| Current File : //30_Apps_OtherApps.conf |
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------
SecRule &REQUEST_COOKIES:MoodleSession "@ge 1" \
"id:247891,msg:'COMODO WAF: start track MoodleSession||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{REQUEST_COOKIES.MoodleSession}',nolog,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:/^glpi_/ "@rx ^[a-z0-9]{26}$" \
"id:247892,msg:'COMODO WAF: Start tracking GLPI||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{MATCHED_VAR}',setvar:'TX.GLPI=1',nolog,t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:SenayanAdmin "@ge 1" \
"id:247893,msg:'COMODO WAF: Start track SLiMS 8 Akasia||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{REQUEST_COOKIES.SenayanAdmin}',setvar:'TX.SLiMS_Akasia=1',nolog,t:none,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:/^INTELLI_/ "@rx ^[a-z0-9]{26}$" \
"id:247894,msg:'COMODO WAF: Start track Subrion CMS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{MATCHED_VAR}',setvar:'TX.Subrion_CMS=1',nolog,t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith s9y_" \
"id:247895,chain,msg:'COMODO WAF: Start track Serendipity||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,t:urlDecodeUni,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule MATCHED_VAR "@rx ^s9y_([0-9a-fA-f]{32})$" \
"capture,setsid:'%{TX.1}',setvar:'TX.serendipity_admin=1'"
SecRule &REQUEST_COOKIES:CONCRETE5 "@ge 1" \
"id:247896,msg:'COMODO WAF: Start track CONCRETE5||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{REQUEST_COOKIES.CONCRETE5}',nolog,t:none,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:/^ADMIDIO_/ "@rx ^[0-9a-z]{26}$" \
"id:247897,msg:'COMODO WAF: Start track ADMIDIO||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{MATCHED_VAR}',setvar:'TX.ADMIDIO=1',nolog,t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:247898,msg:'COMODO WAF: Start track Piwigo||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{REQUEST_COOKIES.pwg_id}',nolog,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:yzmphp_adminid "@ge 1" \
"id:247899,msg:'COMODO WAF: Start track YzmCMS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{REQUEST_COOKIES.yzmphp_adminid}',setvar:'TX.YzmCMS=1',nolog,t:none,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@rx ^FA[a-f0-9]{32}$" \
"id:247900,msg:'COMODO WAF: Start track FrontAccounting||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{MATCHED_VAR}',setvar:'TX.FrontAccounting=1',nolog,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:cscms_session "@ge 1" \
"id:247901,msg:'COMODO WAF: Start track CScms||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{REQUEST_COOKIES.cscms_session}',nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:dili_session "@ge 1" \
"id:247902,msg:'COMODO WAF: Start track DiliCMS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setsid:'%{REQUEST_COOKIES.dili_session}',nolog,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:clickheat "@ge 1" \
"id:247906,phase:2,pass,setsid:'%{REQUEST_COOKIES.clickheat}',nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:GeniXCMS "@ge 1" \
"id:247907,phase:2,pass,setsid:'%{REQUEST_COOKIES.GeniXCMS}',nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:sid "@ge 1" \
"id:247908,phase:2,pass,setsid:'%{REQUEST_COOKIES.sid}',nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:sessionID "@ge 1" \
"id:247909,phase:2,pass,setsid:'%{REQUEST_COOKIES.sessionID}',nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &TX:XSS_SQLi "@eq 0" \
"id:247460,msg:'COMODO WAF: Track same forbidden symbols to Ignore signature for Other Apps||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'IGNORE_SFS_XSS_SQLi_OtherApps',rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith xml.php" \
"id:210440,chain,msg:'COMODO WAF: XSS vulnerability in the Search module in Kajona 4.4 (CVE-2014-4743)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:module|ARGS_GET:action "@pm search dosearch" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:searchterm "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:OLCsid "@ge 1" \
"id:210450,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 (CVE-2014-5104)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith olcommerce/admin/create_account.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:entry_country_id "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:action "@ge 1" \
"id:210451,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 (CVE-2014-5104)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith olcommerce/create_account.php" \
"chain,t:none,t:urlDecodeuni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:country "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith olcommerce/affiliate_signup.php" \
"id:210452,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 (CVE-2014-5104)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeuni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:a_country "@contains '" \
"t:none,t:urlDecodeuni"
SecRule REQUEST_FILENAME "@contains /public/external/pydio/plugins/editor.webodf/frame.php" \
"id:210540,chain,msg:'COMODO WAF: XSS vulnerability in Phalcon Eye through 0.4.1 (CVE-2017-5960)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:token "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p|ARGS_GET:c "@pm comms admin" \
"id:210660,chain,msg:'COMODO WAF: XSS vulnerability in Sourcebans++ v1.5.4.7 (CVE-2017-7891)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:rebanid "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /script/editor/markitup/preview/markdown.php" \
"id:210670,chain,msg:'COMODO WAF: XSS vulnerability in pi-engine/pi 2.5.0 (CVE-2017-7251)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:preview "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:page_meta_title "@contains <" \
"id:210960,chain,msg:'COMODO WAF: XSS in Monstra CMS through 3.0.4 (CVE-2018-6550)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id "@streq pages" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"t:none"
SecRule &ARGS_GET:state "@ge 1" \
"id:211260,chain,msg:'COMODO WAF: XSS vulnerability in MiniCMS v1.10 (CVE-2018-15899, CVE-2018-16298)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:mc_token "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:date|ARGS_GET:tag "@rx \x22|<" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx mc\-admin\/(?:post|page)\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/auth_config.php" \
"id:215020,chain,msg:'COMODO WAF: Multiple XSS ulnerabilities in Moodle-LMS through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 (CVE-2016-2152)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES_NAMES:MoodleSession "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:auth "@streq db" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS:m1_title "@contains <" \
"id:215080,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple v2.1.6 (CVE-2017-7255)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:cms_passhash "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /admin/moduleinterface.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule QUERY_STRING "@rx (login|signup)" \
"id:220080,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Mintboard 0.3 (CVE-2013-4951)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:name|ARGS_POST:pass "@rx </?script" \
"t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace"
SecRule REQUEST_FILENAME "@endsWith save.php" \
"id:220120,chain,msg:'COMODO WAF: XSS vulnerability in view.php in Machform 2 (CVE-2013-4950)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:form "@rx ^\{\x22id\x22:.{0,399}</?script" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:removeWhitespace"
SecRule REQUEST_FILENAME "@endsWith save.php" \
"id:220122,chain,msg:'COMODO WAF: XSS vulnerability in view.php in Machform 2 (CVE-2013-4950)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:elements "@rx ^\{\x22elements\x22:\[\{\x22title\x22:\x22.{0,399}</?script" \
"t:none,t:removeWhitespace,t:lowercase,t:urlDecodeUni"
SecRule REQUEST_METHOD "@streq POST" \
"id:220140,chain,msg:'COMODO WAF: XSS vulnerability in Review Board 1.6.x before 1.6.17 and 1.7.x before 1.7.10 (CVE-2013-2209)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /account/register/" \
"chain,t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace"
SecRule ARGS:first_name|ARGS:last_name "@rx <script" \
"t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace"
SecRule REQUEST_METHOD "@streq GET" \
"id:220170,chain,msg:'COMODO WAF: XSS vulnerability in RiteCMS 1.0.0 (CVE-2013-5317)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "cms/index\.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:mode "@rx <script" \
"t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace"
SecRule &ARGS_GET:owa_do "@ge 1" \
"id:220420,chain,msg:'COMODO WAF: SQL injection vulnerability in Open Web Analytics (OWA) before 1.5.5 (CVE-2014-1206)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:owa_action "@streq base.passwordresetrequest" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:owa_email_address "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:cid "@ge 1" \
"id:220430,chain,msg:'COMODO WAF: Remote command execution vulnerability in SkyBlueCanvas CMS before 1.1 r248-04 (CVE-2014-1683)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:pid "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:email|ARGS_POST:name|ARGS_POST:subject "@rx \x22;" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_BASENAME "@streq profiles.php" \
"id:220510,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in glFusion before 1.2.2.pl4 (CVE-2013-1466)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:subject "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /calendar/index.php" \
"id:220511,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in glFusion before 1.2.2.pl4 (CVE-2013-1466)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:address1|ARGS_POST:address2|ARGS_POST:calendar_type|ARGS_POST:city|ARGS_POST:state|ARGS_POST:title|ARGS_POST:url|ARGS_POST:zipcode "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:title|ARGS_POST:url "@contains <" \
"id:220512,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in glFusion before 1.2.2.pl4 (CVE-2013-1466)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /links/index.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:func "@within modinfonew modify_instance aliases assignprivileges" \
"id:220530,chain,msg:'COMODO WAF: XSS vulnerabilities in Xaraya 2.4.0-b1 and earlier (CVE-2013-3639)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id|ARGS_GET:interface|ARGS_GET:name|ARGS_GET:tabmodule "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:nick "@contains <" \
"id:220540,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Command School Student Management System 1.06.01 (CVE-2014-1914)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /sw/chat/message.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:topic "@contains <" \
"id:220541,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Command School Student Management System 1.06.01 (CVE-2014-1914)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /sw/add_topic.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:module "@streq com_vtiger_workflow" \
"id:220560,chain,msg:'COMODO WAF: XSS vulnerability in vTiger CRM 5.4.0 (CVE-2013-7326)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:return_url "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq agenda.php" \
"id:220570,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in GuppY before 4.6.28 (CVE-2013-5983)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:an "@rx \x22|<" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /mobile/thread.php" \
"id:220571,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in GuppY before 4.6.28 (CVE-2013-5983)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:cat "@rx \x22|<" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:Login "@ge 1" \
"id:220590,chain,msg:'COMODO WAF: SQLi vulnerabilities in AuraCMS 2.3 and earlier (CVE-2014-1401)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_HEADERS:CLIENT_IP|REQUEST_HEADERS:FORWARDED_FOR|REQUEST_HEADERS:X_FORWARDED|REQUEST_HEADERS:X_FORWARDED_FOR "@rx \'|\x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:Login "@ge 1" \
"id:220591,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in AuraCMS 2.3 and earlier (CVE-2014-1401)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_HEADERS:FORWARDED "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:phpMyAdmin "@ge 1" \
"id:220630,chain,msg:'COMODO WAF: XSS vulnerability in phpMyAdmin before 4.1.7 (CVE-2014-1879)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule FILES:import_file "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq import.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq ilias.php" \
"id:220710,chain,msg:'COMODO WAF: File upload and multiple RCE, XSS vulnerabilities in ILIAS 4.4.1 (CVE-2014-2088, CVE-2014-2089, CVE-2014-2090)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:baseClass "@streq ilPersonalDesktopGUI" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:tar|ARGS_POST:title "@rx \'|\x22|\<"
SecRule REQUEST_BASENAME "@streq ilias.php" \
"id:220711,chain,msg:'COMODO WAF: File upload and multiple RCE, XSS vulnerabilities in ILIAS 4.4.1 (CVE-2014-2088, CVE-2014-2089, CVE-2014-2090)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:baseClass "@streq ilRepositoryGUI" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:tar "@rx \'|\x22|\<" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "mods/_standard/forums/admin/forum_add\.php" \
"id:220750,chain,msg:'COMODO WAF: XSS vulnerability in ATutor 2.1.1 (CVE-2014-2091)||%{tx.domain}|%{tx.mode}|2',deny,status:403,log,t:none,t:urlDecodeUni,multiMatch,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:title "@rx \x22"
SecRule REQUEST_FILENAME "mods/_standard/forums/admin/forum_add\.php" \
"id:220751,chain,msg:'COMODO WAF: XSS vulnerability in ATutor 2.1.1 (CVE-2014-2091)||%{tx.domain}|%{tx.mode}|2',deny,status:403,log,t:none,t:urlDecodeUni,multiMatch,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:description "<"
SecRule ARGS_POST:text "<" \
"id:220760,chain,msg:'COMODO WAF: Blocking XSS attack||%{tx.domain}|%{tx.mode}|2',deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /index.php/guestbook/index/newentry"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"id:220780,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple (CVE-2014-2092 and CVE-2014-0334)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:group|ARGS_POST:htmlblob|ARGS_POST:title|ARGS_POST:url|ARGS_POST:stylesheet_name|ARGS_POST:template_name|ARGS_POST:template|ARGS_POST:css_name|ARGS_POST:metadata|ARGS_POST:sitedownmessage|ARGS_POST:page_metadata|ARGS_POST:date_format_string|ARGS_POST:filteruser|ARGS_POST:handler "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx \/admin\/(?:add(?:group|htmlblob|bookmark|template|css)|copy(?:stylesheet|template)|edit(?:bookmark|event)|list(?:css|templates)|siteprefs|pagedefaults|myaccount|adminlog)\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:default_cms_lang|ARGS_POST:docroot "@contains <" \
"id:220790,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple 1.11.10 (CVE-2014-2092)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /install/" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"id:220791,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple 1.11.10 (CVE-2014-2092)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith lib/filemanager/imagemanager/editorframe.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"id:220820,chain,msg:'COMODO WAF: XSS vulnerability in Collabtive 1.2 (CVE-2014-3247)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq addpro" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:desc "@rx (?:'|\x22|<)" \
"t:none"
SecRule ARGS_GET:query "@rx \x22" \
"id:220900,chain,msg:'COMODO WAF: XSS vulnerability in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 (CVE-2014-2280)||%{tx.domain}|%{tx.mode}|2',deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "/op\.search\.php" \
"t:none,t:lowercase,t:urlDecodeUni"
SecRule ARGS_POST:keywords "@rx \x22" \
"id:220910,chain,msg:'COMODO WAF: XSS vulnerability in MyBB 1.6.12 and earlier (CVE-2014-1840)||%{tx.domain}|%{tx.mode}|2',deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "/upload/search\.php" \
"chain,t:none,t:lowercase,t:urlDecodeUni"
SecRule ARGS:action "do_search"
SecRule Request_URI "@rx \/shared-apartments-rooms\/.{0,399}<" \
"id:220930,msg:'COMODO WAF: XSS vulnerability in Open Classifieds 2 before 2.1.3 (CVE-2014-2024)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:htmlEntityDecode,t:lowercase,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:/^extra_/ "@rx \x22" \
"id:220940,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Dokeos 2.1.1 (CVE-2014-1877)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:7,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule Request_FILENAME "(profile|user_edit|user_add)\.php"
SecRule ARGS_POST:title "@rx \x22>" \
"id:220941,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Dokeos 2.1.1 (CVE-2014-1877)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:7,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule Request_FILENAME "groups\.php"
SecRule Request_FILENAME "new_message\.php" \
"id:220942,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Dokeos 2.1.1 (CVE-2014-1877)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:htmlEntityDecode,t:lowercase,t:urlDecodeUni,rev:7,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:content "@rx \x22>"
SecRule ARGS_POST:title "@rx \x22" \
"id:221050,chain,msg:'COMODO WAF: XSS vulnerability in Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 (CVE-2013-4430)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "/artefact/internal/editnote\.php"
SecRule REQUEST_FILENAME "@endsWith admin/categories.php" \
"id:221070,chain,msg:'COMODO WAF: SQL injection vulnerability in Dotclear before 2.6.3 (CVE-2014-3783)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:categories_order "@rx \x22(?:item_id|left|right)\x22:(?!(?:null|\x22\d+\x22|\d+)(?:,|}))" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:removeWhitespace"
SecRule ARGS:news_image_1|ARGS:news_image_2|ARGS_POST:news_image "@rx \'" \
"id:221297,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains administration/news.php" \
"t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,t:lowercase"
SecRule REQUEST_HEADERS:Referer "@contains >" \
"id:221330,chain,msg:'COMODO WAF: XSS vulnerability in concrete5 before 5.6.3 (CVE-2014-5108)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:urlDecodeUni,t:removeWhitespace,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains index.php/download_file" \
"t:none,t:urlDecodeUni,t:normalizePath,t:removeWhitespace,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith add.php" \
"id:221340,chain,msg:'COMODO WAF: XSS vulnerability in OpenDocMan before 1.2.7.3 (CVE-2014-4853)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule FILES "@contains >"
SecRule ARGS_GET:leftmenu|ARGS_GET:mainmenu|ARGS_POST:dol_hide_leftmenu|ARGS_POST:dol_hide_topmenu|ARGS_POST:dol_no_mouse_hover|ARGS_POST:dol_optimize_smallscreen|ARGS_POST:dol_use_jmobile "@contains >" \
"id:221360,msg:'COMODO WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3991)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith user/index.php" \
"id:221361,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3991)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:dol_hide_leftmenu|ARGS_GET:dol_hide_topmenu|ARGS_GET:dol_no_mouse_hover|ARGS_GET:dol_optimize_smallscreen|ARGS_GET:dol_use_jmobile "@contains >"
SecRule REQUEST_FILENAME "@endsWith user/logout.php" \
"id:221362,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3991)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:dol_hide_leftmenu|ARGS_GET:dol_hide_topmenu|ARGS_GET:dol_no_mouse_hover|ARGS_GET:dol_optimize_smallscreen|ARGS_GET:dol_use_jmobile "@contains >"
SecRule REQUEST_FILENAME "@endsWith user/fiche.php" \
"id:221363,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3991)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:email|ARGS_POST:firstname|ARGS_POST:job|ARGS_POST:lastname|ARGS_POST:login "@contains >"
SecRule REQUEST_FILENAME "@endsWith viewimage.php" \
"id:221364,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3991)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:file|ARGS_GET:modulepart "@contains >"
SecRule ARGS_GET:table "@rx '|<" \
"id:221490,chain,msg:'COMODO WAF: XSS vulnerability in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 (CVE-2014-4955)||%{tx.domain}|%{tx.mode}|2',deny,status:403,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains db_triggers.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq firewall_schedule_edit.php" \
"id:221610,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in pfSense before 2.1.4 (CVE-2014-4687)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:starttime0|ARGS:stoptime0 "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains widgets/widgets/rss.widget.php" \
"id:221611,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in pfSense before 2.1.4 (CVE-2014-4687)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:rssfeed|ARGS:rssmaxitems|ARGS:rsswidgetheight|ARGS:rsswidgettextlength "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains widgets/widgets/services_status.widget.php" \
"id:221612,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in pfSense before 2.1.4 (CVE-2014-4687)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:servicestatusfilter "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains widgets/widgets/log.widget.php" \
"id:221614,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in pfSense before 2.1.4 (CVE-2014-4687)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:filterlogentries|ARGS:filterlogentriesinterfaces "@rx \x22|<|'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains admin/admin.php" \
"id:222000,chain,msg:'COMODO WAF: XSS vulnerability in Sphider 1.3.6 (CVE-2014-5193)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:normalizePath,t:removeWhitespace,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:f "@rx \d" \
"chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace"
SecRule ARGS_POST:category "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:do "!eq 0" \
"id:222070,chain,msg:'COMODO WAF: XSS vulnerability in Kasseler CMS (CVE-2013-3728)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:module "@pm sendmail news voting forum account categories database" \
"chain,t:none,t:lowercase,multiMatch"
SecRule ARGS:cat|ARGS:desc|ARGS:dok|ARGS:fid|ARGS:groups[]|ARGS:id|ARGS:module|ARGS:nid|ARGS:tid|ARGS:tid|ARGS:vid "@contains >" \
"chain,t:none,t:urlDecodeUni,multiMatch"
SecRule REQUEST_FILENAME "@pm admin.php index.php" \
"t:none,t:urlDecodeUni,t:lowercase,multiMatch"
SecRule REQUEST_FILENAME "@endsWith admin/categories.php" \
"id:227600,chain,msg:'COMODO WAF: XSS vulnerability in 4images 1.7.11 and earlier (CVE-2015-7708)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:action "@pm updatecat savecat" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:cat_description "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_URI "@endsWith sa/getparticipants_json" \
"id:240060,chain,msg:'COMODO WAF: SQL injection vulnerability in LimeSurvey 2.05+ Build 140618 (CVE-2014-5017)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:sidx "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains participants/sa/getAttribute_json/pid/" \
"id:240070,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in LimeSurvey 2.05+ Build 140618 (CVE-2014-5016)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_LINE "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains admin/globalsettings" \
"id:240071,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in LimeSurvey 2.05+ Build 140618 (CVE-2014-5016)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:sa "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains survey/index" \
"id:240080,chain,msg:'COMODO WAF: XSS vulnerability in LimeSurvey 2.05+ Build 140618 (CVE-2014-5018)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:loadname "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains register-exec.php" \
"id:240100,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Restaurant Script (PizzaInn_Project) 1.0.0 (CVE-2014-6619)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:fname|ARGS_POST:lname|ARGS_POST:login "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith modules/lib_jquery/plugins/cattranslate/cattranslate.php" \
"id:240110,chain,msg:'COMODO WAF: XSS vulnerability in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 (CVE-2014-5259)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:/cat[\d]{4}sessionid/ "@ge 1" \
"chain"
SecRule ARGS:msg "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains user/help/html/index.php" \
"id:240131,chain,msg:'COMODO WAF: XSS vulnerability in Fonality trixbox (CVE-2014-5110)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id_nodo "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@pm data_layout main_layout" \
"id:240150,chain,msg:'COMODO WAF: XSS vulnerability in MyWebSQL 3.4 and earlier (CVE-2014-4735)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:table "@pm < >" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:phpMyAdmin "@ge 1" \
"id:240160,chain,msg:'COMODO WAF: XSS vulnerability in phpMyAdmin before 4.1.7 (CVE-2014-1879)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule FILES:import_file "@contains <" \
"chain"
SecRule REQUEST_BASENAME "@streq import.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:MoodleSession "@ge 1" \
"id:240200,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.7.x before 2.7.1 (CVE-2014-3550)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/tool/task/scheduledtasks.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:success|ARGS:error "@pm < > /" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:MoodleSession "@ge 1" \
"id:240210,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)||%{tx.domain}|%{tx.mode}|2',phase:4,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx (badges\/mybadges|user\/profile)\.php$" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule RESPONSE_BODY "!@rx <spanclass=\x22badge\-name\x22>[a-z0-9\.'\!\:\-]+<\/a><\/li>"
SecRule ARGS_GET:page "@streq posts" \
"id:240230,chain,msg:'COMODO WAF: XSS vulnerabilities in the MetalGenix GeniXCMS 0.0.3 (CVE-2015-5066)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:act "add" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:title|ARGS_POST:content "@rx \x22|'" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "index.php" \
"t:none,t:lowercase"
SecRule ARGS_GET:page "posts" \
"id:240231,chain,msg:'COMODO WAF: XSS vulnerabilities in the MetalGenix GeniXCMS 0.0.3 (CVE-2015-5066)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:q "@rx \'" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "index.php" \
"t:none,t:lowercase"
SecRule REQUEST_URI "@contains /dashboard/settings/categories" \
"id:240260,chain,msg:'COMODO WAF: XSS vulnerabilities in Free Reprintables ArticleFR 3.0.6 (CVE-2015-5529)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:name "@rx <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_URI "@contains /dashboard/settings/links" \
"id:240261,chain,msg:'COMODO WAF: XSS vulnerabilities in Free Reprintables ArticleFR 3.0.6 (CVE-2015-5529)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:title|ARGS_POST:rel|ARGS_POST:url "@rx <" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "@contains /dashboard/tools/pingservers" \
"id:240262,chain,msg:'COMODO WAF: XSS vulnerabilities in Free Reprintables ArticleFR 3.0.6 (CVE-2015-5529)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:url "@rx <" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /site/tools/searchResults.php" \
"id:240340,chain,msg:'COMODO WAF: XSS vulnerabilities in phpipam 1.1.010 (CVE-2015-6529)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:addresses "@streq on" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:ip "@rx \x22" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith site/error.php" \
"id:240341,chain,msg:'COMODO WAF: XSS vulnerabilities in phpipam 1.1.010 (CVE-2015-6529)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:section "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@contains phpliteadmin.php" \
"id:240370,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpLiteAdmin 1.1 (CVE-2015-6518)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith phpliteadmin.php" \
"id:240371,chain,msg:'COMODO WAF: XSS vulnerabilities in phpLiteAdmin 1.1 (CVE-2015-6518)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:droptable|ARGS_GET:table "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /cpg15x/install_classic.php" \
"id:240390,chain,msg:'COMODO WAF: XSS vulnerabilities in Coppermine Photo Gallery (CPG) 1.5.36 (CVE-2015-6528)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:admin_username|ARGS_POST:admin_password|ARGS_POST:admin_email|ARGS_POST:dbserver|ARGS_POST:dbname|ARGS_POST:dbuser|ARGS_POST:dbpass|ARGS_POST:table_prefix|ARGS_POST:impath "@rx <|\'|\x22" \
"t:none,t:urlDecodeUni,t:htmlEntitydecode"
SecRule REQUEST_COOKIES_NAMES "@contains cacti" \
"id:240400,chain,msg:'COMODO WAF: XSS injection vulnerability in Cacti before 0.8.8d (CVE-2015-2665)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /graphs.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:title "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /www/make_subset.php" \
"id:240420,chain,msg:'COMODO WAF: XSS vulnerability in PHP Font Lib before 0.3.1 (CVE-2015-2570)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:fontfile "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith adm_config_report.php" \
"id:240430,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT 1.2.13 through 1.2.17 (CVE-2014-8987)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:MANTIS_STRING_COOKIE "@rx ^[a-f0-9]{64}$" \
"chain,t:none"
SecRule ARGS:config_option "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:demo "@streq applyconvolution" \
"id:240440,chain,msg:'COMODO WAF: XSS vulnerability in WideImage 11.02.19 (CVE-2015-5519)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx \/demo\/(?:index\.php)?$" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:matrix "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith backend/groups/ajax_save_group.php" \
"id:240450,chain,msg:'COMODO WAF: XSS vulnerability in BlackCat CMS 1.1.2 (CVE-2015-5521)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:/^cat[\d]+sessionid$/ "@rx [0-9a-z]{26}" \
"chain,t:none"
SecRule ARGS_POST:name "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith feedback/pages/feedback.php" \
"id:240480,chain,msg:'COMODO WAF: SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 and earlier (CVE-2015-6915)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:user "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES:dcxd "@rx ^[0-9a-f]{40}$" \
"id:240490,chain,msg:'COMODO WAF: XSS vulnerability in Dotclear before 2.8.1 (CVE-2015-5651)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith posts.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:/entries\[\d+\]/ "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:controller "@streq post" \
"id:240570,chain,msg:'COMODO WAF: XSS vulnerabilities in Nibbleblog before 4.0.2 (CVE-2014-8996)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq view" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:hash "@rx ^[0-9a-f]+$" \
"chain,t:none"
SecRule ARGS_POST:author_name|ARGS_POST:content "@rx \x22|<" \
"t:none"
SecRule FILES "@contains <" \
"id:240620,chain,msg:'COMODO WAF: XSS vulnerability in Revive Adserver before 3.2.2 (CVE-2015-7365)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:sessionID "@rx ^[a-z0-9]{32}$" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith plugin-index.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:240640,chain,msg:'COMODO WAF: XSS vulnerability in Piwigo before 2.7.4 (CVE-2015-2035)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@endswith opensis/index.php" \
"id:240650,chain,msg:'COMODO WAF: SQLi vulnerability in openSIS 4.5 through 5.3 (CVE-2014-8366)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:username|ARGS_POST:password "@contains '" \
"t:none,t:urlDecodeUni"
SecRule ARGS:id "@rx <" \
