Current File : //08_Global_Other.conf

# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bcf(?:_(?:setdatasource(?:password|username)|(?:getdatasourceusernam|iscoldfusiondatasourc)e)|admin_registry_(?:delete|set)|execute|internaldebug|newinternal(?:adminsecurit|registr)y|usion_(?:d(?:bconnections_flush|ecrypt)|encrypt|getodbc(?:dsn|ini)|set(?:odbcini|tings_refresh)|verifymail))\b" \
	"id:211020,msg:'COMODO WAF: Injection of Undocumented ColdFusion Tags||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Other'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:i|!ARGS:i|!ARGS:/install\[values\]\[\w*]\[fileDenyPattern\]/|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?:\((?:[^a-zA-Z0-9_]{0,}?(?:cn|homedirectory|objectc(?:ategory|lass)|[gu]idnumber)\b[^a-zA-Z0-9_]{0,}?=|[^a-zA-Z0-9\-_]{0,}?[!&|][^a-zA-Z0-9\-_]{0,}?\()|\)[^a-zA-Z0-9\-_]{0,}?\([^a-zA-Z0-9\-_]{0,}?[!&|])" \
	"id:211030,chain,msg:'COMODO WAF: LDAP Injection Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'Other'"
SecRule &ARGS:newspost.add "@eq 0"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:panels_data|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx http:\/\/[a-z0-9._]{1,}?\/.{0,}?\.pdf\b[^\n\r]{0,}#" \
	"id:211050,msg:'COMODO WAF: Universal PDF XSS URL Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'Other'"

SecRule RESPONSE_BODY "@rx \Q{varbuffer='\x41'for(i=0;i<=100;++i){buffer+=buffer+bufferdocument.write(buffer);}}\E" \
	"id:220130,msg:'COMODO WAF: DoS attack vulnerabikity in RealNetworks RealPlayer 16.0.2.32 and earlier (CVE-2013-3299)||%{tx.domain}|%{tx.mode}|2',phase:4,deny,status:403,log,t:none,t:removeWhitespace,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'Other'"

SecRule ARGS_POST:Locale|ARGS_POST:FailedLoginCount "@rx \x22|<" \
	"id:215030,chain,msg:'COMODO WAF: XSS Vulnerability in the SilverStripe CMS &amp; Framework v3.1.15 (CVE-2015-8606)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,rev:1,severity:2,tag:'CWAF',tag:'Other'"
SecRule REQUEST_FILENAME "@contains /admin/security/editform/field/members/" \
	"chain,t:none,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^SESS([0-9a-f]{32})$" \
	"t:none"

SecRule ARGS_GET:returnURL "@contains //" \
	"id:215040,chain,msg:'COMODO WAF: Open Redirect vulnerability in the SilverStripe CMS &amp; Framework v3.1.13 (CVE-2015-5062)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'Other'"
SecRule REQUEST_FILENAME "@contains /index.php/dev/build" \
	"chain,t:none,t:lowercase,t:normalizePath"
SecRule REQUEST_COOKIES_NAMES "@rx ^SESS([0-9a-f]{32})$" \
	"t:none"

SecRule REQUEST_COOKIES_NAMES "@beginsWith bigtree" \
	"id:215070,chain,msg:'COMODO WAF: Start tracking Bigtree CMS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Other'"
SecRule REQUEST_FILENAME "@contains admin/users" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.bigtree_user=1',expirevar:'SESSION.bigtree_user=300',t:none,t:lowercase"

SecRule &ARGS_POST:id "@ge 1" \
	"id:215071,chain,msg:'COMODO WAF: CSRF vulnerability in the BigTree CMS 4.1.18 and 4.2.16 (CVE-2017-6914)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Other'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith bigtree" \
	"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains admin/ajax/users/delete" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:bigtree_user "!@eq 1" \
	"t:none"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES_NAMES:scarab.profile|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf bl_os_files" \
	"id:210580,msg:'COMODO WAF: OS File Access Attempt||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'Other'"

SecRule REQUEST_FILENAME "@pmf userdata_bl_URLs" \
	"id:215090,msg:'COMODO WAF: Restricted File Access Attempt||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,rev:3,severity:2,tag:'CWAF',tag:'Other'"

SecRule ARGS_GET:type "@rx \x22" \
	"id:215100,chain,msg:'COMODO WAF: XSS vulnerability in Gazelle before 2017-03-19 (CVE-2017-7248)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'Other'"
SecRule REQUEST_FILENAME "@endsWith /sections/better/transcode.php" \
	"t:none,t:normalizePath,t:urlDecodeUni,t:lowercase"

SecRule ARGS_GET:type "@rx \x22" \
	"id:215110,chain,msg:'COMODO WAF: XSS vulnerability in Gazelle before 2017-03-19 (CVE-2017-7248)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'Other'"
SecRule REQUEST_FILENAME "@endsWith /sections/better/transcode.php" \
	"t:none,t:normalizePath,t:urlDecodeUni,t:lowercase"

SecRule ARGS_GET:action|ARGS_GET:userid "@rx \x22" \
	"id:215120,chain,msg:'COMODO WAF: XSS vulnerability in Gazelle before 2017-03-19 (CVE-2017-7249)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'Other'"
SecRule REQUEST_FILENAME "@endsWith /sections/tools/data/ocelot_info.php" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule ARGS_GET:action "@contains <" \
	"id:215130,chain,msg:'COMODO WAF: XSS vulnerability in Gazelle before 2017-03-19 (CVE-2017-7250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'Other'"
SecRule REQUEST_FILENAME "@endsWith /sections/tools/finances/bitcoin_balance.php" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"