in SLiMS 8 Akasia through 8.3.1 (CVE-2017-12585)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_BASENAME "@within ajax_lookup_handler.php ajax_check_id.php ajax_vocabolary_control.php" "chain,t:none,t:lowercase"
    SecRule ARGS:tableName|ARGS:tableFields "!@rx [\w:_]" "t:none"

# 77245040 - Dolibarr 6.0.0 SQL injection (CVE-2017-14238). DOLSESSID_<32 chars>
# cookie, /admin/menus/edit.php, non-digit in menuId.
# NOTE(review): the cookie-name class is `[0-9a-fA-f]`; the range `A-f` spans
# every ASCII character from `A` to `f` (G-Z and several punctuation marks
# included), so it is wider than hex. `A-F` is presumably what was meant.
SecRule &REQUEST_COOKIES:/DOLSESSID_([0-9a-fA-f]{32})/ "@ge 1" "id:77245040,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.0 (CVE-2017-14238)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@endsWith /admin/menus/edit.php" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:menuId "@rx \D" "t:none"

# 77245140 - GLPI SQL injection (CVE-2017-11474). _itemtype=computer, _glpi_tab
# contains computer_softwareversion, a glpi_* cookie, ajax/common.tabs.php,
# and a non-digit in criterion.
SecRule ARGS:_itemtype "@streq computer" "id:77245140,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in GLPI before 9.1.5.1 (CVE-2017-11474)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:_glpi_tab "@contains computer_softwareversion" "chain,t:none,t:lowercase"
    SecRule REQUEST_COOKIES:/^glpi_/ "@rx ." "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith ajax/common.tabs.php" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:criterion "@rx \D" "t:none"

# 77245360 - Piwigo 2.9.2 SQL injection (CVE-2017-16893). page=tags on
# admin.php, pwg_id cookie, non-digit in edit_list.
SecRule ARGS:page "@streq tags" "id:77245360,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in Piwigo 2.9.2 (CVE-2017-16893)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "chain,t:none"
    SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase"
    SecRule ARGS:edit_list "@rx \D" "t:none"

# 77245770 - Piwigo Facetag plugin SQLi (CVE-2017-9426). pwg_id cookie, a
# facetag method on ws.php.
# NOTE(review): `[^-]\D` needs two consecutive characters (a non-hyphen, then
# a non-digit), so a one-character imageId, or one where the non-digit comes
# directly after a leading hyphen, is not matched - confirm this is intended.
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77245770,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: SQLi vulnerability in Piwigo Facetag plugin 0.0.3 (CVE-2017-9426)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:method "@within facetag.changetag facetag.listtags" "chain,t:none,t:lowercase"
    SecRule REQUEST_BASENAME "@streq ws.php" "chain,t:none,t:lowercase"
    SecRule ARGS:imageId "@rx [^-]\D" "t:none"

# 77246530 - SeedDMS SQL injection (CVE-2018-12942). mydms_session cookie,
# non-digit in userid, on op.usrmgr.php or out.usrmgr.php.
SecRule &REQUEST_COOKIES:mydms_session "@ge 1" "id:77246530,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: SQL injection vulnerability in SeedDMS before 5.1.8 (CVE-2018-12942)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:userid "@rx \D" "chain,t:none"
    SecRule REQUEST_BASENAME "@rx ^(?:op|out)\.usrmgr\.php$" "t:none,t:lowercase"

# 77247920 - Piwigo SQL injection (CVE-2015-2035), audit-only. pwg_id cookie,
# page=history, non-digit in user. No file name is checked.
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77247920,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: SQL Injection vulnerability in Piwigo before 2.7.4 (CVE-2015-2035)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:page "@streq history" "chain,t:none,t:lowercase"
    SecRule ARGS:user "@rx \D" "t:none"

# 77210320 - Magento Mass Importer directory traversal (CVE-2015-2067).
# web/ajax_pluginconf.php with plugintype and pluginclass present and `file`
# containing `..` or starting with `/`.
SecRule REQUEST_FILENAME "@endsWith web/ajax_pluginconf.php" "id:77210320,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,t:normalizePath,severity:2,msg:'IM360 WAF: Directory traversal vulnerability in Magento Mass Importer (CVE-2015-2067)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:plugintype "@ge 1" "chain,t:none"
    SecRule &ARGS:pluginclass "@ge 1" "chain,t:none"
    SecRule ARGS:file "@rx \.\.|^\/" "t:none,t:urlDecodeUni,t:htmlEntityDecode"

# 77220060 - OpenX Source XSS (CVE-2013-3515). One of three admin/plugin-*.php
# pages with a character outside [a-zA-Z0-9._-] in the listed parameters.
# NOTE(review): the first operator has no `@` prefix (implicit @rx) and the
# action list starts with t:lowercase without t:none, so inherited default
# transformations also apply.
SecRule REQUEST_FILENAME "admin/plugin-index\.php|admin/plugin-settings\.php|admin/plugin-preferences\.php" "id:77220060,chain,phase:2,block,nolog,auditlog,t:lowercase,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in OpenX Source 2.8.10 and earlier (CVE-2013-3515)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:action|ARGS:group|ARGS:package|ARGS:parent|ARGS:plugin "@rx [^a-zA-Z0-9\._-]" "t:none"

# 77220090 - phpMyAdmin (CVE-2013-4998, CVE-2013-4999, CVE-2013-5000). Blocks
# direct requests for the listed libraries/*.php files (implicit @rx,
# unanchored).
SecRule REQUEST_FILENAME "libraries\/(?:error(?:_handler)?\.class|auth\/swekey\/swekey\.auth\.lib|bookmark\.lib|common\.inc|config\.class|config\.default|data_drizzle\.inc|data_mysql\.inc|dbi\/drizzle-wrappers\.lib|display_tbl\.lib|engines\/(?:bdb|berkeleydb|binlog|innobase|innodb|memory|merge|mrg_myisam|myisam|ndbcluster|pbms|pbxt)\.lib|list_database\.class|pdf\.class|pma|pmd_common|recenttable\.class|schema\/pdf_relation_schema\.class)\.php" "id:77220090,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Multiple vulnerabilities in phpMyAdmin (CVE-2013-4998 / CVE-2013-4999 / CVE-2013-5000)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"

# 77220450 - Cubic CMS SQL injection (CVE-2014-1619). /recursos/agent.php where
# resource_id/version_id is not an optionally negative integer.
SecRule REQUEST_FILENAME "@endsWith /recursos/agent.php" "id:77220450,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Multiple SQL injection vulnerabilities in Cubic CMS 5.1.1 5.1.2 and 5.2 (CVE-2014-1619)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:resource_id|ARGS:version_id "!@rx ^-?\d+$" "t:none"

# 77221190 - PHP-Fusion SQL injection (CVE-2013-7375). A fusion<...>user cookie
# whose lowercased, entity-decoded value has a character outside [a-z0-9.].
SecRule REQUEST_COOKIES:/fusion\w+user/ "@rx [^a-z0-9\.]" "id:77221190,phase:2,block,nolog,auditlog,t:none,t:htmlEntityDecode,t:lowercase,severity:2,msg:'IM360 WAF: SQL injection vulnerability in PHP-Fusion 7.02.01 through 7.02.05 (CVE-2013-7375)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"

# 77221200 - Dotclear RCE (CVE-2014-1613). Blocks any dc_passwd cookie that is
# not shaped as a serialized array of integer-keyed strings
# (a:N:{i:N;s:N:"...";...}) after URL decoding and lowercasing.
SecRule REQUEST_COOKIES:dc_passwd "!@rx ^a:\d+:{(?:i:\d+;s:\d+:\x22.{0,300}?\x22;)*}$" "id:77221200,phase:2,block,nolog,auditlog,t:none,t:urlDecode,t:lowercase,severity:2,msg:'IM360 WAF: RCE vulnerability in Dotclear before 2.6.2 (CVE-2014-1613)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"

# 77221560 - Moodle XSS (CVE-2014-3544). user/edit.php with a MoodleSession
# cookie; the action list of the cookie link and any further links are not
# visible in this section.
SecRule REQUEST_FILENAME "@endsWith user/edit.php" "id:77221560,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in Moodle through 2.3.11 2.4.x before 2.4.11 2.5.x before 2.5.7 2.6.x before 2.6.4 and 2.7.x before 2.7.1 (CVE-2014-3544)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_COOKIES:MoodleSession "@rx ."
"chain,t:none" SecRule ARGS:skype "!@rx ^(?:live:|[a-z0-9,\._\-]){6,32}$|^$" "t:none,t:urlDecode,t:lowercase" SecRule REQUEST_FILENAME "@endsWith pkg_edit.php" "id:77221631,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: Absolute path traversal vulnerability in pfSense before 2.1.4 (CVE-2014-4689)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule ARGS:xml "@rx [\\\\|\//\.|\00]" "t:none,t:urlDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77221631" SecRule &ARGS:do "!@eq 0" "id:77222060,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: SQL injection vulnerability in Kasseler CMS (CVE-2013-3727)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule ARGS:module "@pm sendmail news voting forum account categories" "chain,t:none,t:lowercase" SecRule ARGS:desc|ARGS:dok|ARGS:fid|ARGS:groups[]|ARGS:id|ARGS:module|ARGS:nid|ARGS:tid|ARGS:tid|ARGS:vid "@rx [\'\,]" "chain,t:none,t:urlDecode" SecRule REQUEST_FILENAME "@pm admin.php index.php" "t:none,t:urlDecode,t:lowercase" SecRule REQUEST_METHOD "@streq post" "id:77240253,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerabilities in Free Reprintables ArticleFR 3.0.6 (CVE-2015-5530)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule ARGS_NAMES "@pm username name password email website blog membership isactive" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "chain,t:none" SecRule REQUEST_URI "@contains /dashboard/users/create/" "t:none,t:normalizePath,t:lowercase" SecRule REQUEST_FILENAME "@rx \/(plupload\.flash|moxie)\.swf$" "id:77240320,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: XSS vulnerability in in the Plupload plugin for WordPress and other web apps (CVE-2013-0237 
CVE-2015-3439)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule &ARGS:id|&ARGS:target "@gt 0" "t:none" SecRule &ARGS:token "@eq 0" "id:77240530,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF protection bypass in Revive Adserver before 3.2.2 (CVE-2015-7364)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_METHOD "@streq post" "chain,t:none,t:lowercase" SecRule REQUEST_COOKIES:sessionID "@rx ^[a-z0-9]{32}$" "chain,t:none" SecRule REQUEST_FILENAME "@rx (?:(?:advertiser|campaign|affiliate|zone|channel)\-edit|account\-user\-(?:name\-language|email|password))\.php$" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@pm create_course.php edit_course.php" "id:77240880,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Unrestricted file upload vulnerability in ATutor before 2.2 (CVE-2014-9752)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule FILES_NAMES "@streq customicon" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule ARGS:__vtrftk "@beginsWith sid:88" "id:77240890,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Shell upload vulnerability in VtigerCRM 6.4.0 and earlier (CVE-2016-1713 & CVE-2015-6000)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_COOKIES:PHPSESSID "@eq 26" "chain,t:none,t:length" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@pm show_rechis.php" "id:77240991,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Cross site scripting vulnerability in TYPO3 6.x before 6.2.15 7.x before 7.4.0 4.5.40 and earlier (CVE-2015-5956)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule ARGS:returnUrl "@rx 
\Wdata\s*\:\s*[\w\/]+\;\s*base64" "t:none,t:lowercase" SecRule REQUEST_METHOD "@streq post" "id:77241123,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerability in Moodle through 2.6.11 2.7.x before 2.7.11 2.8.x before 2.8.9 and 2.9.x before 2.9.3 (CVE-2015-5338)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@pm mod/lesson/view.php mod/lesson/mediafile.php" "chain,t:none,t:normalizePath" SecRule &ARGS:id "@ge 1" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@streq post" "id:77241171,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: CSRF vulnerability in Gecko CMS 2.2 and 2.3 (CVE-2015-1424)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule ARGS:p "@streq user" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@streq post" "id:77241182,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerability in Moodle through 2.6.11 2.7.x before 2.7.11 2.8.x before 2.8.9 and 2.9.x before 2.9.3 (CVE-2015-5335)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@endsWith admin/registration/register.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "@streq post" "id:77241232,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerability in Moodle through 2.5.9 2.6.x before 2.6.7 2.7.x before 2.7.4 and 2.8.x before 2.8.2 (CVE-2015-0213)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@endsWith mod/glossary/editcategories.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule 
REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule &ARGS:yii_csrf_token "@ge 1" "id:77241430,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Arbitrary File Upload in X2Engine X2CRM before 5.0.9 (CVE-2015-5074)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule &REQUEST_COOKIES:phpsessid "@ge 1" "chain,t:none" SecRule &REQUEST_COOKIES:yii_csrf_token "@ge 1" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /libraries/sql-parser/autoload.php" "id:77241570,phase:2,block,nolog,auditlog,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Information Disclosure in phpMyAdmin 4.5.x before 4.5.4 (CVE-2016-2044)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@endsWith graph_view.php" "id:77241580,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: SQL Injection Vulnerability in Cacti 0.8.8g and earlier (CVE-2016-3659)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule &REQUEST_COOKIES:Cacti "@ge 1" "chain,setvar:'TX.cacti=1',t:none" SecRule ARGS:host_group_data "!@rx ^(?:graph_template|data_query)\:\d+$" "chain,t:none,t:urlDecode" SecRule ARGS:host_group_data "!@contains data_query_index" "t:none" SecRule REQUEST_URI "@rx shop-\d+\/category:" "id:77241590,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,severity:2,msg:'IM360 WAF: SQL injection vulnerability in the Microweber CMS 0.95 before 20141209 (CVE-2014-9464)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_URI "!@rx category:\d+$" "t:none,t:lowercase" SecRule REQUEST_HEADERS:X-HTTP-Method-Override "!@streq %{REQUEST_METHOD}" 
"id:77241600,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF protection bypass in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_HEADERS:X-HTTP-Method-Override "@ge 1" "chain,t:none,t:length" SecRule REQUEST_COOKIES:/cakephp$/ "@rx ." "t:none,t:lowercase,chain" SecRule REQUEST_URI "!@contains /wp/v2/" "t:none" SecRule REQUEST_FILENAME "@endsWith libraries/phpseclib/crypt/rijndael.php" "id:77241620,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Information Disclosure in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 (CVE-2016-2042)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@endsWith libraries/phpseclib/crypt/aes.php" "id:77241621,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Information Disclosure in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 (CVE-2016-2042)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@endsWith /libraries/config/messages.inc.php" "id:77241720,phase:2,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Information Disclosure in phpMyAdmin 4.0.x before 4.0.10.12 4.4.x before 4.4.15.2 and 4.5.x before 4.5.3.1 (CVE-2015-8669)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@endsWith /setup/lib/common.inc.php" "id:77242490,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Information disclosure vulnerability in phpMyAdmin 4.0.x before 4.0.10.13 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 (CVE-2016-2038)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@pm admin/users/api-keys admin/users/add 
admin/settings/edit-security" "id:77242621,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerability in Omeka (CVE-2017-1002101)||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_COOKIES:/^[a-f0-9]{32}$/ "@rx ." "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule RESPONSE_STATUS "@streq 302" "id:77242970,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Multiple open redirect vulnerabilities in Web Reference Database (CVE-2015-6012)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule RESPONSE_HEADERS:Set-Cookie "@contains phpsessid" "chain,t:none" SecRule REQUEST_BASENAME "@within user_login.php user_logout.php modify.php user_options_modify.php user_validation.php" "chain,t:none,t:lowercase" SecRule ARGS:referer "!@contains %{SERVER_NAME}" "t:none" SecRule &REQUEST_COOKIES:/cpg\d+x_data/ "@ge 1" "id:77243220,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Open redirect vulnerability in the Coppermine Photo Gallery before 1.5.36 (CVE-2015-3922)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule ARGS:referer "!@beginsWith index.php" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith mode.php" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@streq /.profile" "id:77243320,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Information disclosure vulnerability in Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP Buildpack Cf-release before 242 as used in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.38 and 1.7.x before 1.7.19 and other products (CVE-2016-6639)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule &REQUEST_COOKIES:sessionID "@ge 1" "id:77243342,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability 
in the Revive Adserver before 3.2.2 (CVE-2015-7366)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule ARGS:submitsettings "@rx save\s*changes" "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith www/admin/account-user-name-language.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_HEADERS:Content-Type "@gt 500" "id:77243930,chain,msg:'IM360 WAF: Remote code execution in Apache Struts versions 2.3.31 - 2.3.5 and 2.5 - 2.5.10 (CVE-2017-5638)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:length,severity:2,tag:'other_apps'" SecRule REQUEST_HEADERS:Content-Type "!@rx ^(?:\w+\/[\w\-\.]+)(?:;(?:charset=[\w\-]{1,18}|boundary=[\w\-]+)?)?$" "t:none,t:urlDecode" SecRule &FILES "@gt 0" "id:77244050,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Arbitrary file upload vulnerability in Uploadify (CVE-2018-9207)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@endsWith uploadify/uploadify.php" "t:none,t:normalizePath,t:lowercase" SecRule REQUEST_FILENAME "@pm /admin/developer/ admin/settings/edit/" "id:77244501,chain,phase:2,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: CSRF vulnerability in the BigTree CMS through 4.2.18 (CVE-2017-9444)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule MATCHED_VAR "@rx (?:upgrade\/(?:ignore\/|set-ftp-directory\/)|packages\/delete\/\d+\/)$" "chain" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule &REQUEST_COOKIES:pwg_id "@ge 1" "id:77244641,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in Piwigo through 2.9.1 (CVE-2017-10680 and CVE-2017-10681)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" 
SecRule ARGS:page "@pm cat_options permalinks" "chain,t:none,t:lowercase"
SecRule &ARGS:cat_true[]|&ARGS:cat_false[]|&ARGS:cat_id "@ge 1" "chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"
# The four rules above are the tail of a chain whose first rule (carrying the id
# and msg) sits on the preceding line of this page.
#
# Referer-based CSRF virtual patches: 77245591, 77247351, 77247380, 77247530, 77247541.
# Each chain first pins the request to an authenticated admin action (a session
# cookie or parameter is present, plus a specific script or URI) and then ends
# with: REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}".
# Review notes that apply to every one of these chains:
#  - "@contains" is a substring test, so the check is satisfied by any Referer
#    that has the server name anywhere in it, not only as the URL's host.
#  - ModSecurity does not run an operator against a variable that is absent, so
#    a request without a Referer header does not complete the chain (to match on
#    absence a rule has to count the header, e.g. &REQUEST_HEADERS:Referer "@eq 0").
#    NOTE(review): confirm against the engine version in use.
#  - Treat these as compensating controls only; the durable fix is upgrading the
#    application named in each msg or enforcing anti-CSRF tokens there.

# 77245591 - Piwigo admin.php, page=configuration|batch_manager with gallery_title
# or element_ids present. Action is "pass": the match is written to the audit log
# but the request is not blocked.
SecRule ARGS:page "@within configuration batch_manager" "id:77245591,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: CSRF vulnerability in the Piwigo through 2.9.2 (CVE-2017-17827)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
SecRule &ARGS:gallery_title|&ARGS:element_ids "@ge 1" "chain,t:none"
SecRule REQUEST_COOKIES:/pwg_id/ "@rx ." "chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" "chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# 77247351 - FrontAccounting users.php with user_id present and a cookie whose
# name is "FA" followed by 32 lowercase hex characters. Action is "block".
SecRule &ARGS:user_id "@ge 1" "id:77247351,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in FrontAccounting 2.4.3 (CVE-2018-7176)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
SecRule REQUEST_COOKIES:/^FA[a-f0-9]{32}$/ "@rx ." "chain,t:none"
SecRule REQUEST_BASENAME "@streq users.php" "chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# 77247380 - CSCMS admin.php/setting and admin.php/links. The msg names no CVE.
# The "." in "admin.php" is not escaped, so the regex accepts any character there.
SecRule &REQUEST_COOKIES:cscms_session "@ge 1" "id:77247380,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in CSCMS||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
SecRule REQUEST_URI "@rx admin.php\/(?:setting|links)" "chain,t:none,t:normalizePath,t:lowercase"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# 77247530 - YzmCMS role / admin_manage / tag add-edit endpoints. The msg names
# no CVE and omits the MVN/MV fields the neighbouring rules log.
SecRule &REQUEST_COOKIES:yzmphp_adminid "@gt 0" "id:77247530,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in YzmCMS||RSV:8.02||T:APACHE||',tag:'other_apps'"
SecRule REQUEST_FILENAME "@rx (\/role\/(?:add|edit)|(?:admin_manage|tag)\/(?:add|init)\.html)" "chain,t:none,t:normalizePath"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# 77247541 - CmsEasy act=add with catid present. It is keyed on the generic
# PHPSESSID cookie and no script name, so it can match other PHP applications on
# the same host that use the same parameters. Action is "pass" (audit log only).
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "id:77247541,chain,phase:2,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: CSRF vulnerability in CmsEasy 6.1 (CVE-2018-11679)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
SecRule &ARGS:catid "@ge 1" "chain,t:none"
SecRule ARGS:act "@streq add" "chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# 77247910 - PHP-Fusion downloads.php: allow-list on "orderby". Any value other
# than the five download_* column names is blocked; a request without orderby
# does not match.
# NOTE(review): the first rule lists t:lowercase without a leading t:none, unlike
# the other chain starters here, so transformations set by SecDefaultAction (if
# any) would also apply - confirm this is intended.
# NOTE(review): the msg writes the identifier as "CVE 2013-1803" (no hyphen after
# "CVE"); log tooling that extracts CVE-YYYY-NNNN will not pick it up.
SecRule REQUEST_BASENAME "@streq downloads.php" "id:77247910,chain,phase:2,block,nolog,auditlog,t:lowercase,severity:2,msg:'IM360 WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
SecRule ARGS:orderby "!@rx ^download\_(?:id|user|title|count|datestamp)$" "t:none,t:lowercase"

# The rule below is cut by the page's line wrap; its msg and the rest of its chain
# continue on the next line.
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" "id:77248190,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Directory traversal vulnerability exists in BAGECMS 
(CVE-2019-5887)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule ARGS:s "@endsWith /appminialipaylist/delete.html" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:id "@contains .." "t:none" SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cf_ cfadmin cfexecute cfinternaldebug cfnewinternal cfusion" "id:77211020,chain,msg:'IM360 WAF: Injection of Undocumented ColdFusion Tags (CVE-2023-44350)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,capture,pass,t:none,t:lowercase,severity:2,tag:'service_im360'" SecRule MATCHED_VAR "@rx \bcf(?:_(?:setdatasource(?:password|username)|(?:getdatasourceusernam|iscoldfusiondatasourc)e)|admin_registry_(?:delete|set)|execute|internaldebug|newinternal(?:adminsecurit|registr)y|usion_(?:d(?:bconnections_flush|ecrypt)|encrypt|getodbc(?:dsn|ini)|set(?:odbcini|tings_refresh)|verifymail))\b" "t:none,t:htmlEntityDecode" SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:i|!ARGS:i|!ARGS:/install\[values\]\[\w*]\[fileDenyPattern\]/|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm ( ) cn= homedirectory objectcategory objectclass uidnumber gidnumber" "id:77211030,chain,msg:'IM360 WAF: LDAP Injection Attack||RSV:8.02||T:APACHE||',phase:2,capture,pass,t:none,t:lowercase,severity:5,tag:'service_im360'" SecRule MATCHED_VAR "(?:\((?:[^\w]{0,99}?(?:cn|homedirectory|objectc(?:ategory|lass)|[gu]idnumber)\b[^\w]{0,99}?=|[^\w-]{0,99}?[!&|][^\w-]{0,99}?\()|\)[^\w-]{0,99}?\([^\w-]{0,99}?[!&|])" "chain,t:none,t:htmlEntityDecode" SecRule &ARGS:newspost.add "@eq 0" "t:none" SecRule &ARGS:id "@ge 1" "id:77215071,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: CSRF vulnerability in the BigTree 
CMS 4.1.18 and 4.2.16 (CVE-2017-6914)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_COOKIES:/^bigtree/ "@rx ." "chain,t:none,t:lowercase" SecRule REQUEST_FILENAME "@pm admin/users admin/ajax/users/delete" "chain,t:none,t:normalizePath,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_FILENAME "@endsWith /mod/lti/auth.php" "id:77316827,chain,block,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: XSS in Moodle Auth Page||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'other_apps'" SecRule ARGS:/redirect_uri/ "@rx ^javascript" "t:none,t:urlDecodeUni" SecRule ARGS:id "@rx select(\x20|\x2f)" "id:77317978,msg:'IM360 WAF: Generic SQL injection in id parameter||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,t:normalizePath,t:lowercase,severity:5,tag:'other_apps'" SecRule REQUEST_URI "@contains /modules/bamegamenu/ajax_phpcode.php" "id:77350047,chain,block,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Remote Command Execution in Prestashop (CVE-2018-8823)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS:code "@rx \s(?:exec|passthru|shell_exec|system)\s?\(" "t:none" SecRule REQUEST_URI "@contains /modules/bamegamenu/ajax_phpcode.php" "id:77350052,chain,block,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: SQL Injection in Prestashop (CVE-2018-8824)||Code:%{ARGS.code}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS:code "@pm delete edit show" "t:none,t:lowercase" SecRule REQUEST_METHOD "POST" "id:77350059,chain,block,t:none,severity:2,msg:'IM360 WAF: CSRF in Bitrix CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_URI "@contains /bitrix/tools/html_editor_action.php" "chain,t:none" SecRule ARGS:action "@streq uploadfile" "chain,t:none" SecRule 
&ARGS:/bxu_files/ "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" SecRule REQUEST_METHOD "POST" "id:77350060,chain,block,t:none,severity:2,msg:'IM360 WAF: CSRF in Bitrix CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_URI "@contains /bitrix/tools/html_editor_action.php" "chain,t:none" SecRule ARGS:action "@streq uploadfile" "chain,t:none" SecRule &ARGS:/bxu_files/ "@gt 0" "chain,t:none" SecRule &REQUEST_COOKIES:/bitrix_sessid/ "@eq 0" "t:none" SecRule REQUEST_METHOD "POST" "id:77350061,chain,block,t:none,severity:2,msg:'IM360 WAF: Possible RCE in Bitrix CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@contains /bitrix/tools/vote/uf.php" "chain,t:none" SecRule ARGS:attachId[ENTITY_TYPE] "@streq CFileUploader" "chain,t:none" SecRule &ARGS:/bxu_files/ "@gt 0" "chain,t:none" SecRule ARGS|REQUEST_BODY "@contains \Bitrix\Main\Analytics\CounterDataTable::submitData()" "chain,t:none,t:normalizePath" SecRule MATCHED_VAR "@contains <?php" "t:none" SecRule REQUEST_METHOD "POST" "id:77350062,chain,block,t:none,severity:2,msg:'IM360 WAF: Possible RCE in Bitrix CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_URI "@contains /bitrix/tools/html_editor_action.php" "chain,t:none" SecRule ARGS:action "@streq uploadfile" "chain,t:none" SecRule &ARGS:/bxu_files/ "@gt 0" "chain,t:none" SecRule ARGS|REQUEST_BODY "@contains \00Bitrix\5CMain\5CDB\5CResultIterator\00currentData" "chain,t:none" SecRule ARGS|REQUEST_BODY "@contains Bitrix\Main\DB\ArrayResult" "chain,t:none" SecRule ARGS|REQUEST_BODY "@rx \x22WriteFinalMessage\x22;\}\}\}" "chain,t:none" SecRule ARGS|REQUEST_BODY "@contains <?php" "t:none" SecRule REQUEST_METHOD "POST" "id:77350063,chain,block,t:none,severity:2,msg:'IM360 WAF: Possible RCE in Bitrix 
CRM||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_URI "@contains /bitrix/tools/html_editor_action.php" "chain,t:none" SecRule ARGS:action "@streq uploadfile" "chain,t:none" SecRule &ARGS:/bxu_files/ "@gt 0" "chain,t:none" SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none" SecRule REQUEST_METHOD "@pm HEAD POST" "id:77350089,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi in PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.7 (CVE-2022-36408)||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_URI "@contains /blm.php" "chain,t:none,t:normalizePath" SecRule ARGS:z|ARGS:payment_intent "@pm <?php file_put_contents base64_decode( exit(md5( /controllers/admin/AdminLoginController.ph" "t:none,t:urlDecode" SecRule REQUEST_METHOD "@pm HEAD POST" "id:77350090,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi in PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.7 (CVE-2022-36408)||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_URI "@contains /index.php" "chain,t:none,t:normalizePath" SecRule ARGS:cacheFile "@streq blm.php" "chain,t:none" SecRule ARGS:s "@contains index/\think\template\driver\file/write" "chain,t:none" SecRule ARGS:content "@pm <?php @eval $_POST" "t:none,t:urlDecode" SecRule REQUEST_METHOD "POST" "id:77350100,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Arbitrary File Write in Bitrix CMS||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'other_apps'" SecRule REQUEST_URI "@contains /tools/html_editor_action.php" "chain,t:none,t:lowercase,t:normalizePath" SecRule ARGS:action "@rx uploadfile" "chain,t:none" SecRule ARGS:bxu_info[packageIndex] "@contains ../" "chain,t:none" 
SecRule ARGS:bxu_info[CID] "@contains <?" "t:none"
# The rule above is the last member of a chain that starts on the preceding line.

# 33330 - requests for a file whose name starts with ".h" under Magento's
# /pub/media/tmp/catalog/product/_/h/ directory.
# NOTE(review): the action list is "pass" together with ctl:ruleEngine=on. The
# rule does not block by itself, but it switches the rule engine to On for the
# rest of the transaction, so later "block" rules would be enforced for this
# request even on a site running in DetectionOnly. Confirm that is intended.
# NOTE(review): the id (33330) is outside the 77xxxxxx range used by every other
# rule on these lines; range-based exclusions will not cover it.
SecRule REQUEST_FILENAME "@rx \/pub\/media\/tmp\/catalog\/product\/_\/h\/\.h\w?" "id:33330,pass,nolog,auditlog,phase:2,severity:2,t:none,t:normalizePath,t:lowercase,ctl:ruleEngine=on,msg:'IM360 WAF: Magento 2.1.6 and below access to uploaded file DC-2017-04-003||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'"

# 77350160 / 77350161 - PrestaShop AP Page Builder apajax.php. Both are positive
# (allow-list) checks: the first blocks when product_all_one_img or image_product
# holds anything other than digits and commas, the second when
# product_manufacture holds anything other than word characters, commas and "-".
SecRule REQUEST_URI "@contains /modules/appagebuilder/apajax.php" "id:77350160,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,phase:2,msg:'IM360 WAF: SQLi in PrestaShop AP Page Builder module (CVE-2022-22897)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule ARGS:product_all_one_img|ARGS:image_product "@rx [^\d,]" "t:none"
SecRule REQUEST_URI "@contains /modules/appagebuilder/apajax.php" "id:77350161,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,phase:2,msg:'IM360 WAF: SQLi in PrestaShop AP Page Builder module (CVE-2022-22897)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule ARGS:product_manufacture "@rx [^\w,-]" "t:none"

# 77350162 / 77350163 - log-only ("pass") checks on the lgcookieslaw cookies.
# NOTE(review): regex alternation binds looser than concatenation, so the
# leading (?:^[^{]) applies only to the first alternative. As written the
# pattern reads: [first character is not "{" and the second is \x22 (\x27 in
# 77350163)] OR \x27 OR \x28 OR "||" OR "--" OR "=" anywhere in the value. The
# un-anchored alternatives, "=" in particular, will match many ordinary cookie
# values. Rule 77552070 further down groups the alternatives instead, which
# gives a different and much narrower match; the two forms disagree, so the
# intended semantics should be confirmed before relying on either for coverage.
SecRule REQUEST_COOKIES:lgcookieslaw|REQUEST_COOKIES:__lglaw "@rx (?:^[^{])\x22|\x27|\x28|\x7c\x7c|--|=" "id:77350162,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi in EU Cookie Law GDPR module for PrestaShop (CVE-2022-44727)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_COOKIES:lgcookieslaw_accepted_purposes "@rx (?:^[^{])\x27|\x28|\x7c\x7c|--|=" "id:77350163,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi in PrestaShop (CVE-2022-31181)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77552068 - /module/<name>/ URIs whose order / sort / orderby argument contains
# ";", "--", the strings ps_configuration or ps_smarty, or an
# UPDATE/INSERT/DELETE/DROP keyword followed by whitespace. The action is "block"
# although severity is 5, the level used for the log-only rules on these lines.
SecRule REQUEST_URI "@rx /module/\w{1,50}/" "id:77552068,chain,phase:2,block,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: SQLi in PrestaShop module (CVE-2022-31181)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule ARGS:order|ARGS:sort|ARGS:orderby "@rx (?i)(?:;|--|ps_configuration|ps_smarty|update\s{1,10}\w{1,50}\s{1,10}set|(?:update|insert|delete|drop)\s)" "t:none,t:urlDecodeUni"

# 77552069 - POST requests whose "z" or "payment_intent" argument contains one of
# the listed PHP code markers (phrase match after URL-decoding).
SecRule REQUEST_METHOD "@streq POST" "id:77552069,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Eval Injection in PrestaShop (CVE-2022-31181)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule ARGS:z|ARGS:payment_intent "@pm <?php file_put_contents( base64_decode( eval( exit(md5" "t:none,t:urlDecode"

# 77552070 - log-only. The alternatives are grouped here, so (?:^[^{]) applies
# to all of them: the rule matches only when the first character is not "{" and
# one of the listed tokens starts at the second character.
# NOTE(review): occurrences later in the value are not logged by this rule;
# confirm whether "does not start with { and contains one of these" was meant.
SecRule REQUEST_COOKIES:/__lglaw/|REQUEST_COOKIES:/lgcookieslaw/ "@rx (?:^[^{])(?:\x27|\x22|\x28|\x7c\x7c|--|=|;)" "id:77552070,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: SQLi in PrestaShop cookies (CVE-2022-31181)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350168 / 77350370 - WHMCS upload tracking, action "pass" with tag 'noshow'.
# 77350168 logs any POST that carries a cookie named WHMCS* and a non-empty file
# name. 77350370 narrows that to URIs containing /img/clients/ and to file names
# with one of the listed script or executable extensions.
SecRule REQUEST_METHOD "POST" "id:77350168,chain,pass,nolog,auditlog,severity:5,phase:2,t:none,msg:'IM360 WAF: Track WHMCS file upload||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
SecRule &REQUEST_COOKIES:/^WHMCS/ "@gt 0" "chain,t:none"
SecRule FILES "!@rx ^$" "t:none"
# NOTE(review): in 77350370 t:normalizePath is attached to the cookie-count rule,
# where it has nothing useful to normalise, while the REQUEST_URI rule after it
# has only t:none. The /img/clients/ test therefore runs on the URI as received;
# the transformation looks like it was meant for that rule.
SecRule REQUEST_METHOD "POST" "id:77350370,chain,pass,nolog,auditlog,severity:5,phase:2,t:none,msg:'IM360 WAF: Track files upload to WHMCS client area||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
SecRule &REQUEST_COOKIES:/^WHMCS/ "@gt 0" "chain,t:none,t:normalizePath"
SecRule REQUEST_URI "@contains /img/clients/" "chain,t:none"
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "t:none"

# The chain below (77350371) is cut by the page's line wrap and continues on the
# next line.
SecRule REQUEST_METHOD "POST" "id:77350371,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track files upload to WHMCS client area||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule &REQUEST_COOKIES:/^WHMCS/ "@gt 0" 
"chain,t:none,t:normalizePath" SecRule REQUEST_URI "@contains /img/clients/" "chain,t:none" SecRule REQUEST_HEADERS:content-type "!@rx ^image" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350371" SecRule REQUEST_METHOD "POST" "id:77350372,chain,block,nolog,auditlog,severity:2,phase:2,t:none,msg:'IM360 WAF: Track files upload to WHMCS client area||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule &REQUEST_COOKIES:/^WHMCS/ "@gt 0" "chain,t:none,t:normalizePath" SecRule REQUEST_URI "@contains /img/clients/" "chain,t:none" SecRule FILES "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "chain,t:none" SecRule REQUEST_HEADERS:content-type "@rx ^multipart" "t:none" SecRule REQUEST_URI "@contains /paypal/ipn.php" "id:77350178,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQL Injection Vulnerability in PayPal module for Prestashop 1.5 and 1.6 (CVE-2023-28843)||RSV:8.02||T:APACHE||MW:%{ARGS.receiver_email}||',tag:'service_im360'" SecRule ARGS:receiver_email "@rx \);" "t:none" SecRule REQUEST_METHOD "POST" "id:77350192,chain,block,nolog,auditlog,severity:2,phase:2,t:none,msg:'IM360 WAF: RCE in SPIP before 4.2.1 (CVE-2023-27372)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_FILENAME "@rx \/spip[^\.]*\.php" "chain,t:none,t:normalizePath" SecRule ARGS:page "@streq spip_pass" "chain,t:none" SecRule ARGS:oubli "@rx \x22\s*<" "t:none" SecRule REQUEST_URI "@rx \/cpanelwebcall\/[^<]*<[^\s.]+\s+[^=.]+=[^(]+\([^)]+\)" "id:77350202,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: XSS on the cPanel cpsrvd error page (CVE-2023-29489)||MV:%{REQUEST_URI}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_METHOD "@rx POST" "id:77350242,chain,block,nolog,auditlog,severity:2,phase:2,t:none,msg:'IM360 WAF: SQLi to file upload vulnerability in SQL manager for PrestaShop (CVE-2023-39526)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule 
REQUEST_URI "@rx admin[^\/]+\/index\.php" "chain,t:none,t:normalizePath" SecRule ARGS:controller "@streq AdminRequestSql" "chain,t:none" SecRule ARGS:sql "@pm outfile dumpfile" "t:none" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350320,phase:2,block,nolog,auditlog,severity:2,chain,t:none,msg:'IM360 WAF: Block suspicious endpoints||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_FILENAME "!@pm /lang/overrides/english /lang/overrides/hungarian /lang/overrides/spanish" "chain,t:none,t:normalizePath" SecRule REQUEST_FILENAME "@rx \/lang\/overrides\/[^\n]+\.php\d?" "t:none" SecRule REQUEST_METHOD "@rx (?i)post" "id:77350321,chain,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Prevent high-risk action||URI:%{REQUEST_URI}||WPU:%{TX.wp_user}||V1:%{TX.1}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@rx \/modules\/addons\/(hostx|cloudx|clientx)\/includes\/languagemanagement.php" "t:none,t:normalizePath" SecRule REQUEST_URI "@rx \/modules\/addons\/(\S+)\/includes\/languagemanagement.php" "id:77350322,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Monitoring high-risk action||URI:%{REQUEST_URI}||WPU:%{TX.wp_user}||V1:%{TX.1}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_HEADERS:User-Agent "@pm bytedancewebview" "id:77350582,skip:1,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,msg:'IM360 WAF: Bytedancewebview detected||UA:%{REQUEST_HEADERS.User-Agent}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_HEADERS:User-Agent "@pm bytespider" "id:77350374,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Scan attempt by bytespider crawler||UA:%{REQUEST_HEADERS.User-Agent}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest 
opensearchdescription.xml pgp-key.txt security.txt" "id:77350583,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Rate limit exceeded for Claudebot Crawler Bot||Count:%{SESSION.cld_limit}||Range:%{REQUEST_HEADERS.Range}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_HEADERS:User-Agent "@pm claudebot" "chain,t:none,initcol:session=%{REQUEST_HEADERS.Host}.claudebot" SecRule SESSION:cld_bot_block "@eq 1" "t:none" SecRule REQUEST_HEADERS:User-Agent "@pm claudebot" "id:77360582,chain,phase:2,block,nolog,auditlog,severity:2,initcol:session=%{REQUEST_HEADERS.Host}.claudebot,msg:'IM360 WAF: Rate limit exceeded for Claudebot Crawler Bot||Count:%{MATCHED_VAR}||Range:%{REQUEST_HEADERS.Range}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "chain,t:none,t:lowercase" SecRule SESSION:cld_limit "@gt 30" "t:none,setvar:session.cld_limit=0,setvar:session.cld_bot_block=1,expirevar:session.cld_bot_block=40,setvar:session.timeout=60" SecRule REQUEST_HEADERS:User-Agent "@pm claudebot" "id:77360581,chain,phase:2,pass,skip:1,nolog,severity:5,t:none,tag:'service_im360'" SecRule &REQUEST_HEADERS:Range "@eq 0" "chain,t:none" SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "t:none,t:lowercase,initcol:session=%{REQUEST_HEADERS.Host}.claudebot,setvar:session.cld_limit=+1,setvar:session.timeout=60" SecRule REQUEST_HEADERS:User-Agent "@pm claudebot" "chain,id:77360580,phase:2,pass,nolog,severity:5,t:none,tag:'service_im360'" SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt 
favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "chain,t:none,t:lowercase" SecRule &REQUEST_HEADERS:Range "@eq 0" "t:none,initcol:session=%{REQUEST_HEADERS.Host}.claudebot,setvar:session.cld_limit=+1,expirevar:session.cld_limit=20,setvar:session.timeout=60" SecRule REQUEST_URI "@contains /module/blockwishlist" "id:77350402,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible SQLi in PrestaShop module (CVE-2022-31101)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS:order "@detectSQLi" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@streq /blm.php" "id:77350403,phase:2,block,nolog,auditlog,severity:2,t:none,status:403,msg:'IM360 WAF: [RBL] Possible SQLi in PrestaShop module (CVE-2022-31101)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_METHOD "@streq POST" "id:77552072,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Direct access to Smarty internals in PrestaShop (CVE-2022-36408)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@rx /tools/smarty/(?:sysplugins|plugins)/" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS "@rx ." 
"t:none" SecRule REQUEST_METHOD "@streq POST" "id:77552073,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: SQLi via smartsearch in PrestaShop (CVE-2022-36408)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS:smartsearch "@rx (?i)(?:\x27\s{0,10}\)|;\s{0,10}select|0x[0-9a-f]{20,})" "t:none,t:urlDecodeUni" SecRule REQUEST_FILENAME "@endsWith /install/index.php.bak" "id:77142111,chain,msg:'IM360 WAF: DedeCMS variable coverage leads to getshell (CVE-2015-4553)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,tag:'other_apps'" SecRule ARGS:install_demo_name "@streq ../data/admin/config_update.php" "t:none,t:lowercase" SecRule REQUEST_FILENAME "@endsWith /php-cgi/php-cgi.exe" "id:77350496,phase:2,block,severity:2,nolog,auditlog,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: RCE through argument injection in PHP CGI (CVE-2024-4577)||URI:%{REQUEST_URI}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_FILENAME "@contains /wp-json/notificationx/v1/analytics" "id:77350538,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:normalizePath,t:urlDecodeUni,msg:'IM360 WAF: Unauthenticated SQL Injection in NotificationX <= 2.8.2 (CVE-2024-1698)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule ARGS|ARGS_NAMES "@detectSQLi" "t:none,t:lowercase,t:normalizePath,t:urlDecode" SecRule REQUEST_FILENAME "@contains /estimate-shipping-methods" "id:77350556,chain,phase:2,block,nolog,auditlog,severity:2,t:normalizePath,msg:'IM360 WAF: Unauthenticated XXE in Adobe Commerce and Magento Open Source <= 2.4.7 (CVE-2024-7031)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_FILENAME "@contains /guest-carts/" "chain,t:none" SecRule ARGS:address.totalsReader.collectorList.totalCollector.sourceData.options "@eq 16" "chain,t:normalizePath" SecRule 
ARGS:address.totalsReader.collectorList.totalCollector.sourceData.data "\/\/" "t:none" SecRule REQUEST_FILENAME "@contains /estimate-shipping-methods" "id:77350557,phase:2,chain,block,nolog,auditlog,severity:2,t:normalizePath,msg:'IM360 WAF: Adobe Commerce and Magento Open Source <= 2.4.7 - unauthenticated XXE (CVE-2024-7031)||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_FILENAME "@contains /guest-carts/" "chain" SecRule ARGS:address.totalsReader.collectorList.totalCollector.sourceData.dataIsURL "@contains true" "t:normalizePath,chain" SecRule ARGS:address.totalsReader.collectorList.totalCollector.sourceData.data "\/\/" "t:none" SecRule REQUEST_URI|REQUEST_BODY|ARGS|REQUEST_HEADERS "@rx \b__proto__\b=([^\n\r]+)" "id:77140766,phase:2,pass,nolog,auditlog,severity:5,t:urlDecodeUni,msg:'IM360 WAF: Object.prototype pollution in jQuery JavaScript library before 3.4.0 (CVE-2019-11358)||RSV:8.02||T:APACHE||proto_value=%{TX.1}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_URI "@contains /dataBases/upgrademysqlstatus" "id:77350564,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:urlDecodeUni,msg:'IM360 WAF: RCE vulnerability in CyberPanel (CVE-2024-51567)||RSV:8.02||T:APACHE||',tag:'other_apps'" SecRule REQUEST_METHOD "@rx PUT" "id:77666029,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: XXE in Magento <= 2.4.7 (CVE-2024-34102)||MVN:%{tx.mvn}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@rx /V1/cmsBlock/\d" "chain,t:none,t:normalizePath" SecRule ARGS|REQUEST_BODY "@rx (?i)(<script>\s*(function _0x[0-9a-f]{6}\)|var\s+\w+\s*=\s*\x22\w{999,}))" "chain,t:none,setvar:tx.mvn=%{MATCHED_VAR_NAME}" SecRule MATCHED_VAR "@rx (?i)(while\(\!\!\[\]|\/\*\*\/function\/\*\*\/\(\w+\)\s*\[\x22)" "chain,t:none" SecRule MATCHED_VAR "@rx =\s*parseInt\((?:_0x[0-9a-f]{6}\(|\w\d{5}\[\d+\],\d+\))" "t:none" SecRule REQUEST_METHOD 
"@rx PUT" "id:77418344,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XXE in Magento <= 2.4.7 (CVE-2024-34102)||MVN:%{tx.mvn}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@rx /V1/cmsBlock/\d|/V1/guest-carts/[^\/]+/estimate-shipping-methods" "chain,t:none,t:normalizePath" SecRule ARGS|REQUEST_BODY "@rx (?i).{0,50}<!ENTITY\s+(?:\x25\s[^\s]+|sp)\s+SYSTEM\s+\W+https?:\/\/" "t:none" SecRule REQUEST_METHOD "@rx PUT|POST" "id:77816158,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: XXE in Magento <= 2.4.7 (CVE-2024-34102)||MVN:%{tx.mvn}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@rx /V1/cmsBlock/\d|/V1/guest-carts/[^\/]+/estimate-shipping-methods" "chain,t:none,t:normalizePath" SecRule ARGS|REQUEST_BODY "@rx (?i)(<script>\s*(function _0x[0-9a-f]{1,8}|var\s+_0x[a-f0-9]+\s*=\s*_0x[0-9a-f]{1,8}|var\s+_0x[a-f0-9]{1,8}\s*=\s*_0x)|function\(\)\{var _0x[0-9a-f]{1,8}=_0x[0-9a-f]{1,8})" "chain,t:none,setvar:tx.mvn=%{MATCHED_VAR_NAME}" SecRule MATCHED_VAR "@rx (while\(\!\!\[\]\)\{try\{var\s+_0x[a-fA-F0-9]{1,8}\s*=\s*\WparseInt\s*\(_0x[a-fA-F0-9]{6}\(0x[a-fA-F0-9]{1,8}\)\)/0x[a-fA-F0-9]{1,8}\W+parseInt\s*\(_0x[a-fA-F0-9]{6}\(0x[a-fA-F0-9]{1,8}\)\)/0x[a-fA-F0-9]{1,8}\W+parseInt\s*\(_0x[a-fA-F0-9]{6}\(0x[a-fA-F0-9]{1,8}\)\)/0x[a-fA-F0-9]{1,8}\W+)" "t:none" SecRule REQUEST_METHOD "@rx PUT|POST" "id:77816159,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: XXE in Magento <= 2.4.7 (CVE-2024-34102)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_URI "@rx /V1/cmsBlock/\d|/V1/guest-carts/[^\/]+/estimate-shipping-methods" "chain,t:none,t:normalizePath" SecRule ARGS|REQUEST_BODY "@rx (?i)(<script>\s*(function _0x[0-9a-f]{1,8}|var\s+_0x[a-f0-9]+\s*=\s*_0x[0-9a-f]{1,8}|var\s+_0x[a-f0-9]{1,8}\s*=\s*_0x)|function\(\)\{var _0x[0-9a-f]{1,8}=_0x[0-9a-f]{1,8})" "chain,t:none,t:base64Decode,setvar:tx.mvn=%{MATCHED_VAR_NAME}" 
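SecRule MATCHED_VAR "@rx (while\(\!\!\[\]\)\{try\{var\s+_0x[a-fA-F0-9]{1,8}\s*=\s*\WparseInt\s*\(_0x[a-fA-F0-9]{6}\(0x[a-fA-F0-9]{1,8}\)\)/0x[a-fA-F0-9]{1,8}\W+parseInt\s*\(_0x[a-fA-F0-9]{6}\(0x[a-fA-F0-9]{1,8}\)\)/0x[a-fA-F0-9]{1,8}\W+parseInt\s*\(_0x[a-fA-F0-9]{6}\(0x[a-fA-F0-9]{1,8}\)\)/0x[a-fA-F0-9]{1,8}\W+)" ""
# (The directive above is the last link of a chain whose starter precedes it;
# its action list is empty, so transformations come from SecDefaultAction.)

# 77816160 (pass, audit only): PUT/POST carrying a non-empty __mage_static
# cookie; appends r77816160 to tx.rbl_infectors_rule.
# NOTE(review): the message references tx.mvn, which this chain does not set.
SecRule REQUEST_METHOD "@rx PUT|POST" "id:77816160,chain,phase:2,pass,nolog,auditlog,severity:6,t:none,msg:'IM360 WAF: XXE in Magento <= 2.4.7 (CVE-2024-34102)||MVN:%{tx.mvn}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_COOKIES:__mage_static "@rx ." "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77816160'"

# 77816161 (pass, audit only): any PUT/POST to cmsBlock or guest-carts
# estimate-shipping-methods; appends r77816161 to tx.rbl_infectors_rule.
SecRule REQUEST_METHOD "@rx PUT|POST" "id:77816161,chain,phase:2,pass,nolog,auditlog,severity:6,t:none,msg:'IM360 WAF: XXE in Magento <= 2.4.7 (CVE-2024-34102)||MVN:%{tx.mvn}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@rx /V1/cmsBlock/\d|/V1/guest-carts/[^\/]+/estimate-shipping-methods" "t:none,t:normalizePath,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77816161'"

# --- Adobe Commerce REST tracking group, ends at SecMarker REST_V1_MARKER ---
# A rule carrying skipAfter:REST_V1_MARKER jumps past the rest of the group
# once its chain matches. The captured snippet (TX.1) is logged as MV.

# 77649683 (block): entity declaration, external SYSTEM reference or the
# "while(!![]" loop marker in any argument sent to the two endpoints.
SecRule REQUEST_URI "@rx /V1/cmsBlock/\d|/V1/guest-carts/[^\/]+/estimate-shipping-methods" "id:77649683,chain,phase:2,skipAfter:REST_V1_MARKER,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: XXE tracking in Adobe Commerce API||MV:%{TX.1}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS "@rx (?i)(.{0,40}(<!ENTITY|SYSTEM\s+\W+http|while\(\!\!\[\]).{20,500})" "t:none,t:urlDecode,capture"

# 77666032 (pass, audit only): wider marker list on the same endpoints.
# NOTE(review): the setvar sits on the chain starter; ModSecurity v2 runs
# non-disruptive actions of a link as soon as that link matches, so
# tx.rbl_infectors_rule is presumably tagged for every request to these
# endpoints, not only when the ARGS pattern hits - confirm this is intended.
SecRule REQUEST_URI "@rx /V1/cmsBlock/\d|/V1/guest-carts/[^\/]+/estimate-shipping-methods" "id:77666032,chain,phase:2,skipAfter:REST_V1_MARKER,pass,nolog,auditlog,severity:5,t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77666032',msg:'IM360 WAF: [RBL] XXE tracking in Adobe Commerce API||MV:%{TX.1}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS "@rx (?i)(.{0,40}(?:<script>\s*(?:function |var\s+\w+\s*=\s*\x22\w{999,})|=\s*parseInt\(_0x[0-9a-f]{6}\(|<!ENTITY|SYSTEM \x22|while\(\!\!\[\]|\/\*\*.function.\*\*\/\().{20,500})" "t:none,t:urlDecode,capture"

# 77924301 (pass, audit only): as 77666032, with the argument base64-decoded
# after URL decoding.
SecRule REQUEST_URI "@rx /V1/cmsBlock/\d|/V1/guest-carts/[^\/]+/estimate-shipping-methods" "id:77924301,chain,phase:2,skipAfter:REST_V1_MARKER,pass,nolog,auditlog,severity:5,t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77924301',msg:'IM360 WAF: [RBL] XXE tracking in Adobe Commerce API||MV:%{TX.1}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS "@rx (?i)(.{0,40}(?:<script>\s*(?:function |var\s+\w+\s*=\s*\x22\w{999,})|=\s*parseInt\(_0x[0-9a-f]{6}\(|<!ENTITY|SYSTEM \x22|while\(\!\!\[\]|\/\*\*.function.\*\*\/\().{20,500})" "t:none,t:urlDecode,t:base64Decode,capture"

# 77666031 (pass, audit only): same marker list on any /rest/V1/ route.
SecRule REQUEST_URI "@rx /rest/V1/" "id:77666031,chain,phase:2,pass,skipAfter:REST_V1_MARKER,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XXE tracking in Adobe Commerce API||MV:%{TX.1}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS "@rx (?i)(.{0,40}(?:<script>\s*(?:function |var\s+\w+\s*=\s*\x22\w{999,})|=\s*parseInt\(_0x[0-9a-f]{6}\(|<!ENTITY|SYSTEM \x22|while\(\!\!\[\]|\/\*\*.function.\*\*\/\().{20,500})" "t:none,t:urlDecode,capture"

# 77924302 (pass, audit only): base64-decoded variant of 77666031.
SecRule REQUEST_URI "@rx /rest/V1/" "id:77924302,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XXE tracking in Adobe Commerce API||MV:%{TX.1}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS "@rx (?i)(.{0,40}(?:<script>\s*(?:function |var\s+\w+\s*=\s*\x22\w{999,})|=\s*parseInt\(_0x[0-9a-f]{6}\(|<!ENTITY|SYSTEM \x22|while\(\!\!\[\]|\/\*\*.function.\*\*\/\().{20,500})" "t:none,t:urlDecode,t:base64Decode,capture"

SecMarker REST_V1_MARKER

# 77726863 (pass, audit only): libinjection XSS hit in preferredPublicName* or
# subject on the grid update-author / update-query routes.
SecRule REQUEST_METHOD "@rx POST" "id:77726863,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XSS vulnerability in Pkp Ojs v3.3 (CVE-2024-25434,CVE-2024-25436,CVE-2024-25438)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_URI "@rx -grid/update-(author|query)" "chain,t:none"
    SecRule ARGS:/preferredPublicName/|ARGS:subject "@detectXSS"

# 77314957 (pass, audit only): users_edit.php receiving typ[] both as "admin"
# and as an empty value.
# NOTE(review): REQUEST_URI includes the query string, so the "$" anchor only
# matches requests without one - confirm against how the form is submitted.
SecRule REQUEST_URI "@rx /users_edit\.php$" "id:77314957,phase:2,chain,pass,nolog,auditlog,severity:5,t:normalizePath,msg:'IM360 WAF: ISPConfig RCE typ[] bypass detected - admin creation attempt via manipulated parameters',tag:'service_im360'"
    SecRule ARGS:typ[] "@rx ^admin$" "chain"
    SecRule ARGS:typ[] "@rx ^$" ""

# 77314958 (pass, audit only): users_edit.php receiving a typ[] value other
# than "user" or "admin".
SecRule REQUEST_URI "@rx /users_edit\.php$" "id:77314958,phase:2,chain,pass,nolog,auditlog,severity:5,t:normalizePath,msg:'IM360 WAF: ISPConfig RCE typ[] bypass detected - admin creation attempt via manipulated parameters',tag:'service_im360'"
    SecRule ARGS:typ[] "!@rx ^(user|admin)$" ""

# 77837143 (pass, audit only): libinjection XSS hit in template_text /
# template_styles on the e-mail template editor; appends r77837143 to
# tx.rbl_infectors_rule.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77837143,phase:2,chain,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Magento admin takeover via menu injection (CVE-2025-47110)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_URI "@rx /email_template/edit/id/" "chain,t:normalizePath"
    SecRule ARGS:template_text|ARGS:template_styles "@detectXSS" "t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77837143"

# 77238628 (block): "__class" key in an argument or the body of a
# generate-transform action request.
SecRule REQUEST_METHOD "^POST$" "id:77238628,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Remote code execution in CraftCMS 3.0.0-RC1 - 3.9.14, 4.0.0-RC1 - 4.14.14, 5.0.0-RC1 - 5.6.16 (CVE-2025-32432)||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'other_apps'"
    SecRule REQUEST_URI "@contains actions/assets/generate-transform" "chain,t:normalizePath"
    SecRule ARGS|REQUEST_BODY "@rx .{0,100}__class.{0,200}" "t:none,t:urlDecodeUni"

# 77609288 (block): multipart POST to /customer/address_file/upload whose
# custom_attributes[country_id] value contains .phar, .php or /tmp/sess_.
SecRule REQUEST_METHOD "POST" "id:77609288,phase:2,block,chain,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Improper Input Validation vulnerability in Adobe commerce <= 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 (CVE-2025-54236) - file upload attempt||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@contains /customer/address_file/upload" "chain,t:none,t:normalizePath"
    SecRule REQUEST_HEADERS:Content-Type "multipart/form-data" "t:none,t:lowercase,chain"
    SecRule ARGS:custom_attributes[country_id] "." "t:none,chain"
    SecRule MATCHED_VAR "@pm .phar .php /tmp/sess_" "t:none"

# 77498676 (pass, audit only): monitoring twin of 77609288 without the
# Content-Type condition.
SecRule REQUEST_METHOD "POST" "id:77498676,phase:2,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: [monitor] SessionReaper file upload in Adobe Commerce (CVE-2025-54236)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@contains /customer/address_file/upload" "chain,t:none,t:normalizePath"
    SecRule ARGS:custom_attributes[country_id] "." "t:none,chain"
    SecRule MATCHED_VAR "@pm .phar .php /tmp/sess_" "t:none"

# 77609289 (block): JSON PUT to guest-carts/<id>/order whose nested
# ...sessionConfig.savePath argument contains one of the listed words.
SecRule REQUEST_METHOD "PUT" "id:77609289,phase:2,block,chain,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Improper Input Validation vulnerability in Adobe commerce <= 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 (CVE-2025-54236) - RCE attempt||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_HEADERS:Content-Type "application/json" "t:none,t:lowercase,chain"
    SecRule REQUEST_FILENAME "@rx /rest/[^/]{1,99}/V1/guest-carts/[^/]{1,99}/order" "chain,t:none,t:normalizePath"
    SecRule ARGS:/paymentMethod\.paymentData\.context(\.urlDecoder)?\.urlBuilder\..+?session\.sessionConfig\.savePath/ "." "t:none,chain"
    SecRule MATCHED_VAR "@pm invalid test fake exist" "t:none"

# 77609296 / 77129795 (pass, audit only): PHP-serialized object naming a Guzzle
# cookie class in the raw body (sets tx.guzzle_poi) or in a parsed argument
# (sets tx.guzzle_poi_v2) of a guest-carts order request.
SecRule REQUEST_METHOD "@rx ^(?:PUT|POST)$" "id:77609296,phase:2,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Monitor Guzzle serialized object in Magento guest-carts order||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@rx /rest/[^/]{1,99}/V1/guest-carts/[^/]{1,99}/order" "chain,t:none,t:normalizePath"
    SecRule REQUEST_BODY "@rx O:\d+:\x22[^\x22]*(?:FileCookieJar|CookieJar|SetCookie|GuzzleHttp)" "t:none,t:urlDecodeUni,setvar:tx.guzzle_poi=1"
SecRule REQUEST_METHOD "@rx ^(?:PUT|POST)$" "id:77129795,phase:2,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: [monitor] Guzzle serialized object in Magento guest-carts order (CVE-2025-54236 POP chain)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@rx /rest/[^/]{1,99}/V1/guest-carts/[^/]{1,99}/order" "chain,t:none,t:normalizePath"
    SecRule ARGS "@rx O:\d+:\x22[^\x22]*(?:FileCookieJar|CookieJar|SetCookie|GuzzleHttp)" "t:none,t:urlDecodeUni,setvar:tx.guzzle_poi_v2=1"

# 77609297 (pass, audit only): follow-up to the two rules above - either flag
# set and an argument containing a PHP file extension before a quote or a PHP
# open tag.
SecRule TX:guzzle_poi|TX:guzzle_poi_v2 "@gt 0" "id:77609297,phase:2,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: PHP Object Injection via Guzzle FileCookieJar - webshell upload attempt (Magento POP chain)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS "@rx \.ph(?:p[3-8]?|tml|ar|t|s)\x22|<\?(?:php|=)" "t:none,t:urlDecodeUni"

# 77609298 / 77609618 (pass, audit only): same scheme for serialized Smarty
# classes; flags are tx.smarty_poi and tx.smarty_poi_v2.
SecRule REQUEST_METHOD "@rx ^(?:PUT|POST)$" "id:77609298,phase:2,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Monitor Smarty serialized object in Magento guest-carts order||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@rx /rest/[^/]{1,99}/V1/guest-carts/[^/]{1,99}/order" "chain,t:none,t:normalizePath"
    SecRule REQUEST_BODY "@rx O:\d+:\x22[^\x22]*Smarty_(?:Internal|Template)" "t:none,t:urlDecodeUni,setvar:tx.smarty_poi=1"
SecRule REQUEST_METHOD "@rx ^(?:PUT|POST)$" "id:77609618,phase:2,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: [monitor] Smarty serialized object in Magento guest-carts order (CVE-2025-54236 POP chain)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@rx /rest/[^/]{1,99}/V1/guest-carts/[^/]{1,99}/order" "chain,t:none,t:normalizePath"
    SecRule ARGS "@rx O:\d+:\x22[^\x22]*Smarty_(?:Internal|Template)" "t:none,t:urlDecodeUni,setvar:tx.smarty_poi_v2=1"

# 77609299 (pass, audit only): Smarty flag set and ".htaccess" in an argument.
SecRule TX:smarty_poi|TX:smarty_poi_v2 "@gt 0" "id:77609299,phase:2,pass,chain,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: PHP Object Injection via Smarty POP chain - .htaccess manipulation attempt (Magento)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS "@rx \.htaccess" "t:none,t:urlDecodeUni"

# 77710732 (block): guest-carts/<id>/items request where an argument whose name
# contains "name" or "file_info.type" ends in a PHP-family extension.
SecRule REQUEST_METHOD "@rx ^(?:PUT|POST)$" "id:77710732,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Unrestricted file upload in Magento guest-carts API before 2.4.9 (CVE-2025-54265)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@rx /rest/(?:[^/]{1,99}/)?V1/guest-carts/[^/]{1,99}/items" "chain,t:none,t:normalizePath"
    SecRule ARGS:/name/|ARGS:/file_info\.type/ "@rx \.ph(?:p[3-8]?|tml|ar|t|s)$" "t:none,t:urlDecodeUni,t:lowercase"

# 77264624 (block): request for a file named accesson*.php or .accesson*.php.
SecRule REQUEST_FILENAME "@rx /\.?accesson[^/]{0,20}\.php" "id:77264624,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Polyshell accesson backdoor access (CVE-2025-54265 post-exploit)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77886006 (block): any non-empty base64_encoded_data argument on the
# guest-carts items route.
SecRule REQUEST_METHOD "@rx ^(?:PUT|POST)$" "id:77886006,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: File upload via Magento guest-carts custom_options API (CVE-2025-54265 polyglot variant)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@rx /rest/(?:[^/]{1,99}/)?V1/guest-carts/[^/]{1,99}/items" "chain,t:none,t:normalizePath"
    SecRule ARGS:/base64_encoded_data/ "@rx ." "t:none"

# 77308183 (block): PHP code markers inside the base64-decoded upload data.
# The pattern is case-insensitive because t:lowercase runs before it; without
# (?i) the upper-case superglobal alternatives could never match lower-cased input.
# NOTE(review): 77886006 above already blocks every non-empty
# base64_encoded_data on this route, so this rule only adds value where that
# one is disabled.
SecRule REQUEST_METHOD "@rx ^(?:PUT|POST)$" "id:77308183,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: PHP code in Magento guest-carts file upload (CVE-2025-54265 polyglot webshell)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@rx /rest/(?:[^/]{1,99}/)?V1/guest-carts/[^/]{1,99}/items" "chain,t:none,t:normalizePath"
    SecRule ARGS:/base64_encoded_data/ "@rx (?i)<\?php|<\?=|eval\s*\(|system\s*\(|passthru\s*\(|shell_exec\s*\(|exec\s*\(|base64_decode\s*\(|md5\s*\(\s*\$_|error_reporting\s*\(\s*0|@copy\s*\(\s*\$_FILES|\$_(?:REQUEST|GET|POST|COOKIE|FILES)\s*\[" "t:none,t:base64Decode,t:lowercase"

# 77609300 (pass, audit only): GET/POST to a hidden file named with exactly the
# pattern ".<15 digits>.php".
SecRule REQUEST_METHOD "@rx ^(?:POST|GET)" "id:77609300,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible phishing page detected||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@rx \/\.\d{15}\.php" "t:none"

# 77093094 (block): POST with a next-action / rsc-action-id / rsc header and a
# prototype-pollution or module#method marker in one of the listed arguments.
SecRule REQUEST_METHOD "@streq POST" "id:77093094,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE via prototype pollution in React Server Components < 19.0.1/19.1.2/19.2.1 or Next.js < 15.0.5/16.0.7 (CVE-2025-55182, CVE-2025-66478)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:/next-action/|REQUEST_HEADERS:/rsc-action-id/|REQUEST_HEADERS:/rsc/ "@rx ." "t:none,t:lowercase,chain"
    SecRule ARGS:/^\d+$/|ARGS:_response|ARGS:_prefix|ARGS:_formData|ARGS:/^\$ACTION_\d+/ "@rx (?:(?:constructor:constructor|__proto__)|(?:child_process|fs|vm|process)#(?:exec|read|write|runIn)|resolved_model)" "t:none,t:urlDecode"

# 77093096 (block): same header gate (exact header names), any argument with a
# pollution marker AND any argument with a command-execution call.
SecRule REQUEST_METHOD "@streq POST" "id:77093096,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: RCE via prototype pollution in React Server Components < 19.0.1/19.1.2/19.2.1 or Next.js < 15.0.5/16.0.7 (CVE-2025-55182, CVE-2025-66478)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS_NAMES "@rx ^(?:next-action|rsc-action-id|rsc)$" "t:none,t:lowercase,chain"
    SecRule ARGS "@rx (?:\$\d+:(?:__proto__|constructor:constructor):)|(?:process\.mainModule\.require|vm#runIn(?:This|New)Context)" "chain,t:none"
    SecRule ARGS "@rx (exec|spawnSync|execSync|readFileSync)\(.{1,3}(pwd|php|find|ls|eval|cat|export|process.cwd|id|cd|whoami|printenv|echo|ping|node|powershell|set|curl|cmd|wget|chmod|sh|nslookup|uname|grep|bin/|test|hostname|printf|env|if|Buffer.from)'" "t:none"

# 77093095 (pass, audit only): header gate plus the pollution marker alone.
SecRule REQUEST_METHOD "@streq POST" "id:77093095,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: RCE via RSC Flight payload in React Server Components < 19.0.1/19.1.2/19.2.1 or Next.js < 15.0.5/16.0.7 (CVE-2025-55182, CVE-2025-66478)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:/next-action/|REQUEST_HEADERS:/rsc-action-id/|REQUEST_HEADERS:/rsc/ "@rx ." "t:none,t:lowercase,chain"
    SecRule ARGS "@rx (?:\$\d+:(?:__proto__|constructor:constructor):)|(?:process\.mainModule\.require|vm#runIn(?:This|New)Context)" "t:none"

# 77055163 (pass, audit only): POST/PUT with a non-empty body to a
# .../feed/update route of the MGT Varnish module.
SecRule REQUEST_METHOD "@pm POST PUT" "id:77055163,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: RCE backdoor in MGT Varnish module for Magento <= 1.0.10||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_URI "@rx /(?:mgt_?varnish|mgt|varnish)/feed/update" "t:none,t:lowercase,t:normalizePath,chain"
    SecRule REQUEST_BODY "@rx ." "t:none,capture"

# 77412225 (pass, logging phase 5): text/x-component request whose body nests a
# Promise inside a Promise value.
SecRule REQUEST_METHOD "@streq POST" "id:77412225,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: DoS via nested Promise deserialization in React Server Components < 19.2.2 (CVE-2025-55184)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_HEADERS:Accept "@contains text/x-component" "chain,t:none,t:lowercase"
    SecRule REQUEST_BODY "@rx \"type\":\s{0,16}\"Promise\",\s{0,16}\"value\":\s{0,16}\{\s{0,16}\"type\":\s{0,16}\"Promise\"" "t:none"

# 77370748 (pass, audit only): WebDAV request carrying the OC-Credential,
# OC-Verb and OC-Expires arguments, an empty OC-Date and a 64-hex-digit
# OC-Signature.
SecRule REQUEST_URI "@rx /remote\.php/(webdav|dav)/" "id:77370748,chain,phase:2,pass,nolog,auditlog,t:none,t:lowercase,severity:5,msg:'IM360 WAF: Authentication Bypass in ownCloud Server < 10.13.1 (CVE-2023-49105)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule &ARGS:OC-Credential "@ge 1" "chain,t:none"
    SecRule &ARGS:OC-Verb "@ge 1" "chain,t:none"
    SecRule &ARGS:OC-Expires "@ge 1" "chain,t:none"
    SecRule ARGS:OC-Date "@rx ^$" "chain,t:none"
    SecRule ARGS:OC-Signature "@rx ^[a-f0-9]{64}$" "t:none,t:lowercase"

# 77092064 (block): filestore testconnection call to /admin/ajax.php where any
# argument contains a shell metacharacter (backtick, $, parentheses, ;, |, &, <, >).
SecRule REQUEST_FILENAME "@endsWith /admin/ajax.php" "id:77092064,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Command Injection in FreePBX filestore before 17.0.3 (CVE-2025-64328)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:module "@streq filestore" "t:none,chain"
    SecRule ARGS:command "@streq testconnection" "t:none,chain"
    SecRule ARGS "@rx [\x60\x24\x28\x29\x3b\x7c\x26\x3e\x3c]" "t:none,t:urlDecodeUni"

# 77150924 (block): POST with get_url starting http(s):// and dpath starting "/".
SecRule REQUEST_METHOD "@streq POST" "id:77150924,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: EncystPHP web shell file dropper activity (CVE-2025-64328)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS:get_url "@rx ^https?://" "t:none,t:urlDecodeUni,chain"
    SecRule ARGS:dpath "@rx ^/" "t:none,t:urlDecodeUni"

# 77093097 (pass, audit only): POST/PUT argument containing one of a fixed list
# of code fragments and file-system paths.
SecRule REQUEST_METHOD "POST|PUT" "id:77093097,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Suspicious code in request||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS "<\?php if \(!function_exists\('wp_enqueue_async_script'\)|\(user_login: '[^']+(?:admin|fox)|if \(isset\(\$_COOKIE\['WORDPRESS_ADMIN_USER'\]\) |\{ die\('WP ADMIN USER EXISTS'\); \}|wp_insert_user\(\$params\); update_option\('_pre_user_id', \$id\);|user_login: '[^,]+, user_pass: '[^,]+, role: '[^']+administrator'|wp_add_custom_meta_box\(\)|wp_schedule_event_action\(\)|wp_generate_dynamic_cache\(\$views\)|str_replace\('WHERE \w+=\w+', \x22WHERE \{\$id\}=\{\$id\} AND \{\$wpdb->users\}\.ID<>\{\$id\}\x22, \$user_search->query_where\)|function wp_enqueue_async_script\(\$user_search\) \{|add_action\('pre_user_query', 'wp_enqueue_async_script'\);|if \(!function_exists\('wp_enqueue_async_script'\) && function_exists\('add_action'|\$HOME/\.systemd-utils|/tmp/vim \x22/usr/lib/polkit-1/polkitd --no-debug|export PATH=\$PATH:\$\(pwd\)|/sys/kernel/mm/transparent_hugepage/hpage_pmd_size|/proc/self/auxv|socket5Quick.StopProxy|ShellLinux.Shell|ShellLinux.Exec_shell|ProcessLinux.sendBody|ProcessLinux.ProcessTask" "t:none,t:urlDecode"

# 77890001 (pass, audit only): tag opener, javascript: scheme or inline event
# handler in the sSort argument.
SecRule ARGS:sSort "@rx (?:<[a-z/]|javascript:|on(?:error|load|click|mouseover|focus|blur)\s*=)" "id:77890001,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'IM360 WAF: Reflected XSS in Quick.Cart via sSort parameter (CVE-2025-67683)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77890002 (block): any script whose name ends in "admin.php" receiving an
# argument with a traversal to a sensitive file or a stream-wrapper scheme.
# NOTE(review): t:normalizePath collapses repeated slashes, so the
# "(?:php|data|expect|zip)://" alternative presumably cannot match after it -
# verify with a test request. The file-name test is not specific to Quick.Cart
# and also covers other applications' admin.php.
SecRule REQUEST_FILENAME "@endsWith admin.php" "id:77890002,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: RCE via LFI/Path Traversal in Quick.Cart theme selection (CVE-2025-67684)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS "@rx (?:(?:\.\./|\.\.\\\\).{0,100}(?:wp-config\.php|etc/passwd|win\.ini|system\.ini|\.(?:sqlite|db|env)|config\.php)|(?:php|data|expect|zip)://)" "t:none,t:urlDecodeUni,t:normalizePath"

# 77890003 (pass, audit only): traversal sequence or NUL byte in the sLanguage cookie.
SecRule REQUEST_COOKIES:sLanguage "@rx (?:\.\./|\.\.\\\\|\x00)" "id:77890003,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: LFI via sLanguage cookie in Quick.Cart (CVE-2025-67684)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77890004 (pass, audit only): admin.php save request whose Referer does not
# contain the server name.
# NOTE(review): a request with no Referer header gives the last link nothing to
# evaluate, so it presumably goes unreported; "@contains" also accepts the
# server name anywhere in the Referer (path or query) - treat as a weak signal.
SecRule REQUEST_METHOD "@streq POST" "id:77890004,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: CSRF in Quick.Cart admin forms (CVE-2025-10317)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith admin.php" "chain,t:none,t:lowercase"
    SecRule ARGS:sOption "@streq save" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# 77890005 (pass, audit only): admin.php login (p=login with sLogin present)
# whose Referer does not contain the server name. The Referer caveats of
# 77890004 apply here as well.
SecRule REQUEST_METHOD "@streq POST" "id:77890005,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Session Fixation in Quick.Cart admin login (CVE-2026-23796)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith admin.php" "chain,t:none,t:lowercase"
    SecRule ARGS:p "@streq login" "chain,t:none,t:lowercase"
    SecRule &ARGS:sLogin "@ge 1" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# 77924303 (pass, audit only): upload of a script-like file name to
# /admin/media/upload.php.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77924303,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: WebsiteBaker CMS dangerous file upload to admin media (<=2.8.1)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule REQUEST_FILENAME "@contains /admin/media/upload.php" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|phar|inc|htaccess|module)(?:\W|$)" "t:none,t:urlDecodeUni,t:lowercase"

# 77924304 (pass, audit only): libinjection SQLi hit in id / page_id on
# /admin/pages/modify.php.
SecRule REQUEST_FILENAME "@contains /admin/pages/modify.php" "id:77924304,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: WebsiteBaker CMS SQLi in admin page modify (2.8.x public exploits)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:id|ARGS:page_id "@detectSQLi" "t:none,t:urlDecodeUni"

# 77924305 (pass, audit only): libinjection SQLi hit in the language argument
# of /account/preferences.php.
SecRule REQUEST_FILENAME "@contains /account/preferences.php" "id:77924305,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,t:normalizePath,msg:'IM360 WAF: WebsiteBaker CMS SQLi in account language preference||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'other_apps'"
    SecRule ARGS:language "@detectSQLi" "t:none,t:urlDecodeUni"

# --- WHM json-api rules (WPT-2497) ---

# 77060778 (block, phase 1): unversioned json-api call with a Basic
# Authorization value that, once base64-decoded, carries injected session
# fields, and a whostmgrsession cookie without an encoded comma.
# NOTE(review): the message writes the raw base64 Authorization value
# (AuthB64) and the session cookie to the audit log - restrict access to that
# log accordingly. A request with no whostmgrsession cookie presumably does not
# satisfy the last link; 77538918 below checks the cookie count explicitly.
SecRule REQUEST_URI "@rx ^/(?:cpsess\d+/)?json-api/" "id:77060778,chain,phase:1,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WHM auth bypass — stripped session cookie + forged Basic Auth payload (WPT-2497)||MV:%{REQUEST_URI}||AuthB64:%{TX.imun_authb64}||SpoofedUser:%{TX.imun_claimed_user}||StrippedCookie:%{REQUEST_COOKIES.whostmgrsession}||UA:%{REQUEST_HEADERS.User-Agent}||Method:%{REQUEST_METHOD}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "!@rx /v\d+/" "chain,t:none,t:normalizePath"
    SecRule REQUEST_HEADERS:Authorization "@rx ^[Bb]asic\s+([A-Za-z0-9+/=]+)\s*$" "chain,capture,t:none,setvar:'tx.imun_authb64=%{TX.1}'"
    SecRule TX:imun_authb64 "@rx ^([^:\r\n]{1,64}):[^\r\n]*\r?\nsuccessful_external_auth_with_timestamp=\d+\r?\ntfa_verified=1\r?\ncp_security_token=/?cpsess\d+" "chain,capture,t:none,t:base64Decode,setvar:'tx.imun_claimed_user=%{TX.1}'"
    SecRule REQUEST_COOKIES:whostmgrsession "!@rx %2[Cc]" "t:none"

# 77538918 (block, phase 1): unversioned json-api call with a whostmgrsession
# cookie that contains neither "," nor "%2C".
SecRule REQUEST_URI "@rx ^/(?:cpsess\d+/)?json-api/" "id:77538918,chain,phase:1,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: WHM auth bypass via stripped session cookie (cookie-strip-only variant, WPT-2497)||MV:%{REQUEST_URI}||StrippedCookie:%{REQUEST_COOKIES.whostmgrsession}||UA:%{REQUEST_HEADERS.User-Agent}||Method:%{REQUEST_METHOD}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "!@rx /v\d+/" "chain,t:none,t:normalizePath"
    SecRule &REQUEST_COOKIES:whostmgrsession "@gt 0" "chain,t:none"
    SecRule REQUEST_COOKIES:whostmgrsession "!@rx (?:%2[Cc]|,)" "t:none"

# 77061214 (pass, audit only): SSH-key management API calls; logs the endpoint
# name and the user prefix of the session cookie.
# NOTE(review): the second link needs the whostmgrsession cookie to exist, so
# calls made without that cookie are presumably not recorded by this rule.
SecRule REQUEST_URI "@rx ^/cpsess\d+/json-api/(importsshkey|authorizesshkey|deletesshkey)\b" "id:77061214,chain,phase:2,pass,nolog,auditlog,severity:5,capture,t:none,t:normalizePath,setvar:'tx.imun_endpoint=%{TX.1}',msg:'IM360 WAF: WHM SSH-key API call (post-exploit IOC, WPT-2497)||Endpoint:%{TX.imun_endpoint}||MV:%{REQUEST_URI}||SessUser:%{TX.imun_sess_user}||UA:%{REQUEST_HEADERS.User-Agent}||Method:%{REQUEST_METHOD}||Referer:%{REQUEST_HEADERS.Referer}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_COOKIES:whostmgrsession "@rx ^(?:([a-z0-9._-]{1,32})(?:%3[Aa]|:)|.{0,1})" "capture,t:none,setvar:'tx.imun_sess_user=%{TX.1}'"

# 77061262 (pass, audit only): account-creation, password and privilege API
# calls; same logging scheme and the same cookie caveat as 77061214.
SecRule REQUEST_URI "@rx ^/cpsess\d+/json-api/(createacct|wwwacct|passwd|chpass|chrootpasswd|setresellerlimits|setacls|restoreacct|pkgacct)\b" "id:77061262,chain,phase:2,pass,nolog,auditlog,severity:5,capture,t:none,t:normalizePath,setvar:'tx.imun_endpoint=%{TX.1}',msg:'IM360 WAF: WHM persistence/privilege API call (post-exploit IOC, WPT-2497)||Endpoint:%{TX.imun_endpoint}||MV:%{REQUEST_URI}||SessUser:%{TX.imun_sess_user}||TargetUser:%{ARGS.username}%{ARGS.user}||UA:%{REQUEST_HEADERS.User-Agent}||Method:%{REQUEST_METHOD}||Referer:%{REQUEST_HEADERS.Referer}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_COOKIES:whostmgrsession "@rx ^(?:([a-z0-9._-]{1,32})(?:%3[Aa]|:)|.{0,1})" "capture,t:none,setvar:'tx.imun_sess_user=%{TX.1}'"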