"id:240660,chain,msg:'COMODO WAF: XSS vulnerability in zTree 3.5.19.1 and possibly earlier (CVE-2015-7348)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx (?:getnodes|getnodesforbigdata).php$" \
"t:none,t:lowercase"
SecRule ARGS_POST:formType "@pm install update" \
"id:240690,chain,msg:'COMODO WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-7383)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:PHPSESSID "@rx ^\w+$" \
"chain,t:none"
SecRule ARGS_POST:submit "@pm install update" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:adminUserName|ARGS_POST:pathToMYSQL|ARGS_POST:databaseStructureFile|ARGS_POST:pathToBibutils "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains www/admin/banner-edit" \
"id:240700,chain,msg:'COMODO WAF: XSS vulnerabilities in the Revive Adserver before 3.2.2 (CVE-2015-7373)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:submit "@streq savechanges" \
"chain,t:none,t:removeWhitespace,t:lowercase"
SecRule ARGS_POST:url|ARGS_POST:height|ARGS_POST:width|ARGS_POST:weight "@rx <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endswith changedata.php" \
"id:240710,chain,msg:'COMODO WAF: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:post-title|ARGS_POST:post-content "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:october_session "@eq 1" \
"id:240730,chain,msg:'COMODO WAF: XSS vulnerability in October CMS build 271 and earlier (CVE-2015-5612)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:title "@contains <" \
"t:none"
SecRule &REQUEST_COOKIES:pwg_id "@gt 0" \
"id:240750,chain,msg:'COMODO WAF: XSS vulnerability in the Piwigo before 2.7.4 (CVE-2015-2034)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@rx <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith symphony/blueprints/sections/edit/1/saved/" \
"id:240760,chain,msg:'COMODO WAF: XSS vulnerability in the Symphony CMS 2.6.3 (CVE-2015-8376)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:meta[name]|ARGS_POST:meta[navigation_group] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" \
"id:240770,chain,msg:'COMODO WAF: XSS vulnerability in the Serendipity before 2.0.3 (CVE-2015-8603)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:serendipity[adminAction] "@streq edit" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:serendipity[entry_id] "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_URI "@endswith nucleus/index.php" \
"id:240790,chain,msg:'COMODO WAF: XSS vulnerability in Nucleus CMS 3.65 (CVE-2015-5454)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:title "@contains <" \
"t:none"
SecRule REQUEST_FILENAME "@contains card.php" \
"id:240800,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.8.3 (CVE-2016-1912)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:action "@streq update" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:lastname|ARGS_POST:firstname|ARGS_POST:job|ARGS_POST:email|ARGS_POST:signature "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith agenda_extsites.php" \
"id:240810,chain,msg:'COMODO WAF: XSS vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier (CVE-2015-8685)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith DOLSESSID_" \
"chain,t:none"
SecRule ARGS "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule MATCHED_VARS_NAMES "@rx ^ARGS:AGENDA_EXT_(?:NAME|SRC|COLOR)__[\d]{1}$" \
"t:none"
SecRule REQUEST_FILENAME "@contains onepage/savebilling" \
"id:240820,chain,msg:'COMODO WAF: Stored XSS in Magento before Magento CE: 1.9,2.3, Magento EE: 1.14.2.3||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:billing[email] "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:frontend "@ge 1" \
"t:none"
SecRule &REQUEST_COOKIES:sess_hash "@gt 0" \
"id:240840,chain,msg:'COMODO WAF: XSS injection vulnerability in the Beehive Forum 1.4.4 (CVE-2015-2198)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:homepage_url|ARGS_POST:pic_url|ARGS_POST:avatar_url "@rx \x22|<" \
"chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith edit_prefs.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@pm cms/index.php forum/index.php" \
"id:240850,chain,msg:'COMODO WAF: XSS vulnerability in the ocPortal before 9.0.17 (CVE-2015-2677)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@pm cms_calendar cms_polls topics" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:title|ARGS_POST:question|ARGS_POST:reason|ARGS_POST:description "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains symphony/system/preferences" \
"id:240860,chain,msg:'COMODO WAF: XSS vulnerability in the Symphony CMS before 2.6.4 (CVE-2015-8766)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:settings[email_sendmail][from_name]|ARGS_POST:settings[email_sendmail][from_address]|ARGS_POST:settings[email_smtp][from_name]|ARGS_POST:settings[email_smtp][from_address]|ARGS_POST:settings[email_smtp][host]|ARGS_POST:settings[email_smtp][port]|ARGS_POST:it_image_manipulation[trusted_external_sites]|ARGS_POST:maintenance_mode[ip_whitelist]|ARGS_POST:settings[email_smtp][username]|ARGS_POST:settings[email_smtp][password] "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains symphony/system/authors" \
"id:240870,chain,msg:'COMODO WAF: XSS vulnerability in the Symphony CMS 2.6.2 (CVE-2015-4661)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:sort "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:mode "@streq admin" \
"id:240900,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in my little forum before 2.3.4 (CVE-2015-1434)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:/^mlf\w+$/ "@gt 0" \
"chain,t:none"
SecRule ARGS_GET:edit_category|ARGS_GET:letter "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:mode "@streq posting" \
"id:240910,chain,msg:'COMODO WAF: XSS vulnerability in my little forum before 2.3.4 (CVE-2015-1435)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:/^mlf\w+$/ "@gt 0" \
"chain,t:none"
SecRule ARGS_GET:back "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES:/^mlf\w+$/ "@gt 0" \
"id:240920,chain,msg:'COMODO WAF: XSS vulnerability in my little forum 2.3.3, 2.2, and 1.7 (CVE-2015-1475)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page|ARGS_GET:category|ARGS_GET:order|ARGS_POST:title|ARGS_POST:menu_linkname "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith error.php" \
"id:240940,chain,msg:'COMODO WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:errorNo|ARGS_GET:errorMsg "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith import_modify.php" \
"id:240941,chain,msg:'COMODO WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:sourceText "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm import_modify.php" \
"id:240942,chain,msg:'COMODO WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:sourceIDs|ARGS_POST:importRecords "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith duplicate_manager.php" \
"id:240980,chain,msg:'COMODO WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:viewType "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith query_manager.php" \
"id:240981,chain,msg:'COMODO WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:queryAction|ARGS_GET:displayType|ARGS_GET:citeOrder|ARGS_GET:sqlQuery|ARGS_GET:showQuery|ARGS_GET:showLinks|ARGS_GET:showRows|ARGS_GET:queryID "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith query_modify.php" \
"id:240982,chain,msg:'COMODO WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:queryAction|ARGS_POST:displayType|ARGS_POST:showLinks|ARGS_POST:showRows|ARGS_POST:citeOrder|ARGS_POST:queryID "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith modify.php" \
"id:240983,chain,msg:'COMODO WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:typeName|ARGS_POST:fileName "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith query_modify.php" \
"id:240984,chain,msg:'COMODO WAF: XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:sqlQuery "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith backend/main.php" \
"id:241010,chain,msg:'COMODO WAF: XSS & SQL injection vulnerabilities in Sefrengo before 1.6.1 (CVE-2015-0919)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:area "@streq con_configcat" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:idcat "@rx \x22|\'" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith backend/main.php" \
"id:241011,chain,msg:'COMODO WAF: SQL injection vulnerabilities in Sefrengo before 1.6.1 (CVE-2015-0919)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:area "@streq con_configcat" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:idcat "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith backend/main.php" \
"id:241012,chain,msg:'COMODO WAF: SQL injection vulnerabilities in Sefrengo before 1.6.1 (CVE-2015-0919)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:area "@streq plug" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:idclient "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith backend/main.php" \
"id:241013,chain,msg:'COMODO WAF: SQL injection vulnerabilities in Sefrengo before 1.6.1 (CVE-2015-0919)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:idclient "@rx \'" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_GET:area "@streq plug" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith backend/main.php" \
"id:241020,chain,msg:'COMODO WAF: XSS vulnerability in Sefrengo before 1.6.1 (CVE-2015-0918)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:area "@streq user" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:searchterm "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith backend/main.php" \
"id:241030,chain,msg:'COMODO WAF: SQL injection vulnerability in Sefrengo before 1.6.2 (CVE-2015-1428)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:sefrengo "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith backend/main.php" \
"id:241031,chain,msg:'COMODO WAF: SQL injection vulnerability in Sefrengo before 1.6.2 (CVE-2015-1428)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:area "@streq settings" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:value_id "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@pm user_management.php" \
"id:241040,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Saurus CMS 4.7.0 (CVE-2015-1562)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:search "@rx <" \
"t:none,t:lowercase,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@pm profile_data.php" \
"id:241041,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Saurus CMS 4.7.0 (CVE-2015-1562)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:data_search "@rx <" \
"t:none,t:lowercase,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@pm error_log.php" \
"id:241042,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Saurus CMS 4.7.0 (CVE-2015-1562)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:filter "@rx <" \
"t:none,t:lowercase,t:urlDecodeUni"
SecRule &ARGS_GET:p "@gt 0" \
"id:241050,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_extfile|ARGS_POST:jak_file|ARGS_POST:jak_tags "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:p "@gt 0" \
"id:241051,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:sp|ARGS_GET:ssp|ARGS_GET:sssp|ARGS_GET:ssssp "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith js/editor/plugins/filemanager/dialog.php" \
"id:241052,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:type|ARGS_GET:editor|ARGS_GET:lang|ARGS_GET:fldr|ARGS_GET:field_id "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p "@streq categories" \
"id:241053,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_name|ARGS_POST:jak_varname|ARGS_POST:jak_url|ARGS_POST:jak_img "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p "@streq site" \
"id:241054,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_title|ARGS_POST:jak_description|ARGS_POST:jak_keywords|ARGS_POST:jak_author|ARGS_POST:jak_copy "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p "@streq plugins" \
"id:241055,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_generala|ARGS_POST:jak_managea|ARGS_POST:jak_name|ARGS_POST:jak_phpcode "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p "@streq user" \
"id:241056,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_name|ARGS_POST:jak_email|ARGS_POST:jak_username|ARGS_POST:jak_password "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p "@streq usergroup" \
"id:241057,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_name "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p "@streq page" \
"id:241058,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_catid|ARGS_POST:jak_title|ARGS_POST:jak_password|ARGS_POST:jak_css|ARGS_POST:jak_javascript|ARGS_POST:jak_showcontact|ARGS_POST:horder_new[]|ARGS_POST:real_hook_id_new[]|ARGS_POST:sreal_plugin_id_new[]|ARGS_POST:horder[]|ARGS_POST:real_hook_id[]|ARGS_POST:sreal_plugin_id[] "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p "@streq contactform" \
"id:241059,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_email|ARGS_POST:jak_title|ARGS_POST:jak_option[]|ARGS_POST:jak_options[] "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p "@streq sitemap" \
"id:241060,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_title|ARGS_POST:jak_hookshow[]|ARGS_POST:horder_new[]|ARGS_POST:real_hook_id_new[]|ARGS_POST:sreal_plugin_id_new[]|ARGS_POST:horder[]|ARGS_POST:real_hook_id[]|ARGS_POST:sreal_plugin_id[] "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:p "@streq logs" \
"id:241061,chain,msg:'COMODO WAF: XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_delete_log[] "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_POST:submit "@contains send!" \
"id:241090,chain,msg:'COMODO WAF: SQL injection vulnerability in the CatBot 0.4.2 (CVE-2015-1367)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:lastcatbot "@rx \'" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith index.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith __admin/index.php" \
"id:241100,chain,msg:'COMODO WAF: SQL injection vulnerability in xlinkerz ecommerceMajor (CVE-2015-1476)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:username|ARGS_POST:password "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@pm locale/index" \
"id:241110,chain,msg:'COMODO WAF: SQL injection vulnerabilities in Fork CMS before 3.8.6 (CVE-2015-1467)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:type[] "@rx \'" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "@pm locale/index" \
"id:241111,chain,msg:'COMODO WAF: SQL injection vulnerabilities in Fork CMS before 3.8.6 (CVE-2015-1467)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:language[] "@rx \'" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith course/management.php" \
"id:241130,chain,msg:'COMODO WAF: XSS vulnerability in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 (CVE-2016-0725)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:search "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith mod/survey/save.php" \
"id:241150,chain,msg:'COMODO WAF: XSS vulnerability in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 (CVE-2015-5336)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:/q\d+/ "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES:GeniXCMS "@ge 1" \
"id:241190,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0.0.2 (CVE-2015-2679)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@rx \'" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@contains /gxadmin/login.php" \
"id:241191,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0.0.2 (CVE-2015-2679)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:username "@rx \'" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:dcxd "@ge 1" \
"id:241200,chain,msg:'COMODO WAF: XSS vulnerability in Dotclear before version 2.8.2 (CVE-2015-8831)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq comments.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:author "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:_mbox "@contains <" \
"id:241210,chain,msg:'COMODO WAF: XSS vulnerability in Roundcube before 1.0.6 and 1.1.x before 1.1.2 (CVE-2015-8793)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:_action "@ge 1" \
"chain,t:none"
SecRule &ARGS_GET:_remote "@ge 1" \
"chain,t:none"
SecRule REQUEST_COOKIES_NAMES "@contains roundcube" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith mod/lesson/essay.php" \
"id:241220,chain,msg:'COMODO WAF: XSS injection vulnerability in Moodle 2.8.x before 2.8.2 (CVE-2015-0216)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:response "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains bedita-app/admin/saveconfig" \
"id:241240,chain,msg:'COMODO WAF: XSS vulnerabilities in BEdita before 3.6.0 (CVE-2015-6809)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:cfg[projectName] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith bedita-app/areas/savearea" \
"id:241241,chain,msg:'COMODO WAF: XSS vulnerabilities in BEdita before 3.6.0 (CVE-2015-6809)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[stats_provider_url] "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith bedita-app/home/editprofile" \
"id:241250,chain,msg:'COMODO WAF: XSS vulnerabilities in BEdita 3.4.0 (CVE-2015-1040)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[User][realname] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith bedita-app/pages/savequickitem" \
"id:241251,chain,msg:'COMODO WAF: XSS vulnerabilities in BEdita 3.4.0 (CVE-2015-1040)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[title]|ARGS_POST:data[description] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith bedita-app/pages/savenote" \
"id:241252,chain,msg:'COMODO WAF: XSS vulnerabilities in BEdita 3.4.0 (CVE-2015-1040)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[description] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith bedita-app/documents/save" \
"id:241253,chain,msg:'COMODO WAF: XSS vulnerabilities in BEdita 3.4.0 (CVE-2015-1040)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[title] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/dashboard/reports/logs/view" \
"id:241270,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:channel "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/tools/required/permissions/access_entity" \
"id:241271,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:accessType "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/ccm/system/dialogs/area/design" \
"id:241272,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:arHandle "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/dashboard/extend/connect" \
"id:241273,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/dashboard/system/conversations/bannedwords" \
"id:241274,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:banned_word[] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/dashboard/system/multilingual/setup/load_icon" \
"id:241275,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:msCountry "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/dashboard/pages/single" \
"id:241276,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:pageURL "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/dashboard/system/seo/searchindex" \
"id:241279,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:SEARCH_INDEX_AREA_METHOD "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/dashboard/system/optimization/jobs" \
"id:241280,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:unit "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/dashboard/system/registration/open" \
"id:241290,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:register_notification_email "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm htdocs/product/liste.php htdocs/adherents/liste.php" \
"id:241300,chain,msg:'COMODO WAF: XSS vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 (CVE-2015-3935)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:sall "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith htdocs/contact/list.php" \
"id:241301,chain,msg:'COMODO WAF: XSS vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 (CVE-2015-3935)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:contactname "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith htdocs/societe/societe.php" \
"id:241302,chain,msg:'COMODO WAF: XSS vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 (CVE-2015-3935)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:search_nom|ARGS_POST:search_town|ARGS_POST:/search_idprof\d+/|ARGS_POST:socname "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains index.php/dashboard/system/mail/importers" \
"id:241310,chain,msg:'COMODO WAF: XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-3989)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:miEmail|ARGS_POST:miServer|ARGS_POST:miUsername|ARGS_POST:miPassword|ARGS_POST:miPort "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES:pivotxsession "@ge 1" \
"id:241320,chain,msg:'COMODO WAF: XSS vulnerabilities in PivotX before 2.3.11 (CVE-2015-5456)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@rx index\.php\/\x22|index\.php\/\'" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule ARGS_GET:page "@streq logout" \
"id:241321,chain,msg:'COMODO WAF: XSS vulnerabilities in PivotX before 2.3.11 (CVE-2015-5456)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@rx index\.php\/\x22|index\.php\/\'" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule &REQUEST_COOKIES:user_env "@ge 1" \
"id:241330,chain,msg:'COMODO WAF: XSS vulnerabilities in Ultimate PHP Board (aka myUPB) 2.2.7 (CVE-2015-2217)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith search.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:q "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:user_env "@ge 1" \
"id:241331,chain,msg:'COMODO WAF: XSS vulnerabilities in Ultimate PHP Board (aka myUPB) 2.2.7 (CVE-2015-2217)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith profile.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:avatar "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains index.php/ajaxproxy/" \
"id:241340,chain,msg:'COMODO WAF: XSS vulnerabilities in WoltLab Community Gallery 2.0 before 2014-12-26 (CVE-2015-2275)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:/parameters\[data]\[\d+]\[title]/ "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith scp/tickets.php" \
"id:241400,chain,msg:'COMODO WAF: XSS vulnerability in osTicket before 1.9.5 (CVE-2015-1176)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:a "@streq search" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:status "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES:e107_tzOffset "@ge 1" \
"id:241420,chain,msg:'COMODO WAF: XSS vulnerabilities in e107 Bootstrap CMS 2.0.0 (CVE-2015-1057)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith usersettings.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:realname "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains admin/file_manager/file_manager/editfile" \
"id:241440,chain,msg:'COMODO WAF: XSS vulnerabilities in Croogo before 2.2.1 (CVE-2015-1053)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:path "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm admin/contacts/contacts/add admin/contacts/contacts/edit" \
"id:241450,chain,msg:'COMODO WAF: XSS vulnerabilities in Croogo before 2.1.0 (CVE-2014-8577)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[Contact][title] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm admin/blocks/blocks/add admin/blocks/blocks/edit" \
"id:241451,chain,msg:'COMODO WAF: XSS vulnerabilities in Croogo before 2.1.0 (CVE-2014-8577)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[Block][title]|ARGS_POST:data[Block][alias] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm admin/blocks/regions/add admin/blocks/regions/edit" \
"id:241452,chain,msg:'COMODO WAF: XSS vulnerabilities in Croogo before 2.1.0 (CVE-2014-8577)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[Region][title] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm admin/menus/menus/add admin/menus/menus/edit" \
"id:241453,chain,msg:'COMODO WAF: XSS vulnerabilities in Croogo before 2.1.0 (CVE-2014-8577)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[Menu][title]|ARGS_POST:data[Menu][alias] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm admin/menus/links/add admin/menus/links/edit" \
"id:241454,chain,msg:'COMODO WAF: XSS vulnerabilities in Croogo before 2.1.0 (CVE-2014-8577)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[Link][title] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains e107_admin/filemanager.php" \
"id:241460,chain,msg:'COMODO WAF: XSS vulnerabilities in e107 1.0.4 (CVE-2015-1041)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith db_search.php" \
"id:241470,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 (CVE-2016-2040)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:criteriaTables[] "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:phpmyadmin "@ge 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith tbl_zoom_select.php" \
"id:241471,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 (CVE-2016-2040)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:/criteriaValues\[\d+\]/|ARGS:/criteriaColumnTypes\[\d+\]/ "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:phpmyadmin "@ge 1" \
"t:none"
SecRule REQUEST_URI "@ge 600" \
"id:241472,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 (CVE-2016-2040)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:length,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_HEADERS:Host "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule RESPONSE_HEADERS:Set-Cookie "@contains pmaPass" \
"t:none"
SecRule REQUEST_FILENAME "@pm modules/news/modify_group.php modules/edit_module_files.php modules/news/modify_post.php modules/news/modify_settings.php" \
"id:241490,chain,msg:'COMODO WAF: XSS vulnerabilities in WebsiteBaker 2.8.3 (CVE-2014-9243)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:section_id "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith modules/news/add_post.php" \
"id:241491,chain,msg:'COMODO WAF: XSS vulnerabilities in WebsiteBaker 2.8.3 (CVE-2014-9243)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:section_id "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains admin/admintools/tool.php" \
"id:241492,chain,msg:'COMODO WAF: XSS vulnerabilities in WebsiteBaker 2.8.3 (CVE-2014-9243)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains <" \
"t:none,t:urlDecodeUni,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@contains pmapass" \
"id:241500,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 (CVE-2016-2560)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_HEADERS:Host "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule RESPONSE_HEADERS:Set-Cookie "@contains pmaPass" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith server_privileges.php" \
"id:241501,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 (CVE-2016-2560)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:initial "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@contains pmapass" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith tbl_zoom_select.php" \
"id:241502,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 (CVE-2016-2560)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:it "@rx \D" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@contains pmapass" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@pm upload-process-form.php edit-file.php" \
"id:241510,chain,msg:'COMODO WAF: XSS vulnerability in ProjectSend (formerly cFTP) r561 (CVE-2014-9580)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:/file\[\d+]\[name]/|ARGS_POST:/file/[/d+]/[description]/ "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith view_item.php" \
"id:241520,chain,msg:'COMODO WAF: SQL injection vulnerability in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) (CVE-2015-2102)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:type "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:item "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith upload/index.php" \
"id:241550,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in Persian Car CMS 1.0 (CVE-2015-4678)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:cat_id "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith admin/asset/grid-proxy" \
"id:241560,chain,msg:'COMODO WAF: SQL injection vulnerability in the pimcore before build 3473 (CVE-2015-4426)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:filter "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith db_structure.php" \
"id:241610,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 (CVE-2016-2561)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@contains pmapass" \
"chain,t:none,t:lowercase"
SecRule ARGS:tbl_type|ARGS:tbl_group "@rx \x22" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith dapur/index.php" \
"id:241660,chain,msg:'COMODO WAF: XSS vulnerability in the Fiyo CMS 2.0.1.8 (CVE-2014-9146)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:app "@streq module" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:act "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:app "@contains article" \
"id:241661,chain,msg:'COMODO WAF: XSS vulnerability in the Fiyo CMS 2.0.1.8 (CVE-2014-9146)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:view "@contains item" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:id|ARGS_GET:view|ARGS_GET:app "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith dapur/index.php" \
"id:241670,chain,msg:'COMODO WAF: XSS vulnerability in the Fiyo CMS 1.5.7 (CVE-2014-4032)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:app "@streq comment" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:name|ARGS_POST:comment "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_POST:send-comment "@streq send" \
"id:241671,chain,msg:'COMODO WAF: XSS vulnerability in the Fiyo CMS 1.5.7 (CVE-2014-4032)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:secure "@eq 1" \
"chain,t:none"
SecRule ARGS_POST:name|ARGS_POST:com "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains admin/noviusos_media/media/insert_update" \
"id:241681,chain,msg:'COMODO WAF: XSS vulnerability in the Novius OS 5.0.1 (Elche) (CVE-2015-5353)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:media_title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains admin/noviusos_menu/menu/crud/insert_update" \
"id:241682,chain,msg:'COMODO WAF: XSS vulnerability in the Novius OS 5.0.1 (Elche) (CVE-2015-5353)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:menu_title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith /components/filemanager/dialog.php" \
"id:241700,chain,msg:'COMODO WAF: XSS vulnerability in Codiad before 2.4.3 (CVE-2014-9582)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:short_name "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith cms/front_content.php" \
"id:241750,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Contenido before 4.9.6 (CVE-2014-9433)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@contains 1frontend" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:idart|ARGS_GET:lang|ARGS_GET:idcat "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains administration/submissions.php" \
"id:241760,chain,msg:'COMODO WAF: SQL injection vulnerabilities in PHP-Fusion 7.02.07 (CVE-2014-8596)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:aid "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:submit_id "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains administration/members.php" \
"id:241761,chain,msg:'COMODO WAF: SQL injection vulnerabilities in PHP-Fusion 7.02.07 (CVE-2014-8596)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:aid "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:status "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule &ARGS:ajaxID "@ge 1" \
"id:241800,chain,msg:'COMODO WAF: XSS Vulnerability in TYPO3 Versions 6.2.0 to 6.2.18 (CVE-2016-4056)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:ajaxToken "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:module "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@contains be_typo_user" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith ajax.php" \
"t:none,t:lowercase"
SecRule REQUEST_URI "@contains module" \
"id:241810,chain,msg:'COMODO WAF: XSS vulnerability in Kajona before 4.6.3 (CVE-2015-0917)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@contains adminskin" \
"chain,t:none"
SecRule ARGS_GET:action "@contains <" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:serendipity[comment] "@contains <" \
