# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

# Rule 232390: when the transaction variable XSS_SQLi has not been set
# (its count is 0), jump ahead to the marker IGNORE_SFS_SIG_XSS_SQLi_Drupal.
# The rule itself never blocks or logs (pass,nolog). The marker is not
# visible in this part of the file.
SecRule &TX:XSS_SQLi "@eq 0" \
	"id:232390,msg:'COMODO WAF: Track same forbidden symbols to Ignore signature for Drupal||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'IGNORE_SFS_SIG_XSS_SQLi_Drupal',rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# Rule 233030: when TX:drupal has not been set (count is 0), jump ahead to the
# marker Drupal_Skip_URF_231000 without blocking or logging (pass,nolog).
# NOTE(review): the marker is not visible here; presumably it sits after the
# Drupal rules that follow, so none of them run unless TX:drupal is set - confirm.
SecRule &TX:drupal "@eq 0" \
	"id:233030,msg:'COMODO WAF: Track unauthenticated request in Drupal||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'Drupal_Skip_URF_231000',rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# Rule 231000 - RedHen module XSS (CVE-2016-1913).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or the
# request filename (lowercased) contains "redhen/contact", and first_name,
# middle_name or last_name contains "<" after URL decoding.
SecRule TX:drupal "@eq 1" \
	"id:231000,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal (CVE-2016-1913)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains redhen/contact" \
	"chain,t:none,t:lowercase"
SecRule ARGS:first_name|ARGS:middle_name|ARGS:last_name "@contains <" \
	"t:none,t:urlDecodeUni"

# Rule 231001 - RedHen module XSS (CVE-2016-1913), engagement score form.
# Denies with 403 and logs when TX:drupal equals 1, a score argument is
# present, the label argument contains "<" after URL decoding, and the q
# argument or request filename contains "structure/redhen/engagement_scores/"
# once decoded, path-normalised and lowercased.
# t:normalisePath is the alternate spelling of the t:normalizePath used by the
# other rules in this file.
SecRule TX:drupal "@eq 1" \
	"id:231001,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal (CVE-2016-1913)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS:score "@ge 1" \
	"chain,t:none"
SecRule ARGS:label "@contains <" \
	"chain,t:none,t:urlDecodeUni"
SecRule ARGS:q|REQUEST_FILENAME "@contains structure/redhen/engagement_scores/" \
	"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"

# Rule 231002 - RedHen module XSS (CVE-2016-1913), taxonomy paths.
# Denies with 403 and logs when TX:drupal equals 1, the name argument contains
# "<" after URL decoding, and the q argument or request filename contains
# either "structure/taxonomy/note_type/" or "taxonomy/term" (@pm matches any
# one of the listed phrases).
SecRule TX:drupal "@eq 1" \
	"id:231002,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal (CVE-2016-1913)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:name "@contains <" \
	"chain,t:none,t:urlDecodeUni"
SecRule ARGS:q|REQUEST_FILENAME "@pm structure/taxonomy/note_type/ taxonomy/term" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Rule 241790 - CMS Updater module XSS (CVE-2015-7307).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "cms-updater", and the query-string parameter
# cmsu_payment_url contains a double quote (\x22) after URL decoding.
SecRule TX:drupal "@eq 1" \
	"id:241790,chain,msg:'COMODO WAF: XSS vulnerability in the CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-7307)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains cms-updater" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:cmsu_payment_url "@rx \x22" \
	"t:none,t:urlDecodeUni"

# Rule 231020 - Mass Contact module XSS (CVE-2015-6807).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "mass_contact_admin_edit", the POSTed category contains "<" after URL
# decoding, and the q argument or request filename contains "mass_contact".
SecRule TX:drupal "@eq 1" \
	"id:231020,chain,msg:'COMODO WAF: XSS vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal (CVE-2015-6807)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq mass_contact_admin_edit" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:category "@contains <" \
	"chain,t:none,t:urlDecodeUni"
SecRule ARGS:q|REQUEST_FILENAME "@contains mass_contact" \
	"t:none,t:lowercase"

# Rule 231030 - Time Tracker module XSS (CVE-2015-6751).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id is found
# within the listed form names, and the POST fields note, activities[N][name]
# or add_new_activity[new_activity_name] contain "<" after URL decoding.
# @within is true when the input is a substring of the parameter string, so a
# partial form_id value also satisfies that link.
SecRule TX:drupal "@eq 1" \
	"id:231030,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Time Tracker module 7.x-1.x before 7.x-1.4 for Drupal (CVE-2015-6751)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@within time_tracker_activity_table_form time_tracker_time_entry_form" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:note|ARGS_POST:/activities\[\d+\]\[name\]/|ARGS_POST:add_new_activity[new_activity_name] "@contains <" \
	"t:none,t:urlDecodeUni"

# Rule 231050 - Path Breadcrumbs module admin XSS (CVE-2015-6754).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id is found
# within the two listed form names, the POSTed name contains "<" after URL
# decoding, and the q argument or request filename contains "system/ajax".
# NOTE(review): unlike most sibling rules, the path link applies no
# t:lowercase, so the comparison is case-sensitive - confirm this is intended.
SecRule TX:drupal "@eq 1" \
	"id:231050,chain,msg:'COMODO WAF: XSS vulnerability in the administration interface in the Path Breadcrumbs module 7.x-3.x before 7.x-3.3 for Drupal (CVE-2015-6754)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@within path_breadcrumbs_ui_edit_form path_breadcrumbs_ui_add_form" \
	"chain,t:none"
SecRule ARGS_POST:name "@contains <" \
	"chain,t:none,t:urlDecodeUni"
SecRule ARGS:q|REQUEST_FILENAME "@contains system/ajax" \
	"t:none,t:urlDecodeUni,t:normalizePath"

# Rule 231060 - Block Class module XSS (CVE-2016-3144).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id is found
# within the two listed block form names, the q argument or request filename
# contains "/structure/block/", and the POSTed css_class contains a double
# quote (\x22) after URL decoding.
SecRule TX:drupal "@eq 1" \
	"id:231060,chain,msg:'COMODO WAF: XSS vulnerability in the Block Class module 7.x-2.x before 7.x-2.2 for Drupal (CVE-2016-3144)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@within block_add_block_form block_admin_configure" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:q|REQUEST_FILENAME "@contains /structure/block/" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:css_class "@rx \x22" \
	"t:none,t:urlDecodeUni"

# Rule 231070 - Camtasia Relay module XSS (CVE-2015-5487).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "camtasia_relay_node_form", and the POSTed title or any POST field whose name
# starts with one of the listed camtasia_relay_* prefixes contains "<" after
# URL decoding. No path condition is part of this chain.
SecRule TX:drupal "@eq 1" \
	"id:231070,chain,msg:'COMODO WAF: XSS vulnerability in the Camtasia Relay module 6.x-2.x before 6.x-3.2 and 7.x-2.x before 7.x-1.3 for Drupal (CVE-2015-5487)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq camtasia_relay_node_form" \
	"chain,t:none"
SecRule ARGS_POST:title|ARGS_POST:'/^camtasia_relay_(?:date|profile|duration|presenter_(?:email|name)|recorder_(?:email|name))/' "@contains <" \
	"t:none,t:urlDecodeUni"

# Rule 231080 - Smart Trim module XSS (CVE-2015-5489).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "field_ui_display_overview_form", the q argument or request filename contains
# "system/ajax", and any POST field whose name starts with "fields" and later
# contains "trim_suffix" or "more_text" holds "<" after URL decoding.
SecRule TX:drupal "@eq 1" \
	"id:231080,chain,msg:'COMODO WAF: XSS vulnerability in the Smart Trim module 7.x-1.x before 7.x-1.5 for Drupal (CVE-2015-5489)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq field_ui_display_overview_form" \
	"chain,t:none"
SecRule ARGS:q|REQUEST_FILENAME "@contains system/ajax" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:'/^fields.+(?:trim_suffix|more_text)/' "@contains <" \
	"t:none,t:urlDecodeUni"

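# Rule 231090 - Migrate module XSS (CVE-2015-5514).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/content/migrate/groups/", and any of the listed
# field_mappings[...][default_value] POST fields contains "<" after URL decoding.
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule TX:drupal "@eq 1" \
	"id:231090,chain,msg:'COMODO WAF: XSS vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal (CVE-2015-5514)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /content/migrate/groups/" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:field_mappings[name][default_value]|ARGS_POST:field_mappings[description][default_value]|ARGS_POST:field_mappings[parent][default_value]|ARGS_POST:field_mappings[parent_name][default_value]|ARGS_POST:field_mappings[format][default_value]|ARGS_POST:field_mappings[weight][default_value]|ARGS_POST:field_mappings[path][default_value] "@contains <" \
	"t:none,t:urlDecodeUni"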

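# Rule 231100 - Webform Matrix Component module XSS (CVE-2015-5494).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/webform/components/", and a POST field named
# extra[element][element-N][label_name] contains "<" after URL decoding.
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule TX:drupal "@eq 1" \
	"id:231100,chain,msg:'COMODO WAF: XSS vulnerability in the Webform Matrix Component module 7.x-4.12 for Drupal (CVE-2015-5494)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /webform/components/" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:/extra\[element\]\[element-\d+\]\[label_name\]/ "@contains <" \
	"t:none,t:urlDecodeUni"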

# Rule 231111 - Mobile sliding menu module XSS (CVE-2015-5495).
# Denies with 403 and logs when TX:drupal equals 1, the request URI, request
# filename or q argument contains "/admin/structure/menu/", and link_title
# contains "<" after URL decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:231111,chain,msg:'COMODO WAF: XSS vulnerability in the Mobile sliding menu module 7.x-2.x before 7.x-2.1 for Drupal (CVE-2015-5495)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_URI|REQUEST_FILENAME|ARGS:q "@contains /admin/structure/menu/" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:link_title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

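# Rule 231140 - Navigate module XSS (CVE-2015-5500).
# Denies with 403 and logs when TX:drupal is set (count >= 1, any value), the
# request filename contains "/navigate/process", the POSTed module or name
# matches one of the listed phrases, and the POSTed name, content or value
# contains "<" after URL decoding.
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule &TX:drupal "@ge 1" \
	"id:231140,chain,msg:'COMODO WAF: XSS vulnerability in the Navigate module 6.x-1.1 for Drupal (CVE-2015-5500)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_FILENAME "@contains /navigate/process" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:module|ARGS_POST:name "@pm navigate_favorites navigate_custom set-export set-import" \
	"chain,t:none"
SecRule ARGS_POST:name|ARGS_POST:content|ARGS_POST:value "@contains <" \
	"t:none,t:urlDecodeUni"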

# Rule 231150 - EntityBulkDelete module XSS (CVE-2015-4386), taxonomy tags form.
# Denies with 403 and logs when TX:drupal is set (count >= 1, any value), the
# query-string q or destination or the request filename contains
# "admin/structure/taxonomy/tags", the POSTed form_id equals
# "taxonomy_form_term", and the POSTed name contains "<" after URL decoding
# and HTML entity decoding.
SecRule &TX:drupal "@ge 1" \
	"id:231150,chain,msg:'COMODO WAF: XSS vulnerability in the EntityBulkDelete module 7.x-1.0 for Drupal (CVE-2015-4386)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|ARGS_GET:destination|REQUEST_FILENAME "@contains admin/structure/taxonomy/tags" \
	"chain,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath"
SecRule ARGS_POST:form_id "@streq taxonomy_form_term" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:name "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

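# Rule 231151 - EntityBulkDelete module XSS (CVE-2015-4386), node forms.
# Denies with 403 and logs when TX:drupal equals 1, the query-string q or
# destination or the request filename contains one of the listed node phrases,
# the POSTed form_id matches "page_node_form" or "article_node_form", and the
# POSTed title or field_tags[und] contains "<" after URL decoding and HTML
# entity decoding.
# The disruptive action is listed once; the original action list repeated "deny".
# @pm matches any one listed phrase, so the bare "node" phrase already covers
# the two longer node/add/... phrases.
SecRule TX:drupal "@eq 1" \
	"id:231151,chain,msg:'COMODO WAF: XSS vulnerability in the EntityBulkDelete module 7.x-1.0 for Drupal (CVE-2015-4386)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|ARGS_GET:destination|REQUEST_FILENAME "@pm node/add/article node node/add/page" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule ARGS_POST:form_id "@pm page_node_form article_node_form" \
	"chain,t:none"
SecRule ARGS_POST:title|ARGS_POST:field_tags[und] "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"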

# Rule 231152 - EntityBulkDelete module XSS (CVE-2015-4386), comment form.
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "comment_node_article_form", the query-string q or request filename matches
# comment/N/edit or comment/reply/N, and the POSTed subject contains "<" after
# URL decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:231152,chain,msg:'COMODO WAF: XSS vulnerability in the EntityBulkDelete module 7.x-1.0 for Drupal (CVE-2015-4386)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq comment_node_article_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx comment\/\d+\/edit|comment\/reply\/\d+" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:subject "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231160 - Invoice module XSS (CVE-2015-4381).
# Denies with 403 and logs when TX:drupal is set (count >= 1, any value), the
# query-string q or request filename contains "admin/config/system/invoice",
# the POSTed form_id equals "invoice_settings_form", and any of the listed
# supplier company/CoC/VAT POST fields contains "<" after URL decoding and
# HTML entity decoding.
SecRule &TX:drupal "@ge 1" \
	"id:231160,chain,msg:'COMODO WAF: XSS vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-4381)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/system/invoice" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:form_id "@streq invoice_settings_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:default_supplier_company_name|ARGS_POST:default_supplier_coc_number|ARGS_POST:default_supplier_vat_number|ARGS_POST:supplier_company_name|ARGS_POST:supplier_coc_number|ARGS_POST:supplier_vat_number "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231170 - Inline Entity Form module XSS (CVE-2015-5507).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed
# instance[description] contains "<" after URL decoding, and the POSTed form_id
# contains "field_ui_field_edit_form". No path condition is part of this chain.
SecRule TX:drupal "@eq 1" \
	"id:231170,chain,msg:'COMODO WAF: XSS vulnerability in the Inline Entity Form module 7.x-1.x before 7.x-1.6 for Drupal (CVE-2015-5507)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:instance[description] "@contains <" \
	"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:form_id "@contains field_ui_field_edit_form" \
	"t:none"

# Rule 231180 - MailChimp Signup submodule XSS (CVE-2015-5488).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "mailchimp_signup_form", the POSTed title, description or
# settings[confirmation_message] contains "<" after URL decoding, and the q
# argument or request filename contains "mailchimp/signup".
SecRule TX:drupal "@eq 1" \
	"id:231180,chain,msg:'COMODO WAF: XSS vulnerability in the MailChimp Signup submodule in the MailChimp module 7.x-3.x before 7.x-3.3 for Drupal (CVE-2015-5488)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq mailchimp_signup_form" \
	"chain,t:none"
SecRule ARGS_POST:title|ARGS_POST:description|ARGS_POST:settings[confirmation_message] "@contains <" \
	"chain,t:none,t:urlDecodeUni"
SecRule ARGS:q|REQUEST_FILENAME "@contains mailchimp/signup" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Rule 231190 - Shibboleth authentication module XSS (CVE-2015-5513).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed
# shib_auth_link_text contains "<" after URL decoding, the POSTed form_id is
# found within the two listed form names, and the q argument or request
# filename contains "shib_auth".
# NOTE(review): the path link uses t:none only (no decoding, normalisation or
# lowercasing), unlike most sibling rules - confirm this is intended.
SecRule TX:drupal "@eq 1" \
	"id:231190,chain,msg:'COMODO WAF: XSS vulnerability in the Shibboleth authentication module 6.x-4.x before 6.x-4.2 and 7.x-4.x before 7.x-4.2 for Drupal (CVE-2015-5513)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:shib_auth_link_text "@contains <" \
	"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:form_id "@within block_admin_configure shib_auth_admin_general" \
	"chain,t:none"
SecRule ARGS:q|REQUEST_FILENAME "@contains shib_auth" \
	"t:none"

# Rule 231200 - Web Links module XSS (CVE-2015-5497).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "weblinks_node_form", and the POSTed title or a body[und][N][value] field
# contains "<" after URL decoding. No path condition is part of this chain.
SecRule TX:drupal "@eq 1" \
	"id:231200,chain,msg:'COMODO WAF: XSS vulnerability in the Web Links module 6.x-2.x before 6.x-2.6 and 7.x-1.x before 7.x-1.0 for Drupal (CVE-2015-5497)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq weblinks_node_form" \
	"chain,t:none"
SecRule ARGS_POST:title|ARGS_POST:/body\[und\]\[[0-9]+\]\[value\]/ "@contains <" \
	"t:none,t:urlDecodeUni"

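# Rule 231210 - Taxonews module XSS (CVE-2015-3369).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/structure/block/manage/taxonews/", and the POSTed
# taxonews_empty_messages contains "<".
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule TX:drupal "@eq 1" \
	"id:231210,chain,msg:'COMODO WAF: XSS vulnerability in Taxonews module 7.x-1.0 for Drupal (CVE-2015-3369)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /structure/block/manage/taxonews/" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:taxonews_empty_messages "@contains <" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"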

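# Rule 231220 - MAYO theme XSS (CVE-2014-8079).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/appearance/settings/mayo", the POSTed form_id equals
# "system_theme_settings", and the POSTed header_bg_file contains a double
# quote (\x22).
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule TX:drupal "@eq 1" \
	"id:231220,chain,msg:'COMODO WAF: XSS vulnerability in MAYO theme 7.x-1.2 for Drupal (CVE-2014-8079)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /appearance/settings/mayo" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:form_id "@streq system_theme_settings" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:header_bg_file "@rx \x22" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"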

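# Rule 231230 - Touch theme XSS (CVE-2014-4303).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/appearance/settings/touch", the POSTed form_id equals
# "system_theme_settings", and the POSTed twitter_username or
# facebook_username contains a double quote (\x22).
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule TX:drupal "@eq 1" \
	"id:231230,chain,msg:'COMODO WAF: XSS vulnerability in Touch theme 7.x-1.7 for Drupal (CVE-2014-4303)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /appearance/settings/touch" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:form_id "@streq system_theme_settings" \
	"chain,t:none"
SecRule ARGS_POST:twitter_username|ARGS_POST:facebook_username "@rx \x22" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"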

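# Rule 231240 - Simple Subscription module XSS (CVE-2015-4367).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/block/manage/simple_subscription/subscribe/", and the
# POSTed simple_subscription_form_header or simple_subscription_form_footer
# contains "<".
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule TX:drupal "@eq 1" \
	"id:231240,chain,msg:'COMODO WAF: XSS vulnerability in Simple Subscription module 7.x-1.0 for Drupal (CVE-2015-4367)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /block/manage/simple_subscription/subscribe/" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:simple_subscription_form_header|ARGS_POST:simple_subscription_form_footer "@contains <" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"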

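# Rule 231250 - Registration codes module XSS (CVE-2015-4359).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/config/people/regcode/", the POSTed form_id matches one
# of the three listed regcode form names, and any of the listed regcode title
# or description fields, or name, contains "<" after URL decoding and HTML
# entity decoding.
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule TX:drupal "@eq 1" \
	"id:231250,chain,msg:'COMODO WAF: XSS vulnerability in the Registration codes module 7.x-1.1 for Drupal (CVE-2015-4359)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /config/people/regcode/" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:form_id "@pm regcode_admin_settings regcode_voucher_admin_form regcode_dynamic_settings" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:regcode_field_title|ARGS_POST:regcode_field_description|ARGS_POST:regcode_voucher_fieldset_title|ARGS_POST:regcode_voucher_field_description|ARGS_POST:name "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"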

# Rule 231270 - Search API module admin view XSS (CVE-2013-2715).
# Denies with 403 and logs when TX:drupal equals 1, form_id equals
# "search_api_admin_index_workflow", and an argument named
# callbacks[search_api_alter_add_aggregation][settings][fields][search_api_aggregation_N][name]
# contains "<" after URL decoding and HTML entity decoding.
# No path condition is part of this chain.
SecRule TX:drupal "@eq 1" \
	"id:231270,chain,msg:'COMODO WAF: XSS vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal (CVE-2013-2715)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq search_api_admin_index_workflow" \
	"chain,t:none,t:lowercase"
SecRule ARGS:/^callbacks\[search_api_alter_add_aggregation\]\[settings\]\[fields\]\[search_api_aggregation_[\d]+\]\[name\]$/ "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231280 - Custom Search module XSS (CVE-2014-8745).
# Denies with 403 and logs when TX:drupal equals 1, form_id equals
# "taxonomy_form_vocabulary", and name contains "<" after URL decoding and
# HTML entity decoding. No path condition is part of this chain, so it applies
# to every request carrying that form_id.
SecRule TX:drupal "@eq 1" \
	"id:231280,chain,msg:'COMODO WAF: XSS vulnerability in the Custom Search module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.15 for Drupal (CVE-2014-8745)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq taxonomy_form_vocabulary" \
	"chain,t:none,t:lowercase"
SecRule ARGS:name "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

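# Rule 231290 - Site Banner module XSS (CVE-2014-8376).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/structure/context/list/", and any of the three
# reactions[plugins][change_banner_text][site_banner_tag_*_text] POST fields
# contains "<".
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule TX:drupal "@eq 1" \
	"id:231290,chain,msg:'COMODO WAF: XSS vulnerability in the Site Banner module 7.x-4.0 for Drupal (CVE-2014-8376)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /structure/context/list/" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:reactions[plugins][change_banner_text][site_banner_tag_prepend_text]|ARGS_POST:reactions[plugins][change_banner_text][site_banner_tag_delimiter_text]|ARGS_POST:reactions[plugins][change_banner_text][site_banner_tag_append_text] "@contains <" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"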

# Rule 210310 - Profile2 Privacy module XSS (CVE-2015-4376).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "profile2_privacy_level_form", the query-string q or request filename
# contains "admin/config/people/profile2_privacy/level", and the POSTed title
# or description contains "<" after URL decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:210310,chain,msg:'COMODO WAF: XSS vulnerability in the Profile2 Privacy module 7.x-1.x before 7.x-1.5 for Drupal (CVE-2015-4376)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq profile2_privacy_level_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/people/profile2_privacy/level" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:title|ARGS_POST:description "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231310 - Webform module XSS (CVE-2015-4374).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id matches
# "webform_component_edit_form" or "webform_components_form", the query-string
# q or request filename matches node/N/webform (the second regex alternative
# is already covered by the first), and the POSTed name or add[name] contains
# "<" after URL decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:231310,chain,msg:'COMODO WAF: XSS vulnerability in the Webform module before 6.x-3.23, 7.x-3.x before 7.x-3.23, and 7.x-4.x before 7.x-4.5 for Drupal (CVE-2015-4374)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@pm webform_component_edit_form webform_components_form" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+\/webform|node\/\d+\/webform\/components" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:name|ARGS_POST:add[name] "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231320 - Image Title module XSS (CVE-2015-4372).
# Denies with 403 and logs when TX:drupal equals 1, the POST body carries
# current_title_image_status or a field matching files[image_title_upload],
# the query-string q or request filename matches node/add or node/N/edit, and
# the POSTed title contains "<" after URL decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:231320,chain,msg:'COMODO WAF: XSS vulnerability in the Image Title module before 7.x-1.1 for Drupal (CVE-2015-4372)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_POST:current_title_image_status|&ARGS_POST:/files\[image_title_upload]/ "@ge 1" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231331 - Tribune module XSS (CVE-2014-8705).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "tribune_node_form", the request URI contains any one of the phrases
# "tribune", "add" or "edit", and the POSTed title contains "<" after URL
# decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:231331,chain,msg:'COMODO WAF: XSS vulnerabilities in Tribune module of Drupal-CMS (CVE-2014-8705)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq tribune_node_form" \
	"chain,t:none"
SecRule REQUEST_URI "@pm tribune add edit" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231341 - Nivo Slider module XSS (CVE-2014-8744).
# Denies with 403 and logs when TX:drupal equals 1, the request URI contains
# "structure/nivo-slider", and the POSTed images[0][title] contains "<" after
# URL decoding.
# NOTE(review): only index 0 of images[...][title] is inspected; other rules in
# this file use a regex selector for indexed fields - confirm whether further
# indices should be covered.
SecRule TX:drupal "@eq 1" \
	"id:231341,chain,msg:'COMODO WAF: XSS vulnerabilities in Nivo Slider module of Drupal-CMS (CVE-2014-8744)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_URI "@contains structure/nivo-slider" \
	"chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS_POST:images[0][title] "@contains <" \
	"t:none,t:urlDecodeUni"

# Rule 231351 - Google Doubleclick for Publishers module XSS (CVE-2014-8748).
# Denies with 403 and logs when TX:drupal equals 1, the lowercased request URI
# contains "dfp_ads", and the POSTed slot contains "<" after URL decoding.
SecRule TX:drupal "@eq 1" \
	"id:231351,chain,msg:'COMODO WAF: XSS vulnerabilities in Google Doubleclick for Publishers module of Drupal-CMS (CVE-2014-8748)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_URI "@contains dfp_ads" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:slot "@contains <" \
	"t:none,t:urlDecodeUni"

# Rule 231360 - Site Documentation and Taxonomy Accordion module XSS
# (CVE-2015-4370, CVE-2015-4365).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "taxonomy_form_term", the query-string q or request filename contains
# "admin/content/taxonomy", and the POSTed name or description contains "<"
# after URL decoding and HTML entity decoding.
# NOTE(review): the msg text carries the literal entity "&amp;", which will be
# written as-is to the log - confirm whether a plain "&" was intended.
SecRule TX:drupal "@eq 1" \
	"id:231360,chain,msg:'COMODO WAF: XSS vulnerability in the Site Documentation module before 6.x-1.5 and Taxonomy Accordion module for Drupal (CVE-2015-4370 &amp; CVE-2015-4365)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq taxonomy_form_term" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/content/taxonomy" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:name|ARGS_POST:description "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231370 - OG tabs module XSS (CVE-2015-4373).
# Denies with 403 and logs when TX:drupal equals 1, at least one POST field
# name starts with "og_group_ref", the query-string q or request filename
# matches node/add or node/N/edit, and the POSTed title contains "<" after URL
# decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:231370,chain,msg:'COMODO WAF: XSS vulnerability in the OG tabs module before 7.x-1.1 for Drupal (CVE-2015-4373)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_POST:/^og_group_ref/ "@ge 1" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231380 - Room Reservations module XSS (CVE-2015-3359).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "room_reservations_category_node_form", the q argument or request URI
# contains any one of the phrases "add", "edit" or
# "room-reservations-category", and the POSTed title contains "<".
# NOTE(review): the path link lists t:urlDecodeUni after t:normalizePath and
# t:lowercase; transformations run in listed order, and other rules in this
# file decode first - confirm the order is intended.
SecRule TX:drupal "@eq 1" \
	"id:231380,chain,msg:'COMODO WAF: XSS vulnerability in the Room Reservations module before 7.x-1.0 for Drupal (CVE-2015-3359)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq room_reservations_category_node_form" \
	"chain,t:none"
SecRule ARGS:q|REQUEST_URI "@pm add edit room-reservations-category" \
	"chain,t:none,t:normalizePath,t:lowercase,t:urlDecodeUni"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231390 - Imagefield Info module XSS (CVE-2015-4385).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id matches
# "image_style_add_form" or "image_style_form", the query-string q or request
# filename contains "admin/config/media/image-styles", and the POSTed name or
# label contains "<" after URL decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:231390,chain,msg:'COMODO WAF: XSS vulnerability in the Imagefield Info module 7.x-1.x before 7.x-1.2 for Drupal (CVE-2015-4385)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@pm image_style_add_form image_style_form" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/media/image-styles" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:name|ARGS_POST:label "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 210360 - Webform module XSS (CVE-2015-4356).
# Denies with 403 and logs when TX:drupal equals 1, a form_build_id argument
# is present, form_id begins with "webform_client_form_", and any argument
# whose name matches submitted[...] contains "<" after URL decoding.
# No path condition is part of this chain.
SecRule TX:drupal "@eq 1" \
	"id:210360,chain,msg:'COMODO WAF: XSS vulnerability in the Webform module 7.x-4.x before 7.x-4.4 for Drupal (CVE-2015-4356)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS:form_build_id "@ge 1" \
	"chain,t:none"
SecRule ARGS:form_id "@beginsWith webform_client_form_" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:/submitted\[[\w]*\]/ "@contains <" \
	"t:none,t:urlDecodeUni"

# Rule 231400 - Ajax Timeline and Public Download Count module XSS
# (CVE-2015-3392, CVE-2015-3389).
# Denies with 403 and logs when TX:drupal equals 1, the query-string q or
# request filename matches node/add or node/N/edit, and the POSTed title
# contains "<" after URL decoding and HTML entity decoding. No form_id or
# module-specific field is checked, so the rule covers every node add/edit
# request.
# NOTE(review): the msg text carries the literal entity "&amp;", which will be
# written as-is to the log - confirm whether a plain "&" was intended.
SecRule TX:drupal "@eq 1" \
	"id:231400,chain,msg:'COMODO WAF: XSS vulnerability in the Ajax Timeline module before 7.x-1.1 and Public Download Count module (pubdlcnt) 7.x-1.x-dev and earlier for Drupal (CVE-2015-3392 &amp; CVE-2015-3389)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231411 - AddressField Tokens module XSS (CVE-2014-3933).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "webform_node_form", the request URI contains any one of the phrases
# "webform", "add" or "edit", and the POSTed
# field_address_title[und][0][thoroughfare] or [premise] contains "<".
# NOTE(review): the selector names one specific field (field_address_title)
# at index 0 only - confirm it matches the field names used on the protected
# site.
SecRule TX:drupal "@eq 1" \
	"id:231411,chain,msg:'COMODO WAF: XSS vulnerabilities in AddressField Tokens module of Drupal-CMS (CVE-2014-3933)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq webform_node_form" \
	"chain,t:none,t:lowercase"
SecRule REQUEST_URI "@pm webform add edit" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:field_address_title[und][0][thoroughfare]|ARGS_POST:field_address_title[und][0][premise] "@contains <" \
	"t:none,t:lowercase,t:urlDecodeUni"

# Rule 231430 - Ubercart Webform Integration module XSS (CVE-2015-4354).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "product_node_form", the q argument or request URI contains any one of the
# phrases "add", "edit" or "product", and the POSTed title or model contains
# "<".
# NOTE(review): the path link lists t:urlDecodeUni after t:normalizePath and
# t:lowercase; transformations run in listed order, and other rules in this
# file decode first - confirm the order is intended.
SecRule TX:drupal "@eq 1" \
	"id:231430,chain,msg:'COMODO WAF: XSS vulnerability in the Ubercart Webform Integration module 7.x-2.3 for Drupal (CVE-2015-4354)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq product_node_form" \
	"chain,t:none"
SecRule ARGS:q|REQUEST_URI "@pm add edit product" \
	"chain,t:none,t:normalizePath,t:lowercase,t:urlDecodeUni"
SecRule ARGS_POST:title|ARGS_POST:model "@contains <" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231440 - Webform module XSS (CVE-2015-4357).
# Denies with 403 and logs when TX:drupal equals 1, form_id equals
# "webform_node_form", op equals "save", and menu[link_title] contains "<".
# The payload link applies HTML entity decoding before URL decoding, the
# reverse of the order used by the other rules in this file.
SecRule TX:drupal "@eq 1" \
	"id:231440,chain,msg:'COMODO WAF: XSS vulnerability in the Webform module before 6.x-3.22, 7.x-3.x before 7.x-3.22, and 7.x-4.x before 7.x-4.4 for Drupal (CVE-2015-4357)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq webform_node_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS:op "@streq save" \
	"chain,t:none,t:lowercase"
SecRule ARGS:menu[link_title] "@contains <" \
	"t:none,t:htmlEntityDecode,t:urlDecodeUni"

# Rule 210370 - Node Access Product module XSS (CVE-2015-3386).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id matches
# one of the four listed form names, the query-string q or request filename
# matches one of the node, taxonomy or views admin paths in the regex, and the
# POSTed title or name contains "<" after URL decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:210370,chain,msg:'COMODO WAF: XSS vulnerability in the Node Access Product module for Drupal (CVE-2015-3386)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@pm product_node_form views_ui_edit_display_form taxonomy_form_vocabulary taxonomy_form_term" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit|admin\/structure\/taxonomy|taxonomy\/term|admin\/structure\/views" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:title|ARGS_POST:name "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231480 - Date module XSS (CVE-2014-5169), new-field form.
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "field_ui_field_overview_form", the request URI contains any one of the
# phrases "structures", "types" or "fields", the new field's type or
# widget_type matches one of the listed date types, and
# fields[_add_new_field][label] contains "<".
SecRule TX:drupal "@eq 1" \
	"id:231480,chain,msg:'COMODO WAF: XSS vulnerabilities in Date module of Drupal-CMS (CVE-2014-5169)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq field_ui_field_overview_form" \
	"chain,t:none,t:lowercase"
SecRule REQUEST_URI "@pm structures types fields" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:fields[_add_new_field][type]|ARGS_POST:fields[_add_new_field][widget_type] "@pm date datetime datestamp date_popup date_text" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:fields[_add_new_field][label] "@contains <" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231481 - field edit form XSS, tagged CVE-2014-5169.
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "field_ui_field_edit_form", the request URI contains any one of the phrases
# "structures", "types" or "fields", and fields[_add_new_field][label] or
# instance[label] contains "<".
# NOTE(review): the msg names the AddressField Tokens module, while rule 231480
# attributes the same CVE id to the Date module - confirm which is correct.
SecRule TX:drupal "@eq 1" \
	"id:231481,chain,msg:'COMODO WAF: XSS vulnerabilities in AddressField Tokens module of Drupal-CMS (CVE-2014-5169)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq field_ui_field_edit_form" \
	"chain,t:none,t:lowercase"
SecRule REQUEST_URI "@pm structures types fields" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:fields[_add_new_field][label]|ARGS_POST:instance[label] "@contains <" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231490 - Node Invite module XSS (CVE-2015-3372).
# Denies with 403 and logs when TX:drupal equals 1, the POST body carries a
# node_invites_enabled field, the query-string q or request filename matches
# node/add or node/N/edit, and the POSTed title contains "<" after URL
# decoding and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:231490,chain,msg:'COMODO WAF: XSS vulnerability in the Node Invite module before 6.x-2.5 for Drupal (CVE-2015-3372)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_POST:node_invites_enabled "@ge 1" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231500 - Quizzler module XSS (CVE-2015-3376).
# Denies with 403 and logs when TX:drupal equals 1, the POST body carries a
# quizzler_qid field, the query-string q or request filename matches node/add
# or node/N/edit, and the POSTed title, a quizzler_multi_option_D_D_value field
# or a quizzler_multi_D_question field contains "<" after URL decoding and
# HTML entity decoding. The two field regexes use a single \d per index, so
# they match on one-digit indices at those positions.
SecRule TX:drupal "@eq 1" \
	"id:231500,chain,msg:'COMODO WAF: XSS vulnerability in the Quizzler module before 7-x.1.16 for Drupal (CVE-2015-3376)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_POST:quizzler_qid "@ge 1" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:title|ARGS_POST:/^quizzler_multi_option_\d_\d_value/|ARGS_POST:/^quizzler_multi_\d_question/ "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231520 - Classified Ads and Term Merge module XSS
# (CVE-2015-3368, CVE-2015-3360).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id equals
# "taxonomy_form_term", and the POSTed name contains "<" after URL decoding
# and HTML entity decoding. No path condition is part of this chain.
# NOTE(review): the msg text carries the literal entity "&amp;", which will be
# written as-is to the log - confirm whether a plain "&" was intended.
SecRule TX:drupal "@eq 1" \
	"id:231520,chain,msg:'COMODO WAF: XSS vulnerability in the Classified Ads module before 6.x-3.1 and 7.x-3.x before 7.x-3.1 and Term Merge module before 7.x-1.2 for Drupal (CVE-2015-3368 &amp; CVE-2015-3360)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq taxonomy_form_term" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:name "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231530 - Content Analysis module XSS (CVE-2015-3364).
# Denies with 403 and logs when TX:drupal equals 1, the query-string q or
# request filename contains "contentanalysis/analyze_js", and any POST field
# whose name starts with "ao_contentanalysis" contains "<" after URL decoding
# and HTML entity decoding.
SecRule TX:drupal "@eq 1" \
	"id:231530,chain,msg:'COMODO WAF: XSS vulnerability in the Content Analysis module before 6.x-1.7 for Drupal (CVE-2015-3364)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains contentanalysis/analyze_js" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:/^ao_contentanalysis/ "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231540 - WikiWiki module XSS (CVE-2015-3346).
# Denies with 403 and logs when TX:drupal equals 1, the POSTed form_id matches
# "wikiwiki_add_form" or "wikiwiki_edit_form", and the POSTed title contains
# "<" after URL decoding and HTML entity decoding. No path condition is part
# of this chain.
SecRule TX:drupal "@eq 1" \
	"id:231540,chain,msg:'COMODO WAF: XSS vulnerability in the WikiWiki module before 6.x-1.2 for Drupal (CVE-2015-3346)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@pm wikiwiki_add_form wikiwiki_edit_form" \
	"chain,t:none"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231550 - Field Display Label module XSS (CVE-2015-3353).
# Denies with 403 and logs when TX:drupal equals 1, the query-string q or
# request filename contains "admin/structure/types/manage", and the POSTed
# instance[display_label] contains "<" after URL decoding and HTML entity
# decoding.
SecRule TX:drupal "@eq 1" \
	"id:231550,chain,msg:'COMODO WAF: XSS vulnerability in the Field Display Label module before 7.x-1.3 for Drupal (CVE-2015-3353)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/structure/types/manage" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:instance[display_label] "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

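# Rule 231560 - Zen theme XSS (CVE-2014-7980).
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/appearance/settings/zen", the POSTed var equals
# "theme_zen_settings", and the POSTed zen_jump_link_target or
# zen_jump_link_text contains a double quote (\x22) or "<".
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
SecRule TX:drupal "@eq 1" \
	"id:231560,chain,msg:'COMODO WAF: XSS vulnerability in the Zen theme 7.x-3.2 for Drupal (CVE-2014-7980)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /appearance/settings/zen" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:var "@streq theme_zen_settings" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:zen_jump_link_target|ARGS_POST:zen_jump_link_text "@rx \x22|<" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"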

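# Rule 231570 - theme settings check for "professional_theme".
# Denies with 403 and logs when TX:drupal equals 1, the q argument or request
# filename contains "/appearance/settings/professional_theme", the POSTed var
# equals "theme_professional_theme_settings", and the POSTed
# copyright_override contains "<".
# Transformations run in the order listed, so the path link decodes first and
# only then normalises and lowercases; decoding last would let characters that
# arrive percent-encoded skip normalisation and case folding.
# NOTE(review): this rule has no msg action, so its log entries carry neither a
# description nor the "||domain|mode|2" suffix the sibling rules emit - confirm
# whether that is deliberate and add a msg with the correct advisory reference.
SecRule TX:drupal "@eq 1" \
	"id:231570,chain,phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /appearance/settings/professional_theme" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:var "@streq theme_professional_theme_settings" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:copyright_override "@contains <" \
	"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"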

# Rule 231580 -- Wishlist module XSS (CVE-2015-3357, per the rule message).
# Chain: TX:drupal == 1, POST form_id (lower-cased) equals wishlist_node_form,
# and POST "log" contains "<" after URL- and HTML-entity decoding.
# Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:231580,chain,msg:'COMODO WAF: XSS vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal (CVE-2015-3357)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq wishlist_node_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:log "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231590 -- Course module XSS (CVE-2015-3344, per the rule message).
# Chain: TX:drupal == 1, at least one POST parameter course[outline] is
# present (& counts occurrences), POST form_id (lower-cased) ends with
# _node_form, and POST "title" contains "<" after URL- and HTML-entity
# decoding. Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:231590,chain,msg:'COMODO WAF: XSS vulnerability in the Course module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal (CVE-2015-3344)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_POST:course[outline] "@ge 1" \
	"chain,t:none"
SecRule ARGS_POST:form_id "@endsWith _node_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231600 -- NewsFlash theme XSS (CVE-2014-8077, per the rule message).
# Chain: TX:drupal == 1, REQUEST_URI (lower-cased) contains "appearance",
# POST var or form_id matches theme_newsflash_settings or
# system_theme_settings, and POST newsflash_customfont contains "<" after
# URL- and HTML-entity decoding. Full match: deny with 403 and log.
# NOTE(review): the URI check applies t:lowercase only (no t:urlDecodeUni or
# t:normalizePath), unlike the path checks in neighbouring rules, and it
# matches the bare word anywhere in the URI including the query string.
SecRule TX:drupal "@eq 1" \
	"id:231600,chain,msg:'COMODO WAF: XSS vulnerability in NewsFlash theme of Drupal-CMS (CVE-2014-8077)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_URI "@contains appearance" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:var|ARGS_POST:form_id "@pm theme_newsflash_settings system_theme_settings" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:newsflash_customfont "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231620 -- GD Infinite Scroll module XSS (CVE-2015-1567, per the rule
# message).
# Chain: TX:drupal == 1, POST form_id (lower-cased) equals
# gd_infinite_scroll_form, the path (GET "q" or REQUEST_FILENAME, URL-decoded,
# path-normalised, lower-cased) contains
# admin/config/user-interface/gd-infinite-scroll, and POST "url" contains "<"
# after URL- and HTML-entity decoding. Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:231620,chain,msg:'COMODO WAF: XSS vulnerability in the GD Infinite Scroll module before 7.x-1.4 for Drupal (CVE-2015-1567)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq gd_infinite_scroll_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/user-interface/gd-infinite-scroll" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:url "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231630 -- Webform prepopulate block module XSS (CVE-2015-1621, per the
# rule message).
# Chain: TX:drupal == 1, POST form_id (lower-cased) equals webform_node_form,
# and POST "title" contains "<" after URL- and HTML-entity decoding.
# Full match: deny with 403 and log.
# Rule 231920 later in this file tests the same form_id and title over ARGS
# (GET and POST); for POST requests this rule is evaluated first.
SecRule TX:drupal "@eq 1" \
	"id:231630,chain,msg:'COMODO WAF: XSS vulnerability in the Webform prepopulate block module before 7.x-3.1 for Drupal (CVE-2015-1621)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq webform_node_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

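# Rule 231650 -- Easy Social module XSS (CVE-2014-8319, per the rule message).
# Chain: TX:drupal == 1, POST form_id (lower-cased) contains easy_social, and
# any POST parameter whose name matches easy_social_block_<digits>_title
# contains "<" after URL- and HTML-entity decoding.
# Full match: deny with 403 and log.
# The parameter-name pattern uses \d+ so that block numbers with more than one
# digit are inspected as well; a single-digit class left those titles
# unchecked. Presumably block numbers can exceed 9 -- confirm against the
# module's settings form.
SecRule TX:drupal "@eq 1" \
	"id:231650,chain,msg:'COMODO WAF: XSS vulnerability in the Easy Social module before 7.x-2.11 for Drupal (CVE-2014-8319)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@contains easy_social" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:/easy_social_block_\d+_title/ "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"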

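# Rule 231660 -- Webform module XSS (CVE-2013-2129, per the rule message).
# Chain: TX:drupal == 1, POST form_id (lower-cased) contains
# webform_component, and POST add[name] or any "name" argument (GET or POST)
# contains "<" after URL- and HTML-entity decoding.
# Full match: deny with 403 and log.
# The transformation name is spelled t:htmlEntityDecode, as in every other
# rule of this file, instead of the lower-case variant used before.
SecRule TX:drupal "@eq 1" \
	"id:231660,chain,msg:'COMODO WAF: XSS vulnerability in the Webform module before 6.x-3.19 for Drupal (CVE-2013-2129)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@contains webform_component" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:add[name]|ARGS:name "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"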

# Rule 231680 -- Webform Validation module XSS (CVE-2014-8317, per the rule
# message).
# Chain: TX:drupal == 1, ARGS:q or REQUEST_URI (lower-cased) contains either
# phrase "webform" or "components" (@pm matches any one of its
# space-separated phrases), POST form_id is one of the two webform component
# forms, and POST "name" or add[name] contains "<" after URL- and HTML-entity
# decoding. Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:231680,chain,msg:'COMODO WAF: XSS vulnerability in the Webform Validation module 7.x-1.3 for Drupal (CVE-2014-8317)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_URI "@pm webform components" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:form_id "@pm webform_components_form webform_component_edit_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:name|ARGS_POST:add[name] "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 242880 -- Godwins Law module XSS (CVE-2014-9499, per the rule message).
# Chain: TX:drupal == 1, form_id (GET or POST, lower-cased) equals
# godwins_law_admin_settings, and either message setting contains "<" after
# HTML-entity decoding followed by URL-decoding.
# Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:242880,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Godwins Law module before 7.x-1.1 for Drupal (CVE-2014-9499)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq godwins_law_admin_settings" \
	"chain,t:none,t:lowercase"
SecRule ARGS:godwins_law_message|ARGS:godwins_law_message_noaction "@contains <" \
	"t:none,t:htmlEntityDecode,t:urlDecodeUni"

# Rule 231910 -- Taxonomy Tools module XSS (CVE-2015-3387, per the rule
# message).
# Chain: TX:drupal == 1, form_id (GET or POST, lower-cased) equals
# taxonomy_form_term, and "name" contains "<" after HTML-entity decoding
# followed by URL-decoding. Full match: deny with 403 and log.
# NOTE(review): the match keys on the form_id alone, so it applies to every
# submission of that form whether or not the named module is installed.
SecRule TX:drupal "@eq 1" \
	"id:231910,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Taxonomy Tools module before 7.x-1.4 for Drupal (CVE-2015-3387)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq taxonomy_form_term" \
	"chain,t:none,t:lowercase"
SecRule ARGS:name "@contains <" \
	"t:none,t:htmlEntityDecode,t:urlDecodeUni"

# Rule 231920 -- Webform Invitation module XSS (CVE-2014-9498, per the rule
# message).
# Chain: TX:drupal == 1, form_id (GET or POST, lower-cased) equals
# webform_node_form, and "title" contains "<" after HTML-entity decoding
# followed by URL-decoding. Full match: deny with 403 and log.
# Rule 231630 earlier in this file tests the same form_id and title on POST
# parameters only, so POST hits are normally reported under that id.
SecRule TX:drupal "@eq 1" \
	"id:231920,chain,msg:'COMODO WAF: XSS vulnerability in the Webform Invitation module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.4 for Drupal (CVE-2014-9498)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq webform_node_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS:title "@contains <" \
	"t:none,t:htmlEntityDecode,t:urlDecodeUni"

# Rule 231930 -- Panopoly Magic module XSS (CVE-2015-2086, per the rule
# message).
# Chain: TX:drupal == 1, POST form_id (lower-cased) equals
# panels_flexible_config_item_form, and POST "title" contains "<" after URL-
# and HTML-entity decoding. Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:231930,chain,msg:'COMODO WAF: XSS vulnerability in the Panopoly Magic module before 7.x-1.17 for Drupal (CVE-2015-2086)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq panels_flexible_config_item_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231940 -- Rules Link module XSS (CVE-2014-9740, per the rule message).
# Chain: TX:drupal == 1, POST form_id (lower-cased) equals rules_link_form,
# and POST "question" or "description" contains "<" after URL- and
# HTML-entity decoding. Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:231940,chain,msg:'COMODO WAF: XSS vulnerability in the Rules Link module 7.x-1.x before 7.x-1.1 for Drupal (CVE-2014-9740)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq rules_link_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:question|ARGS_POST:description "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231950 -- Meta tags quick module XSS (CVE-2014-9362, per the rule
# message).
# Chain: TX:drupal == 1, POST form_id (lower-cased) equals
# metatags_quick_admin_path_based_edit, and POST "path" contains "<" after
# URL- and HTML-entity decoding. Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:231950,chain,msg:'COMODO WAF: XSS vulnerability in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal (CVE-2014-9362)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq metatags_quick_admin_path_based_edit" \
	"chain,t:none,t:lowercase"
SecRule ARGS_POST:path "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 243140 -- Boxes module XSS (CVE-2013-0259, per the rule message).
# Chain: TX:drupal == 1, form_id (GET or POST, lower-cased) equals
# boxes_box_form, "op" (lower-cased) equals save, and "title" contains "<"
# after HTML-entity decoding followed by URL-decoding.
# Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:243140,chain,msg:'COMODO WAF: XSS vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal (CVE-2013-0259)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq boxes_box_form" \
	"chain,t:none,t:lowercase"
SecRule ARGS:op "@streq save" \
	"chain,t:none,t:lowercase"
SecRule ARGS:title "@contains <" \
	"t:none,t:htmlEntityDecode,t:urlDecodeUni"

# Rule 231960 -- Anonymous Posting module XSS (CVE-2014-1611, per the rule
# message).
# Chain: TX:drupal == 1, any POST parameter whose name starts with
# field_anonymous_author contains "<" after URL- and HTML-entity decoding,
# and the path (GET "q" or REQUEST_FILENAME, URL-decoded and path-normalised)
# matches node/add or node/<digits>/edit. Full match: deny with 403 and log.
# NOTE(review): the path regex is applied without t:lowercase, unlike the
# other path checks in this file -- confirm that is intended.
SecRule TX:drupal "@eq 1" \
	"id:231960,chain,msg:'COMODO WAF: XSS vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal (CVE-2014-1611)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:/^field_anonymous_author/ "@contains <" \
	"chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
	"t:none,t:urlDecodeUni,t:normalizePath"

# Rule 231970 -- Marketo MA module XSS (CVE-2014-8379, per the rule message).
# Chain: TX:drupal == 1, POST form_id matches one of four webform / field_ui
# form ids (@pm is case-insensitive), and one of the listed POST name/label
# parameters contains "<" after URL- and HTML-entity decoding.
# Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:231970,chain,msg:'COMODO WAF: XSS vulnerability in the Marketo MA module before 7.x-1.5 for Drupal (CVE-2014-8379)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@pm webform_component_edit_form field_ui_field_edit_form webform_components_form field_ui_field_overview_form" \
	"chain,t:none"
SecRule ARGS_POST:name|ARGS_POST:instance[label]|ARGS_POST:add[name]|ARGS_POST:fields[_add_new_field][label] "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 231980 -- User Ubercart Discount Coupons module XSS (CVE-2015-4358,
# per the rule message).
# Chain: TX:drupal == 1, form_id (GET or POST, lower-cased) matches
# taxonomy_form_vocabulary, user_admin_role or user_admin_new_role, and
# "name" contains "<" after HTML-entity decoding followed by URL-decoding.
# Full match: deny with 403 and log.
# Rule 232770 below also inspects "name" for form_id user_admin_role, so a
# request of that shape is reported under this id first.
SecRule TX:drupal "@eq 1" \
	"id:231980,chain,msg:'COMODO WAF: XSS vulnerability in the User Ubercart Discount Coupons module 6.x-1.x before 6.x-1.8 for Drupal (CVE-2015-4358)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@pm taxonomy_form_vocabulary user_admin_role user_admin_new_role" \
	"chain,t:none,t:lowercase"
SecRule ARGS:name "@contains <" \
	"t:none,t:htmlEntityDecode,t:urlDecodeUni"

# Rule 232770 -- Maestro module XSS (CVE-2014-8743, per the rule message).
# Chain: TX:drupal == 1, form_id (GET or POST, URL-decoded) matches
# content1_node_form, user_admin_roles or user_admin_role (@pm is
# case-insensitive), and "name" or "title" contains "<" after URL- and
# HTML-entity decoding. Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:232770,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.4 for Drupal (CVE-2014-8743)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@pm content1_node_form user_admin_roles user_admin_role" \
	"chain,t:none,t:urlDecodeUni"
SecRule ARGS:name|ARGS:title "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rule 232780 -- Poll Chart Block module XSS (CVE-2014-9501, per the rule
# message).
# Chain: TX:drupal == 1, form_id (GET or POST, URL-decoded and lower-cased)
# equals poll_node_form, and "title" contains "<" after URL-decoding.
# Full match: deny with 403 and log.
# Unlike most sibling rules, the title check applies no t:htmlEntityDecode.
SecRule TX:drupal "@eq 1" \
	"id:232780,chain,msg:'COMODO WAF: XSS vulnerability in the Poll Chart Block module 7.x-1.x before 7.x-1.2 for Drupal (CVE-2014-9501)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq poll_node_form" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:title "@contains <" \
	"t:none,t:urlDecodeUni"

# Rule 232790 -- User Relationships module XSS (CVE-2013-0225, per the rule
# message).
# Chain: TX:drupal == 1, form_id (GET or POST, lower-cased) contains
# user_relationships_admin_type_edit, and "name" contains "<" after
# HTML-entity decoding followed by URL-decoding.
# Full match: deny with 403 and log.
SecRule TX:drupal "@eq 1" \
	"id:232790,chain,msg:'COMODO WAF: XSS vulnerability in the User Relationships module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-alpha5 for Drupal (CVE-2013-0225)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@contains user_relationships_admin_type_edit" \
	"chain,t:none,t:lowercase"
SecRule ARGS:name "@contains <" \
	"t:none,t:htmlEntityDecode,t:urlDecodeUni"

# Rule 232800 -- Linear Case module XSS (CVE-2015-4380, per the rule message).
# Chain: TX:drupal == 1, form_id (GET or POST, URL-decoded and lower-cased)
# contains book_node_form, and "title" contains "<" after URL-decoding.
# Full match: deny with 403 and log.
# Unlike most sibling rules, the title check applies no t:htmlEntityDecode.
SecRule TX:drupal "@eq 1" \
	"id:232800,chain,msg:'COMODO WAF: XSS vulnerability in the Linear Case module 6.x-1.x before 6.x-1.3 for Drupal (CVE-2015-4380)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@contains book_node_form" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:title "@contains <" \
	"t:none,t:urlDecodeUni"

# Rules 231300-231302 -- Petition module XSS (CVE-2015-4377, per the rule
# messages).
# 231300 is a gate: when TX:drupal is set but not equal to 1 it skips the next
# two rules (231301 and 231302). skip:2 counts rules, a chain counting as one,
# so the number must be updated if a rule is added to or removed from this
# group.
SecRule TX:drupal "!@eq 1" \
	"id:231300,phase:2,pass,nolog,t:none,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231301: POST form_id (lower-cased) equals petition_node_form and one of the
# listed POST fields contains "<" after URL- and HTML-entity decoding.
# Full match: deny with 403 and log.
SecRule ARGS_POST:form_id "@streq petition_node_form" \
	"id:231301,chain,msg:'COMODO WAF: XSS vulnerability in the Petition module 6.x-1.x before 6.x-1.3 for Drupal (CVE-2015-4377)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:title|ARGS_POST:menu[link_title]|ARGS_POST:body|ARGS_POST:appeal|ARGS_POST:thank_you_page "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# 231302: POST form_id (lower-cased) equals petition_signup_form_data and
# POST "comment" contains "<" after URL- and HTML-entity decoding.
# Full match: deny with 403 and log.
SecRule ARGS_POST:form_id "@streq petition_signup_form_data" \
	"id:231302,chain,msg:'COMODO WAF: XSS vulnerability in the Petition module 6.x-1.x before 6.x-1.3 for Drupal (CVE-2015-4377)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:comment "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Landing point for skipAfter:'Drupal_Skip_URF_231000', which rule 233030 at
# the top of this file uses when TX:drupal is not set.
SecMarker Drupal_Skip_URF_231000
# Rule 231890 -- Spider Contacts module XSS (CVE-2015-4348, per the rule
# message).
# Chain: POST form_id (lower-cased) equals spider_contacts_category_edit and
# POST category_name or category_description contains "<" after URL- and
# HTML-entity decoding. Full match: deny with 403 and log.
# This rule sits after the marker and has no TX:drupal condition, so it is
# also evaluated for requests where TX:drupal is not set.
SecRule ARGS_POST:form_id "@streq spider_contacts_category_edit" \
	"id:231890,chain,msg:'COMODO WAF: XSS vulnerability in the Spider Contacts module for Drupal (CVE-2015-4348)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:category_name|ARGS_POST:category_description "@contains <" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Landing point for skipAfter:'IGNORE_SFS_SIG_XSS_SQLi_Drupal', which rule
# 232390 at the top of this file uses when TX:XSS_SQLi is not set; every rule
# between that rule and this marker is bypassed for such requests.
SecMarker IGNORE_SFS_SIG_XSS_SQLi_Drupal
# Rule 233040: when TX:drupal is not set at all (variable count is 0), jump
# to the marker Drupal_Skip_URF_221270. That marker is not within this
# section; it must exist later in the rule set for the jump to have a target.
SecRule &TX:drupal "@eq 0" \
	"id:233040,msg:'COMODO WAF: Track unauthenticated request in Drupal||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'Drupal_Skip_URF_221270',rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

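# Rule 221270 -- MediaFront module XSS (CVE-2013-4380, per the rule message).
# Chain: TX:drupal == 1, REQUEST_URI (URL-decoded, lower-cased) contains
# mediafront/preset/admin, and the POST player height or width contains any
# non-digit character (@rx \D, no transformations). Full match: deny and log.
# status:403 is stated explicitly, as in every other deny rule of this file,
# so the response code does not depend on the inherited default action.
# The check accepts plain digit strings only; values carrying a unit or a
# percent sign are blocked as well.
SecRule TX:drupal "@eq 1" \
	"id:221270,chain,msg:'COMODO WAF: XSS vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal (CVE-2013-4380)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_URI "@contains mediafront/preset/admin" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:player_settings[presentation][height]|ARGS_POST:player_settings[presentation][width] "@rx \D" \
	"t:none"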

# Rule 221280 -- Flag module remote code execution (CVE-2014-3453, per the
# rule message).
# Chain: TX:drupal == 1, POST form_id (URL-decoded, lower-cased) equals
# flag_import_form, the path (ARGS:q or REQUEST_FILENAME) contains
# flags/import, and the POST "import" field matches the regex below.
# Full match: deny with 403 and log.
# The regex looks for an identifier (optionally prefixed by "$") followed by
# "[" or "(" and up to 399 further characters, while excluding positions that
# start with "array" or "flags[". The input is lower-cased first, so the A-Z
# ranges in the character classes cannot match anything extra.
# NOTE(review): t:normalisePath is the British spelling of t:normalizePath
# used elsewhere in this file; confirm the deployed engine accepts both.
SecRule TX:drupal "@eq 1" \
	"id:221280,chain,msg:'COMODO WAF: RCE vulnerability in the Flag module 7.x-3.0, 7.x-3.5 and earlier for Drupal (CVE-2014-3453)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq flag_import_form" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:q|REQUEST_FILENAME "@contains flags/import" \
	"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:import "@rx \b(?:(?!array)(?!flags\[))(\$)*([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\s*(\[.{0,399}|\(.{0,399}))" \
	"t:none,t:urlDecodeUni,t:lowercase"

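# Rule 231130 -- Content Construction Kit open redirect (CVE-2015-5510, per
# the rule message).
# Chain: TX:drupal is set, the path (ARGS:q or REQUEST_FILENAME) contains
# /content/node-type/, and any argument whose name starts with
# destinations[<digits>] contains "//" after URL-decoding.
# Full match: deny with 403 and log.
# NOTE(review): the gate counts the variable (&TX:drupal >= 1) instead of
# testing TX:drupal == 1 as the surrounding rules do, so it passes for any
# value of TX:drupal -- confirm that is intended.
# The path transformations run urlDecodeUni -> normalizePath -> lowercase, the
# order the other path checks in this file use, so percent-encoded input is
# decoded before it is normalised and case-folded for the comparison.
SecRule &TX:drupal "@ge 1" \
	"id:231130,chain,msg:'COMODO WAF: Open redirect vulnerability in the Content Construction Kit 6.x-2.9 for Drupal  (CVE-2015-5510)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /content/node-type/" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:/^destinations\[\d+\]/ "@contains //" \
	"t:none,t:urlDecodeUni"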

# Rules 231260-231268 -- Invoice module CSRF mitigation (CVE-2015-4382, per
# the rule messages).
# Approach: a GET to a related page stores a flag in the SESSION collection
# for 300 seconds; state-changing requests that arrive without the flag are
# denied. The flag only shows that the same session recently requested a
# related page; it is not bound to a form token, so this is a mitigation and
# does not replace upgrading the module.
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flags are never stored and every
# "!@eq 1" check below succeeds -- TODO confirm.
# All skip:N values count rules (a chain counts as one) and depend on the
# exact order of this group.
#
# 231260: when TX:drupal is set but not 1, skip the next 8 rules
# (231261-231268).
SecRule TX:drupal "!@eq 1" \
	"id:231260,phase:2,pass,nolog,skip:8,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"

# 231261: GET to one of the listed invoice paths sets SESSION.dp_invoice=1
# (expires after 300 s) and skips the next 3 rules (231262-231264).
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm admin/config/system/invoice node/add/invoice invoice/save/item invoice/edit/item" \
	"id:231261,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,skip:3,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_invoice=1',expirevar:'SESSION.dp_invoice=300',t:none,t:lowercase"

# 231262: deny a POST of an invoice settings/node form to the listed paths
# when SESSION:dp_invoice is not present exactly once.
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm admin/config/system/invoice node/add/invoice invoice/save/item" \
	"id:231262,chain,msg:'COMODO WAF: CSRF vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-4382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@pm invoice_settings_form invoice_node_form" \
	"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
	"chain,t:none,t:lowercase"
SecRule &SESSION:dp_invoice "!@eq 1" \
	"t:none"

# 231263: deny a POST carrying a "token" parameter to the listed paths when
# SESSION:dp_invoice is not present.
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm admin/config/system/invoice node/add/invoice invoice/save/item" \
	"id:231263,chain,msg:'COMODO WAF: CSRF vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-4382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_POST:token "@ge 1" \
	"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
	"chain,t:none,t:lowercase"
SecRule &SESSION:dp_invoice "!@eq 1" \
	"t:none"

# 231264: deny a GET to invoice/delete/item that carries invoice_number when
# SESSION:dp_invoice is not present.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains invoice/delete/item" \
	"id:231264,chain,msg:'COMODO WAF: CSRF vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-4382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_GET:invoice_number "@ge 1" \
	"chain,t:none"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule &SESSION:dp_invoice "!@eq 1" \
	"t:none"

# 231265: GET to node/<digits>/delete, invoice/delete/item or
# node/<digits>/edit sets SESSION.dp_invoice_dl_et=1 (expires after 300 s)
# and skips the next 3 rules (231266-231268).
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+\/delete&?|invoice\/delete\/item|node\/\d+\/edit" \
	"id:231265,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:3,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_invoice_dl_et=1',expirevar:'SESSION.dp_invoice_dl_et=300',t:none,t:lowercase"

# 231266: deny a POST of node_delete_confirm to invoice/delete/item when
# SESSION:dp_invoice_dl_et is not present.
SecRule ARGS_POST:form_id "@streq node_delete_confirm" \
	"id:231266,chain,msg:'COMODO WAF: CSRF vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-4382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains invoice/delete/item" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
	"chain,t:none,t:lowercase"
SecRule &SESSION:dp_invoice_dl_et "!@eq 1" \
	"t:none"

# 231267: deny a POST of an invoice settings/node form to node/<digits>/edit
# when SESSION:dp_invoice_dl_et is not present.
SecRule ARGS_POST:form_id "@pm invoice_settings_form invoice_node_form" \
	"id:231267,chain,msg:'COMODO WAF: CSRF vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-4382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+\/edit" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
	"chain,t:none,t:lowercase"
SecRule &SESSION:dp_invoice_dl_et "!@eq 1" \
	"t:none"

# 231268: deny a POST carrying "token" to the listed paths when
# SESSION:dp_invoice_dl_et is not present.
# NOTE(review): this is the request shape rule 231263 already checks against
# SESSION:dp_invoice, so such a POST appears to need both flags; a user who
# only opened node/add/invoice would hold dp_invoice alone -- confirm this is
# intended and not a source of false positives.
SecRule &SESSION:dp_invoice_dl_et "!@eq 1" \
	"id:231268,chain,msg:'COMODO WAF: CSRF vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-4382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm admin/config/system/invoice node/add/invoice invoice/save/item" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule &ARGS_POST:token "@ge 1" \
	"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
	"t:none,t:lowercase"

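# Rule 231460 -- Node basket module open redirect (CVE-2015-3383, per the
# rule message).
# Chain: TX:drupal == 1, the path (GET "q" or REQUEST_FILENAME, URL-decoded,
# path-normalised, lower-cased) matches node/<digits>/pick-up or
# node/<digits>/throw-out, and the GET "destination" value is NOT of the
# allowed form. Full match: deny with 403 and log.
# The allowed form is anchored at both ends: the whole value must be
# node/<digits>, optionally with one leading slash. With only the end
# anchored, any value that merely ended in node/<digits> was accepted, which
# defeats the purpose of an allow-list for redirect targets.
# Assumes legitimate destinations are site-relative Drupal paths -- TODO
# confirm against the links the module generates.
SecRule TX:drupal "@eq 1" \
	"id:231460,chain,msg:'COMODO WAF: Open redirect vulnerability in the Node basket module for Drupal (CVE-2015-3383)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+\/(?:pick-up|throw-out)" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:destination "!@rx ^\/?node\/\d+$" \
	"t:none,t:urlDecodeUni,t:lowercase"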

# Rules 231470-231472 -- Node basket module CSRF mitigation (CVE-2015-3382,
# per the rule message).
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flag is never stored and the
# "!@eq 1" check always succeeds -- TODO confirm.
#
# 231470: when TX:drupal is set but not 1, skip the next 2 rules
# (231471 and 231472).
SecRule TX:drupal "!@eq 1" \
	"id:231470,phase:2,pass,nolog,t:none,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231471: GET to a path ending in node/<digits> sets SESSION.dp_node=1
# (expires after 300 s) and skips rule 231472. Rule 231610 (Wishlist CSRF)
# later in this file reads the same flag.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+$" \
	"id:231471,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_node=1',expirevar:'SESSION.dp_node=300',t:none,t:lowercase"

# 231472: deny a request to node/<digits>/pick-up or /throw-out that carries
# a GET "destination" parameter when SESSION:dp_node is not present, i.e. the
# session did not view a node page in the last 300 s.
SecRule &ARGS_GET:destination "@ge 1" \
	"id:231472,chain,msg:'COMODO WAF: CSRF vulnerability in the Node basket module for Drupal (CVE-2015-3382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+\/(?:pick-up|throw-out)" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:dp_node "!@eq 1" \
	"t:none"

# Rule 210430 -- Node Invite module open redirect (CVE-2015-3371, per the
# rule message).
# Chain: TX:drupal == 1, the path (GET "q" or REQUEST_FILENAME, URL-decoded,
# path-normalised, lower-cased) matches node_invite/revoke|resend|rsvp
# followed by a digit, and the GET "destination" value does NOT contain one
# of the two allowed phrases. Full match: deny with 403 and log.
# NOTE(review): @pm is a substring match, so the allow-list is not anchored;
# a destination that merely contains one of the phrases is accepted. The
# second phrase also hard-codes node id 4, which looks site-specific.
# Consider an anchored @rx allow-list -- confirm the legitimate destinations
# first.
# NOTE(review): rule 231700 (Perfecto module) in this file cites the same CVE
# id; one of the two references is presumably wrong.
SecRule TX:drupal "@eq 1" \
	"id:210430,chain,msg:'COMODO WAF: Open redirect vulnerability in the Node Invite module before 6.x-2.5 for Drupal (CVE-2015-3371)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node_invite\/(?:revoke|resend|rsvp)\/\d" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:destination "!@pm admin/settings/node_invite/manage node/4/manage_invites" \
	"t:none,t:urlDecodeUni,t:normalizePath"

# Rules 231510-231513 -- Node Invite module CSRF mitigation (CVE-2015-3370,
# per the rule messages).
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flag is never stored and the
# "!@eq 1" checks always succeed -- TODO confirm.
#
# 231510: when TX:drupal is set but not 1, skip the next 3 rules
# (231511-231513).
SecRule TX:drupal "!@eq 1" \
	"id:231510,phase:2,pass,nolog,t:none,skip:3,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231511: GET to one of the listed Node Invite paths sets
# SESSION.dp_node_invite=1 (expires after 300 s) and skips the next 2 rules
# (231512 and 231513). @pm is case-insensitive, so no t:lowercase is needed.
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm node_invite/invite admin/settings/node_invite admin/settings/node_invite/notifications node_invite/revoke node_invite/rsvp admin/settings/node_invite/manage manage_invites" \
	"id:231511,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_node_invite=1',expirevar:'SESSION.dp_node_invite=300',t:none,t:lowercase"

# 231512: deny a POST of one of the listed Node Invite forms to one of the
# listed paths when SESSION:dp_node_invite is not present.
SecRule ARGS_POST:form_id "@pm node_invite_send node_invite_admin_settings_form node_invite_notifications_form node_invite_revoke node_invite_rsvp" \
	"id:231512,chain,msg:'COMODO WAF: CSRF vulnerability in the Node Invite module before 6.x-2.5 for Drupal (CVE-2015-3370)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm node_invite/invite admin/settings/node_invite admin/settings/node_invite/notifications node_invite/revoke node_invite/rsvp" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule REQUEST_METHOD "@streq post" \
	"chain,t:none,t:lowercase"
SecRule &SESSION:dp_node_invite "!@eq 1" \
	"t:none"

# 231513: deny any request to node_invite/reinstate or node_invite/resend
# that carries a GET "destination" parameter when SESSION:dp_node_invite is
# not present. No request-method condition is applied here.
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm node_invite/reinstate node_invite/resend" \
	"id:231513,chain,msg:'COMODO WAF: CSRF vulnerability in the Node Invite module before 6.x-2.5 for Drupal (CVE-2015-3370)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_GET:destination "@ge 1" \
	"chain,t:none"
SecRule &SESSION:dp_node_invite "!@eq 1" \
	"t:none"

# Rule 231610 -- Wishlist module CSRF mitigation (CVE-2015-3354, per the rule
# message).
# Chain: TX:drupal == 1, the path (GET "q" or REQUEST_FILENAME, URL-decoded,
# path-normalised, lower-cased) matches wishlist/item/<digits>/return, the
# method is GET, and SESSION:dp_node is not present.
# Full match: deny with 403 and log.
# SESSION.dp_node is the flag rule 231471 sets on a GET to node/<digits>;
# this rule therefore depends on that rule staying enabled and on the SESSION
# collection being initialised elsewhere -- TODO confirm.
SecRule TX:drupal "@eq 1" \
	"id:231610,chain,msg:'COMODO WAF: CSRF vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal (CVE-2015-3354)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx wishlist\/item\/\d+\/return" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule &SESSION:dp_node "!@eq 1" \
	"t:none"

# Rules 231640-231644 -- GD Infinite Scroll module CSRF mitigation
# (CVE-2015-1568, per the rule messages).
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flags are never stored and the
# "!@eq 1" checks always succeed -- TODO confirm.
#
# 231640: when TX:drupal is set but not 1, skip the next 4 rules
# (231641-231644).
SecRule TX:drupal "!@eq 1" \
	"id:231640,phase:2,pass,nolog,skip:4,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231641: GET to any path containing the module's admin path sets
# SESSION.dp_gd_infinite=1 (expires after 300 s) and skips rule 231642.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/user-interface/gd-infinite-scroll" \
	"id:231641,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_gd_infinite=1',expirevar:'SESSION.dp_gd_infinite=300',t:none,t:lowercase"

# 231642: deny a submission of gd_infinite_scroll_form to the admin path when
# SESSION:dp_gd_infinite is not present.
SecRule ARGS_POST:form_id "@streq gd_infinite_scroll_form" \
	"id:231642,chain,msg:'COMODO WAF: CSRF vulnerability in the GD Infinite Scroll module before 7.x-1.4 for Drupal (CVE-2015-1568)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/user-interface/gd-infinite-scroll" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:dp_gd_infinite "!@eq 1" \
	"t:none"

# 231643: GET to a path that ends with the admin path (the overview page, not
# a sub-path) sets SESSION.dp_gd_infinite_del=1 (expires after 300 s) and
# skips rule 231644.
SecRule ARGS_GET:q|REQUEST_FILENAME "@endsWith admin/config/user-interface/gd-infinite-scroll" \
	"id:231643,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_gd_infinite_del=1',expirevar:'SESSION.dp_gd_infinite_del=300',t:none,t:lowercase"

# 231644: deny a GET to the .../delete path when SESSION:dp_gd_infinite_del
# is not present, i.e. the overview page was not requested by this session in
# the last 300 s.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/user-interface/gd-infinite-scroll/delete" \
	"id:231644,chain,msg:'COMODO WAF: CSRF vulnerability in the GD Infinite Scroll module before 7.x-1.4 for Drupal (CVE-2015-1568)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule &SESSION:dp_gd_infinite_del "!@eq 1" \
	"t:none"

# Rule 231670 -- Avatar Uploader module directory traversal (CVE-2014-9155,
# per the rule message).
# Chain: TX:drupal == 1, REQUEST_URI or ARGS:q (lower-cased) contains au/view,
# and the GET "file" parameter contains ".." after URL- and HTML-entity
# decoding. Full match: deny with 403 and log.
# NOTE(review): the path check applies t:lowercase only (no t:urlDecodeUni or
# t:normalizePath), unlike most path checks in this file.
SecRule TX:drupal "@eq 1" \
	"id:231670,chain,msg:'COMODO WAF: Directory traversal vulnerability in the Avatar Uploader module before 7.x-1.0-beta6 for Drupal (CVE-2014-9155)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_URI|ARGS:q "@contains au/view" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:file "@contains .." \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode"

# Rules 231690-231692 -- Webform Multiple File Upload module CSRF mitigation
# (CVE-2015-4379, per the rule message).
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flag is never stored and the
# "!@eq 1" check always succeeds -- TODO confirm.
#
# 231690: when TX:drupal is set but not 1, skip the next 2 rules
# (231691 and 231692).
SecRule TX:drupal "!@eq 1" \
	"id:231690,phase:2,pass,nolog,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231691: GET to node/<digits>/submission/<digits>/delete (or
# multifile_delete) sets SESSION.dp_webform_mul=1 (expires after 300 s) and
# skips rule 231692.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+\/submission\/\d+\/(multifile_)?delete" \
	"id:231691,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_webform_mul=1',expirevar:'SESSION.dp_webform_mul=300',t:none,t:lowercase"

# 231692: deny a submission of either delete form to the same path when
# SESSION:dp_webform_mul is not present, i.e. the confirmation page was not
# requested by this session in the last 300 s.
SecRule ARGS_POST:form_id "@pm webform_multifile_delete_form webform_submission_delete_form" \
	"id:231692,chain,msg:'COMODO WAF: CSRF vulnerability in the Webform Multiple File Upload module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 (CVE-2015-4379)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+\/submission\/\d+\/(multifile_)?delete" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:dp_webform_mul "!@eq 1" \
	"t:none"

# Rule 231700 -- Perfecto module open redirect.
# Chain: TX:drupal == 1, the path (GET "q" or REQUEST_FILENAME, URL-decoded,
# path-normalised, lower-cased) contains admin/settings/perfecto/delete, and
# the GET "destination" value, after the same transformations, is not exactly
# admin/settings/perfecto. Full match: deny with 403 and log.
# @streq compares the whole value, so this allow-list is fully anchored.
# NOTE(review): the message cites CVE-2015-3371, the id rule 210430 (Node
# Invite module) in this file also cites; one of the two references is
# presumably wrong.
SecRule TX:drupal "@eq 1" \
	"id:231700,chain,msg:'COMODO WAF: Open redirect vulnerability in the Perfecto module before 7.x-1.2 for Drupal (CVE-2015-3371)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/settings/perfecto/delete" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:destination "!@streq admin/settings/perfecto" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Rules 231710-231713 -- Keyword Research module CSRF mitigation
# (CVE-2015-4396, per the rule messages).
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flag is never stored and the
# "!@eq 1" checks always succeed -- TODO confirm.
#
# 231710: when TX:drupal is set but not 1, skip the next 3 rules
# (231711-231713).
SecRule TX:drupal "!@eq 1" \
	"id:231710,phase:2,pass,nolog,skip:3,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231711: GET to a path containing admin/content/kwresearch/keyword_list sets
# SESSION.dp_kwresearch=1 (expires after 300 s) and skips the next 2 rules
# (231712 and 231713).
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/content/kwresearch/keyword_list" \
	"id:231711,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_kwresearch=1',expirevar:'SESSION.dp_kwresearch=300',t:none,t:lowercase"

# 231712: deny a submission of kwresearch_site_keywords_edit_form to the
# keyword_list/edit path when SESSION:dp_kwresearch is not present.
SecRule ARGS_POST:form_id "@streq kwresearch_site_keywords_edit_form" \
	"id:231712,chain,msg:'COMODO WAF: CSRF vulnerability in the Keyword Research module 6.x-1.x before 6.x-1.2 for Drupal (CVE-2015-4396)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/content/kwresearch/keyword_list/edit" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:dp_kwresearch "!@eq 1" \
	"t:none"

# 231713: deny a request whose POST "form" equals admin_keyword_list, that
# carries kwresearch_keyword, and whose path names the toggle or delete
# JavaScript callback, when SESSION:dp_kwresearch is not present.
# The path check applies no decoding or normalisation (t:none only); @pm is
# case-insensitive.
SecRule ARGS_POST:form "@streq admin_keyword_list" \
	"id:231713,chain,msg:'COMODO WAF: CSRF vulnerability in the Keyword Research module 6.x-1.x before 6.x-1.2 for Drupal (CVE-2015-4396)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_POST:kwresearch_keyword "@ge 1" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm toggle_site_keyword_js delete_site_keyword_js" \
	"chain,t:none"
SecRule &SESSION:dp_kwresearch "!@eq 1" \
	"t:none"

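# Rules 231720-231722 -- XC NCIP Provider module CSRF mitigation
# (CVE-2015-5508, per the rule message).
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flag is never stored and the
# "!@eq 1" check always succeeds -- TODO confirm.
#
# 231720: when TX:drupal is set but not 1, skip the next 2 rules
# (231721 and 231722).
SecRule TX:drupal "!@eq 1" \
	"id:231720,phase:2,pass,nolog,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231721: GET to a path containing admin/xc/ncip/provider sets
# SESSION.dp_xc_ncip=1 (expires after 300 s) and skips rule 231722.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/xc/ncip/provider" \
	"id:231721,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_xc_ncip=1',expirevar:'SESSION.dp_xc_ncip=300',t:none,t:lowercase"

# 231722: deny a submission of the provider add/edit or delete form to
# provider/add or provider/<digits>/edit|delete when SESSION:dp_xc_ncip is
# not present.
# The id part of the path pattern is \d+ so that provider ids of any length
# are covered; a single \d matched ids 0-9 only and left requests for larger
# ids unchecked.
SecRule ARGS_POST:form_id "@pm xc_ncip_provider_form xc_ncip_provider_delete_form" \
	"id:231722,chain,msg:'COMODO WAF: CSRF vulnerability in the XC NCIP Provider module in the eXtensible Catalog (XC) Drupal Toolkit (CVE-2015-5508)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/xc\/ncip\/provider\/(?:add|\d+\/(?:edit|delete))" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:dp_xc_ncip "!@eq 1" \
	"t:none"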

# Rules 231730-231733 -- Tracking Code module CSRF mitigation (CVE-2015-4362,
# per the rule messages).
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flag is never stored and the
# "!@eq 1" checks always succeed -- TODO confirm.
#
# 231730: when TX:drupal is set but not 1, skip the next 3 rules
# (231731-231733).
SecRule TX:drupal "!@eq 1" \
	"id:231730,phase:2,pass,nolog,t:none,skip:3,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231731: GET to a path containing admin/structure/tracking_code sets
# SESSION.dp_tracking_code=1 (expires after 300 s) and skips the next 2 rules
# (231732 and 231733).
# NOTE(review): this path check has no t:lowercase while the two enforcement
# rules below lower-case the path before the same @contains test, so a
# mixed-case path would be enforced without ever setting the flag.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/structure/tracking_code" \
	"id:231731,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_tracking_code=1',expirevar:'SESSION.dp_tracking_code=300',t:none,t:lowercase"

# 231732: deny a submission of tracking_code_edit_form to the module's admin
# path when SESSION:dp_tracking_code is not present.
SecRule ARGS_POST:form_id "@streq tracking_code_edit_form" \
	"id:231732,chain,msg:'COMODO WAF: CSRF vulnerability in the Tracking Code module 7.x-1.x before 7.x-1.6 for Drupal (CVE-2015-4362)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/structure/tracking_code" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:dp_tracking_code "!@eq 1" \
	"t:none"

# 231733: deny a request whose POST ajax_html_ids[] equals
# tracking-code-overview-form, sent to the module's admin path, when
# SESSION:dp_tracking_code is not present.
SecRule ARGS_POST:ajax_html_ids[] "@streq tracking-code-overview-form" \
	"id:231733,chain,msg:'COMODO WAF: CSRF vulnerability in the Tracking Code module 7.x-1.x before 7.x-1.6 for Drupal (CVE-2015-4362)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/structure/tracking_code" \
	"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:dp_tracking_code "!@eq 1" \
	"t:none"

# Rules 231740-231743 -- Custom Sitemap module CSRF mitigation
# (CVE-2015-4353, per the rule messages).
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flag is never stored and the
# "!@eq 1" checks always succeed -- TODO confirm.
#
# 231740: when TX:drupal is set but not 1, skip the next 3 rules
# (231741-231743).
SecRule TX:drupal "!@eq 1" \
	"id:231740,phase:2,pass,nolog,t:none,skip:3,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231741: GET to a path ending with admin/config/search/custom-sitemap sets
# SESSION.dp_custom_sitemap=1 (expires after 300 s) and skips the next 2
# rules (231742 and 231743).
SecRule ARGS_GET:q|REQUEST_FILENAME "@endsWith admin/config/search/custom-sitemap" \
	"id:231741,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_custom_sitemap=1',expirevar:'SESSION.dp_custom_sitemap=300',t:none,t:lowercase"

# 231742: deny a submission of custom_sitemap_files_list_form when
# SESSION:dp_custom_sitemap is not present. No path condition is applied.
SecRule ARGS_POST:form_id "@streq custom_sitemap_files_list_form" \
	"id:231742,chain,msg:'COMODO WAF: CSRF vulnerability in the Custom Sitemap module for Drupal (CVE-2015-4353)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_custom_sitemap "!@eq 1" \
	"t:none"

# 231743: deny a request to custom-sitemap/<digits>/delete that carries a GET
# "destination" parameter when SESSION:dp_custom_sitemap is not present.
SecRule &SESSION:dp_custom_sitemap "!@eq 1" \
	"id:231743,chain,msg:'COMODO WAF: CSRF vulnerability in the Custom Sitemap module for Drupal (CVE-2015-4353)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_GET:destination "@ge 1" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/config\/search\/custom-sitemap\/\d+\/delete" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Rules 231750-231754 -- Spider Catalog module CSRF mitigation
# (CVE-2015-4350, per the rule messages).
# The SESSION collection must be initialised elsewhere (not visible in this
# section); presumably, without it the flags are never stored and the
# "!@eq 1" checks always succeed -- TODO confirm.
#
# 231750: when TX:drupal is set but not 1, skip the next 4 rules
# (231751-231754).
SecRule TX:drupal "!@eq 1" \
	"id:231750,phase:2,pass,nolog,t:none,skip:4,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# 231751: GET to the products or categories admin path sets
# SESSION.dp_spider_catalog=1 (expires after 300 s) and skips rule 231752.
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm admin/settings/spider_catalog/products admin/settings/spider_catalog/categories" \
	"id:231751,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_spider_catalog=1',expirevar:'SESSION.dp_spider_catalog=300',t:none,t:lowercase"

# 231752: deny a submission of one of the listed Spider Catalog edit forms
# when SESSION:dp_spider_catalog is not present. No path condition is
# applied.
SecRule ARGS_POST:form_id "@pm spider_catalog_product_edit_ratings spider_catalog_product_edit_reviews spider_catalog_category_edit spider_catalog_product_edit" \
	"id:231752,chain,msg:'COMODO WAF: CSRF vulnerability in the Spider Catalog module for Drupal (CVE-2015-4350)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_spider_catalog "!@eq 1" \
	"t:none"

# 231753: GET to a path ending in admin/settings/spider_catalog, .../products
# or .../products/edit/reviews|ratings sets SESSION.dp_spider_catalog_del=1
# (expires after 300 s) and skips rule 231754.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/settings\/spider_catalog(\/products(\/edit\/(?:reviews|ratings))?)?$" \
	"id:231753,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_spider_catalog_del=1',expirevar:'SESSION.dp_spider_catalog_del=300',t:none,t:lowercase"

# 231754: deny a request to a products/categories edit or delete path
# (optionally .../reviews|ratings/delete) that carries GET product_id or
# category_id when SESSION:dp_spider_catalog_del is not present.
# NOTE(review): rule 231753 does not list the categories overview path, so a
# session that only browsed categories would not hold this flag -- confirm.
SecRule &SESSION:dp_spider_catalog_del "!@eq 1" \
	"id:231754,chain,msg:'COMODO WAF: CSRF vulnerability in the Spider Catalog module for Drupal (CVE-2015-4350)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_GET:product_id|&ARGS_GET:category_id "@ge 1" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/settings\/spider_catalog\/(?:products|categories)\/(?:edit|delete)(\/(?:reviews|ratings)\/delete)?$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Spider Video Player arbitrary file delete (CVE-2015-4351).
# Deny (403, logged) when TX:drupal is 1, any of the tag_id / playlist_id /
# video_id query arguments contains a non-digit character, and q/filename ends
# with .../spider_video_player/(tags|videos|playlists)/delete.
# This is an allow-list style check: the id arguments must be digits only.
# An empty id value does not match \D and therefore passes this rule.
# Requests for which TX:drupal is not 1 are not inspected by this rule.
SecRule TX:drupal "@eq 1" \
	"id:231760,chain,msg:'COMODO WAF: Arbitrary files delete vulnerability in the Spider Video Player module for Drupal (CVE-2015-4351)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:tag_id|ARGS_GET:playlist_id|ARGS_GET:video_id "@rx \D" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/settings\/spider_video_player\/(?:tags|videos|playlists)\/delete$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Spider Video Player CSRF mitigation (CVE-2015-4352), rules 231770-231774.
# Guard: when TX:drupal is not 1, skip the next four rules (231771-231774).
# TX:drupal is set outside this section -- presumably it marks an
# authenticated Drupal request; confirm.
SecRule TX:drupal "!@eq 1" \
	"id:231770,phase:2,pass,nolog,t:none,skip:4,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# Edit marker: a GET to any path containing the module's admin prefix sets
# SESSION.dp_spider_video_player for 300 seconds and skips rule 231772.
# NOTE(review): SESSION requires setsid to have run earlier (not visible here).
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/settings/spider_video_player" \
	"id:231771,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_spider_video_player=1',expirevar:'SESSION.dp_spider_video_player=300',t:none,t:lowercase"

# Deny (403, logged) a POST whose form_id contains one of the listed form
# names (@pm is a case-insensitive substring match) when the edit marker is
# absent.
SecRule ARGS_POST:form_id "@pm spider_video_player_tag_edit spider_video_player_video_edit spider_video_player_playlist_edit spider_video_player_add_video_form" \
	"id:231772,chain,msg:'COMODO WAF: CSRF vulnerability in the Spider Video Player module for Drupal (CVE-2015-4352)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_spider_video_player "!@eq 1" \
	"t:none"

# Delete marker: a GET to a path ending in spider_video_player, .../tags or
# .../videos sets SESSION.dp_spider_video_player_del for 300 seconds and skips
# rule 231774.
# NOTE(review): a .../playlists listing path is not in this pattern although
# rule 231774 also guards playlist deletes -- verify against the module's
# routes that this cannot block a legitimate playlist delete.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/settings\/spider_video_player(?:\/tags|\/videos)?$" \
	"id:231773,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_spider_video_player_del=1',expirevar:'SESSION.dp_spider_video_player_del=300',t:none,t:lowercase"

# Deny (403, logged) when a tag_id / playlist_id / video_id query argument is
# present, the delete marker is absent, and q/filename ends with a
# tags|videos|playlists delete path. The marker only records a recent GET; it
# is a time-window heuristic and not CSRF-token validation.
SecRule &ARGS_GET:tag_id|&ARGS_GET:playlist_id|&ARGS_GET:video_id "@ge 1" \
	"id:231774,chain,msg:'COMODO WAF: CSRF vulnerability in the Spider Video Player module for Drupal (CVE-2015-4352)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_spider_video_player_del "!@eq 1" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/settings\/spider_video_player\/(?:tags|videos|playlists)\/delete$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Spider Contacts CSRF mitigation (CVE-2015-4349), rules 231780-231784.
# Guard: when TX:drupal is not 1, skip the next four rules (231781-231784).
# TX:drupal is set outside this section -- presumably it marks an
# authenticated Drupal request; confirm.
SecRule TX:drupal "!@eq 1" \
	"id:231780,phase:2,pass,nolog,t:none,skip:4,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# Edit marker: a GET to a categories or contacts admin path sets
# SESSION.dp_spider_contacts for 300 seconds and skips rule 231782.
# No t:lowercase here; @pm matches its phrases case-insensitively.
# NOTE(review): SESSION requires setsid to have run earlier (not visible here).
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm admin/settings/spider_contacts/categories admin/settings/spider_contacts/contacts" \
	"id:231781,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_spider_contacts=1',expirevar:'SESSION.dp_spider_contacts=300',t:none,t:lowercase"

# Deny (403, logged) a POST whose form_id contains one of the listed form
# names (substring match) when the edit marker is absent.
SecRule ARGS_POST:form_id "@pm spider_contacts_categories spider_contacts_category_edit spider_contacts_contact_edit spider_contacts_contacts" \
	"id:231782,chain,msg:'COMODO WAF: CSRF vulnerability in the Spider Contacts module for Drupal (CVE-2015-4349)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_spider_contacts "!@eq 1" \
	"t:none"

# Delete marker: a GET to a path ending in .../categories or .../contacts sets
# SESSION.dp_spider_contacts_del for 300 seconds and skips rule 231784.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/settings\/spider_contacts\/(?:categories|contacts)$" \
	"id:231783,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_spider_contacts_del=1',expirevar:'SESSION.dp_spider_contacts_del=300',t:none,t:lowercase"

# Deny (403, logged) when the delete marker is absent, a contact_id or
# category_id query argument is present, and q/filename ends with a
# contacts|categories delete path. The marker only records a recent GET; it is
# a time-window heuristic and not CSRF-token validation.
SecRule &SESSION:dp_spider_contacts_del "!@eq 1" \
	"id:231784,chain,msg:'COMODO WAF: CSRF vulnerability in the Spider Contacts module for Drupal (CVE-2015-4349)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_GET:contact_id|&ARGS_GET:category_id "@ge 1" \
	"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/settings\/spider_contacts\/(?:contacts|categories)\/delete$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Shibboleth Authentication CSRF mitigation (CVE-2015-3375), rules
# 231790-231793.
# Guard: when TX:drupal is not 1, skip the next three rules (231791-231793).
# TX:drupal is set outside this section -- presumably it marks an
# authenticated Drupal request; confirm.
SecRule TX:drupal "!@eq 1" \
	"id:231790,phase:2,pass,nolog,t:none,skip:3,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# Marker: a GET to the shib_auth new / edit / rules admin paths sets
# SESSION.dp_shib_auth for 300 seconds and skips both deny rules (231792 and
# 231793). No t:lowercase here; @pm matches its phrases case-insensitively.
# NOTE(review): SESSION requires setsid to have run earlier (not visible here).
# The marker only records a recent GET and does not inspect Referer/Origin or a
# form token; upgrading the module to a release named as fixed in the msg
# below remains the actual fix.
SecRule ARGS_GET:q|REQUEST_FILENAME "@pm admin/config/people/shib_auth/new admin/config/people/shib_auth/edit admin/config/people/shib_auth/rules" \
	"id:231791,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_shib_auth=1',expirevar:'SESSION.dp_shib_auth=300',t:none,t:lowercase"

# Deny (403, logged) a POST whose form_id contains shib_auth_new_rule or
# shib_auth_edit_rule when the marker is absent.
SecRule ARGS_POST:form_id "@pm shib_auth_new_rule shib_auth_edit_rule" \
	"id:231792,chain,msg:'COMODO WAF: CSRF vulnerability in the Shibboleth Authentication module before 6.x-4.1 and 7.x-4.x before 7.x-4.1 for Drupal (CVE-2015-3375)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_shib_auth "!@eq 1" \
	"t:none"

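# Deny (403, logged) a GET to a path containing the shib_auth delete route when
# SESSION.dp_shib_auth is absent (the marker is set for 300 seconds by a GET to
# the new / edit / rules admin paths in rule 231791).
# Transformations run in the listed order: the value is URL-decoded before the
# path is normalized, as in the sibling rules of this file, so percent-encoded
# dot-segments are collapsed before the @contains comparison.
# The marker only records a recent GET; it is a time-window heuristic and not
# CSRF-token validation.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/people/shib_auth/delete" \
	"id:231793,chain,msg:'COMODO WAF: CSRF vulnerability in the Shibboleth Authentication module before 6.x-4.1 and 7.x-4.x before 7.x-4.1 for Drupal (CVE-2015-3375)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule &SESSION:dp_shib_auth "!@eq 1" \
	"t:none"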

# Jammer CSRF mitigation (CVE-2015-3352), rules 231800-231804.
# Guard: when TX:drupal is not 1, skip the next four rules (231801-231804).
# TX:drupal is set outside this section -- presumably it marks an
# authenticated Drupal request; confirm.
SecRule TX:drupal "!@eq 1" \
	"id:231800,phase:2,pass,nolog,t:none,skip:4,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# Delete marker: a GET to one of the Jammer list paths (two URL layouts are
# covered) sets SESSION.dp_jammer_del for 300 seconds and skips rule 231802.
# NOTE(review): the value stored is 100 where the sibling markers store 1.
# Rule 231802 tests the variable count (&SESSION:...), not its value, so this
# has no visible effect here -- confirm nothing else reads the value.
# NOTE(review): SESSION requires setsid to have run earlier (not visible here).
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/config\/user-interface\/jammer_(?:messages|generic)$|admin\/settings\/jammer\/(?:generic|jammer_messages)$" \
	"id:231801,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_jammer_del=100',expirevar:'SESSION.dp_jammer_del=300',t:none,t:lowercase"

# Deny (403, logged) a GET to a .../delete/<digits> Jammer path when the delete
# marker is absent. The marker only records a recent GET; it is a time-window
# heuristic and not CSRF-token validation.
SecRule &SESSION:dp_jammer_del "!@eq 1" \
	"id:231802,chain,msg:'COMODO WAF: CSRF vulnerability in the Jammer module before 6.x-1.8 and 7.x-1.x before 7.x-1.4 for Drupal (CVE-2015-3352)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/config\/user-interface\/jammer_(?:generic|messages)\/delete\/\d+$|admin\/settings\/jammer\/(?:generic|jammer_messages)\/delete\/\d+$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Settings marker: a GET sets SESSION.dp_jammer for 300 seconds and skips rule
# 231804. The trailing $ binds only to the second alternative, so the first
# alternative matches any path containing admin/config/user-interface/jammer
# or admin/config/user-interface/shortcut.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/config\/user-interface\/(?:jammer|shortcut)|admin\/settings\/jammer(?:\/generic|\/jammer_messages)?$" \
	"id:231803,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_jammer=1',expirevar:'SESSION.dp_jammer=300',t:none,t:lowercase"

# Deny (403, logged) a POST whose form_id contains one of the listed names
# (substring match) when the settings marker is absent. The list includes two
# shortcut_* form ids in addition to the Jammer forms, so a block on those is
# also logged under the Jammer CVE message.
SecRule ARGS_POST:form_id "@pm _jammer_generic_admin_settings jammer_admin_settings _jammer_messages_settings shortcut_set_add_form shortcut_link_delete" \
	"id:231804,chain,msg:'COMODO WAF: CSRF vulnerability in the Jammer module before 6.x-1.8 and 7.x-1.x before 7.x-1.4 for Drupal (CVE-2015-3352)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_jammer "!@eq 1" \
	"t:none"

# Corner CSRF mitigation (CVE-2015-3374), rules 231810-231814.
# Guard: when TX:drupal is not 1, skip the next four rules (231811-231814).
# TX:drupal is set outside this section -- presumably it marks an
# authenticated Drupal request; confirm.
SecRule TX:drupal "!@eq 1" \
	"id:231810,phase:2,pass,nolog,t:none,skip:4,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# Form marker: a GET to any path containing admin/build/corner sets
# SESSION.dp_corner for 300 seconds and skips rule 231812.
# NOTE(review): SESSION requires setsid to have run earlier (not visible here).
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/build/corner" \
	"id:231811,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_corner=1',expirevar:'SESSION.dp_corner=300',t:none,t:lowercase"

# Deny (403, logged) a POST of the corner_admin_configure form when the form
# marker is absent.
SecRule ARGS_POST:form_id "@streq corner_admin_configure" \
	"id:231812,chain,msg:'COMODO WAF: CSRF vulnerability in the Corner module for Drupal (CVE-2015-3374)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_corner "!@eq 1" \
	"t:none"

# Action marker: a GET to a path ending exactly in admin/build/corner sets
# SESSION.dp_corner_config for 300 seconds and skips rule 231814.
SecRule ARGS_GET:q|REQUEST_FILENAME "@endsWith admin/build/corner" \
	"id:231813,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_corner_config=1',expirevar:'SESSION.dp_corner_config=300',t:none,t:lowercase"

# Deny (403, logged) a GET to .../corner/<digits>/(enable|disable|delete|clone)
# when the action marker is absent. The marker only records a recent GET to
# the listing page; it is a time-window heuristic and not CSRF-token
# validation.
SecRule &SESSION:dp_corner_config "!@eq 1" \
	"id:231814,chain,msg:'COMODO WAF: CSRF vulnerability in the Corner module for Drupal (CVE-2015-3374)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/build\/corner\/\d+\/(?:enable|disable|delete|clone)$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Contact Form Fields CSRF mitigation (CVE-2015-3363), rules 231820-231824.
# Guard: when TX:drupal is not 1, skip the next four rules (231821-231824).
# TX:drupal is set outside this section -- presumably it marks an
# authenticated Drupal request; confirm.
SecRule TX:drupal "!@eq 1" \
	"id:231820,phase:2,pass,nolog,t:none,skip:4,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# Delete marker: a GET to a path ending in admin/build/contact/manage sets
# SESSION.dp_contact_del for 300 seconds and skips rule 231822.
# NOTE(review): SESSION requires setsid to have run earlier (not visible here).
SecRule ARGS_GET:q|REQUEST_FILENAME "@endsWith admin/build/contact/manage" \
	"id:231821,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_contact_del=1',expirevar:'SESSION.dp_contact_del=300',t:none,t:lowercase"

# Deny (403, logged) a GET to .../contact/field_<1-128 word chars>/delete when
# the delete marker is absent. The marker only records a recent GET; it is a
# time-window heuristic and not CSRF-token validation.
SecRule &SESSION:dp_contact_del "!@eq 1" \
	"id:231822,chain,msg:'COMODO WAF: CSRF vulnerability in the Contact Form Fields module before 6.x-2.3 for Drupal (CVE-2015-3363)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/build\/contact\/field_\w{1,128}\/delete$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Form marker: a GET to any path containing admin/build/contact sets
# SESSION.dp_contact for 300 seconds and skips rule 231824.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/build/contact" \
	"id:231823,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_contact=1',expirevar:'SESSION.dp_contact=300',t:none,t:lowercase"

# Deny (403, logged) a POST whose form_id contains contact_field_list_field or
# contact_field_add_field_ (substring match, so the second phrase acts as a
# prefix for longer form ids) when the form marker is absent.
SecRule ARGS_POST:form_id "@pm contact_field_list_field contact_field_add_field_" \
	"id:231824,chain,msg:'COMODO WAF: CSRF vulnerability in the Contact Form Fields module before 6.x-2.3 for Drupal (CVE-2015-3363)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_contact "!@eq 1" \
	"t:none"

# Patterns CSRF mitigation (CVE-2015-3367), rules 231870-231874.
# Guard: when TX:drupal is not 1, skip the next four rules (231871-231874).
# TX:drupal is set outside this section -- presumably it marks an
# authenticated Drupal request; confirm.
SecRule TX:drupal "!@eq 1" \
	"id:231870,phase:2,pass,nolog,t:none,skip:4,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"

# Action marker: a GET to a path ending in admin/patterns sets
# SESSION.dp_patterns for 300 seconds and skips rule 231872.
# NOTE(review): SESSION requires setsid to have run earlier (not visible here).
SecRule ARGS_GET:q|REQUEST_FILENAME "@endsWith admin/patterns" \
	"id:231871,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_patterns=1',expirevar:'SESSION.dp_patterns=300',t:none,t:lowercase"

# Deny (403, logged) a GET to .../patterns/(publish|unpublish|restore)/<digits>
# when the action marker is absent. The marker only records a recent GET; it
# is a time-window heuristic and not CSRF-token validation.
SecRule &SESSION:dp_patterns "!@eq 1" \
	"id:231872,chain,msg:'COMODO WAF: CSRF vulnerability in the Patterns module before 7.x-2.2 for Drupal (CVE-2015-3367)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/patterns\/(?:publish|unpublish|restore)\/\d+$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Form marker: a GET to any path containing admin/patterns sets
# SESSION.dp_patterns_edit for 300 seconds and skips rule 231874.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/patterns" \
	"id:231873,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_patterns_edit=1',expirevar:'SESSION.dp_patterns_edit=300',t:none,t:lowercase"

# Deny (403, logged) a POST whose form_id contains one of the listed Patterns
# form names (substring match) when the form marker is absent.
SecRule ARGS_POST:form_id "@pm patterns_trash_pattern patterns_edit patterns_enable_pattern patterns_quickrun patterns_import_source" \
	"id:231874,chain,msg:'COMODO WAF: CSRF vulnerability in the Patterns module before 7.x-2.2 for Drupal (CVE-2015-3367)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_patterns_edit "!@eq 1" \
	"t:none"

# Log Watcher CSRF mitigation (CVE-2015-3351), rules 231880-231883.
# Guard: when TX:drupal is not 1, skip the next three rules (231881-231883).
# TX:drupal is set outside this section -- presumably it marks an
# authenticated Drupal request; confirm.
SecRule TX:drupal "!@eq 1" \
	"id:231880,phase:2,pass,nolog,t:none,skip:3,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"

# Marker: a GET to a path ending in admin/reports/logwatcher sets
# SESSION.dp_logwatcher for 300 seconds and skips both deny rules (231882 and
# 231883). Both deny rules rely on this single marker.
# NOTE(review): SESSION requires setsid to have run earlier (not visible here).
SecRule ARGS_GET:q|REQUEST_FILENAME "@endsWith admin/reports/logwatcher" \
	"id:231881,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:2,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_logwatcher=1',expirevar:'SESSION.dp_logwatcher=300',t:none,t:lowercase"

# Deny (403, logged) a GET to .../logwatcher/(activate|deactivate|delete)/<digits>
# when the marker is absent. The marker only records a recent GET; it is a
# time-window heuristic and not CSRF-token validation.
SecRule &SESSION:dp_logwatcher "!@eq 1" \
	"id:231882,chain,msg:'COMODO WAF: CSRF vulnerability in the Log Watcher module before 6.x-1.2 for Drupal (CVE-2015-3351)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/reports\/logwatcher\/(?:(de)?activate|delete)\/\d+$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Deny (403, logged) a POST of the _logwatcher_admin_settings form when the
# marker is absent.
SecRule ARGS_POST:form_id "@streq _logwatcher_admin_settings" \
	"id:231883,chain,msg:'COMODO WAF: CSRF vulnerability in the Log Watcher module before 6.x-1.2 for Drupal (CVE-2015-3351)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_logwatcher "!@eq 1" \
	"t:none"

# Htaccess module CSRF mitigation (CVE-2015-3349), rules 231900-231904.
# Guard: when TX:drupal is not 1, skip the next four rules (231901-231904).
# TX:drupal is set outside this section -- presumably it marks an
# authenticated Drupal request; confirm.
SecRule TX:drupal "!@eq 1" \
	"id:231900,phase:2,pass,nolog,t:none,skip:4,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"

# Deployment marker: a GET to a path ending in .../htaccess/deployment sets
# SESSION.dp_htaccess for 300 seconds and skips rule 231902.
# NOTE(review): SESSION requires setsid to have run earlier (not visible here).
SecRule ARGS_GET:q|REQUEST_FILENAME "@endsWith admin/config/system/htaccess/deployment" \
	"id:231901,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_htaccess=1',expirevar:'SESSION.dp_htaccess=300',t:none,t:lowercase"

# Deny (403, logged) a GET to .../deployment/(delete|download|deploy)/<digits>
# when the deployment marker is absent. The marker only records a recent GET;
# it is a time-window heuristic and not CSRF-token validation, so upgrading
# the module to the fixed release named in the msg remains the actual fix.
SecRule &SESSION:dp_htaccess "!@eq 1" \
	"id:231902,chain,msg:'COMODO WAF: CSRF vulnerability in the Htaccess module before 7.x-2.3 for Drupal (CVE-2015-3349)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/config\/system\/htaccess\/deployment\/(?:delete|download|deploy)\/\d+$" \
	"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"

# Generate marker: a GET to a path ending in .../htaccess/generate sets
# SESSION.dp_htaccess_generate for 300 seconds and skips rule 231904.
SecRule ARGS_GET:q|REQUEST_FILENAME "@endsWith admin/config/system/htaccess/generate" \
	"id:231903,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_METHOD "@streq get" \
	"setvar:'SESSION.dp_htaccess_generate=1',expirevar:'SESSION.dp_htaccess_generate=300',t:none,t:lowercase"

# Deny (403, logged) a POST of the htaccess_generate form when the generate
# marker is absent.
SecRule ARGS_POST:form_id "@streq htaccess_generate" \
	"id:231904,chain,msg:'COMODO WAF: CSRF vulnerability in the Htaccess module before 7.x-2.3 for Drupal (CVE-2015-3349)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &SESSION:dp_htaccess_generate "!@eq 1" \
	"t:none"

# Jump target for skipAfter:'Drupal_Skip_URF_221270'. No rule in this section
# references this label, and the unauthenticated-request tracking rule at the
# top of the file jumps to 'Drupal_Skip_URF_231000' instead.
# NOTE(review): confirm that every skipAfter label in this file has a matching
# SecMarker; a skipAfter whose label is missing typically skips the remaining
# rules of the phase -- verify on the engine version in use.
SecMarker Drupal_Skip_URF_221270
# XML-RPC preparation (phase 1): for a filename ending in xmlrpc.php, set
# TX.drupal_xmlrpc=1 and switch the request body processor to XML so that rule
# 231011 can evaluate XPath expressions on the body.
# NOTE(review): in ModSecurity 2.x non-disruptive actions run when the rule
# that carries them matches, so the setvar and ctl on the first rule likely take
# effect as soon as the filename matches, independently of the Content-Type
# check below -- confirm on the engine version in use.
# NOTE(review): @within matches when the header value is a substring of the
# listed string, so a value with parameters (for example a charset suffix)
# does not match, while a fragment of one of the listed types does.
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" \
	"id:231010,chain,msg:'COMODO WAF: Set request body processor to be XML||%{tx.domain}|%{tx.mode}|2',phase:1,pass,setvar:'TX.drupal_xmlrpc=1',nolog,ctl:requestBodyProcessor=XML,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_HEADERS:Content-Type "@within text/xml application/xml" \
	"t:none,t:normalizePath,t:lowercase"

# Brute-force amplification via XML-RPC (CVE-2016-3163): deny (403, logged)
# when TX.drupal_xmlrpc is 1, the body parsed without error, a methodName text
# node contains system.multicall, and the body holds at least 10 <member>
# elements selected by the methodName XPath filter (i.e. a batch of 10 or more
# calls in one request).
# NOTE(review): the rule requires REQBODY_ERROR to be 0, so a body that fails
# XML parsing is not covered here; a separate rule that rejects request-body
# parse errors is needed for that case and is not visible in this section.
SecRule TX:drupal_xmlrpc "@eq 1" \
	"id:231011,chain,msg:'COMODO WAF: Brute-Force Amplification in Drupal 6.x before 6.38 and 7.x before 7.43 (CVE-2016-3163)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQBODY_ERROR "@eq 0" \
	"chain,t:none"
SecRule XML://methodName/text() "@contains system.multicall" \
	"chain,t:none,t:lowercase"
SecRule &XML://member[*][name='methodName'] "@ge 10" \
	"t:none"

# Form API render-array injection (CVE-2018-7600, CVE-2018-7602).
# Deny (logged) when all three conditions hold:
#   1. an argument value, cookie value or the request body contains `exec` or
#      `passthru` (@pm is a case-insensitive substring match, so words that
#      merely contain these strings also satisfy this link);
#   2. an argument name, cookie name or the request body has a `#` at the start
#      (optionally after `[` and a quote) or directly after `[` and an optional
#      quote -- the shape of a `#`-prefixed property key;
#   3. the filename ends with index.php or `/`.
# No status: is given, so the engine's default deny status applies (the other
# deny rules in this file set status:403 explicitly).
# NOTE(review): this is a signature for two specific keywords on two entry
# paths, not a general fix; it complements, and does not replace, upgrading
# to a fixed Drupal release listed in the msg.
SecRule ARGS|REQUEST_COOKIES|REQUEST_BODY "@pm exec passthru" \
	"id:231990,chain,msg:'COMODO WAF: RCE vulnerability in Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 (CVE-2018-7600, CVE-2018-7602)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES|REQUEST_BODY "@rx ^(?:\[?[\'\x22]?)?#|(?:\[)(?:[\'\x22]?)?#" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@rx index\.php$|\/$" \
	"t:none,t:urlDecodeUni,t:lowercase"

# Prepopulate module $_REQUEST tampering (CVE-2016-3187).
# First link: ARGS:pp is URL-decoded and base64-decoded (base64DecodeExt is the
# forgiving decoder) and must then contain `=`. On a match TX.pp receives the
# pp argument and TX.drupal_pp receives MATCHED_VAR.
# Second link: deny (403, logged) when the URL-decoded TX.drupal_pp differs
# from ARGS:pp.
# NOTE(review): presumably the comparison is meant to confirm that pp really
# was base64-encoded (decoded form differs from the submitted form) -- confirm
# what MATCHED_VAR holds after transformations on the engine version in use.
# TX.pp is not read by any rule visible in this section.
SecRule ARGS:pp "@contains =" \
	"id:241910,chain,msg:'COMODO WAF: Attemp to modify the $_REQUEST superglobal array in the The Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal  (CVE-2016-3187)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,setvar:'TX.pp=%{ARGS:pp}',setvar:'TX.drupal_pp=%{MATCHED_VAR}',log,t:none,t:urlDecodeUni,t:base64DecodeExt,rev:3,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule TX:drupal_pp "!@streq %{ARGS:pp}" \
	"t:none,t:urlDecodeUni"

# Open redirect through the destination parameter (CVE-2016-3167).
# Runs in phase 3 (response headers): deny (403, logged) when `destination` or
# `edit[destination]` contains `//` after URL decoding and the response sets a
# cookie whose lowercased value starts with sess<32 hex chars>=<26 chars of
# 0-9a-z>; -- the session-cookie shape this rule keys on.
# Because the check runs on the response, the application has already handled
# the request; the deny stops the response from being delivered to the client.
# NOTE(review): the rule depends on a session cookie being set in the same
# response, so responses without that Set-Cookie header are not covered.
SecRule ARGS:destination|ARGS:edit[destination] "@contains //" \
	"id:241860,chain,msg:'COMODO WAF: Open redirect vulnerability in Drupal 6.x before 6.38 (CVE-2016-3167)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:urlDecodeUni,rev:5,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule RESPONSE_HEADERS:Set-Cookie "@rx ^sess[0-9a-f]{32}\=[0-9a-z]{26}\;" \
	"t:none,t:lowercase"

# REST hal_json code execution (CVE-2019-6340).
# Deny (403, logged) when the query string has _format=hal_json, TX:drupal is
# not set at all (count 0), the filename ends with /node/<digits>, and the
# method is GET, HEAD, OPTIONS or TRACE.
# TX:drupal is set outside this section -- presumably its absence means the
# request is unauthenticated; confirm.
# NOTE(review): requests using other methods, or for which TX:drupal is set,
# are not inspected by this rule; upgrading to a fixed release listed in the
# msg remains the actual fix.
# NOTE(review): `t:normalisePath` is the British spelling; the rest of this
# file uses `t:normalizePath`. Confirm the engine in use accepts this alias.
SecRule ARGS_GET:_format "@streq hal_json" \
	"id:232380,chain,msg:'COMODO WAF: Arbitrary code execution vulnerability in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 (CVE-2019-6340)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &TX:drupal "@eq 0" \
	"chain,t:none"
SecRule REQUEST_FILENAME "@rx \/node\/\d+$" \
	"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@rx ^(?:get|head|options|trace)$" \
	"t:none,t:lowercase"

# Form API injection on the registration form (CVE-2018-7600, CVE-2018-7602).
# Deny (403, logged) only when all five conditions hold:
#   1. _wrapper_format equals drupal_ajax (URL-decoded, lowercased);
#   2. an ajax_form argument is present;
#   3. some argument value contains `exec` or `passthru` (case-insensitive
#      substring match);
#   4. the filename contains user/register;
#   5. some argument value matches /<letters>/#value after decoding and
#      lowercasing.
# NOTE(review): this is a narrow signature tied to one form path and two
# keywords; it complements, and does not replace, upgrading to a fixed Drupal
# release listed in the msg.
SecRule ARGS:_wrapper_format "@streq drupal_ajax" \
	"id:232980,chain,msg:'COMODO WAF: RCE vulnerability in Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 (CVE-2018-7600, CVE-2018-7602)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS:ajax_form "@ge 1" \
	"chain,t:none"
SecRule ARGS "@pm exec passthru" \
	"chain,t:none"
SecRule REQUEST_FILENAME "@contains user/register" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS "@rx \/[a-z]+\/#value" \
	"t:none,t:urlDecodeUni,t:lowercase"

# Data leakage through the file/ajax callback (CVE-2018-7600, CVE-2018-7602).
# Deny (403, logged) when a form_build_id POST argument is present, the `q`
# argument starts with file/ajax/name/#value/ after decoding and lowercasing,
# and the filename ends with index.php or `/`.
# NOTE(review): only the `q` argument is inspected for the callback path;
# whether the same path can arrive through REQUEST_FILENAME (clean URLs) is
# not covered by this rule -- verify against the deployment's URL scheme.
SecRule &ARGS_POST:form_build_id "@ge 1" \
	"id:232981,chain,msg:'COMODO WAF: data leakage vulnerability in Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 (CVE-2018-7600, CVE-2018-7602)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q "@rx ^file\/ajax\/name\/#value\/" \
	"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@rx index\.php$|\/$" \
	"t:none,t:urlDecodeUni,t:lowercase"