Current File : //24_Apps_Joomla.conf

# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule REQUEST_URI|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_POST|ARGS_NAMES "@rx (?:<|\x22|'|>)" \
	"id:223230,msg:'COMODO WAF: Track same forbidden symbols to Ignore signature||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setvar:'TX.XSS_SQLi=1',nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,rev:2,severity:2,tag:'CWAF',tag:'Joomla'"

SecRule &TX:XSS_SQLi "@eq 0" \
	"id:223231,msg:'COMODO WAF: Track same forbidden symbols to Ignore signature for Joomla||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'IGNORE_SFS_XSS_SQLi_Joomla',rev:2,severity:2,tag:'CWAF',tag:'Joomla'"

SecRule &TX:Joomla "@eq 0" \
	"id:223370,msg:'COMODO WAF: Track unauthenticated request in Joomla||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'Joomla_Skip_URF_223010',rev:1,severity:2,tag:'CWAF',tag:'Joomla'"

SecRule TX:Joomla "@ge 1" \
	"id:223010,chain,msg:'COMODO WAF: XSS vulnerability in Joomla! before 3.8.12 (CVE-2018-15880)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS:option "@streq com_users" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:jform[name] "@contains <" \
	"t:none,t:urlDecodeUni"

SecRule TX:Joomla "@ge 1" \
	"id:223180,chain,msg:'COMODO WAF: XSS vulnerability in Joomla before 3.9.2 (CVE-2019-6263)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS_GET:option "@streq com_config" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:/^jform\[filters\]\[\d+\]\[filter_/ "@rx \x22" \
	"t:none,t:urlDecodeUni"

SecMarker IGNORE_SFS_XSS_SQLi_Joomla
SecRule TX:Joomla "@ge 1" \
	"id:221010,chain,msg:'COMODO WAF: SQL injection vulnerability in Joomla! 3.2 before 3.4.5 (CVE-2015-7297, CVE-2015-7857, CVE-2015-7858)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS:option "@streq com_contenthistory" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:list[select] "!@rx ^(?:h\.(?:version_(?:id|note|data)|ucm_(?:item|type)_id|save_date|editor_user_id|character_count|sha1_hash|keep_forever)(?:\,\ ?)?)+$" \
	"t:none,t:urlDecodeUni,t:lowercase"

SecRule TX:Joomla "@ge 1" \
	"id:222510,chain,msg:'COMODO WAF: Unauthorized account creation and modification in Joomla! before 3.6.4 (CVE-2016-8869, CVE-2016-9836, CVE-2016-9838)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:5,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS:task "@streq user.register" \
	"chain,t:none,t:lowercase"
SecRule ARGS:option "@streq com_users" \
	"t:none,t:lowercase"

SecRule TX:Joomla "@ge 1" \
	"id:222520,chain,msg:'COMODO WAF: Unauthorized account creation and modification in Joomla! before 3.6.4 (CVE-2016-8870, CVE-2016-9836)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:5,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS:task "@streq user.register" \
	"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains /component/users/" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

SecRule TX:Joomla "@ge 1" \
	"id:223020,chain,msg:'COMODO WAF: Unrestricted file vulnerability in Joomla! before 3.8.12 (CVE-2018-15882)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS_GET:option "@streq com_installer" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule FILES "@rx \.phar$" \
	"t:none,t:urlDecodeUni,t:lowercase"

SecRule TX:Joomla "@ge 1" \
	"id:223300,chain,msg:'COMODO WAF: Directory Traversal vulnerability in Joomla before 3.9.5 (CVE-2019-10945)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS_GET:option "@streq com_media" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:folder "@contains .." \
	"t:none,t:urlDecodeUni"

SecMarker Joomla_Skip_URF_223010
SecRule REQUEST_FILENAME "@contains /images/stories/" \
	"id:240000,chain,msg:'COMODO WAF: Protecting Joomla folder||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule REQUEST_FILENAME "@endsWith .php" \
	"t:none,t:urlDecodeUni,t:lowercase"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx (?:JDatabaseDriverMysqli|[oOcC]\:\d+\:.+?\:\d+\:\{.{0,399}\})" \
	"id:222390,msg:'COMODO WAF: PHP Injection Attack: Serialized Object Injection in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 (CVE-2015-8562)||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,rev:6,severity:2,tag:'CWAF',tag:'Joomla'"

SecRule ARGS:option "@streq com_fields" \
	"id:222550,chain,msg:'COMODO WAF: SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 (CVE-2017-8917)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS:view "@streq fields" \
	"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "!@contains /administrator/" \
	"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_BASENAME "@within   index.php" \
	"chain,t:none,t:lowercase"
SecRule ARGS:list[fullordering] "@rx [^\w\ \.]" \
	"t:none,t:urlDecodeUni"

SecRule TX:Joomla "@ge 1" \
	"id:223430,chain,msg:'COMODO WAF: XSS vulnerability in Joomla before 3.9.3 (CVE-2019-7741)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS:option "@within com_users com_config" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:jform[params][helpsite]|ARGS_POST:jform[helpurl] "@rx \x22" \
	"t:none,t:urlDecodeUni"

SecRule REQUEST_FILENAME "@endsWith index.php" \
	"id:223520,chain,msg:'COMODO WAF: SQLi vulnerability in In Joomla! 3.5.0 through 3.8.5||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:urlDecode,rev:1,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS_GET:option "@streq  com_users" \
	"chain,t:none"
SecRule ARGS_GET:view "@streq  notes" \
	"chain,t:none"
SecRule ARGS_POST:filter[caregory_id] "@contains '" \
	"t:none,t:urlDecode"

SecRule TX:Joomla "@ge 1" \
	"id:223560,chain,msg:'COMODO WAF: XSS vulnerability in Joomla! from versions 1.7.3 to 3.7.2 (CVE-2017-9934)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:5,severity:2,tag:'CWAF',tag:'Joomla'"
SecRule ARGS:task "@streq item.settype" \
	"chain,t:none,t:lowercase"
SecRule ARGS:option "@streq com_menus" \
	"chain,t:none,t:lowercase"
SecRule ARGS:layout "@streq edit" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:jform[type] "@rx [\'\x22]option[\'\x22]\:[\'\x22](.{0,399}?)[\'\x22]" \
	"chain,capture,t:none,t:base64DecodeExt,t:urlDecodeUni,t:removeWhitespace"
SecRule TX:1 "@contains <" \
	"t:none"

SecRule REQUEST_URI "@rx (?i:\/wp-admin\/load-(styles|scripts)\.php\?.{0,399}?(load%5B%5D|load\[\]|load%5B\]|load\[%5D)=([^&,]*,){20,})" \
	"id:223570,msg:'COMODO WAF: Unauthenticated attackers can cause a denial of service in WordPress through 4.9.2 (CVE-2018-6389)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:4,severity:2,tag:'CWAF',tag:'Joomla'"