"id:241820,chain,msg:'COMODO WAF: XSS vulnerability in Serendipity before 2.0-rc2 (CVE-2014-9432)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@rx ^s9y_[a-f0-9]{32}$" \
"t:none,t:lowercase"
SecRule ARGS_GET:doAction "@streq search" \
"id:241830,chain,msg:'COMODO WAF: XSS and SQL injection vulnerabilities in the TestLink 1.9.11 (CVE-2014-5308)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith lib/project/projectview.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:name "@rx \'|\x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_POST:controller "@contains search" \
"id:241850,chain,msg:'COMODO WAF: XSS vulnerability in Exponent CMS v2.3.0 (CVE-2014-6635)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:action "@contains none" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:src "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith /oc-admin/index.php" \
"id:241870,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in OSClass before 3.4.2 (CVE-2014-6280)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@contains items" \
"chain,t:none"
SecRule ARGS_GET:action|ARGS_GET:nsextt "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith e107_admin/db.php" \
"id:241880,chain,msg:'COMODO WAF: XSS vulnerability in e107 v2.0 alpha2 (CVE-2014-4734)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:mode "@contains pref_editor" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:type "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains textpattern/setup/index.php" \
"id:241890,chain,msg:'COMODO WAF: XSS vulnerability in Textpattern CMS before 4.5.7 (CVE-2014-4737)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:owa_action "@contains base.login" \
"id:241920,chain,msg:'COMODO WAF: XSS vulnerability in Open Web Analytics before 1.5.6 (CVE-2014-1456)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:owa_user_id "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains tools/required/dashboard/sitemap_drag_request" \
"id:241940,chain,msg:'COMODO WAF: XSS vulnerability in the concrete5 5.7.2.1, 5.7.2, and earlier (CVE-2014-9526)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:instance_id "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains dashboard/users/groups/bulkupdate/search" \
"id:241941,chain,msg:'COMODO WAF: XSS vulnerability in the concrete5 5.7.2.1, 5.7.2, and earlier (CVE-2014-9526)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:gName "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains dashboard/users/groups/bulkupdate/search" \
"id:241942,chain,msg:'COMODO WAF: XSS vulnerability in the concrete5 5.7.2.1, 5.7.2, and earlier (CVE-2014-9526)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:gName "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_URI "@contains /manager/" \
"id:241970,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution 2.3.1-pl and earlier (CVE-2014-5451 & CVE-2014-2080)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:a "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith www/admin/report-generate.php" \
"id:241990,chain,msg:'COMODO WAF: XSS vulnerability in the Revive Adserver before 3.0.6 (CVE-2014-8793)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:submit_type "@streq change" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:refresh_page "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:class_key "@streq modstaticresource" \
"id:242000,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution 2.x before 2.2.15 (CVE-2014-8774)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:context_key "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_URI "@contains /manager/" \
"id:242001,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution 2.x before 2.2.15 (CVE-2014-8774)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:a "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:key "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_POST:HTTP_MODAUTH "@ge 1" \
"id:242002,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution 2.x before 2.2.15 (CVE-2014-8774)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:context "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith admin/settings.php" \
"id:242020,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in GetSimple CMS 3.3.1 (CVE-2014-1603)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:sitepwd_confirm "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:user|ARGS_POST:email|ARGS_POST:name "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith admin/load.php" \
"id:242021,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in GetSimple CMS 3.3.1 (CVE-2014-1603)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:param "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith requests/manage_playlists.php" \
"id:242030,chain,msg:'COMODO WAF: XSS vulnerability in the phpSound 1.0.5 (CVE-2014-8954)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:a "@streq explore" \
"id:242031,chain,msg:'COMODO WAF: XSS vulnerability in the phpSound 1.0.5 (CVE-2014-8954)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:volume "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:filter "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_POST:controller "@streq users" \
"id:242040,chain,msg:'COMODO WAF: XSS vulnerability in the Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 (CVE-2014-8690)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:action "@streq update" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:firstname|ARGS_POST:lastname|ARGS_POST:username|ARGS_POST:src|ARGS_POST:int|ARGS_POST:avatar|ARGS_POST:email "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_COOKIES_NAMES "@contains yourls_" \
"id:242050,chain,msg:'COMODO WAF: XSS vulnerability in the Yourls 1.7 (CVE-2014-8488)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:url|ARGS_GET:title "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith thumb.php" \
"id:242060,chain,msg:'COMODO WAF: XSS vulnerability in MediaWiki before 1.25.2 (CVE-2015-6729)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:rel404 "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains blogs/admin.php" \
"id:242070,chain,msg:'COMODO WAF: XSS vulnerability in b2evolution before 5.2.1 (CVE-2014-9599)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:actionArray[filter] "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:fm_filter "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:env "@contains -login:" \
"id:242080,chain,msg:'COMODO WAF: XSS vulnerability in the In-Portal CMS 5.2.0 and earlier (CVE-2014-8304)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:next_template "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith editor.php" \
"id:242090,chain,msg:'COMODO WAF: XSS vulnerability in Network Weathermap before 0.97b (CVE-2013-2618)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:mapname "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:map_title "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@pm tabella.php coloni.php insert.php" \
"id:242100,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in MySql Lite Administrator beta-1 (CVE-2015-5064)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:PHPSESSID "@rx ^[a-z0-9]{26}$" \
"chain,t:none"
SecRule ARGS_GET:table_name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith coloni.php" \
"id:242101,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in MySql Lite Administrator beta-1 (CVE-2015-5064)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:PHPSESSID "@rx ^[a-z0-9]{26}$" \
"chain,t:none"
SecRule ARGS_GET:num_row "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:op "@streq login" \
"id:242110,chain,msg:'COMODO WAF: SQL injection vulnerability in Simple E-Document version 1.31 (CVE-2014-10020)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:Submit "@streq login" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith login.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:username "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /gxadmin/index.php" \
"id:242120,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in MetalGenix GeniXCMS before 0.0.2 (CVE-2015-2678)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:GeniXCMS "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:cat "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES:GeniXCMS "@ge 1" \
"id:242121,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in MetalGenix GeniXCMS before 0.0.2 (CVE-2015-2678)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith project/controller.php" \
"id:242130,chain,msg:'COMODO WAF: XSS vulnerability in Codiad v2.0.7 (CVE-2013-7257)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq create" \
"chain,t:none"
SecRule ARGS_GET:project_name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@contains ostsessid" \
"id:242140,chain,msg:'COMODO WAF: XSS vulnerability in the osTicket before 1.9.2 (CVE-2014-4744)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:a "@streq open" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith open.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_COOKIES_NAMES "@contains ostsessid" \
"id:242141,chain,msg:'COMODO WAF: XSS vulnerability in the osTicket before 1.9.2 (CVE-2014-4744)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith account.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:do "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_COOKIES_NAMES "@contains ostsessid" \
"id:242142,chain,msg:'COMODO WAF: XSS vulnerability in the osTicket before 1.9.2 (CVE-2014-4744)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith account.php" \
"chain,t:none,t:lowercase"
SecRule &ARGS_POST:do "@ge 1" \
"chain,t:none"
SecRule ARGS_POST "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:r "@contains alms/games/edit" \
"id:242160,chain,msg:'COMODO WAF: XSS vulnerability in the Forma Lms before 1.2.1 p01 (CVE-2014-5257)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id_game "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:modname "@streq amanmenu" \
"id:242161,chain,msg:'COMODO WAF: XSS vulnerability in the Forma Lms before 1.2.1 p01 (CVE-2014-5257)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:op "@streq modcustom" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:id_custom "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith filemanager.php" \
"id:242190,chain,msg:'COMODO WAF: XSS vulnerability in AuraCMS before v3.0 (CVE-2014-3974)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:Login "@rx ^[a-z0-9]{26}$" \
"chain,t:none"
SecRule ARGS_GET:viewdir "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith register.php" \
"id:242200,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in WeBid 1.1.1 (CVE-2014-5101)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:TPL_name|ARGS_POST:TPL_nick|ARGS_POST:TPL_email|ARGS_POST:TPL_year|ARGS_POST:TPL_address|ARGS_POST:TPL_city|ARGS_POST:TPL_prov|ARGS_POST:TPL_zip|ARGS_POST:TPL_phone|ARGS_POST:TPL_pp_email|ARGS_POST:TPL_authnet_id|ARGS_POST:TPL_authnet_pass|ARGS_POST:TPL_wordpay_id|ARGS_POST:TPL_toocheckout_id|ARGS_POST:TPL_moneybookers_email "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith user_login.php" \
"id:242201,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in WeBid 1.1.1 (CVE-2014-5101)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:username "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith modules/system/admin.php" \
"id:242210,chain,msg:'COMODO WAF: XSS vulnerability in ImpressCMS 1.3.6.1 (CVE-2014-4036)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:ICMSSESSION "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:fct "@streq images" \
"chain,t:none"
SecRule ARGS_POST:query "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith joblogs.php" \
"id:242220,chain,msg:'COMODO WAF: SQL injection vulnerability in the Bacula-Web 5.2.10 (CVE-2014-8295)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:jobid "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endswith view_all_set.php" \
"id:242250,chain,msg:'COMODO WAF: XSS vulnerability in the MantisBT 1.2.12 (CVE-2013-5916)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:view_type "@streq advanced" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:match_type "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains /gpEasy" \
"id:242260,chain,msg:'COMODO WAF: XSS vulnerability in gpEasy-CMS 3.0.1 (CVE-2013-0807)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@gt 0" \
"chain,t:none"
SecRule ARGS_POST:cmd "@streq new_section" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:section "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith admin/changedata.php" \
"id:242270,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in GetSimple CMS 3.1.2 and 3.2.3 (CVE-2013-7243)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:nonce "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:post-menu "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith admin/settings.php" \
"id:242271,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in GetSimple CMS 3.1.2 and 3.2.3 (CVE-2013-7243)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:nonce "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:name "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith mod/data/field.php" \
"id:242310,chain,msg:'COMODO WAF: XSS injection vulnerability in the Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 (CVE-2016-2153)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:type "@ge 1" \
"chain,t:none"
SecRule &REQUEST_COOKIES:MoodleSession "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:name|ARGS_POST:description "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:ctg "@streq personal" \
"id:242320,chain,msg:'COMODO WAF: XSS vulnerability in the Epignosis eFront 3.6.14.4 (CVE-2014-4033)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:op "@streq profile" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@pm administrator.php student.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:name|ARGS_POST:surname "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith management/prioritize_planning.php" \
"id:242330,chain,msg:'COMODO WAF: XSS vulnerability in SimpleRisk before 20130916-001 (CVE-2013-5749)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:new_project "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:mod "@streq users" \
"id:242340,chain,msg:'COMODO WAF: XSS vulnerability in ClanSphere 2011.4 (CVE-2014-100010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq list" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:where "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains info.php" \
"id:242370,chain,msg:'COMODO WAF: XSS vulnerability in TomatoCart 1.1.8.6.1 (CVE-2014-3830)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:faqs_id "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /admin/managerrelated.php" \
"id:242390,chain,msg:'COMODO WAF: XSS vulnerability in Absolut Engine 1.73 (CVE-2014-9434)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:session "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:title "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith mod/feedback/mapcourse.php" \
"id:242410,chain,msg:'COMODO WAF: XSS injection vulnerability in the Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 (CVE-2014-7830)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MoodleSession "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:searchcourse "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith member.php" \
"id:242430,chain,msg:'COMODO WAF: SQL injection vulnerability in the MyBB 1.8.1 (CVE-2014-9240)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:action "@streq do_register" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:regsubmit "@streq submitregistration!" \
"chain,t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"
SecRule ARGS_POST:question_id "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith report.php" \
"id:242440,chain,msg:'COMODO WAF: XSS vulnerability in the MyBB 1.8.1 (CVE-2014-9241)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:my_post_key "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:action "@streq do_report" \
"chain,t:none,t:lowercase"
SecRule &ARGS_POST:pid "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:type "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith usercp.php" \
"id:242441,chain,msg:'COMODO WAF: XSS vulnerability in the MyBB 1.8.1 (CVE-2014-9241)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:my_post_key "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:action "@streq do_editsig" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:signature "@rx '|\x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains /admin/index.php" \
"id:242442,chain,msg:'COMODO WAF: XSS vulnerability in the MyBB 1.8.1 (CVE-2014-9241)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:my_post_key "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:module "@streq style-templates" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:action "@streq add_set" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains /admin/index.php" \
"id:242443,chain,msg:'COMODO WAF: XSS vulnerability in the MyBB 1.8.1 (CVE-2014-9241)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:module "@streq config-languages" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:action "@streq edit" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:file "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES_NAMES:mediawiki_mw_Token "@ge 1" \
"id:242450,chain,msg:'COMODO WAF: XSS vulnerability in the SyntaxHighlight_Geshi extension and MediaWiki 1.25.1 (CVE-2015-6734)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /geshi/contrib/cssgen.php" \
"chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS_GET:step "@eq 3" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:/keywords\-[1-4]/ "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES_NAMES:mediawiki_mw_Token "@ge 1" \
"id:242480,chain,msg:'COMODO WAF: XSS vulnerability in the SemanticForms extension for MediaWiki 1.25.1 (CVE-2015-6732)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains Special:CreateForm" \
"chain,t:none,t:normalizePath"
SecRule ARGS_POST:sectionname "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES_NAMES:mediawiki_mw_Token "@ge 1" \
"id:242481,chain,msg:'COMODO WAF: XSS vulnerability in the SemanticForms extension for MediaWiki 1.25.1 (CVE-2015-6732)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains Special:CreateTemplate" \
"chain,t:none,t:normalizePath"
SecRule ARGS_POST:/name_\d+/ "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES_NAMES:mediawiki_mw_Token "@ge 1" \
"id:242482,chain,msg:'COMODO WAF: XSS vulnerability in the SemanticForms extension for MediaWiki 1.25.1 (CVE-2015-6732)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains Special:FormEdit" \
"chain,t:none,t:normalizePath"
SecRule ARGS_POST:wpSummary "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith media/unit_testing/templates/6776.php" \
"id:242500,chain,msg:'COMODO WAF: XSS vulnerability in the DataTables plugin 1.10.8 and earlier for jQuery (CVE-2015-6584)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:scripts "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES_NAMES:mediawiki_mw_Token "!@ge 1" \
"id:242510,phase:2,pass,nolog,skip:2,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains special:createform" \
"id:242511,chain,msg:'COMODO WAF: XSS vulnerability in the SemanticForms extension for MediaWiki 1.25.1 (CVE-2015-6731)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:/section\_[a-z0-9]+/|ARGS_GET:/template\_[a-z0-9]+/|ARGS_POST:/label\_[\w\d]+/|ARGS_POST:new_template "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_URI "@contains special:formedit" \
"id:242512,chain,msg:'COMODO WAF: XSS vulnerability in the SemanticForms extension for MediaWiki 1.25.1 (CVE-2015-6731)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:target|ARGS_GET:alt_form "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith admin/copy_field.php" \
"id:242540,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT before 1.2.18 (CVE-2014-9281)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:dest_id "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith related.php" \
"id:242550,chain,msg:'COMODO WAF: SQL injection vulnerability in Milw0rm Clone Script 1.0 (CVE-2015-4137)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:program "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith thumb.php" \
"id:242560,chain,msg:'COMODO WAF: XSS vulnerability in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 (CVE-2015-6730)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:f "@ge 1" \
"chain,t:none"
SecRule &ARGS_GET:width "@ge 1" \
"chain,t:none"
SecRule &ARGS_GET:rel404 "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:width|ARGS_GET:rel404 "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith adm_config_report.php" \
"id:242580,chain,msg:'COMODO WAF: SQL injection vulnerability in MantisBT before 1.2.16 (CVE-2014-2238)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:filter_config_id "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith interface/main/onotes/office_comments_full.php" \
"id:242590,chain,msg:'COMODO WAF: XSS vulnerability in OpenEMR 4.1.1 (CVE-2013-4620)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:openEMR "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:note "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith data_sources.php" \
"id:242600,chain,msg:'COMODO WAF: XSS vulnerability in Cacti 0.8.8b (CVE-2014-5025)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:name "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm tree.php cdef.php data_sources.php graphs.php data_input.php graph_templates.php host_templates.php" \
"id:242610,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Cacti 0.8.8b (CVE-2014-5026)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:name|ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS:return|ARGS:ref|REQUEST_HEADERS:Referer "@rx \x22" \
"id:242631,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in MantisBT in 1.3.x before 1.3.0-rc2 and 1.2.x before 1.2.19 (CVE-2016-5364)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@within set_project.php manage_custom_field_edit_page.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/editevent.php" \
"id:242640,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple 1.11.9 (CVE-2013-3929)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:_sx_ "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:handler "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm interface/reports/custom_report_range.php custom/chart_tracker.php" \
"id:242650,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 (CVE-2013-4619)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:start|ARGS_POST:end|ARGS_POST:form_newid "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith admin/managersection.php" \
"id:242660,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Absolut Engine 1.73 (CVE-2014-9435)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:session "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:sectionID "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith admin/edituser.php" \
"id:242661,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Absolut Engine 1.73 (CVE-2014-9435)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:session "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:userID "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith admin/admin.php" \
"id:242662,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Absolut Engine 1.73 (CVE-2014-9435)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:session "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:username "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith admin/managerrelated.php" \
"id:242663,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Absolut Engine 1.73 (CVE-2014-9435)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalisepath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:session "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:title "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith manage_proj_cat_add.php" \
"id:242670,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in MantisBT 1.2.12 (CVE-2013-1810)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:manage_proj_cat_add_token "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith web/magmi.php" \
"id:242680,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Magento Mass Importer (CVE-2015-2068)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:profile "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith web/magmi_import_run.php" \
"id:242681,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Magento Mass Importer (CVE-2015-2068)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES:ci_session "@eq 1" \
"id:242720,chain,msg:'COMODO WAF: XSS in the Open Source Point Of Sale 2.3.1 (CVE-2015-0299)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@pm opensourcepos customers items item_kits suppliers employees config" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:first_name|ARGS_POST:last_name|ARGS_POST:item_number|ARGS_POST:name|ARGS_POST:category|ARGS_POST:company_name|ARGS_POST:company "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith settings/ajax/createuser.php" \
"id:242730,chain,msg:'COMODO WAF: XSS vulnerability in ownCloud before 4.5.7 (CVE-2013-0307)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:groups[] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith modules_v3/googlemap/wt_v3_street_view.php" \
"id:242740,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in webtrees before 1.5.2 (CVE-2014-100006)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:map|ARGS_GET:streetview "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"id:242750,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT 1.0.0 through 1.2.15 (CVE-2013-4460)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx [manage_proj_create\.php|manage_proj_update\.php]" \
"chain,t:none,t:lowercase"
SecRule &ARGS:manage_proj_create_token|&ARGS:manage_proj_update_token "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@pm tbl_create.php db_create.php" \
"id:242780,chain,msg:'COMODO WAF: XSS vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 (CVE-2014-4348)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:phpMyAdmin "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:new_db|ARGS_POST:table "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
SecRule REQUEST_URI "@contains symfony/web/index.php/pim/viewEmployeeList" \
"id:242800,chain,msg:'COMODO WAF: XSS vulnerability in OrangeHRM before 3.1.2 (CVE-2014-100021)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:empsearch[employee_name][empId] "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES:uin "@ge 1" \
"id:242810,chain,msg:'COMODO WAF: XSS vulnerability in PHP Address Book 8.2.5 (CVE-2013-1749)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains addressbook/edit.php" \
"chain,t:none,t:lowercase,t:normalizePath"
SecRule ARGS_POST:address "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith mod1/index.php" \
"id:242820,chain,msg:'COMODO WAF: SQL injection vulnerability in TYPO3 6.2.25 Extension Akronymmanager (CVE-2015-2803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id "@rx \'" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:action "@ge 1" \
"id:242840,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Exponent CMS before 2.2.0 release candidate 1 (CVE-2013-3294)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:module "@contains login" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:src "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith gollem/manager.php" \
"id:242890,chain,msg:'COMODO WAF: XSS vulnerability in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 (CVE-2016-2228)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@contains horde" \
"chain,t:none,t:lowercase"
SecRule ARGS:searchfield "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains admin/developer/modules/views/add" \
"id:242900,chain,msg:'COMODO WAF: XSS vulnerability in BigTree CMS before 4.0 RC2 (CVE-2013-4880)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:module "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:getfile "@contains ajax/setsites.php" \
"id:242910,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in ownCloud before 4.5.7 (CVE-2013-0297)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:site_name[]|ARGS_POST:site_url[] "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith public_html/submit.php" \
"id:242920,chain,msg:'COMODO WAF: XSS vulnerability in Geeklog before 2.0.0rc2 (CVE-2013-1470)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:type "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:calendar_type "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith src/index.php" \
"id:242930,chain,msg:'COMODO WAF: XSS vulnerability in Zikula Application Framework before 1.3.6 (CVE-2013-6168)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:module "@contains users" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:func "@contains login" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:returnpage "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains x2engine/index.php" \
"id:242940,chain,msg:'COMODO WAF: XSS vulnerability in X2Engine X2CRM before 3.5 (CVE-2013-5693)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /admin/editor" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:model "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule TX:drupal "@eq 1" \
"id:242950,chain,msg:'COMODO WAF: XSS vulnerability in the School Administration module 7.x-1.x before 7.x-1.8 for Drupal (CVE-2014-9505)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:form_id "@streq class_node_form" \
"chain,t:none,t:lowercase"
SecRule ARGS:title "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
SecRule &REQUEST_COOKIES_NAMES:/^itop-([a-f0-9]{32})$/ "@ge 1" \
"id:242960,chain,msg:'COMODO WAF: XSS vunerability in the iTop 2.1.0-2127 (CVE-2015-6544)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /pages/ajax.render.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule ARGS_POST:dashboard_id "@streq welcomemenupage" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS:connector.sourceRepoId "@contains <" \
"id:243010,chain,msg:'COMODO WAF: XSS vulnerability in Apache Archiva 1.3.9 and earlier (CVE-2016-5005)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:rbkSignon "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@rx ^(?:add|edit)proxyconnector(?:\!|_)commit\.action$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES_NAMES:ATutorID "@ge 1" \
"id:243020,chain,msg:'COMODO WAF: XSS vulnerability in the ATutor 2.2 (CVE-2015-7711)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith popuphelp.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:h "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm pages/ui.php pages/run_query.php" \
"id:243040,chain,msg:'COMODO WAF: XSS vulnerability in IT Operations Portal (iTop) before 1.2 (CVE-2013-0805)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:/^itop-[a-z0-9]{32}$/ "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:expression "@contains </textarea" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /admin/media.php" \
"id:243050,chain,msg:'COMODO WAF: XSS vulnerability in the Dotclear v2.9.1 (CVE-2016-6523)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:dcxd "@ge 1" \
"chain,t:none"
SecRule ARGS:q "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains admin/users/api-keys" \
"id:243060,chain,msg:'COMODO WAF: XSS vulnerability in the Omeka before 2.2.1 (CVE-2014-5100)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:update_api_keys "@streq updateapikeys" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:api_key_label "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith /admin/plugin.php" \
"id:243070,chain,msg:'COMODO WAF: XSS vulnerability in the Dotclear before 2.6.4 (CVE-2014-5316)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:dcxd "@ge 1" \
"chain,t:none"
SecRule ARGS:post_title "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith admin/extensions.php" \
"id:243080,chain,msg:'COMODO WAF: XSS vulnerability in the Lunar CMS before 3.3-3 (CVE-2014-4718)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:ext "@streq contact_form" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:email|ARGS_POST:subject "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_COOKIES_NAMES "@contains phpmyadmin" \
"id:243110,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 (CVE-2016-5733)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@endsWith tbl_zoom_select.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:/^criteriaColumnTypes\[\d+\]$/ "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith blogs/admin.php" \
"id:243130,chain,msg:'COMODO WAF: SQL injection vulnerability in b2evolution before 4.1.7 (CVE-2013-2945)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalisePath,t:lowercase,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:ctrl "@contains items" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:show_statuses[] "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:x "@beginsWith entry:entry" \
"id:243150,chain,msg:'COMODO WAF: XSS vulnerability in FlatPress 1.0.2 (CVE-2014-100036)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:content "@contains </textarea" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith forum/viewthread.php" \
"id:243160,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@rx ^fusion" \
"chain,t:none"
SecRule &ARGS_GET:thread_id "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:highlight "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith files/messages.php" \
"id:243161,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@rx ^fusion" \
"chain,t:none"
SecRule &ARGS_GET:msg_send "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:user_list|ARGS_POST:user_types "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:aid "@ge 1" \
"id:243162,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith shoutbox_panel/shoutbox_admin.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^fusion" \
"chain,t:none"
SecRule ARGS_GET:page "@contains settings" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:message "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:aid "@ge 1" \
"id:243163,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith administration/news.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^fusion" \
"chain,t:none"
SecRule &ARGS_GET:error "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:message "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:aid "@ge 1" \
"id:243164,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith administration/panel_editor.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^fusion" \
"chain,t:none"
SecRule ARGS_POST:panel_list[] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:aid "@ge 1" \
"id:243165,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith administration/phpinfo.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^fusion" \
"chain,t:none"
SecRule REQUEST_HEADERS:User-Agent "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:aid "@ge 1" \
"id:243166,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith administration/bbcodes.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^fusion" \
"chain,t:none"
SecRule ARGS_GET:__BBCODE__[0][description]|ARGS_GET:__BBCODE__[0][usage] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:aid "@ge 1" \
"id:243167,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm administration/article_cats.php administration/download_cats.php administration/news_cats.php administration/weblink_cats.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^fusion" \
"chain,t:none"
SecRule &ARGS_GET:error "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:errorMessage "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:aid "@ge 1" \
"id:243168,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in PHP-Fusion before 7.02.06 (CVE-2013-1804)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith administration/articles.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule ARGS_POST:body|ARGS_POST:body2 "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:action "@contains errors" \
"id:243170,chain,msg:'COMODO WAF: XSS vulnerability in EspoCRM before 2.6.0 (CVE-2014-7987)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /install/index.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule ARGS_GET:desc "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_BASENAME "@within createsubscriber.action createdestination.action" \
"id:243180,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 (CVE-2016-0782)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_HEADERS:Authorization|&REQUEST_COOKIES:JSESSIONID "@ge 1" \
"chain,t:none"
SecRule ARGS:JMSDestination|ARGS:subscriberName "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES:gnew_template "@contains <" \
"id:243200,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Gnew 2013.1 (CVE-2013-7368)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm users/profile.php articles/index.php admin/polls" \
"t:none,t:normalizePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith posts/edit.php" \
"id:243203,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Gnew 2013.1 (CVE-2013-7368)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:post_text "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:thread_id|ARGS_POST:post_subject "@contains <" \
"t:none,t:urlDecodeuni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES_NAMES:quick_list_box|&REQUEST_COOKIES_NAMES:sess_salt "@ge 1" \
"id:243210,chain,msg:'COMODO WAF: XSS Vulnerability in the ClipBucket 8.2.1||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:collection_description|ARGS_POST:profile_desc|ARGS_POST:about_me|ARGS_POST:schools|ARGS_POST:occupation|ARGS_POST:companies|ARGS_POST:hobbies|ARGS_POST:fav_movies|ARGS_POST:fav_music|ARGS_POST:fav_books|ARGS_POST:closed_msg|ARGS_POST:description|ARGS_POST:allowed_types|ARGS_POST:note "@contains </textarea" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES:/cpg\d+x_data/ "@ge 1" \
"id:243230,chain,msg:'COMODO WAF: XSS vulnerability in the Coppermine Photo Gallery before 1.5.36 (CVE-2015-3921)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:referer "@rx \x22" \
"chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith contact.php" \
"t:none,t:lowercase"
SecRule REQUEST_URI "@contains upload_files/pk/include.php" \
"id:243240,chain,msg:'COMODO WAF: XSS vulnerability in PHPKIT 1.6.6 (CVE-2015-1052)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:path "@contains pollarchive" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:result "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith news/send.php" \
"id:243250,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Gnew 2013.1 (CVE-2013-7349)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:send "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:news_id "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith posts/edit.php" \
"id:243251,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Gnew 2013.1 (CVE-2013-7349)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:preview_edited "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:thread_id "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@pm users/password.php users/register.php" \
"id:243252,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Gnew 2013.1 (CVE-2013-7349)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:password|&ARGS_POST:register "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:user_email "@contains '" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_GET:SESID "@ge 1" \
"id:243290,chain,msg:'COMODO WAF: SQL Injection vulnerability in ReadyDesk 9.1 (CVE-2016-5048)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith chat/staff/default.aspx" \
"chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule ARGS_POST:txtName "@rx (\'|\x22)" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /lib/ajax/addcomment.php" \
"id:243310,chain,msg:'COMODO WAF: XSS vulnerability in the PHPVibe before 4.21 (CVE-2015-5399)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:object_id "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:comment "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES:oc_sessionPassphrase "@ge 1" \
"id:243330,chain,msg:'COMODO WAF: XSS vulnerability in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 (CVE-2016-7419)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq mkcol" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains <" \
"chain,t:none,t:htmlEntityDecode,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains remote.php" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^([0-9a-z]{12})$" \
"t:none"
SecRule ARGS_GET:back "@contains '" \
"id:243350,chain,msg:'COMODO WAF: XSS vulnerability in AlienVault OSSIM before 5.3 and USM before 5.3 (CVE-2016-6913)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /conf/reload.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:/^sc/ "@contains '" \
"id:243380,chain,msg:'COMODO WAF: Arbitrary Code Execution in Exponent CMS v2.3.9 (CVE-2016-7565)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule MATCHED_VAR "@contains ;" \
"chain,t:none"
SecRule REQUEST_FILENAME "@rx \/install\/(?:index\.php)?$" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &ARGS_GET:interval "@ge 1" \
"id:243430,chain,msg:'COMODO WAF: XSS vulnerability in wordpress plugin ajax-random-post v2.00 (CVE-2016-1000127)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:count "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:count|ARGS_GET:interval "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq js.php" \
"t:none,t:lowercase"
SecRule ARGS_GET:q "@contains <" \
"id:243480,chain,msg:'COMODO WAF: XSS vulnerability in Piwigo 2.8.3 (CVE-2016-9751)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:Set-Cookie "@contains pwg_id" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq qsearch.php" \
"t:none,t:lowercase"
SecRule ARGS_GET:rac "@contains '" \
"id:243500,chain,msg:'COMODO WAF: XSS vulnerability in SPIP 3.1.3(CVE-2016-9152)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:spip_admin|&REQUEST_COOKIES:spip_session "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:exec "@streq plonger" \
"t:none,t:lowercase"
SecRule ARGS_POST:controller "@streq expratingcontroller" \
"id:243530,chain,msg:'COMODO WAF: SQL injection vulnerability in the Exponent CMS v2.4.0 or older (CVE-2016-9242)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:content_type|ARGS_POST:subtype "@contains '" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:plugin "@contains <" \
"id:243540,chain,msg:'COMODO WAF: XSS vulnerability in SPIP 3.1.x (CVE-2016-9998)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:spip_lang|&REQUEST_COOKIES:spip_session "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:exec "@streq info_plugin" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" \
"id:243570,chain,msg:'COMODO WAF: XSS Vulnerability in Serendipity 2.4.0 (CVE-2016-9272)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:serendipity[adminModule]|ARGS_GET:serendipity[step] "@pm category directorydocreate" \
"chain,t:none,t:lowercase"
SecRule ARGS:serendipity[cat][name]|ARGS:serendipity[name] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS_POST:mapsset "@ge 1" \
"id:243580,chain,msg:'COMODO WAF: XSS vulnerability in the Tiki Wiki CMS 12.x before 12.10 LTS, 15.x before 15.3 LTS, and 16.x before 16.1 (CVE-2016-9889)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith tiki-admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:page "@streq maps" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:geo_zoomlevel_to_found_location "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES_NAMES:GenixCMS "@ge 1" \
"id:243610,chain,msg:'COMODO WAF: SQL Injection Vulnerability in GeniXCMS before 1.0.0 (CVE-2016-10096)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith register.php" \
"chain,t:none,t:lowercase"
SecRule ARGS:activation "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES_NAMES:pwg_id "@ge 1" \
"id:243620,chain,msg:'COMODO WAF: XSS Vulnerability in Piwigo through 2.8.3 (CVE-2016-10083,CVE-2017-5608)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith ws.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:method "@streq pwg.images.upload" \
"chain,t:none,t:lowercase"
SecRule FILES:file "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_POST:media_title "@contains <" \
"id:243650,chain,msg:'COMODO WAF: XSS vulnerability in Dotclear before 2.11 (CVE-2016-9891)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:dcxd "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith media_item.php" \
"t:none,t:lowercase"
SecRule &REQUEST_COOKIES_NAMES:GeniXCMS "@ge 1" \
"id:243670,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in the GeniXCMS 0.0.8 (CVE-2017-5347)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq mods" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:mod "@streq newsletter" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:recipient "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES_NAMES:GeniXCMS "@ge 1" \
"id:243680,chain,msg:'COMODO WAF: XSS and SQL injection vulnerability in the GeniXCMS 0.0.8 (CVE-2017-5346)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq posts" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:id "@rx \x22|\x27" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith view_all_bug_page.php" \
"id:243690,chain,msg:'COMODO WAF: XSS vulnerability in the MantisBT 1.2.8 (CVE-2016-6837)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule ARGS:view_type "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES_NAMES:confluence.browse.space.cookie "@ge 1" \
"id:243710,chain,msg:'COMODO WAF: XSS vulnerability in the Atlassian Confluence 5.9.12 (CVE-2016-6283)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:atl_token "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains /pages/doeditattachment.action" \
"chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalizePath,t:lowercase"
SecRule ARGS:newFileName "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES_NAMES:GeniXCMS "@ge 1" \
"id:243720,chain,msg:'COMODO WAF: XSS vulnerability in the GeniXCMS 0.0.8 (CVE-2017-5515)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@pm tags categories" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:cat "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:var_url "@rx \x22" \
"id:243730,chain,msg:'COMODO WAF: XSS vulnerability in SPIP 3.1.2 (CVE-2016-7981)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:spip_lang|&REQUEST_COOKIES:spip_session "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:exec "@streq valider_xml" \
"t:none,t:lowercase"
SecRule ARGS_GET:term "@contains '" \
"id:243740,chain,msg:'COMODO WAF: SQL injection vulnerability in GeniXCMS 0.0.8 (CVE-2017-5345)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:token "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:ajax "@streq tags" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@contains genixcms" \
"t:none,t:lowercase"
SecRule ARGS_GET:modules "@contains '" \
"id:243760,chain,msg:'COMODO WAF: SQL injection vulnerability in GeniXCMS 0.0.8 (CVE-2017-5575)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:token "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:page "@streq modules" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@contains genixcms" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith source_selector.php" \
"id:243790,chain,msg:'COMODO WAF: SQL Injection in Exponent CMS 2.4.1 (CVE-2017-5879)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:controller|ARGS_GET:action "@pm blog showall" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:src "@contains '" \
"t:none"
SecRule &REQUEST_COOKIES_NAMES:GeniXCMS "@ge 1" \
"id:243810,chain,msg:'COMODO WAF: XSS vulnerability in the GeniXCMS 0.0.8 (CVE-2017-5516)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@pm posts pages menus users" \
"chain,t:none"
SecRule ARGS_GET:token "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &REQUEST_COOKIES_NAMES:GeniXCMS "@ge 1" \
"id:243811,chain,msg:'COMODO WAF: XSS vulnerability in the GeniXCMS 0.0.8 (CVE-2017-5516)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq menus" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:id "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS:obj_ids:tokens "@rx \x22" \
"id:243820,chain,msg:'COMODO WAF: XSS vulnerability in Plone before 4.3.12 and 5.x before 5.0.7 (CVE-2016-7147)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq manage_findresult" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:form "@rx \x22" \
"id:243850,chain,msg:'COMODO WAF: XSS vulnerability in PhreeBooksERP before 2017-02-13 (CVE-2017-5990)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /label_mgr/js_include.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:token "@rx \x22|>" \
"id:243860,chain,msg:'COMODO WAF: XSS vulnerability in PayPal PHP Merchant SDK 3.9.1 (CVE-2017-6099)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq getauthdetails.html.php" \
"t:none,t:lowercase"
SecRule &ARGS_GET:token "@ge 1" \
"id:243880,chain,msg:'COMODO WAF: SQL Injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678 (CVE-2016-3694)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:orders_status|ARGS_GET:customers_status "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith api/easybill/easybillcsv.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES_NAMES:ion_selected_language "@ge 1" \
"id:243910,chain,msg:'COMODO WAF: XSS vulnerability in the Ionize through 1.0.8 (CVE-2017-5961)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /themes/admin/javascript/tinymce/jscripts/tiny_mce/plugins/codemirror/dialog.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule ARGS_GET:path "@rx \x22" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS:path "@contains <" \
"id:243940,chain,msg:'COMODO WAF: XSS vulnerability in Groovel before 3.3.7-beta (CVE-2017-6480)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith src/commons/browser.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:errorMsg "@contains <" \
"id:243960,chain,msg:'COMODO WAF: XSS vulnerability in php-calendar before 2017-03-03 (CVE-2017-6485)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:urlDecodeUni,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:/Set-Cookie/ "@contains phpsessid" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith php-calendar/error.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:243970,chain,msg:'COMODO WAF: XSS vulnerability in BigTree CMS before 4.2.15 (CVE-2016-10223)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /ajax/dashboard/integrity-check/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:id "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith modules/utils/watchdog/subscribe.php" \
"id:243980,chain,msg:'COMODO WAF: XSS vulnerability in the EPESI 1.8.1.1 (CVE-2017-6489)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:cid|ARGS_POST:state|ARGS_POST:element|ARGS_POST:id|ARGS_POST:cat "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith modules/utils/recordbrowser/favorites.php" \
"id:243990,chain,msg:'COMODO WAF: XSS vulnerability in the EPESI 1.8.1.1 (CVE-2017-6487)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:cid|ARGS_POST:state|ARGS_POST:element|ARGS_POST:id|ARGS_POST:tab "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith modules/utils/tooltip/req.php" \
"id:244000,chain,msg:'COMODO WAF: XSS vulnerability in the EPESI 1.8.1.1 (CVE-2017-6491)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:cid|ARGS_POST:tooltip_id|ARGS_POST:callback|ARGS_POST:args "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith modules/utils/recordbrowser/grid.php" \
"id:244010,chain,msg:'COMODO WAF: XSS vulnerability in the EPESI 1.8.1.1 (CVE-2017-6490)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:cid|ARGS_POST:value|ARGS_POST:element|ARGS_POST:mode|ARGS_POST:tab|ARGS_POST:form_name|ARGS_POST:id "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:lang_code "@rx \x22" \
"id:244020,chain,msg:'COMODO WAF: XSS vulnerability in the ATutor 2.2.2 (CVE-2017-6483)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:ATutorID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith language_edit.tmpl.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains inc/admin/template_files/admin" \
"id:244040,chain,msg:'COMODO WAF: XSS vulnerability in the MaNGOSWebV4 4.0.8 (CVE-2017-6808 & CVE-2017-6809 & CVE-2017-6810 & CVE-2017-6811 & CVE-2017-6812)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule MATCHED_VAR "@pm admin.faq.php admin.donate.php admin.shop.php admin.vote.php admin.fplinks.php" \
"chain,t:none"
SecRule ARGS_GET:id|ARGS_GET:linkid "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS:page "@streq source/search" \
"id:244070,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT Source Integration Plugin before 2.0.2 (CVE-2017-6958)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith plugin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS:revision "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS:config_option "@streq window_title" \
"id:244100,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT before 2.1.1 (CVE-2017-7222)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:value "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@rx adm_config_(?:report|set)\.php$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:action "@rx \x22" \
"id:244110,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT before 1.3.8, 2.1.2, and 2.2.2 (CVE-2017-6973)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq adm_config_report.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES_NAMES:atlassian.xsrf.token "@ge 1" \
"id:244140,chain,msg:'COMODO WAF: XSS vulnerability in the Atlassian JIRA before 7.2.2 (CVE-2016-6285)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /includes/decorators/global-translations.jsp" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_HEADERS:Host "@rx \x22|<" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@contains /modules/vis/visualisations/compare.php" \
"id:244150,chain,msg:'COMODO WAF: XSS vulnerability in Emoncms through 9.8.0 (CVE-2017-5964)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:feedA|ARGS_GET:feedB "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS:prefix "@contains <" \
"id:244160,chain,msg:'COMODO WAF: XSS vulnerability in Magmi 0.7.22 (CVE-2017-7391)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@endsWith ajax_gettime.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:type "@rx \x22" \
"id:244170,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT before 1.3.9, 2.1.3, and 2.2.3 (CVE-2017-7241)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /admin/move_attachments_page.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:config_option "@rx \x22" \
"id:244180,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT before 1.3.9, 2.1.3, and 2.2.3 (CVE-2017-7309)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq adm_config_report.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:change_type "@rx \x22" \
"id:244190,chain,msg:'COMODO WAF: XSS vulnerability in the MantisBT before 1.3.7 and 2.x before 2.2.1 (CVE-2017-6797)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:id "@ge 1" \
"chain,t:none"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith bug_change_status_page.php" \
"t:none,t:lowercase"
SecRule ARGS_GET:model "@contains <" \
"id:244200,chain,msg:'COMODO WAF: XSS vulnerability in citymont/symetrie v.0.9.6 (CVE-2017-7386)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /app/commands/page.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:view_type "@rx \x22" \
"id:244210,chain,msg:'COMODO WAF: XSS vulnerability in the MantisBT before 2.2.1 (CVE-2017-6799)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq view_filters_page.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith modules/utils/recordbrowser/filters/save_filters.php" \
"id:244220,chain,msg:'COMODO WAF: XSS vulnerability in the EPESI 1.8.1.1 (CVE-2017-6488)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:cid|ARGS_POST:visible|ARGS_POST:tab "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:postLoginQuery "@rx \x22|<" \
"id:244250,chain,msg:'COMODO WAF: XSS vulnerability in ZoneMinder 1.30.2 (CVE-2017-7203)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /skins/classic/views/js/postlogin.js.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:meeting_id|ARGS_GET:user "@rx \x22|<" \
"id:244260,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in openeclass Release_3.5.4 (CVE-2017-7389)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /modules/tc/webconf/webconf.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:cavv "@contains <" \
"id:244300,chain,msg:'COMODO WAF: XSS vulnerability in Heartland Payment Systems Payment Gateway PHP SDK hps/heartland-php v2.8.17 (CVE-2017-7992)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /examples/consumer-authentication/cruise.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:action "@contains <" \
"id:244310,chain,msg:'COMODO WAF: XSS vulnerability in the Agora-Project 3.2.2 (CVE-2017-6561)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:ctrl "@streq object" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:Agora_agora "@ge 1" \
"t:none"
SecRule ARGS:wpTextbox1 "@contains </style>" \
"id:244320,chain,msg:'COMODO WAF: XSS vulnerability in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 (CVE-2016-6333)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:wpEditToken "@ge 1" \
"chain,t:none"
SecRule ARGS:action "@streq submit" \
"chain,t:none,t:lowercase"
SecRule ARGS:title "@endsWith common.css" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@rx \/(?:index\.php)?$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:menuid "@contains '" \
"id:244340,chain,msg:'COMODO WAF: SQL injection vulnerability in GeniXCMS 1.0.2 (CVE-2017-8377)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq menus" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:act "@streq remove" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:/^GeniXCMS-[a-zA-Z0-9]{20}$/ "@ge 1" \
"t:none"
SecRule ARGS_GET:lang "@contains '" \
"id:244350,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM 4.0.4 (CVE-2017-7886)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /theme/eldy/style.css.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:sall "@contains <" \
"id:244360,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM 4.0.4 (CVE-2017-7887)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /societe/list.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:meta[navigation_group] "@contains <" \
"id:244370,chain,msg:'COMODO WAF: XSS vulnerability in Symphony 2.6.11 (CVE-2017-8876)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /symphony/blueprints/sections/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"t:none"
SecRule ARGS_GET:id "@contains <" \
"id:244380,chain,msg:'COMODO WAF: XSS vulnerability in Allen Disk 1.6 (CVE-2017-8832)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith downfile.php" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:/^allendisk[a-z0-9]{13}$/ "@ge 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith /www/nyromodal/demosent.php" \
"id:244400,chain,msg:'COMODO WAF:XSS vulnerability in reasoncms before 4.7.1 (CVE-2017-6486)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:nyroModalSel "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:HTTP_MODAUTH "@ge 1" \
"id:244410,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution before 2.5.7 (CVE-2017-9070)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains /connectors/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:pagetitle "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /modules/base/box/check_for_new_version.php" \
"id:244420,chain,msg:'COMODO WAF: XSS vulnerability in Telaxus/EPESI 1.8.2 and earlier (CVE-2017-8763)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:cid "@eq 0" \
"chain,t:none"
SecRule ARGS_POST|ARGS_POST_NAMES "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq process.php" \
"id:244430,chain,msg:'COMODO WAF: XSS vulnerabilities in Telaxus EPESI 1.8.2 and earlier (CVE-2017-9331, CVE-2017-9366, CVE-2017-9622, CVE-2017-9623 & CVE-2017-9624)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:url "@contains _qf__libs_qf_" \
"chain,t:none,t:urlDecodeUni"
SecRule MATCHED_VAR "@rx (?:tab_name|description|akey|value|decimal_sign)=(.+)(?:\&|$)" \
"chain,capture,t:none"
SecRule TX:1 "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /ui/editor.php" \
"id:244440,chain,msg:'COMODO WAF:XSS vulnerability in Bram Korsten Note through 1.2.0 (CVE-2017-9289)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:note_session_id "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:edit "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:tn "@streq pages" \
"id:244480,chain,msg:'COMODO WAF: XSS vulnerability in flatCore 1.4.6 (CVE-2017-9451)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /acp/acp.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule MATCHED_VAR "@contains '" \
"chain,t:none"
SecRule ARGS_GET:sub "@streq edit" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"t:none"
SecRule ARGS_POST:description "@contains <" \
"id:244510,chain,msg:'COMODO WAF: XSS vulnerability in the BigTree CMS through 4.2.18 (CVE-2017-9448 & CVE-2017-9546)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /admin/ajax/pages/save-revision/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:244520,chain,msg:'COMODO WAF: XSS Vulnerability in Piwigo through 2.9.0 (CVE-2017-9452)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq admin.php" \
"t:none,t:lowercase"
SecRule ARGS:new|ARGS:original "@contains <" \
"id:244530,chain,msg:'COMODO WAF: XSS vulnerability in Telaxus/EPESI 1.8.2 (CVE-2017-9621)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith modules/base/lang/administrator/update_translation.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:targetObjIdChild "@contains <" \
"id:244550,chain,msg:'COMODO WAF: XSS vulnerability in the Agora-Project 3.2.2 (CVE-2017-6562)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:ctrl "@streq file" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:Agora_agora "@ge 1" \
"t:none"
SecRule ARGS_GET:return_url "@contains <" \
"id:244560,chain,msg:'COMODO WAF: XSS vulnerability In SimpleCE 2.3.0 (CVE-2017-9674)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:sce_session "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains /index.php/content/text/" \
"t:none,t:normalisePath,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:database_username "@contains '" \
"id:244580,chain,msg:'COMODO WAF: XSS vulnerability in WebsiteBaker v2.10.0 (CVE-2017-9771)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:wb-installer "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains /install/save.php" \
"t:none,t:normalisePath,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:description "@rx \x22" \
"id:244590,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple 2.1.6 (CVE-2017-9668)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:_sk_ "@ge 1" \
"chain,t:none"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@rx admin\/(?:add|edit)group\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith util/php/eval-stdin.php" \
"id:244600,chain,msg:'COMODO WAF: Arbitrary PHP code execution in PHPUnit before 4.8.28 and 5.x before 5.6.3 (CVE-2017-9841)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BODY "@contains <?" \
"t:none,t:urlDecodeUni,t:removeWhitespace"
SecRule ARGS_POST:table "@contains '" \
"id:244660,chain,msg:'COMODO WAF: SQL injection vulnerability in BigTree CMS through 4.2.18 (CVE-2017-9449)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:bigtree_admin[email] "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith index.php/admin/developer/modules/views/create/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:sec|ARGS_GET:referers|ARGS_POST:name "@contains <" \
"id:244670,chain,msg:'COMODO WAF: XSS vulnerability in Webmin before 1.850 (CVE-2017-9313)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:sid "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@pm /man/view_man.cgi change_referers.cgi /acl/save_user.cgi" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:route "@streq config" \
"id:244700,chain,msg:'COMODO WAF: XSS vulnerability in FineCMS before 2017-07-06 (CVE-2017-10967)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@within add edit" \
"chain,t:none,t:lowercase"
SecRule &ARGS_POST:field_type|&ARGS_POST:save_button|&ARGS_POST:active|&REQUEST_COOKIES:PHPSESSID "!@eq 0" \
"chain,t:none"
SecRule ARGS_POST:key_name|ARGS_POST:key_value|ARGS_POST:meaning "@rx (?:\x22|<)" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq aggregate_graphs.php" \
"id:244710,chain,msg:'COMODO WAF: XSS vulnerability in Cacti 1.1.12 (CVE-2017-11163)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_HEADERS:Referer "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_GET:action "@streq edit" \
"chain,t:none,t:lowercase"
SecRule &ARGS_GET:id "@ge 1" \
"chain,t:none"
SecRule REQUEST_COOKIES_NAMES "@contains cacti" \
"t:none,t:lowercase"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:244720,chain,msg:'COMODO WAF: XSS vulnerability in the Piwigo through 2.9.1 (CVE-2017-9836)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:virtual_name|ARGS_POST:name "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:page "@rx ^(?:cat_list|album\-\d+?\-properties)$" \
"t:none,t:lowercase"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:244721,chain,msg:'COMODO WAF: XSS vulnerability in the Piwigo through 2.9.1 (CVE-2017-9836)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:format "@streq json" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq ws.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:map_language "@contains <" \
"id:244730,chain,msg:'COMODO WAF: XSS vulnerability in Blackcat CMS 1.2 (CVE-2017-9609)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith backend/pages/lang_settings_save.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^cat\d+?sessionid$" \
"t:none,t:lowercase"
SecRule ARGS_POST:id "@rx \x22" \
"id:244750,chain,msg:'COMODO WAF: XSS vulnerability in in FineCMS through 2017-07-12 (CVE-2017-11198)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /application/lib/ajax/get_image.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:filters[] "@contains '" \
"id:244760,chain,msg:'COMODO WAF: SQL injection vulnerability in Zenbership 1.0.8 (CVE-2017-9759)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:zen_admin_ses "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:l "@pm error_codes subscriptions widgets logins" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@rx \/admin\/(?:index\.php)?" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:instructions|ARGS_POST:subnetId "@contains <" \
"id:244790,chain,msg:'COMODO WAF: XSS vulnerability in phpipam 1.2 (CVE-2017-6481)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:phpipam "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@pm /app/admin/instructions/preview.php /app/admin/powerdns/refresh-ptr-records.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:editionId "@contains <" \
"id:244800,chain,msg:'COMODO WAF: XSS vulnerability in Tiki Wiki CMS Groupware 16.2 (CVE-2017-9305)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq tiki-batch_send_newsletter.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:filter "@rx \x22" \
"id:244820,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT 2.x before 2.5.2 (CVE-2017-12062)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq manage_user_page.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:name "@rx \x22" \
"id:244840,chain,msg:'COMODO WAF: SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11416)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /apps/app_comment/controller/insert.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:at "@contains <" \
"id:244900,chain,msg:'COMODO WAF: XSS vulnerability in DokuWiki through 2017-02-19b (CVE-2017-12583)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:DokuWiki "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq doku.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"id:244910,chain,msg:'COMODO WAF: XSS vulnerability in Cacti 1.1.13 (CVE-2017-11691)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq auth_profile.php" \
"chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:Referer "@contains '" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:image_mimetype "@contains <" \
"id:244980,chain,msg:'COMODO WAF: XSS vulnerability in XOOPS Core 2.5.8 (CVE-2017-12139)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:XOOPS_TOKEN_REQUEST "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /modules/system/admin.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:method "@contains <" \
"id:245010,chain,msg:'COMODO WAF: XSS vulnerability in Cacti 1.1.17 (CVE-2017-12927)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq spikekill.php" \
"t:none,t:lowercase"
SecRule &REQUEST_COOKIES:ATutorID "@ge 1" \
"id:245070,chain,msg:'COMODO WAF: XSS vulnerability in the ATutor before 2.2.3 (CVE-2017-14981)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:url "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /mods/_standard/rss_feeds/edit_feed.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:categoryId "@contains <" \
"id:245080,chain,msg:'COMODO WAF: XSS vulnerability in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (CVE-2017-14755)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith xadmin/html/xpressodoc" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:real_name|ARGS_POST:email_address "@contains <" \
"id:245090,chain,msg:'COMODO WAF: XSS vulnerability in Flyspray before 1.0-rc6 (CVE-2017-15213)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:flyspray "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:action "@within admin.newuser admin.edituser" \
"t:none,t:lowercase"
SecRule ARGS_GET:page "@streq menus" \
"id:245120,chain,msg:'COMODO WAF: XSS vulnerability in GeniXCMS 1.1.4 (CVE-2017-14761 & CVE-2017-14762 & CVE-2017-14765)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith genixcms" \
"chain,t:none,t:lowercase"
SecRule REQUEST_URI "@contains /gxadmin/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:id "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:cat_id "@ge 1" \
"id:245130,chain,msg:'COMODO WAF: SQL injection vulnerability in PHPSUGAR PHP Melody before 2.7.3 (CVE-2017-15578)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:type "@streq video" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:image "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith admin/edit_category.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:section_value|ARGS_GET:src_form "@contains <" \
"id:245160,chain,msg:'COMODO WAF: XSS vulnerability in the OpenEMR v5_0_0 (CVE-2017-6482)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES_NAMES:OpenEMR "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /gacl/admin/object_search.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:tipopessoa "@ge 1" \
"id:245170,chain,msg:'COMODO WAF: XSS vulnerability in the E-Sic 1.0 (CVE-2017-15380)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:nome "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /cadastro/index.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:website_header|ARGS_POST:website_footer "@contains <" \
"id:245190,chain,msg:'COMODO WAF: XSS vulnerability in the BlackCat CMS 1.2 (CVE-2017-14049)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES_NAMES:cat_session_id "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /upload/backend/settings/ajax_save_settings.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST_NAMES "@beginsWith pieform_" \
"id:245210,chain,msg:'COMODO WAF: XSS vulnerability in Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 (CVE-2017-15273)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:mahara "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:title "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx (?:artefact\/blog\/(?:(?:new|settings)\/|post\.php))" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:pieform_profileform "@ge 1" \
"id:245230,chain,msg:'COMODO WAF: XSS vulnerability in Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 (CVE-2017-14752)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:mahara "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:firstname|ARGS_POST:lastname|ARGS_POST:preferredname "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /artefact/internal/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:pieform_editview "@ge 1" \
"id:245240,chain,msg:'COMODO WAF: XSS vulnerability in Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 (CVE-2017-1000138)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:mahara "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:title "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith view/edit.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:m1_name "@contains <" \
"id:245250,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple 2.2.3.1 (CVE-2017-16799)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:_sk_ "@ge 1" \
"chain,t:none"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/moduleinterface.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:begriff "@contains <" \
"id:245270,chain,msg:'COMODO WAF: XSS vulnerability in WBCE v1.1.11 (CVE-2017-1000213)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:tool "@streq user_search" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/admintools/tool.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^wb\-\d+?\-sid$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &ARGS_POST:file_id "@ge 1" \
"id:245280,chain,msg:'COMODO WAF: XSS vulnerability in October CMS build 412 (CVE-2017-1000193)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:october_session "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith backend/system/settings/update/october/backend/branding" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:title|ARGS_POST:description "@rx (?:\x22|<)" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:URLSegment "@ge 1" \
"id:245300,chain,msg:'COMODO WAF: XSS vulnerability in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2 (CVE-2017-5197)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:SecurityID "@ge 1" \
"chain,t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:Title "@rx (?:\x22|>)" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx (?:admin\/pages\/edit\/editform\/\d+?\/$)" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:submitok "@streq true" \
"id:245330,chain,msg:'COMODO WAF: XSS vulnerability in the Revive Adserver before 4.0.1 (CVE-2017-5832)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:sessionID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:email_address "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:submitsettings "@streq savechanges" \
"chain,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith www/admin/account-user-email.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:_bigtree_preview "@ge 1" \
"id:245340,chain,msg:'COMODO WAF: SQL injection vulnerability in the BigTree CMS through 4.2.19 (CVE-2017-16961)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:_tags[] "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx \/admin\/trees\/(?:add|edit)\/process\/$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:site_name "@contains <" \
"id:245350,chain,msg:'COMODO WAF: XSS vulnerability in Fiyo CMS 2.0.7 (CVE-2017-13778)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /dapur/apps/app_config/sys_config.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:titre "@contains <" \
"id:245420,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM 6.0.0 (CVE-2017-14241)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:/DOLSESSID_([0-9a-fA-f]{32})/ "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /admin/menus/edit.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_URI "@contains /qstorapi" \
"id:245430,chain,msg:'COMODO WAF: XSS vulnerability in the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1 (CVE-2017-9979)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:qsCall "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:CONCRETE5 "@ge 1" \
"id:245440,chain,msg:'COMODO WAF: XSS vulnerability in concrete5 <= 5.6.3.4 (CVE-2017-6905)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith index.php/tools/required/files/search_dialog" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:disable_choose "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:HTTP_MODAUTH "@ge 1" \
"id:245470,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution 2.5.7 and earlier (CVE-2017-1000223 & CVE-2017-11744)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:name|ARGS_POST:description|ARGS_POST:data|ARGS_POST:key|ARGS_POST:value "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /connectors/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:met_auth "@ge 1" \
"id:245510,chain,msg:'COMODO WAF: XSS vulnerability in MetInfo 5.3.15 (CVE-2017-6878)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:/^name\_\d+$/ "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /admin/column/delete.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:section "@streq main" \
"id:245580,chain,msg:'COMODO WAF: XSS vulnerability in Piwigo 2.9.2 (CVE-2017-17826)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:page "@streq configuration" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:gallery_title "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:element_ids "@ge 1" \
"id:245630,chain,msg:'COMODO WAF: XSS vulnerability in Piwigo 2.9.2 (CVE-2017-17825)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:page "@streq batch_manager" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:/^tags-/ "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /cgi/surgeftpmgr.cgi" \
"id:245640,chain,msg:'COMODO WAF: XSS vulnerability in NetWin SurgeFTP version 23f2 (CVE-2017-17933)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:username "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:installstatus|ARGS_GET:display|ARGS_GET:tab|ARGS_GET:mode|ARGS_GET:section|ARGS_GET:to "@contains <" \
"id:245660,chain,msg:'COMODO WAF: XSS vulnerability in Piwigo 2.8.2 (CVE-2018-5692)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:page "@within plugins batch_manager languages notification_by_mail configuration updates" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"t:none,t:lowercase"
SecRule &ARGS_POST:url "@ge 1" \
"id:245670,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple 2.2.5 (CVE-2018-5963)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:_sk_ "@ge 1" \
"chain,t:none"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx admin\/(?:add|edit)bookmark\.php$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &ARGS_GET:mact "@ge 1" \
"id:245671,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple 2.2.5 (CVE-2018-5964 & CVE-2018-5965)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:m1___messages|ARGS_GET:m1___errors "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@rx admin/moduleinterface.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:directory "@contains <" \
"id:245680,chain,msg:'COMODO WAF: XSS vulnerability in BigTree 4.2.19 (CVE-2018-6013)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:bigtree_admin[email] "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /core/admin/ajax/developer/extensions/file-browser.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"id:245690,chain,msg:'COMODO WAF: OS Command Injection vulnerability in OpenEMR version 5.0.0 (CVE-2018-1000019)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith interface/fax/fax_dispatch.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:form_filename "@contains '" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:label "@contains <" \
"id:245700,chain,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /product/card.php" \
"chain,t:none,t:normalisePath,t:lowercase,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:/DOLSESSID_([0-9a-fA-f]{32})/ "@ge 1" \
"t:none"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:245750,chain,msg:'COMODO WAF: Stored XSS vulnerability in Piwigo 2.9.3 (CVE-2018-7723)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq cat_list" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:virtual_name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:245760,chain,msg:'COMODO WAF: XSS vulnerability in Piwigo Facetag plugin 0.0.3 (CVE-2017-9425)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:method "@streq facetag.changetag" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq ws.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:245790,chain,msg:'COMODO WAF: XSS vulnerability in Piwigo 2.9.3 (CVE-2018-7722)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:method "@streq pwg.categories.add" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq ws.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:name "@rx <|\x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:245800,chain,msg:'COMODO WAF: XSS vulnerability in Piwigo 2.9.3 (CVE-2018-7724)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@beginsWith photo" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:ci_session2 "@ge 1" \
"id:245810,chain,msg:'COMODO WAF: SQLi vulnerability in Western Bridge Cobub Razor 0.8.0 (CVE-2018-8057)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /manage/channel/addchannel" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:channel_name|ARGS_POST:platform "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:bbs_admin_token "@ge 1" \
"id:245820,chain,msg:'COMODO WAF: XSS vulnerability in Xiuno BBS 4.0.0 (CVE-2018-8942)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains setting-base.htm" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:sitename "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:bpxd "@ge 1" \
"id:245830,chain,msg:'COMODO WAF: XSS vulnerability in bilboplanet 2.0 (CVE-2014-9916)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:action "@within add add_tags" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "@contains /admin/api/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:tribe_name|ARGS_POST:tags "@rx <|\x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:OSTSESSID "@ge 1" \
"id:245840,chain,msg:'COMODO WAF: XSS vulnerability in Enhancesoft osTicket before 1.10.2 (CVE-2018-7193)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq directory.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:order "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:OSTSESSID "@ge 1" \
"id:245850,chain,msg:'COMODO WAF: XSS vulnerability in Enhancesoft osTicket before 1.10.2 (CVE-2018-7196)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /scp/" \
"chain,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:sort "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith admin/template/js/uploadify/uploadify.swf" \
"id:245860,chain,msg:'COMODO WAF: XSS vulnerability in GetSimple CMS 3.3.13 (CVE-2018-9173)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:movieName "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:page "@streq changeword" \
"id:245870,chain,msg:'COMODO WAF: XSS vulnerability in Coppermine Photo Gallery before 1.5.27 and 1.6.x before 1.6.01 (CVE-2014-4612)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq keywordmgr.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:newword "@rx <|\x22" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:/cpg\d+x_data/ "@ge 1" \
"t:none"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"id:245880,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple 2.2.7 (CVE-2018-10029 & CVE-2018-10032)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains admin/moduleinterface.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:m1_name|ARGS_GET:m1_version "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:245900,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM 7.0.0 (CVE-2017-18259)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq card.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:societe|ARGS_GET:lastname|ARGS_GET:firstname|ARGS_GET:address|ARGS_GET:zipcode|ARGS_GET:town|ARGS_GET:email "@rx <|\x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:245910,chain,msg:'COMODO WAF: XSS vulnerability in frog cms 0.9.5 (CVE-2018-9992)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:file[name]|ARGS_POST:directory[name] "@rx <|\x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@rx \/plugin\/file_manager\/create_(?:file|directory)" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &REQUEST_COOKIES:phpipam "@ge 1" \
"id:245920,chain,msg:'COMODO WAF: XSS vulnerability in phpIPAM before 1.3.1 (CVE-2018-10329)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /tools/mac-lookup/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:mac "@rx <|\'" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:iCMS_iCMS_AUTH "@ge 1" \
"id:245930,chain,msg:'COMODO WAF: XSS vulnerability in iCMS V7.0.8 (CVE-2018-10250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq admincp.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:keywords "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:page "@streq menus" \
"id:245940,chain,msg:'COMODO WAF: XSS vulnerability in GeniXCMS 1.1.0 (CVE-2017-14740)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith genixcms" \
"chain,t:none,t:lowercase"
SecRule REQUEST_URI "@contains /gxadmin/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:id "@rx <|\x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:mybbuser "@ge 1" \
"id:245950,chain,msg:'COMODO WAF: XSS vulnerability in the Threads to Link plugin 1.3 for MyBB (CVE-2018-10365)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq editpost.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:tlink "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:password "@ge 1" \
"id:245970,chain,msg:'COMODO WAF: XSS vulnerability in Z-BlogPHP 1.5.2 (CVE-2018-10680, CVE-2018-7736)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /zb_system/cmd.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:ZC_BLOG_NAME|ARGS_POST:ZC_BLOG_SUBNAME|ARGS_POST:ZC_UPLOAD_FILETYPE "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:iCMS_iCMS_AUTH "@ge 1" \
"id:245980,chain,msg:'COMODO WAF: XSS vulnerability in iCMS V7.0.7 (CVE-2018-9925)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq admincp.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:user[nickname] "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:ci_session "@ge 1" \
"id:245990,chain,msg:'COMODO WAF: XSS vulnerability in HRSALE The Ultimate HRM v1.0.2 (CVE-2018-10259)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /admin/profile/user_basic_info" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:first_name "@rx <|\x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:phpipam "@ge 1" \
"id:246010,chain,msg:'COMODO WAF: XSS vulnerability in phpIPAM before 1.3.1 (CVE-2017-15640)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:ip "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:246030,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM before 5.0.4 (CVE-2017-9838)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /core/ajax/box.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_URI "@contains >" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:246031,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM before 5.0.4 (CVE-2017-9838)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /holiday/list.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:month_create|ARGS_GET:month_start|ARGS_GET:month_end "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:246032,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM before 5.0.4 (CVE-2017-9838)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:leftmenu "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:commit "@ge 1" \
"id:246040,chain,msg:'COMODO WAF: XSS vulnerability in frog cms 0.9.5 (CVE-2018-10806)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_URI "@contains /plugin/file_manager/rename" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:file[current_name]|ARGS_POST:file[new_name] "@rx <|\x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:password "@ge 1" \
"id:246060,chain,msg:'COMODO WAF: XSS vulnerability in Z-BlogPHP 2.0.0 (CVE-2018-11208)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /zb_system/cmd.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:ZC_BLOG_COPYRIGHT "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"id:246070,chain,msg:'COMODO WAF: SQLi vulnerability in OpenEMR before v5_0_1_1 (CVE-2018-9250)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains interface/super/edit_list.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:newlistname "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:domainmod_gc_ays "@ge 1" \
"id:246090,chain,msg:'COMODO WAF: XSS vulnerability in DomainMod v4.09.03 (CVE-2018-11403 and CVE-2018-11404)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@within account-owner.php ssl-provider-account.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:oid|ARGS_GET:sslpaid "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:246100,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM before 7.0.1 (CVE-2018-10095)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains adherents/cartes/carte.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:foruserlogin "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:app_id "@contains <" \
"id:246110,chain,msg:'COMODO WAF: XSS vulnerability in Z-BlogPHP 1.5.1 (CVE-2018-9169)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:password "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains /zb_users/plugin/AppCentre/plugin_edit.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_BASENAME "@streq jobcard-ongoing.php" \
"id:246140,chain,msg:'COMODO WAF: XSS And SQLi vulnerability in EasyService Billing 1.0. (CVE-2018-11443 and CVE-2018-11444)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:q "@rx \x22|\'" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:mybbuser "@ge 1" \
"id:246150,chain,msg:'COMODO WAF: XSS vulnerability in the Moderator Log Notes plugin 1.1 for MyBB (CVE-2018-11430)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq modcp.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:modnotes "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:as_sid "@ge 1" \
"id:246160,chain,msg:'COMODO WAF: XSS vulnerability in ASUSTOR soundsgood (CVE-2018-11343)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith soundsgood/playlistmanager.cgi" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:playlist "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:domainmod_gc_ays "@ge 1" \
"id:246170,chain,msg:'COMODO WAF: XSS vulnerability in DomainMod v4.10.0 (CVE-2018-11558 and CVE-2018-11559)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /settings/profile" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:new_first_name|ARGS_POST:new_last_name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:HTTP_MODAUTH "@ge 1" \
"id:246190,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution 2.6.3 (CVE-2018-10382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:pagetitle|ARGS_POST:text|ARGS_POST:key "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /connectors/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_FILENAME "@contains /manager/" \
"id:246200,chain,msg:'COMODO WAF: XSS Vulnerability in ClipperCMS 1.3.3 (CVE-2018-11572)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:name "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:/^SN5[a-z0-9]{12}$/ "@ge 1" \
"t:none"
SecRule REQUEST_URI "@contains /settings/profile" \
"id:246210,chain,msg:'COMODO WAF: XSS vulnerability in Chevereto Free before 1.0.13 (CVE-2018-12030)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisepath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule &ARGS_POST:auth_token "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:name|ARGS_POST:bio "@rx \x22|<" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith senayan" \
"id:246220,chain,msg:'COMODO WAF: XSS vulnerability in SLiMS 8 Akasia through 8.3.1 (CVE-2018-12654, CVE-2018-12655, CVE-2018-12656, CVE-2018-12657, CVE-2018-12658)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@rx admin\/modules\/(?:circulation|master_file|bibliography|membership|stock_take)\/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:keywords "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:site_id "@ge 1" \
"id:246260,chain,msg:'COMODO WAF: XSS Vulnerability in ClipperCMS 1.3.3 (CVE-2018-11332, CVE-2018-13106)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /manager/" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^SN5[a-z0-9]{12}$" \
"chain,t:none"
SecRule ARGS_POST "@rx <|\x22" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:daily_digest "@ge 1" \
"id:246270,chain,msg:'COMODO WAF: XSS vulnerability in BigTree-CMS (CVE-2018-1000521)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:email "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_URI "@contains admin/users/create" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"id:246280,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple in 2.2.6 (CVE-2018-7893, CVE-2018-8058)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:_sk_ "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq moduleinterface.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:metadata|ARGS_POST:pagedata "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /manager/" \
"id:246300,chain,msg:'COMODO WAF: XSS Vulnerability in ClipperCMS 1.3.3 (CVE-2018-13998)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:/^SN5[a-z0-9]{12}$/ "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:fullname|ARGS_POST:newusername "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq add_do.php" \
"id:246320,chain,msg:'COMODO WAF: XSS vulnerability in YXcms 1.7 (CVE-2018-14686)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:b_title|ARGS_POST:b_name "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:_su "@streq wuzhicms" \
"id:246330,chain,msg:'COMODO WAF: XSS and SQLi vulnerability in WUZHI CMS 4.1.0 (CVE-2018-14515, CVE-2018-14472, CVE-2018-20572)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:keywords "@contains '" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:_su "@streq wuzhicms" \
"id:246340,chain,msg:'COMODO WAF: XSS vulnerability in WUZHI CMS 4.1.0 (CVE-2018-14512)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:form[nickname] "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:m "@streq feedback" \
"id:246350,chain,msg:'COMODO WAF: XSS vulnerability in WUZHI CMS 4.1.0 (CVE-2018-14513)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule &ARGS_POST:form[linkman] "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:form[content] "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:iCMS_iCMS_AUTH "@ge 1" \
"id:246360,chain,msg:'COMODO WAF: XSS vulnerability in iCMS before 7.0.10 (CVE-2018-14415)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq admincp.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:field|ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:october_session "@ge 1" \
"id:246370,chain,msg:'COMODO WAF: XSS vulnerability in October CMS prior to build 437 (CVE-2018-1999008)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith backend/media" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith intelli_" \
"id:246380,chain,msg:'COMODO WAF: XSS vulnerability in Subrion CMS 4.2.1 (CVE-2018-14835)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:tooltip[en] "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /fields/add/edit/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith intelli_" \
"id:246381,chain,msg:'COMODO WAF: XSS vulnerability in Subrion CMS 4.2.1 (CVE-2018-14835)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:username|ARGS_POST:fullname "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /panel/members/add/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:mydms_session "@ge 1" \
"id:246390,chain,msg:'COMODO WAF: XSS vulnerability in SeedDMS before 5.1.8 (CVE-2018-12944)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq op.categories.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:mydms_session "@ge 1" \
"id:246400,chain,msg:'COMODO WAF: XSS vulnerability in SeedDMS before 5.1.8 (CVE-2018-12943)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:formtoken "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:action "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:october_session "@ge 1" \
"id:246420,chain,msg:'COMODO WAF: XSS vulnerability in Users plugin 1.4.5 for October CMS (CVE-2018-10366)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:User[name]|ARGS_POST:User[surname]|ARGS_POST:User[email] "@rx \x22|<" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@rx rainlab\/user\/users\/(?:create|update)" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:snippet[filter_id] "@ge 1" \
"id:246440,chain,msg:'COMODO WAF: XSS vulnerability in Wolf CMS 0.8.3.1 (CVE-2018-14837)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:snippet[name] "@rx \x22|<" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@rx \/admin\/snippet\/(?:add|edit)" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:page[breadcrumb] "@ge 1" \
"id:246450,chain,msg:'COMODO WAF: XSS vulnerability Wolf CMS 0.8.3.1 (CVE-2018-6890, CVE-2018-15842)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:page[slug]|ARGS_POST:page[created_on]|ARGS_POST:page[created_on_time]|ARGS_POST:page[published_on]|ARGS_POST:page[published_on_time]|ARGS_POST:page[valid_until]|ARGS_POST:page[valid_until_time] "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@rx \/admin\/page\/(?:add|edit)" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:part[index] "@ge 1" \
"id:246451,chain,msg:'COMODO WAF: XSS vulnerability Wolf CMS 0.8.3.1 (CVE-2018-6890)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_URI "@contains /admin/page/addpart" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:part[name] "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:flag "@ge 1" \
"id:246460,chain,msg:'COMODO WAF: XSS vulnerability in joyplus-cms 1.6.0 (CVE-2018-10096)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:device_name|ARGS_POST:api_url|ARGS_POST:logo_url "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith manager/admin_ajax.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith manager/collect/collect_vod_zhuiju.php" \
"id:246470,chain,msg:'COMODO WAF: XSS vulnerability in Joyplus CMS 1.6.0 (CVE-2018-14500)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:keyword "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:unox "@ge 1" \
"id:246490,chain,msg:'COMODO WAF: XSS vulnerability in CMSUno before 1.5.3 (CVE-2018-15567)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES_NAMES:PHPSESSID "@eq 1" \
"chain,t:none"
SecRule ARGS_POST:title[titre]|ARGS_POST:titre "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endswith uno/central.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith manager/admin_ajax.php" \
"id:246500,chain,msg:'COMODO WAF: XSS vulnerability in Joyplus CMS 1.6.0 (CVE-2018-8767)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:t_name|ARGS_POST:t_enname|ARGS_POST:t_sort "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:layout[content] "@ge 1" \
"id:246510,chain,msg:'COMODO WAF: XSS vulnerability in Wolf CMS 0.8.3.1 (CVE-2018-1000084)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:layout[name]|ARGS_POST:layout[content_type] "@rx \x22|<" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@rx \/admin\/layout\/(?:add|edit)" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:_su "@streq wuzhicms" \
"id:246540,chain,msg:'COMODO WAF: SQLi vulnerability in WUZHI CMS 4.1.0 (CVE-2018-15894)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:m "@streq pay" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:keyValue "@contains '" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:_su "@streq wuzhicms" \
"id:246560,chain,msg:'COMODO WAF: XSS and SQLi vulnerability in WUZHI CMS 4.1.0 (CVE-2018-15893)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:m "@streq core" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:keywords "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:mc_token "@ge 1" \
"id:246570,chain,msg:'COMODO WAF: XSS vulnerability in MiniCMS v1.10 (CVE-2018-10227)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains mc-admin/conf.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:site_link "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246580,chain,msg:'COMODO WAF: XSS vulnerability in Wolf CMS 0.8.3.1 (CVE-2018-1000087)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:file[name]|ARGS_POST:directory[name]|ARGS_POST:file[new_name] "@rx \x22|<" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_URI "\/admin\/plugin\/file_manager\/(?:create_(?:file|directory)|rename)" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:state "@ge 1" \
"id:246590,chain,msg:'COMODO WAF: XSS vulnerability in MiniCMS v1.10 (CVE-2018-10296)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:mc_token "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:title|ARGS_POST:tags "@rx \x22|<" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endswith mc-admin/post-edit.php" \
"t:none,t:normalisePath,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:BLUDIT-KEY "@ge 1" \
"id:246600,chain,msg:'COMODO WAF: XSS vulnerability in Bludit 2.3.4 (CVE-2018-16313)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:username "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains admin/edit-user" \
"t:none,t:normalisePath,t:urlDecodeUni,t:lowercase"
SecRule &ARGS_POST:options[site_seo_title] "@ge 1" \
"id:246610,chain,msg:'COMODO WAF: XSS vulnerability in ChemCMS 1.0.6 (CVE-2018-16346)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_URI "@endsWith admin/setting/sitepost.html" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:options[site_icp]|ARGS_POST:options[site_analytics] "@rx \x22|<" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:_su "@streq wuzhicms" \
"id:246630,chain,msg:'COMODO WAF: XSS vulnerability in WUZHI CMS 4.1.0 (CVE-2018-16349, CVE-2018-16350)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:m "@within core link" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:form[remark]|ARGS_POST:form[statcode] "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith admin/changedata.php" \
"id:246640,chain,msg:'COMODO WAF: XSS vulnerability in GetSimple CMS 3.4.0.9 (CVE-2018-16325)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:post-menu "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:/^[a-f0-9]{40}$/ "@ge 1" \
"t:none"
SecRule TX:Subrion_CMS "@eq 1" \
"id:246660,chain,msg:'COMODO WAF: XSS vulnerability in Subrion 4.2.1 (CVE-2018-16327)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@endsWith /configuration/system/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:v[admin_page] "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:iCMS_iCMS_AUTH "@ge 1" \
"id:246670,chain,msg:'COMODO WAF: XSS vulnerability in idreamsoft iCMS V7.0.11 (CVE-2018-9922)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq api.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:nickname "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"id:246680,chain,msg:'COMODO WAF: SQLi vulnerability in OpenEMR before 5.0.1.4 (CVE-2018-15147)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith interface/forms_admin/forms_admin.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:id "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"id:246700,chain,msg:'COMODO WAF: XSS and SQLi vulnerability in OpenEMR before 5.0.1.4 (CVE-2018-15144, CVE-2018-15151 and CVE-2018-15146)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:search_term "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx interface\/de_identification_forms\/find_(?:code|immunization|drug)_popup\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246710,chain,msg:'COMODO WAF: XSS vulnerability in YzmCMS 3.7 (CVE-2018-8078)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /advertisement/adver/edit.html" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:title "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:samp_cookieSID "@ge 1" \
"id:246730,chain,msg:'COMODO WAF: XSS vulnerabilities in e107 2.1.8 (CVE-2018-16381)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith e107_admin/users.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:user_loginname|ARGS_POST:user_realname|ARGS_POST:loginname|ARGS_POST:realname "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246750,chain,msg:'COMODO WAF: XSS vulnerability in Monstra CMS through 3.0.4 (CVE-2018-17024, CVE-2018-17025, CVE-2018-17026)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id "@streq pages" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:page_meta_title "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246760,chain,msg:'COMODO WAF: XSS vulnerability in Monstra CMS through 3.0.4 (CVE-2018-17024, CVE-2018-17025, CVE-2018-17026)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id "@streq pages" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:page_meta_title "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:246770,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM 7.0.3 (CVE-2018-17239)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:action "@within add update" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:town "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx (?:product\/stock\/card|admin\/company)\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:spos_spos_cookie "@ge 1" \
"id:246780,chain,msg:'COMODO WAF: SQLi vulnerability in Simple POS 4.0.24 (CVE-2018-17110)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains products/get_products/" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:/^columns\[\d+?]\[search]\[value]$/ "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"id:246790,chain,msg:'COMODO WAF: SQLi vulnerability in OpenEMR before 5.0.1.4 (CVE-2018-15149)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:encounter "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith interface/forms/eye_mag/php/anything_simple.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:246800,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM 8.0.2 (CVE-2018-19992, CVE-2018-19995)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:MAIN_INFO_SOCIETE_TOWN|ARGS_POST:address|ARGS_POST:town "@rx \x22|<" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx (?:(?:(?:user|adherents)(?:\/card))|admin\/company)\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith nvsid" \
"id:246810,chain,msg:'COMODO WAF: XSS vulnerability in Navigate CMS 2.8 (CVE-2018-17255)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:fid "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith navigate/navigate.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"id:246820,chain,msg:'COMODO WAF: XSS vulnerability in OpenEMR before 5.0.1.4 (CVE-2018-1000218, CVE-2018-1000219)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:file|ARGS_GET:scan "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith interface/fax/fax_view.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"id:246830,chain,msg:'COMODO WAF: SQLi vulnerability in OpenEMR before 5.0.1.4 (CVE-2018-15148)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:mode "@streq search" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:text "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith interface/patient_file/encounter/search_code.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:HTTP_MODAUTH "@ge 1" \
"id:246850,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution v2.6.5-pl (CVE-2018-17556)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:name|ARGS_POST:description|ARGS_POST:data "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:action "@rx ^source\/(?:updatefromgrid|create)$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:_su "@streq wuzhicms" \
"id:246860,chain,msg:'COMODO WAF: SQL injection vulnerability in WUZHI CMS 4.1.0 (CVE-2018-17852)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:m "@streq coupon" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:groupname "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246880,chain,msg:'COMODO WAF: XSS vulnerability in LimeSurvey 3.14.7 (CVE-2018-17003)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:surveyls_title|ARGS_POST:SurveysGroups[title] "@contains <" \
"chain,t:none,t:UrlDecodeUni"
SecRule REQUEST_URI "@rx survey(?:sgroups)?\/sa\/(?:create|insert)$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:met_auth "@ge 1" \
"id:246890,chain,msg:'COMODO WAF: XSS vulnerability in MetInfo 6.0.0 (CVE-2018-9928)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:a "@within doaddsave doeditorsave" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:weburl|ARGS_POST:webname "@rx \x22|<" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:dili_session "@ge 1" \
"id:246900,chain,msg:'COMODO WAF: XSS vulnerability in DiliCMS 2.4.0 (CVE-2018-10430)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains setting/site" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:site_name|ARGS_POST:site_domain|ARGS_POST:site_logo|ARGS_POST:site_icp|ARGS_POST:site_keyword "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith admin/settings.php" \
"id:246910,chain,msg:'COMODO WAF: XSS vulnerability in GetSimple CMS 3.3.15 (CVE-2018-17835)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:sitename "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:permalink "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:/^[a-f0-9]{40}$/ "@ge 1" \
"t:none"
SecRule REQUEST_COOKIES_NAMES "@beginsWith nvsid" \
"id:246920,chain,msg:'COMODO WAF: XSS vulnerability in Navigate CMS 2.8 (CVE-2018-17849)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:name|FILES "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@rx navigate(?:\_upload)?\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246930,chain,msg:'COMODO WAF: XSS vulnerability in waimai Super Cms 20150505 (CVE-2018-15570)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains Foodcat/editsave" \
"chain,t:none,t:UrlDecodeUni,t:normalizePath"
SecRule ARGS_POST:fcname "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246940,chain,msg:'COMODO WAF: XSS vulnerability in waimai Super Cms 20150505 (CVE-2018-18082)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:fcid "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endswith admin.php" \
"chain,t:none,t:UrlDecodeUni"
SecRule ARGS_GET:a "@within addsave editsave" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:fname "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:dili_session "@ge 1" \
"id:246950,chain,msg:'COMODO WAF: XSS vulnerability in DiliCMS 2.4.0 (CVE-2018-18209, CVE-2018-18210)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains setting/site" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:attachment_url|ARGS_POST:attachment_type "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"id:246960,chain,msg:'COMODO WAF: XSS vulnerability in CMS Made Simple 2.2.7 (CVE-2018-18270 & CVE-2018-18271)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq moduleinterface.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:m1_news_url|ARGS_POST:m1_extra "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246970,chain,msg:'COMODO WAF: XSS vulnerability in waimai Super Cms 20150505||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:fcsort "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:fcname "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:nav_item_type "@ge 1" \
"id:246980,chain,msg:'COMODO WAF: XSS vulnerability in LUYA CMS 1.0.12 (CVE-2018-18259)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/api-cms-nav/create-page" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:title "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"id:247000,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT 2.3.x before 2.3.2 (CVE-2017-7897)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm view_user_page.php my_view_page.php" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith domainmod" \
"id:247070,chain,msg:'COMODO WAF: XSS vulnerability in DomainMOD 4.11.01 (CVE-2018-19750, CVE-2018-19751, CVE-2018-19892)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:new_name|ARGS_POST:new_host|ARGS_POST:new_username|ARGS_POST:new_notes "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx admin\/(?:(?:ssl|domain)\-fields|dw)\/(?:add|edit)(?:\-server)?\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith domainmod" \
"id:247080,chain,msg:'COMODO WAF: XSS vulnerability in DomainMOD 4.11.01 (CVE-2018-19749, CVE-2018-19752, CVE-2018-19913, CVE-2018-19914, CVE-2018-19915, CVE-2018-20009, CVE-2018-20010, CVE-2018-20011)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@rx (?:(?:ssl\-provider|registrar)(?:\-account)?|host|dns|category|account\-owner)\.php$" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cat" \
"id:247090,chain,msg:'COMODO WAF: XSS vulnerability in BlackCat CMS 1.3.2 (CVE-2018-16635)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /upload/backend/pages/ajax_add_page.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:page_title "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:247100,chain,msg:'COMODO WAF: XSS vulnerability in Dolibarr ERP/CRM 8.0.3||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith exports/export.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:datatoexport "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains /reports/default/save" \
"id:247110,chain,msg:'COMODO WAF: XSS vulnerability in Zurmo 3.2.4 (CVE-2018-19506)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:RowsAndColumnsReportWizardForm[name] "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains /en/settings" \
"id:247120,chain,msg:'COMODO WAF: XSS vulnerability in ForkCMS 5.0.6||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:form "@streq settingsindex" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:facebook_admin_ids "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"id:247130,chain,msg:'COMODO WAF: XSS vulnerability in MantisBT 2.1.0 through 2.17.1 (CVE-2018-17782 and CVE-2018-17783||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:name "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq manage_proj_update.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:evogv65zs "@ge 1" \
"id:247170,chain,msg:'COMODO WAF:XSS Vulnerability in Evolution 1.4.x CMS (CVE-2018-16637)one||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:pagetitle "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /manager/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_GET:__c "@ge 1" \
"id:247180,chain,msg:'COMODO WAF: XSS vulnerabilty in CMS Made Simple 2.2.8 (CVE-2018-20464)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:email "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith admin/myaccount.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith domainmod" \
"id:247190,chain,msg:'COMODO WAF: XSS vulnerability in DomainMOD 4.11.01 (CVE-2018-1000856)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:new_name "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx segments\/(?:add|edit)\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247210,chain,msg:'COMODO WAF: XSS vulnerability in CuppaCMS through 2018-09-03 release (CVE-2018-17300)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:name_field "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith table_manager/classes/functions.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:247220,chain,msg:'COMODO WAF: SQL Injection vulnerability in Dolibarr ERP/CRM 8.0.4||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/dict.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:rowid "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith yzmphp" \
"id:247230,chain,msg:'COMODO WAF: XSS vulnerability in YzmCMS 5.1 (CVE-2018-17044)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith system_manage/user_config_add.html" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"id:247250,chain,msg:'COMODO WAF: XSS vulnerability in Cacti before 1.2.0 (CVE-2018-20723, CVE-2018-20724, CVE-2018-20725 and CVE-2018-20726)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:vertical_label|ARGS_POST:hostname|ARGS_POST:name "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@rx ^(?:(?:graph|color)_templates|host|pollers)\.php$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:wsid "@ge 1" \
"id:247280,chain,msg:'COMODO WAF: XSS vulnerability in Creatiwity wityCMS 0.6.1 (CVE-2018-11512)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:settings[site_title] "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /admin/settings/general" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"id:247290,chain,msg:'COMODO WAF: XSS vulnerability in Cacti before 1.1.18 (CVE-2017-12978)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq links.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:ATutorID "@ge 1" \
"id:247330,chain,msg:'COMODO WAF: XSS vulnerability in ATutor through v2.2.4 (CVE-2019-7172)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:real_name "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith mods/_core/users/admins/my_edit.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:ZMSESSID "@ge 1" \
"id:247340,chain,msg:'COMODO WAF: XSS vulnerability in ZoneMinder through 1.32.3 (CVE-2019-6990, CVE-2019-6992, CVE-2019-7326, CVE-2019-7338, CVE-2019-7339, CVE-2019-7340, CVE-2019-7341, CVE-2019-7342, CVE-2019-7343, CVE-2019-7345, CVE-2019-7348, CVE-2019-7349 and CVE-2019-7352)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:view "@within console monitor user options filter events group controlcaps zones" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:newState|ARGS_POST:newMonitor[V4LMultiBuffer]|ARGS_POST:newUser[Username]|ARGS_POST:newConfig[ZM_WEB_TITLE]|ARGS_POST:newConfig[ZM_HOME_URL]|ARGS_POST:newMonitor[Method]|ARGS_POST:filter[AutoExecuteCmd]|ARGS_POST:newMonitor[LinkedMonitors]|ARGS_POST:/filter\[Query]\[terms]\[\d+]\[val]/|ARGS_POST:level|ARGS_POST:name|ARGS_POST:hostname|ARGS_POST:protocol "@rx \x22|<" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:ci_session "@ge 1" \
"id:247360,chain,msg:'COMODO WAF: XSS vulnerability in FUEL CMS 1.4.3 (CVE-2018-20137)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:vars--page_title|ARGS_POST:vars--meta_keywords "@rx \x22|<" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx \/fuel\/pages\/(?:create|edit)\/" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &REQUEST_COOKIES:ZMSESSID "@ge 1" \
"id:247370,chain,msg:'COMODO WAF: XSS vulnerability in ZoneMinder through 1.32.3 (CVE-2019-7327, CVE-2019-7328, CVE-2019-7330, CVE-2019-7332, CVE-2019-7336, CVE-2019-7337 and CVE-2019-7344)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:view "@within filter events cycle download frame" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:filter[Name]|ARGS_GET:limit|ARGS_GET:MonitorName|ARGS_GET:Source|ARGS_GET:eid|ARGS_GET:show|ARGS_GET:scale "@rx \x22|<" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:KB_SID "@ge 1" \
"id:247390,chain,msg:'COMODO WAF: XSS vulnerability in Kanboard before 1.2.8 (CVE-2019-7324)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:controller "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:order "@contains '" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:met_auth "@ge 1" \
"id:247410,chain,msg:'COMODO WAF: XSS vulnerability in Metinfo 6.1.3 (CVE-2018-19835)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:foldername "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:lang_columnerr4 "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith admin/column/move.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:met_auth "@ge 1" \
"id:247420,chain,msg:'COMODO WAF: Arbitrary code execution vulnerability in Metinfo 6.x. (CVE-2019-7718)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:a "@streq dogetsql" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:tables "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:a "@streq dogetpassword" \
"id:247430,chain,msg:'COMODO WAF: XSS vulnerability in Metinfo 6.1.3 (CVE-2018-19050)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:langset "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /admin/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:a "@streq dogetpassword" \
"id:247440,chain,msg:'COMODO WAF: XSS vulnerability in Metinfo 6.1.3 (CVE-2018-19051)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:abt_type "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains /admin/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:m "@streq content" \
"id:247480,chain,msg:'COMODO WAF: XSS vulnerability in WUZHI CMS 4.1.0 (CVE-2019-9110)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:set_iframe "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq managetask.php" \
"id:247500,chain,msg:'COMODO WAF: XSS vulnerability in Collabtive 1.3||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:title "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:m "@within attachment message" \
"id:247510,chain,msg:'COMODO WAF: XSS vulnerability in WUZHI CMS 4.1.0 (CVE-2019-9107, CVE-2019-9109)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:imgurl|ARGS_GET:username "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:TRHl_adminauth "@ge 1" \
"id:247580,chain,msg:'COMODO WAF: XSS vulnerability in MOPCMS (CVE-2019-9016)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:formsubmit "@eq 1" \
"chain,t:none"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:fm[instop][note] "@contains '" \
"id:247610,chain,msg:'COMODO WAF: XSS vulnerability exists in imcat v4.5 (CVE-2019-8436)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:/^\d{3}_sessid/ "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /root/run/adm.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:HTTP_MODAUTH "@ge 1" \
"id:247620,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution through v2.7.0-pl (CVE-2018-20755)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:photo "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:action "@rx ^security\/user\/(?:create|update)$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith yzmphp" \
"id:247630,chain,msg:'COMODO WAF: XSS vulnerability in YzmCMS 5.2 (CVE-2019-9660, CVE-2019-9661)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:catname|ARGS_POST:value "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx (?:category|system_manage)\/(?:user\_config\_)?(?:add|edit)\.html$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &ARGS_POST:HTTP_MODAUTH "@ge 1" \
"id:247650,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution through v2.7.0-pl (CVE-2018-20756,CVE-2018-20757)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:extended|ARGS_POST:pagetitle "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:action "@rx ^(security\/user|resource)\/(?:create|update)$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith yzmphp" \
"id:247660,chain,msg:'COMODO WAF: XSS vulnerability in YzmCMS 5.2 (CVE-2019-9570)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:site_code "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith system_manage/save.html" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_BASENAME "@streq view.php" \
"id:247690,chain,msg:'COMODO WAF: SQL injection vulnerability in Machform 2 (CVE-2013-4948)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:/^element_\d+?$/ "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith dapur/apps/app_user/controller/check_user.php" \
"id:247710,chain,msg:'COMODO WAF: SQL injection vulnerability in the Fiyo CMS 2.0.1.8 (CVE-2014-9145)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:username|ARGS_POST:email "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith dapur/apps/app_article/controller/article_list.php" \
"id:247711,chain,msg:'COMODO WAF: SQL injection vulnerability in the Fiyo CMS 2.0.1.8 (CVE-2014-9145)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:cat|ARGS_GET:level|ARGS_GET:user "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith sources/main.queries.php" \
"id:247720,chain,msg:'COMODO WAF: SQL injection vulnerabilities in the TeamPass before 2.1.20 (CVE-2014-3773)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:type "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:login "@contains '" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@pm super/edit_layout.php reports/prescriptions_report.php billing/edit_payment.php billing/sl_eob_search.php orders/procedure_stats.php orders/pending_followup.php orders/pending_orders.php encounter/coding_popup.php encounter/search_code.php reports/appointments_report.php summary/demographics_save.php fax/fax_dispatch_newpid.php patient_file/deleter.php forms_admin/forms_admin.php practice/ins_search.php" \
"id:247760,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (CVE-2014-5462)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:layout_id|ARGS_POST:form_patient|ARGS_POST:form_drug_name|ARGS_POST:form_lot_number|ARGS_POST:payment_id|ARGS_POST:form_encounter|ARGS_POST:form_pid|ARGS_POST:search_term|ARGS_POST:text|ARGS_POST:form_facility|ARGS_POST:form_patient_id|ARGS_POST:form_apptstatus|ARGS_POST:form_provider|ARGS_POST:db_id|ARGS_POST:form_addr1|ARGS_POST:form_addr2|ARGS_POST:form_attn|ARGS_POST:form_country|ARGS_POST:form_freeb_type|ARGS_POST:form_partner|ARGS_POST:form_name|ARGS_POST:form_zip|ARGS_POST:form_state|ARGS_POST:form_city|ARGS_POST:form_cms_id|ARGS_GET:p|ARGS_GET:encounterid|ARGS_GET:issue|ARGS_GET:formid|ARGS_GET:id|ARGS:patient "@contains '" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:options[site_tongji] "@contains <" \
"id:247800,chain,msg:'COMODO WAF: XSS vulnerability exists in WTCMS (CVE-2019-8911)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:g "@streq admin" \
"t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq semcms_seoandtag.php" \
"id:247830,chain,msg:'COMODO WAF: XSS vulnerability in SEMCMS V3.4 (CVE-2018-18840, CVE-2018-18841)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:CF "@streq seoandtag" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:tag_indexkey|ARGS_POST:tag_prometatit "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:VDSSKEY "@ge 1" \
"id:247840,chain,msg:'COMODO WAF: XSS vulnerability exists in verydows cms (CVE-2019-7753)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:c "@streq stats" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:referrer "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith admin_" \
"id:247850,chain,msg:'COMODO WAF:XSS vulnerability exists in UCMS v1.4.7 (CVE-2018-20600)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:do "@streq sadmin_ceditpost" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:cname "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247880,chain,msg:'COMODO WAF: XSS vulnerability exists in Maccms v8.4 (CVE-2019-8410)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:ac "@streq save" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:t_key "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@endsWith admin_data.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247980,chain,msg:'COMODO WAF: Multiple vulnerabilities in X2Engine X2CRM before 5.0.9 (CVE-2015-5076)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq createwebform" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS:view "@contains <" \
"id:247990,chain,msg:'COMODO WAF: Multiple reflected XSS vulnerabilities in ZoneMinder v1.30 and v1.29 (CVE-2017-5367)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:/Set-Cookie/ "@contains zmsessid" \
"t:none,t:lowercase"
SecRule TX:Subrion_CMS "@eq 1" \
"id:248000,chain,msg:'COMODO WAF: XSS vulnerability in Subrion CMS 4.0.5 (CVE-2017-6069)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:tags "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@pm admin/blog/add admin/blog/edit" \
"t:none,t:urlDecodeUni,t:normalisePath"
SecRule TX:SLiMS_Akasia "@ge 1" \
"id:248010,chain,msg:'COMODO WAF: XSS vulnerability in SLiMS 8 Akasia through 8.3.1 (CVE-2017-12584)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/modules/system/app_user.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:realName "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:248030,chain,msg:'COMODO WAF: XSS vulnerability in the Piwigo through 2.9.2 (CVE-2017-17775)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:name "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:page "@rx ^album\-\d+?(\-properties)?$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecMarker IGNORE_SFS_XSS_SQLi_OtherApps
SecRule &TX:ARGS_Non_Digit "@eq 0" \
"id:247450,msg:'COMODO WAF: Track same forbidden symbols to Ignore signature for Other Apps||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'IGNORE_SFS_Non_Digit_OtherApps',rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:favobj "@streq toggle" \
"id:210560,chain,msg:'COMODO WAF: SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 (CVE-2016-10134)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@contains zbx_sessionid" \
"chain,t:none,t:lowercase"
SecRule ARGS:toggle_ids[] "@rx \W" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:211060,chain,msg:'COMODO WAF: SQLi vulnerability in Dolibarr ERP/CRM 7.0.0 (CVE-2017-18260)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq list.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:search_statut|ARGS_POST:propal_statut|ARGS_GET:viewstatut "!@rx ^\-?\d+?$" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:218560,chain,msg:'COMODO WAF: SQLi vulnerability in Piwigo before 2.9.3 (CVE-2018-6883)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq tags" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:edit_list|ARGS_POST:merge_list|ARGS_POST:tags[] "!@rx ^(\d+(,\d+)*)?$" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:phpMyAdmin "@ge 1" \
"id:220100,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 (CVE-2013-5003)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm pmd_pdf.php schema_export.php" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS:pdf_page_number|ARGS:scale "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith view.php" \
"id:220110,chain,msg:'COMODO WAF: SQL injection vulnerability in Machform 2 (CVE-2013-4948)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:8,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id "@rx \d+" \
"chain,t:none"
SecRule ARGS_POST:form_id "@rx \D" \
"t:none"
SecRule REQUEST_URI "@contains cacti" \
"id:220220,chain,msg:'COMODO WAF: SQL injection vulnerability in Cacti 0.8.8b and earlier (CVE-2013-5589)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx host.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:id "!@rx ^[0-9]+$"
SecRule ARGS_GET:module "@streq calendar" \
"id:220230,chain,msg:'COMODO WAF: SQLi vulnerability in vTiger CRM 5.4.0 (CVE-2013-5091)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq index" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:day|ARGS_GET:hour|ARGS_GET:month|ARGS_GET:year|ARGS_GET:onlyforuser "@rx \D" \
"t:none"
SecRule REQUEST_URI "@contains /popupnews/popupnewsitem/" \
"id:220300,chain,msg:'COMODO WAF: SQLi vulnerability in the Pop Up News module 2.0 for phpVMS (CVE-2013-3524)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:itemid "@rx \D" \
"t:none"
SecRule ARGS_POST:objectClass "@streq affectation" \
"id:220310,chain,msg:'COMODO WAF: SQLi vulnerability in the Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x (CVE-2013-6164)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /view/objectdetail.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:objectId "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith /radio/meneger.php" \
"id:220340,chain,msg:'COMODO WAF: SQLi vulnerability in RadioCMS 2.2 (CVE-2013-3531)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:playlist_id "@rx \D" \
"t:none"
SecRule ARGS_GET:test_id "!@rx ^\d+$" \
"id:220350,msg:'COMODO WAF: SQL injection vulnerability in Testa Online Test Management System (OTMS) 2.0.0.2 (CVE-2013-6873)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:cidToEdit|ARGS_GET:module_id|ARGS_GET:offset "@rx \D" \
"id:220360,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Claroline before 1.11.9 (CVE-2013-6267)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx \/admin\/(?:admin(?:registeruser|_user_course_settings)|module\/module|right\/profile_list)\.php$" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_FILENAME "/mobile/php/translation/index.php" \
"id:220400,chain,msg:'COMODO WAF: XSS vulnerability in LiveZilla before 5.1.1.0 (CVE-2013-7002)||%{tx.domain}|%{tx.mode}|2',phase:1,block,deny,status:403,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:g_language "!@rx ^[a-z]{2}$"
SecRule REQUEST_BASENAME "@streq thumb.php" \
"id:220440,chain,msg:'COMODO WAF: Remote command execution vulnerability in MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11 (CVE-2014-1610)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:f "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:w "@rx \D" \
"t:none"
SecRule REQUEST_URI "@contains /dg-admin/" \
"id:220600,chain,msg:'COMODO WAF: SQLi vulnerability in doorGets CMS 5.2 and earlier (CVE-2014-1459)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:_position_down_id "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@contains /ajax_udf.php" \
"id:220700,chain,msg:'COMODO WAF: SQL injection vulnerability in OpenDocMan before 1.2.7.2 (CVE-2014-1945)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:add_value|ARGS_GET:table "!@rx ^[\w]*$"
SecRule ARGS_GET:eventid "@rx \D" \
"id:220770,chain,msg:'COMODO WAF: SQL injection vulnerability in Simple PHP Agenda before 2.2.9 (CVE-2013-3961)||%{tx.domain}|%{tx.mode}|2',deny,status:403,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "edit_event\.php"
SecRule ARGS_GET:action "@streq fileview_list" \
"id:220810,chain,msg:'COMODO WAF: SQL injection vulnerability in Collabtive 1.2 (CVE-2014-3246)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq manageajax.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:folder "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@contains ajax_udf.php" \
"id:220860,chain,msg:'COMODO WAF: SQL injection vulnerability in OpenDocMan before 1.2.7.2 (CVE-2014-2317)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:table "!@rx ^[\w]*$"
SecRule REQUEST_URI "polls/vote\.php" \
"id:220980,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Gnew 2013.1 (CVE-2013-5640)||%{tx.domain}|%{tx.mode}|2',deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:answer_id|ARGS_POST:question_id "@rx \D"
SecRule REQUEST_URI "comments/(add|edit)\.php|posts/add\.php" \
"id:220981,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Gnew 2013.1 (CVE-2013-5640)||%{tx.domain}|%{tx.mode}|2',deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:story_id|ARGS_POST:thread_id "@rx \D"
SecRule REQUEST_FILENAME "@contains symphony/system/authors" \
"id:221020,chain,msg:'COMODO WAF: SQL injection vulnerability in Symphony CMS before 2.3.2 (CVE-2013-2559)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:sort "@rx \W" \
"t:none"
SecRule ARGS_GET:graph_end|ARGS_GET:graph_height|ARGS_GET:graph_start|ARGS_GET:graph_width|ARGS_GET:local_graph_id|ARGS_GET:rra_id "[^0-9]" \
"id:221110,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Cacti 0.8.7g, 0.8.8b and earlier (CVE-2014-2708)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@streq graph_xport.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:pm_email_notify|ARGS_POST:pm_save_sent "!@rx ^(0|1)$" \
"id:221292,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains administration/settings_messages.php" \
"t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,t:lowercase"
SecRule ARGS_POST:pm_inbox|ARGS_POST:pm_savebox|ARGS_POST:pm_sentbox "[^0-9]" \
"id:221293,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains administration/settings_messages.php" \
"t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,t:lowercase"
SecRule ARGS_POST:thumb_compression "!@rx ^gd\d$" \
"id:221294,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains administration/settings_photo.php" \
"t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,t:lowercase"
SecRule ARGS_POST:/photo_watermark_text_color\d/ "!@rx ^(?:([0-9a-fA-F]){6})$" \
"id:221295,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains administration/settings_photo.php" \
"t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,t:lowercase"
SecRule ARGS_GET:enable "[^a-z!]" \
"id:221296,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains administration/bbcodes.php" \
"t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,t:lowercase"
SecRule ARGS_POST:article_id|ARGS_POST:news_id "[^0-9]" \
"id:221298,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "administration/(articles|news)\.php" \
"t:none,t:urlDecodeUni,t:removeWhitespace,t:normalizePath,t:lowercase"
SecRule ARGS_POST:article_id "[^0-9]" \
"id:221300,chain,msg:'COMODO WAF: SQL injection vulnerability in ZeroCMS 1.0 (CVE-2014-4194)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains zero_transact_article.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith views/zero_view_article.php" \
"id:221310,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in ZeroCMS 1.0 (CVE-2014-4195 / CVE-2014-4034)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:article_id "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith user/fiche.php" \
"id:221350,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3992)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,multiMatch,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:entity "@rx \D"
SecRule REQUEST_COOKIES_NAMES "@streq foecms_lang" \
"id:221550,chain,msg:'COMODO WAF: SQL injection vulnerability in FoeCMS (CVE-2014-4850)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:removeWhitespace,skip:1,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:i|REQUEST_COOKIES:foecms_lang "!@rx \d" \
"t:none,t:urlDecodeUni,t:removeWhitespace"
SecRule RESPONSE_HEADERS:Set-Cookie "@rx ^foecms_lang=(.{0,399});\ expires.{0,399}$" \
"id:221551,chain,msg:'COMODO WAF: SQL injection vulnerability in FoeCMS (CVE-2014-4850)||%{tx.domain}|%{tx.mode}|2',phase:3,capture,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule TX:1 "!@rx ^\d$"
SecRule REQUEST_FILENAME "@endsWith admin/uploads.php" \
"id:221650,chain,msg:'COMODO WAF: SQL injection vulnerability in The Digital Craft AtomCMS 2.0 (CVE-2014-4852)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id "@rx \D+" \
"t:none"
SecRule REQUEST_URI "@contains admin/admin.php" \
"id:221820,chain,msg:'COMODO WAF: RCE vulnerability in Sphider 1.3.6 (CVE-2014-5194)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:htmlEntityDecode,t:normalizePath,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:_word_upper_bound "@rx \D" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_POST:drp_action "@rx \D" \
"id:222330,chain,msg:'COMODO WAF: XSS vulnerabilities in Cacti 0.8.8b (CVE-2014-4002)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm cdef.php data_input.php data_queries.php data_sources.php data_templates.php graph_templates.php graphs.php host.php host_templates.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:graph_template_id|ARGS_POST:graph_template_input_id "@rx \D" \
"id:222331,chain,msg:'COMODO WAF: XSS vulnerabilities in Cacti 0.8.8b (CVE-2014-4002)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith graph_templates_inputs.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith endpoint_generic.php" \
"id:240130,chain,msg:'COMODO WAF: SQL injection vulnerability in Fonality trixbox (CVE-2014-5109)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:mac "!@rx ^[0-9a-f]{12}$" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains maint/modules/home/index.php" \
"id:240140,chain,msg:'COMODO WAF: Fonality trixbox allows remote attackers to execute arbitrary commands (CVE-2014-5112)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:lang "@rx [^a-zA-Z0-9_]" \
"t:none,t:urlDecodeUni,t:cmdLine"
SecRule REQUEST_COOKIES_NAMES "@contains cacti" \
"id:240280,chain,msg:'COMODO WAF: SQL injection vulnerability in Cacti before 0.8.8e (CVE-2015-4634)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith graphs.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:local_graph_id "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@contains rate.php" \
"id:240300,chain,msg:'COMODO WAF: SQL injection vulnerabilities in Free Reprintables ArticleFR 3.0.4 (CVE-2014-5097)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:act "@pm set get" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:id "@rx \D" \
"t:none"
SecRule REQUEST_COOKIES_NAMES "@contains cacti" \
"id:240350,chain,msg:'COMODO WAF: SQL injection vulnerability in Cacti before 0.8.8d (CVE-2015-4342)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /cdef.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:cdef_id|ARGS_POST:id "@rx \D" \
"t:none"
SecRule REQUEST_COOKIES_NAMES "@contains cacti" \
"id:240360,chain,msg:'COMODO WAF: SQL injection vulnerability in Cacti before 0.8.8d (CVE-2015-4454)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /graph_templates.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:graph_template_id "@rx \D" \
"t:none"
SecRule REQUEST_COOKIES_NAMES "@contains cacti" \
"id:240380,chain,msg:'COMODO WAF: XSS vulnerability in Cacti before 0.8.8d (CVE-2015-4454)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /settings.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:tab "@rx \W" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" \
"id:240500,chain,msg:'COMODO WAF: SQL injection vulnerability in the Serendipity before 2.0.2 (CVE-2015-6943)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:serendipity[id] "@rx \D" \
"t:none"
SecRule ARGS_POST:serendipity[submit] "@streq submit comment" \
"id:240520,chain,msg:'COMODO WAF: XSS vulnerability in the 2k11 theme in Serendipity before 2.0.2 (CVE-2015-6969)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:serendipity[name] "@rx \W" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith index.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" \
"id:240550,chain,msg:'COMODO WAF: XSS vulnerability in Serendipity before 2.0.1 (CVE-2015-2289)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:serendipity[cat][name] "@rx \W" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith index.php/admin/questiongroups/sa/import" \
"id:240580,chain,msg:'COMODO WAF: SQL injection vulnerability in LimeSurvey before 2.06+ Build 150618 (CVE-2015-4628)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:action "@streq importgroup" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:sid "@rx \D" \
"t:none"
SecRule ARGS_GET:rra_id "@rx \D" \
"id:240670,chain,msg:'COMODO WAF: SQL injection vulnerability in Cacti 0.8.8f and earlier (CVE-2015-8369)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq properties" \
"chain,t:none"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith graph.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endswith filebrowser.php" \
"id:240720,chain,msg:'COMODO WAF: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5356)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:func "@rx \W" \
"t:none"
SecRule &REQUEST_COOKIES:pwg_id "@gt 0" \
"id:240740,chain,msg:'COMODO WAF: SQL injection vulnerability in the Piwigo before 2.7.4 (CVE-2015-1517)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq batch_manager" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:filter_level "@rx \D" \
"t:none"
SecRule ARGS_GET:route "@streq account/address/add" \
"id:240780,chain,msg:'COMODO WAF: XSS vulnerability in OpenCart before 2.1.0.2 (CVE-2015-4671)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:zone_id "@rx \D" \
"t:none"
SecRule ARGS_POST:formType "@pm install update" \
"id:240930,chain,msg:'COMODO WAF: SQL injection vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-7382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm install.php update.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:submit "@pm install update" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:defaultCharacterSet "@rx \W" \
"t:none"
SecRule REQUEST_URI "@rx user:(.{0,99})$" \
"id:240950,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in Pragyan CMS 3.0 (CVE-2015-1471)||%{tx.domain}|%{tx.mode}|2',phase:1,capture,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule TX:1 "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith views/zero_transact_user.php" \
"id:240970,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in ZeroCMS 1.3.3, 1.3.2, and earlier (CVE-2015-1442)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:user_id "@rx \D" \
"t:none"
SecRule ARGS_POST:subcats-included "@ge 1" \
"id:241000,chain,msg:'COMODO WAF: SQL injection vulnerability in the Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 (CVE-2015-1441)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith search.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:mode|ARGS_POST:date_type|ARGS_POST:search_author|ARGS_POST:fields[] "@rx \W" \
"t:none"
SecRule ARGS_POST:subcats-included "@ge 1" \
"id:241001,chain,msg:'COMODO WAF: SQL injection vulnerability in the Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 (CVE-2015-1441)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith search.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:start_day|ARGS_POST:start_month|ARGS_POST:start_year|ARGS_POST:end_day|ARGS_POST:end_month|ARGS_POST:end_year|ARGS_POST:subcats-included "@rx \D" \
"t:none"
SecRule ARGS_GET:p "@streq logs" \
"id:241070,chain,msg:'COMODO WAF: SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1423)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:ssp "@rx \D" \
"t:none"
SecRule ARGS_GET:p "@streq logs" \
"id:241071,chain,msg:'COMODO WAF: SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1423)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:jak_delete_log[] "@rx \D" \
"t:none"
SecRule ARGS_GET:do "@pm subadminmgt editcurrency disporders" \
"id:241350,chain,msg:'COMODO WAF: SQL injection vulnerability in ZeusCart 4 (CVE-2015-2183)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id|ARGS_GET:cid "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith asys/site/system.php" \
"id:241370,chain,msg:'COMODO WAF: XSS vulnerabilities in Adminsystems CMS before 4.0.2 (CVE-2015-1603)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id "@rx \D" \
"t:none"
SecRule ARGS_GET:action "@streq item_edit" \
"id:241410,chain,msg:'COMODO WAF: SQL injection vulnerability in Cacti 0.8.8g and earlier (CVE-2016-3172)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:parent_id "@rx \D" \
"chain,t:none"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith tree.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/pages/modify.php" \
"id:241480,chain,msg:'COMODO WAF: XSS & SQL injection vulnerabilities in in WebsiteBaker 2.8.3 & 2.8.3 SP3 (CVE-2015-0553) & (CVE-2014-9242)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page_id "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith dapur/index.php" \
"id:241630,chain,msg:'COMODO WAF: SQL injection vulnerability in the Fiyo CMS 2.0.1.8 (CVE-2014-9145)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:app "@streq user" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:id "@rx \D" \
"t:none"
SecRule ARGS_GET:categ "@streq isbd" \
"id:241640,chain,msg:'COMODO WAF: SQL injection vulnerability in the PMB 4.1.3 and earlier (CVE-2014-9457)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith catalog.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:id "!@rx ^\d+#?$" \
"t:none"
SecRule ARGS_GET:r "@contains notification/list/index" \
"id:241650,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in the HumHub 0.10.0-rc.1 and earlier (CVE-2014-9528)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:from "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@contains modules/system/admin.php" \
"id:241730,chain,msg:'COMODO WAF: SQL injection vulnerability in the XOOPS before 2.5.7 (CVE-2014-8999)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:fct "@streq users" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:selgroups "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:241770,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in the Piwigo 2.6.3 before & Piwigo 2.6.x and 2.7.x before 2.7.0beta2 (CVE-2014-3900 / CVE-2014-4649)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@contains photo-" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:associate[]|ARGS_POST:represent[] "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith graphs_new.php" \
"id:241840,chain,msg:'COMODO WAF: SQL injection vulnerability in Cacti 0.8.8f and earlier (CVE-2015-8604)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:cg_g "@rx \D" \
"chain,t:none"
SecRule REQUEST_COOKIES_NAMES "@contains cacti" \
"t:none,t:lowercase"
SecRule ARGS_GET:action "@streq rate" \
"id:241900,chain,msg:'COMODO WAF: SQL injection vulnerability in the Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 (CVE-2014-9115)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@rx picture\.php\?\/\d+\/category\/\d+" \
"chain,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath"
SecRule ARGS_GET:rate "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@contains /manager/" \
"id:241980,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in the MODX Revolution before 2.2.14 (CVE-2014-2736)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:id "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith connectors/security/message.php" \
"id:241981,chain,msg:'COMODO WAF: SQL injection vulnerability in the MODX Revolution before 2.2.14 (CVE-2014-2736)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:HTTP_MODAUTH "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:user "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@pm sources/datatable/datatable.users_logged.php sources/datatable/datatable.item_edition.php sources/datatable/datatable.logs.php" \
"id:242360,chain,msg:'COMODO WAF: XSS and SQL injection vulnerabilities in the TeamPass before 2.1.20 (CVE-2014-3773)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:iDisplayStart|ARGS_GET:iDisplayLength "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith graph.php" \
"id:242760,chain,msg:'COMODO WAF: SQL injection vulnerability in the Cacti 0.8.6e (CVE-2015-0916)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:rra_id "@eq 1" \
"chain,t:none"
SecRule ARGS_GET:local_graph_id "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith ticket.php" \
"id:242770,chain,msg:'COMODO WAF: SQL injection vulnerability in the TickFa 1.x (CVE-2015-4676)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq read" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:tid "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith patient_file/problem_encounter.php" \
"id:242831,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (CVE-2014-5462)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:form_pid "@rx \D" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith reminder/patient_reminders.php" \
"id:242832,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (CVE-2014-5462)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:patient_id "@rx \D" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith mods/_standard/gradebook/edit_marks.php" \
"id:243090,chain,msg:'COMODO WAF: PHP code injection vulnerability in ATUTOR version 2.2 and prior versions (CVE-2015-7712)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:asc|ARGS_GET:desc "@rx \W" \
"t:none"
SecRule &REQUEST_COOKIES:osCAdminID "@ge 1" \
"id:243100,chain,msg:'COMODO WAF: SQL injection vulnerability in osCommerce Online Merchant before 2.3.3.4 (CVE-2014-10033)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith geo_zones.php" \
"chain,t:none,t:normalizePath,t:lowercase"
SecRule ARGS_GET:action "@contains list" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:zID "@rx \D" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith managetimetracker.php" \
"id:243120,chain,msg:'COMODO WAF: SQL injection vulnerability in Collabtive before 1.2 (CVE-2013-6872)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@contains projectpdf" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:id "@rx \D" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS:controller "@streq pixidou" \
"id:243280,chain,msg:'COMODO WAF: SQL injection vulnerability in Exponent CMS 2.3.9 (CVE-2016-7453)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:action "@streq exiteditor" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS:fid "@rx [^0-9\-]" \
"t:none"
SecRule ARGS:action "@streq manage_ranks" \
"id:243440,chain,msg:'COMODO WAF: SQL Injection in Exponent CMS 2.4.0 (CVE-2016-9272)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:controller "@streq container" \
"chain,t:none,t:lowercase"
SecRule ARGS:rerank[] "@rx \D" \
"t:none"
SecRule ARGS_GET:module "@streq navigation" \
"id:243450,chain,msg:'COMODO WAF:SQL injection vulnerability in the Exponent CMS v2.4.0 or older (CVE-2016-9288)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq dragndroprerank" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:target "@rx \D" \
"t:none"
SecRule REQUEST_BASENAME "@streq rollbackimport" \
"id:243461,chain,msg:'COMODO WAF: Multiple vulnerabilities in X2Engine X2CRM before 5.0.9 (CVE-2015-5076)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:importId "@rx \D" \
"t:none"
SecRule REQUEST_BASENAME "@streq getevents" \
"id:243462,chain,msg:'COMODO WAF: Multiple vulnerabilities in X2Engine X2CRM before 5.0.9 (CVE-2015-5076)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:lastEventId "@rx \D" \
"t:none"
SecRule ARGS_GET:controller "@streq exphtmleditorcontroller" \
"id:243560,chain,msg:'COMODO WAF: SQL injection vulnerability in the Exponent CMS v2.4.0 or older (CVE-2016-9184)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:action "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:editor "@rx \W" \
"t:none"
SecRule ARGS_POST:controller "@streq exphtmleditorcontroller" \
"id:243561,chain,msg:'COMODO WAF: SQL injection vulnerability in the Exponent CMS v2.4.0 or older (CVE-2016-9184)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:action "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:editor "@rx \W" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" \
"id:243600,chain,msg:'COMODO WAF: File Inclusion and a possible Code Execution vulnerability in the Serendipity through 2.0.5 (CVE-2016-10082)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:dbType "@rx \W" \
"t:none"
SecRule &REQUEST_COOKIES_NAMES:GeniXCMS "@ge 1" \
"id:243800,chain,msg:'COMODO WAF: SQL injection vulnerability in the GeniXCMS 0.0.8 (CVE-2017-5519)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@pm posts pages" \
"chain,t:none"
SecRule ARGS_GET:id "@rx \D" \
"t:none"
SecRule ARGS:view "@streq events" \
"id:243830,chain,msg:'COMODO WAF: Multiple reflected XSS vulnerabilities in ZoneMinder v1.30 and v1.29 (CVE-2017-5367)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:/Set-Cookie/ "@contains zmsessid" \
"chain,t:none,t:lowercase"
SecRule ARGS:limit "@rx \D" \
"t:none"
SecRule ARGS:view "@streq events" \
"id:243831,chain,msg:'COMODO WAF: Multiple reflected XSS vulnerabilities in ZoneMinder v1.30 and v1.29 (CVE-2017-5367)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:/Set-Cookie/ "@contains zmsessid" \
"chain,t:none,t:lowercase"
SecRule ARGS:/[cnj]/ "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith auth_support/passwordreset/resetpassword.php" \
"id:243950,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in INTER-Mediator 5.5 (CVE-2017-6484)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:/Set-Cookie/ "@contains phpsessid" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:c|ARGS_POST:cred "@rx [^0-9A-Fa-f]" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith adm_program/modules/dates/dates_function.php" \
"id:244030,chain,msg:'COMODO WAF: SQL injection vulnerability in the Admidio 3.2.5 (CVE-2017-6492)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:dat_cat_id "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:shm_session "@ge 1" \
"id:244090,chain,msg:'COMODO WAF: XSS vulnerability in Shimmie before 2.5.1 (CVE-2017-6909)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /ext/chatbox/history/index.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:log "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:244450,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM before 5.0.3 (CVE-2017-9435)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:search_statut|ARGS:search_supervisor "@rx [^0-9\,]" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx user\/(?:index\.php)?$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith install/make-config.php" \
"id:244540,chain,phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:dbprefix "@rx [^\w\$]" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES_NAMES:pwg_id "@ge 1" \
"id:244570,chain,msg:'COMODO WAF: SQLi vulnerability in the Piwigo version 2.9.0 and possibly prior (CVE-2017-9463)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:iDisplayStart|ARGS_POST:iDisplayLength "@rx \D" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith admin/user_list_backend.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"id:244740,chain,msg:'COMODO WAF: SQL injection & XSS vulnerabilities in Cacti 0.8.8b (CVE-2017-1000031 & CVE-2017-1000032)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@within tree.php data_sources.php graph_templates_inputs.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:graph_template_id|ARGS_POST:graph_template_input_id|ARGS_GET:parent_id|ARGS_POST:drp_action "@rx \D" \
"t:none"
SecRule ARGS_GET:id "@rx \D" \
"id:244850,chain,msg:'COMODO WAF: SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11631)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /dapur/apps/app_user/controller/status.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith glpi_" \
"id:244860,chain,msg:'COMODO WAF: SQLi vulnerability in GLPI before 9.1.5 (CVE-2017-11184)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith front/devicesoundcard.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:start "@rx \D" \
"t:none"
SecRule ARGS_GET:id "@rx \D" \
"id:244890,chain,msg:'COMODO WAF: SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11631)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /dapur/apps/app_user/controller/status.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/trees/edit/process/" \
"id:244920,chain,msg:'COMODO WAF: SQLi vulnerability in the BigTree CMS through 4.2.18 (CVE-2017-11736)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:/_tags\[\d*?\]/ "@rx \D" \
"t:none"
SecRule TX:SLiMS_Akasia "@ge 1" \
"id:244940,chain,msg:'COMODO WAF: SQLi vulnerability in SLiMS 8 Akasia through 8.3.1 (CVE-2017-12585)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@within ajax_lookup_handler.php ajax_check_id.php ajax_vocabolary_control.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:tableName|ARGS_POST:tableFields "@rx \W" \
"t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:244990,chain,msg:'COMODO WAF: SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11412)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /dapur/apps/app_comment/controller/comment_status.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:id "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:245020,chain,phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /dapur/apps/app_article/controller/article_status.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:id "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:/DOLSESSID_([0-9a-fA-f]{32})/ "@ge 1" \
"id:245030,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.0 (CVE-2017-14242)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /don/list.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:statut "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:/DOLSESSID_([0-9a-fA-f]{32})/ "@ge 1" \
"id:245040,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.0 (CVE-2017-14238)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /admin/menus/edit.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:menuId "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:JSESSIONID "@ge 1" \
"id:245050,chain,msg:'COMODO WAF: SQL injection vulnerability in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (CVE-2017-14757)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith xdashboard/html/jobhistory/downloadsupportfile.action" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:jobRunId "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:JSESSIONID "@ge 1" \
"id:245060,chain,msg:'COMODO WAF: SQL injection vulnerability in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (CVE-2017-14758)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith xadmin/html/cm_doclist_view_uc.jsp" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:documentId "@rx \D" \
"t:none"
SecRule ARGS_GET:_itemtype "@streq computer" \
"id:245140,chain,msg:'COMODO WAF: SQL injection vulnerability in GLPI before 9.1.5.1 (CVE-2017-11474)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:_glpi_tab "@contains computer_softwareversion" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith glpi_" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith ajax/common.tabs.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:criterion "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith /restrito/inc/lkpcep.php" \
"id:245180,chain,msg:'COMODO WAF: SQL injection vulnerability in the E-Sic 1.0 (CVE-2017-15373)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:q "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:245260,chain,msg:'COMODO WAF: SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11413)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /dapur/apps/app_comment/controller/comment_status.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:id "@rx \D" \
"t:none"
SecRule ARGS_GET:page "@streq tags" \
"id:245360,chain,msg:'COMODO WAF: SQL injection vulnerability in Piwigo 2.9.2 (CVE-2017-16893)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:edit_list "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" \
"id:245400,chain,msg:'COMODO WAF: SQL injection vulnerability in the Serendipity 2.0.5 (CVE-2017-5609)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES_NAMES:serendipity[author_token] "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:serendipity[cat] "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:/DOLSESSID_([0-9a-fA-f]{32})/ "@ge 1" \
"id:245540,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.4 (CVE-2017-17899)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /htdocs/adherents/subscription/info.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:rowid "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:/DOLSESSID_([0-9a-fA-f]{32})/ "@ge 1" \
"id:245550,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.4 (CVE-2017-17897)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /htdocs/comm/multiprix.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:id "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:/DOLSESSID_([0-9a-fA-f]{32})/ "@ge 1" \
"id:245560,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.4 (CVE-2017-17900)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /htdocs/fourn/index.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:socid "@rx \D" \
"t:none"
SecRule ARGS_GET:section "@streq main" \
"id:245570,chain,msg:'COMODO WAF: XSS & SQL injection vulnerability in Piwigo 2.9.2 (CVE-2017-17823)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:page "@streq configuration" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:/^order_by\[/ "@rx \W" \
"t:none,t:urlDecodeUni,t:removeWhitespace"
SecRule &ARGS_GET:mode "@ge 1" \
"id:245610,chain,msg:'COMODO WAF: SQL Injection vulnerability in Piwigo 2.9.2 (CVE-2017-17824)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:page "@streq batch_manager" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:element_ids "!@rx ^[0-9\,]+?$" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:phpMyAdmin "@ge 1" \
"id:245720,chain,msg:'COMODO WAF: XSS vulnerability in phpMyAdmin before 4.7.8 (CVE-2018-7260)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@endsWith db_central_columns.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:total_rows "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:245770,chain,msg:'COMODO WAF: SQLi vulnerability in Piwigo Facetag plugin 0.0.3 (CVE-2017-9426)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:method "@within facetag.changetag facetag.listtags" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq ws.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:imageId "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:txp_login "@ge 1" \
"id:245780,chain,msg:'COMODO WAF: SQLi vulnerability in Textpattern CMS 4.6.2 (CVE-2018-7474)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:step "@streq link_change_pageby" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:qty "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:245960,chain,msg:'COMODO WAF: SQLi and XSS vulnerability in Dolibarr ERP/CRM before 5.0.4 (CVE-2017-9839)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /product/stats/card.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:type "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:ci_session "@ge 1" \
"id:246000,chain,msg:'COMODO WAF: SQLi vulnerability in HRSALE The Ultimate HRM v1.0.2 (CVE-2018-10256)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /admin/user/read_awards" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:award_id "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:iCMS_iCMS_AUTH "@ge 1" \
"id:246020,chain,msg:'COMODO WAF: SQLi vulnerability in iCMS V7.0.7 (CVE-2018-9924)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq admincp.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:pid[] "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@within salelistdetailed.php wishlistdetailed.php" \
"id:246180,chain,msg:'COMODO WAF: SQLi vulnerability in iScripts eSwap v2.4 (CVE-2018-11372 and CVE-2018-11373)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:ToId "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:iCMS_iCMS_AUTH "@ge 1" \
"id:246230,chain,msg:'COMODO WAF: SQL Injection vulnerability in iCMS V7.0.8 (CVE-2018-12498)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq admincp.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:id[] "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_POST:flag "@ge 1" \
"id:246480,chain,msg:'COMODO WAF: SQL injection vulnerability in Joyplus CMS 1.6.0 (CVE-2018-14501)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:m_id "@rx \D" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith manager/admin_ajax.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:mydms_session "@ge 1" \
"id:246530,chain,msg:'COMODO WAF: SQL injection vulnerability in SeedDMS before 5.1.8 (CVE-2018-12942)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:userid "@rx \D" \
"chain,t:none"
SecRule REQUEST_BASENAME "@rx ^(?:op|out)\.usrmgr\.php$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:246550,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM version 7.0.3 (CVE-2018-13448, CVE-2018-13450)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:action "@within add update" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:country_id|ARGS_POST:status_batch "@rx \D" \
"chain,t:none"
SecRule REQUEST_FILENAME "@rx (?:product(?:\/stock)?|societe|adherents)\/card\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:xbtitFM "@ge 1" \
"id:246690,chain,msg:'COMODO WAF: XSS vulnerability in BTITeam XBTIT 2.5.4. (CVE-2018-16361)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq news" \
"chain,t:none"
SecRule ARGS_GET:id "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246740,chain,msg:'COMODO WAF: XSS vulnerability in frog cms 0.9.5 (CVE-2018-16374)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /admin/?/plugin/comment/save" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:rowspage "@rx \D" \
"t:none"
SecRule REQUEST_COOKIES_NAMES "@beginsWith domainmod" \
"id:246990,chain,msg:'COMODO WAF: XSS vulnerability in DomainMOD 4.11.01 (CVE-2018-19136, CVE-2018-19137)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:raid|ARGS_GET:ipid "@rx \D" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx assets\/edit\/(?:ip-address|registrar-account)\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSIDwebERPteam "@ge 1" \
"id:247030,chain,msg:'COMODO WAF: SQL injection vulnerability in webERP 4.15 (CVE-2018-19435)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:FormID "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq salesinquiry.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:SortBy "!@rx ^[\w\.\,]+$" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:247140,chain,msg:'COMODO WAF: SQLi vulnerability in Dolibarr ERP/CRM version 7.0.3 (CVE-2018-13449)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith product/card.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:statut_buy "@rx \D" \
"t:none"
SecRule ARGS_POST:filterType "@gt 0" \
"id:247150,chain,msg:'COMODO WAF: SQL injection vulnerability in FrontAccounting 2.4.5 (CVE-2018-1000890)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:length,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:/^FA[a-f0-9]{32}$/ "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:filterType "@rx \D" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@rx ^(?:attachments|(?:supplier(?:\_allocation)?|customer)\_inquiry)\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:247160,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM 8.0.2 (CVE-2018-19998)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /user/card.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:employee "@rx \D" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247200,chain,msg:'COMODO WAF: SQL injection vulnerability in CuppaCMS (CVE-2018-19559)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:reference_id "@rx \D" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith classes/ajax/functions.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247270,chain,msg:'COMODO WAF: SQLi vulnerability in Cleanto 5.0 (CVE-2019-6295 and CVE-2019-6296)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:service_id|ARGS_POST:id "@rx \D" \
"chain,t:none"
SecRule REQUEST_FILENAME "@rx \/assets\/lib\/(?:export|service_method)_ajax\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:247300,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM version 7.0.3 (CVE-2018-13447, CVE-2018-13450)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith product/card.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:statut|ARGS_POST:status_batch "@rx \D" \
"t:none"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:247310,chain,phase:2,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith product/card.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:statut|ARGS_POST:status_batch "@rx \D" \
"t:none"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:247320,chain,msg:'COMODO WAF: SQL injection vulnerability in Dolibarr ERP/CRM 8.0.2 (CVE-2018-19994)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith stock/product.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:desiredstock "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:sid "@ge 1" \
"id:247560,chain,msg:'COMODO WAF: SQL vulnerability in Rukovoditel Project Management CRM 2.4.1||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:module "@streq global_lists/choices" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:lists_id "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:user "@ge 1" \
"id:247570,chain,msg:'COMODO WAF: SQL vulnerability in ResourceSpace 8.6||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:ref "@rx \D" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /rse_search_notifications/pages/watched_searches.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247600,chain,msg:'COMODO WAF: SQL vulnerability exists in Bo-blog Wind CMS (CVE-2019-7587)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:comID "@rx \D" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /admin.php/comments/batchdel/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247680,chain,msg:'COMODO WAF: Arbitrary code Injection exists in PHPMyWind CMS v5.5 (CVE-2018-17131)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:varvalue "@rx \D" \
"chain,t:none"
SecRule ARGS_POST:vartype "@streq number" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /admin/web_config.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_BASENAME "@streq db_central_columns.php" \
"id:247750,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 (CVE-2016-2561)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@contains pmapass" \
"chain,t:none,t:lowercase"
SecRule ARGS:pos "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:247920,chain,msg:'COMODO WAF: SQL Injection vulnerability in Piwigo before 2.7.4 (CVE-2015-2035)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq history" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:user "@rx \D" \
"t:none"
SecRule &ARGS_GET:productbycat "@ge 1" \
"id:247930,chain,msg:'COMODO WAF: SQL injection vulnerability in xlinkerz ecommerceMajor (CVE-2015-1476)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq product.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:productbycat "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:TESTLINK_USER_AUTH_COOKIE "@ge 1" \
"id:247940,chain,msg:'COMODO WAF: SQL injection vulnerabilities in the TestLink 1.9.11 (CVE-2014-5308)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith lib/events/eventinfo.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:id "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith olcommerce/affiliate_show_banner.php" \
"id:247960,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 (CVE-2014-5104)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:affiliate_banner_id "@rx \D" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith news/submit.php" \
"id:247970,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Gnew 2013.1 (CVE-2013-7368)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:submit "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:category_id "@rx \D" \
"t:none"
SecRule &ARGS_POST:send|&ARGS_POST:add "@ge 1" \
"id:247971,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Gnew 2013.1 (CVE-2013-7368)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm news/send.php comments/add.php" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:news_id "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"id:248020,chain,msg:'COMODO WAF: Possible arbitrary code execution in Cacti before 1.1.16 (CVE-2017-12065)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq spikekill.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:outlier-start|ARGS:outlier-end "@rx [^\d\-\:]" \
"t:none,t:urlDecodeUni,t:removeWhitespace"
SecMarker IGNORE_SFS_Non_Digit_OtherApps
SecRule &TX:LFI "@eq 0" \
"id:247470,msg:'COMODO WAF: Track same forbidden symbols to Ignore signature from Other Apps||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'IGNORE_SFS_SIG_OtherApps_LFI',rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:courseId "@ge 1" \
"id:210850,chain,msg:'COMODO WAF: Directory Traversal exists in ATutor before 2.2.2 (CVE-2016-10400)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:icon "@contains ../" \
"chain,t:none,t:urlDecodeUni,t:normalisePath"
SecRule &REQUEST_COOKIES:ATutorID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains mods/_core" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule MATCHED_VAR "@rx (mods\/_core\/(?:courses|properties)\/(?:admin|users)\/(?:create|edit)_course\.php)$" \
"t:none"
SecRule &REQUEST_COOKIES:as_sid "@ge 1" \
"id:211130,chain,msg:'COMODO WAF: Directory Traversal vulnerability in ASUSTOR AS6202T ADM 3.1.0.RFQ3 (CVE-2018-11344)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains apis/fileexplorer/download.cgi" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:file1 "@contains .." \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:folder "@contains .." \
"id:215050,chain,msg:'COMODO WAF: Directory traversal vulnerability in Coppermine Photo Gallery 1.5.4 (CVE-2015-3923)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith minibrowser.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES_NAMES:/^cpg(\d+)x_data$/ "@ge 1" \
"t:none"
SecRule REQUEST_URI "users/login\.php" \
"id:220990,chain,msg:'COMODO WAF: Directory traversal vulnerability in Gnew 2013.1 and earlier (CVE-2013-5639)||%{tx.domain}|%{tx.mode}|2',deny,status:403,t:none,t:urlDecodeUni,t:cmdline,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:gnew_language "\.\./"
SecRule ARGS:xmlin "@contains .." \
"id:221470,chain,msg:'COMODO WAF: Directory traversal vulnerability in Reportico PHP Report Designer before 4.0 (CVE-2014-3777)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains run.php" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith browse.php" \
"id:222140,chain,msg:'COMODO WAF: Directory traversal vulnerability in Vtiger CRM before 6.0.0 Security patch 1 (CVE-2014-1222)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@contains vtiger" \
"chain,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase,multiMatch"
SecRule ARGS_GET:act "@streq download" \
"chain,t:none,t:urlDecodeUni,t:lowercase,multiMatch"
SecRule &ARGS_POST:dir "@ge 1" \
"chain,t:none,t:urlDecodeUni,t:lowercase,multiMatch"
SecRule ARGS_POST:file "@contains .." \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,multiMatch"
SecRule REQUEST_URI "@contains /admin/translationManager" \
"id:240001,chain,msg:'COMODO WAF: Directory traversal vulnerability in X2Engine X2CRM before 3.5 (CVE-2013-5692)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@rx x2engine(\/index.php)?" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:file "@contains .." \
"t:none,t:normalizePath,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@rx maint\/modules\/(home\/index|asterisk_info\/asterisk_info|repo\/repo|endpointcfg\/endpointcfg)\.php" \
"id:240120,chain,msg:'COMODO WAF: Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files (CVE-2014-5111)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:lang "@contains .." \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@contains pimcore_admin_sid" \
"id:240410,chain,msg:'COMODO WAF: Directory traversal vulnerability in pimcore before build 3473 (CVE-2015-4425)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /admin/asset/add-asset-compatibility/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &ARGS:parentId "@ge 1" \
"chain,t:none"
SecRule ARGS:dir "@contains .." \
"t:none"
SecRule ARGS_POST:_skin "@contains .." \
"id:241080,chain,msg:'COMODO WAF: Directory traversal vulnerability in Roundcube before 1.0.8 and 1.1.x before 1.1.4 (CVE-2015-8770)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:_action "@streq save-prefs" \
"chain,t:none"
SecRule &ARGS_POST:_token "@ge 1" \
"chain,t:none"
SecRule REQUEST_COOKIES_NAMES "@contains roundcube" \
"t:none,t:lowercase"
SecRule &REQUEST_COOKIES:fuelfid "@ge 1" \
"id:241680,chain,msg:'COMODO WAF: Directory traversal vulnerability in Novius OS 5.0.1 (Elche) (CVE-2015-5353)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:tab "@contains .." \
"t:none"
SecRule ARGS:layerstyle "@contains .." \
"id:241710,chain,msg:'COMODO WAF: Directory traversal vulnerability in Revive Adserver before 3.2.2 (CVE-2015-7372)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith delivery_dev/al.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith oc-admin/index.php" \
"id:242010,chain,msg:'COMODO WAF: Directory traversal vulnerability in OSClass before 3.4.2 (CVE-2014-6308)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:osclass "@rx ^[a-z0-9]{26}$" \
"chain,t:none"
SecRule ARGS_GET:page "@contains appearance" \
"chain,t:none"
SecRule ARGS_GET:action "@contains render" \
"chain,t:none"
SecRule ARGS_GET:file "@contains .." \
"t:none,t:normalizePath"
SecRule REQUEST_FILENAME "@endsWith /install/popup.php" \
"id:242710,chain,msg:'COMODO WAF: Directory traversal vulnerability in Exponent CMS (CVE-2013-3295)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@contains .." \
"t:none,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith /src/index.php" \
"id:243000,chain,msg:'COMODO WAF: Directory traversal vulnerability in QuiXplorer before 2.5.5 (CVE-2013-1641)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:action "@contains post" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:do_action "@contains download_selected" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:selitems[] "@contains .." \
"t:none,t:normalizePath,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS:fid "@ge 1" \
"id:243270,chain,msg:'COMODO WAF: Path traversal vulnerability in Exponent CMS 2.3.9 (CVE-2016-7452)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:cpi "@contains .." \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS:controller "@streq pixidou" \
"chain,t:none,t:lowercase"
SecRule ARGS:action "@streq exiteditor" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"t:none"
SecRule &ARGS:fname "@ge 1" \
"id:243300,chain,msg:'COMODO WAF: Directory traversal vulnerability in ReadyDesk 9.1 (CVE-2016-5049)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:sesid "@contains .." \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith chat/openattach.aspx" \
"t:none,t:urlDecodeUni,t:normalizePath"
SecRule ARGS:profile "@contains .." \
"id:243390,chain,msg:'COMODO WAF: Remote Code Execution vulnerability in Exponent CMS v2.3.9 (CVE-2016-7790)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx \/install\/(?:index\.php)?$" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:id|ARGS:dir "@contains .." \
"id:243590,chain,msg:'COMODO WAF: Directory traversal in MODX Revolution before 2.5.2-pl (CVE-2016-10037 & CVE-2016-10039)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:action "@pm getfiles getlist" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_HEADERS:modauth|&REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains /connectors/" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &REQUEST_COOKIES_NAMES:pwg_id "@ge 1" \
"id:243640,chain,msg:'COMODO WAF: Information Disclosure and Code Execution vulnerability in the Piwigo through 2.8.3 (CVE-2016-10105)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq plugin" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:section "@contains ../" \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:mode "@contains .." \
"id:243660,chain,msg:'COMODO WAF: Arbitrary path traversal vulnerability in Piwigo through 2.8.3 (CVE-2016-10084)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq batch_manager" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"t:none"
SecRule ARGS:path "@contains .." \
"id:243780,chain,msg:'COMODO WAF: File disclosure and inclusion vulnerability in ZoneMinder 1.x through v1.30.0 (CVE-2017-5595)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:view "@streq file" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:/Set-Cookie/ "@contains zmsessid" \
"t:none,t:lowercase"
SecRule ARGS_GET:f "@contains .." \
"id:244120,chain,msg:'COMODO WAF: Directory traversal vulnerability in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 (CVE-2016-9835)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq jcss.php" \
"t:none,t:lowercase"
SecRule ARGS_GET:tab "@contains .." \
"id:244130,chain,msg:'COMODO WAF: Arbitrary path traversal vulnerability in Piwigo through 2.8.3 (CVE-2016-10085)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"t:none"
SecRule ARGS_POST:pathfolder "@contains .." \
"id:244330,chain,msg:'COMODO WAF: Directory traversal vulnerability in MyBB before 1.8.11 (CVE-2017-8104)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:mybbuser "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:module|ARGS_GET:action "@pm config-smilies add_multiple" \
"t:none,t:lowercase"
SecRule ARGS_POST:directory "@contains .." \
"id:244460,chain,msg:'COMODO WAF: Directory traversal vulnerability in BigTree CMS through 4.2.18 (CVE-2017-9428)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:bigtree_admin[email] "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /site/index.php/admin/ajax/developer/extensions/file-browser/" \
"t:none,t:normalisePath,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:FILECAMERA "@contains ../.." \
"id:244630,chain,msg:'COMODO WAF: Directory traversal in BOA Webserver 0.94.14rc21 (CVE-2017-9833)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@streq /cgi-bin/wapopen" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:deld "@contains .." \
"id:244830,chain,msg:'COMODO WAF: Directory traversal vulnerability in Xinha 0.96, as used in Jojo 4.4.0 (CVE-2017-11723)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:__plugin "@streq imagemanager" \
"chain,t:none,t:lowercase"
SecRule ARGS:__function "@streq images" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith plugins/jojo_core/external/xinha/plugins/imagemanager/backend.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule TX:SLiMS_Akasia "@ge 1" \
"id:244930,chain,msg:'COMODO WAF: Directory Traversal vulnerability in SLiMS 8 Akasia through 8.3.1 (CVE-2017-12586)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq help.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:url "@contains .." \
"t:none"
SecRule ARGS:ctrl "@streq files" \
"id:245220,chain,msg:'COMODO WAF: Directory traversal vulnerability in b2evolution through 6.8.3 (CVE-2017-5480 &CVE-2017-5539)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:session_b2evo "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@endsWith admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS:/^fm_selected\[\d*?\]$/ "@contains .." \
"t:none"
SecRule &REQUEST_COOKIES:met_auth "@ge 1" \
"id:245320,chain,msg:'COMODO WAF: Directory traversal vulnerability in MetInfo 5.3.17 (CVE-2017-14513)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:f_filename "@contains .." \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_GET:Action "@streq fingerprintdo" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /admin/app/physical/physical.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:name "@contains .." \
"id:245490,chain,msg:'COMODO WAF: Arbitrary File Read vulnerability in Fiyo CMS 2.0.7 (CVE-2017-17104)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /dapur/apps/app_theme/libs/check_file.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:dl "@contains .." \
"id:245740,chain,msg:'COMODO WAF: Directory traversal vulnerability in BlackCat CMS before 1.1.2 (CVE-2015-5079)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith modules/blackcat/widgets/logs.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246050,chain,msg:'COMODO WAF: Directory traversal vulnerability in NoneCms through 1.3.0 (CVE-2018-6022)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /admin/main/upload/act/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:path "@contains .." \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:as_sid "@ge 1" \
"id:246080,chain,msg:'COMODO WAF: Directory Traversal vulnerability in ASUSTOR AS6202T ADM 3.1.0.RFQ3 (CVE-2018-11342)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains apis/fileexplorer/fileexplorer.cgi" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:dest_folder "@contains .." \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:as_sid "@ge 1" \
"id:246130,chain,msg:'COMODO WAF: Directory Traversal vulnerability in ASUSTOR AS6202T ADM 3.1.0.RFQ3 (CVE-2018-11341)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith apis/accesscontrol/importuser.cgi" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:filename "@contains .." \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:picname "@contains .." \
"id:246250,chain,msg:'COMODO WAF: Directory Traversal vulnerability in in YXcms 1.4.7 (CVE-2018-13025)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:r "@streq admin/photo/delpic" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"t:none"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"id:246290,chain,msg:'COMODO WAF: Directory traversal vulnerability in CMS Made Simple in 2.2.7 (CVE-2018-10083)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:cmd "@streq del" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:val "@contains .." \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq moduleinterface.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"id:246310,chain,msg:'COMODO WAF: Directory traversal vulnerability in CMS Made Simple in 2.2.7 (CVE-2018-10520)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq moduleinterface.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:m1_mod "@contains .." \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:OCSESSID "@ge 1" \
"id:246520,chain,msg:'COMODO WAF: Directory traversal vulnerability OpenCart through 3.0.2.0 (CVE-2018-11495)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:filename|ARGS_POST:code "@contains .." \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_GET:route "@rx ^(?:catalog\/download|localisation\/language)\/(?:add|edit)$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:iCMS_iCMS_AUTH "@ge 1" \
"id:246620,chain,msg:'COMODO WAF: Directory Traversal vulnerability in idreamsoft iCMS V7.0.11 (CVE-2018-16320)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq admincp.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:config[FS][dir_format] "@contains .." \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:mydms_session "@ge 1" \
"id:246650,chain,msg:'COMODO WAF: Directory traversal vulnerability in SeedDMS before 5.1.8 (CVE-2018-12939)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:qqfilename "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq op.uploadchunks.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:qquuid "@contains .." \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:bigtree_htacess_url "@contains .." \
"id:246840,chain,msg:'COMODO WAF: Local File Inclusion vulnerability in BigTree 4.2.23 (CVE-2018-17341)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith core/launch.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246870,chain,msg:'COMODO WAF: XSS vulnerability in Monstra CMS through 3.0.4 (CVE-2018-16819, CVE-2018-16820)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/index.php" \
"chain,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:id "@streq filesmanager" \
"chain,t:none,t:lowercase"
SecRule ARGS:path "@beginsWith uploads/" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:path "@contains .." \
"t:none,t:urlDecodeUni"
SecRule ARGS_GET:mod "@streq library" \
"id:247010,chain,msg:'COMODO WAF: directory traversal vulnerability in PopojiCMS v2.0.1 (CVE-2018-18936)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq route.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:id "@contains .." \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"id:247020,chain,msg:'COMODO WAF: directory traversal vulnerability in OpenEMR before 5.0.1.4 (CVE-2018-15140)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith portal/import_template.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:docid "@contains .." \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247040,chain,msg:'COMODO WAF: directory traversal vulnerability in BearAdmin 0.5 (CVE-2018-11413)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith databack/download.html" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:name "@contains .." \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247050,chain,msg:'COMODO WAF: Directory Traversal vulnerability in PHPSHE 1.7 (CVE-2018-18485)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:mod "@streq db" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:dbname "@contains .." \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@contains admin/download" \
"id:247060,chain,msg:'COMODO WAF: Directory Traversal vulnerability in HRSALE The Ultimate HRM 1.0.2 (CVE-2018-10260)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:type "@eq 1" \
"chain,t:none"
SecRule ARGS_GET:filename "@contains ../" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSIDwebERPteam "@ge 1" \
"id:247260,chain,msg:'COMODO WAF: Directory traversal vulnerability in webERP 4.15 (CVE-2018-20420)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:FormID "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq z_createcompanytemplatefile.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:TemplateName "@contains ../" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247590,chain,msg:'COMODO WAF: Arbitrary File Download exists in RhinOS CMS v3.x (CVE-2018-18760)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:file "@contains .." \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /admin/inicio.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247790,chain,msg:'COMODO WAF: Arbitrary File Download exists in OpenSTA Manager v2.3||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:file "@contains .." \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /modules/backup/actions.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247820,chain,msg:'Arbitrary File Delete exists in PHPMyWind CMS v5.5 (CVE-2019-7403)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:tbname "@contains .." \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /admin/database_backup.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:efile "@contains .." \
"id:247870,chain,msg:'COMODO WAF: Directory traversal vulnerability exists in imcat (CVE-2018-20610)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:/^\d{3}_sessid/ "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /root/run/adm.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecMarker IGNORE_SFS_SIG_OtherApps_LFI
SecRule REQUEST_FILENAME "@endsWith web/ajax_pluginconf.php" \
"id:210320,chain,msg:'COMODO WAF: Directory traversal vulnerability in Magento Mass Importer (CVE-2015-2067)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:plugintype "@ge 1" \
"chain,t:none"
SecRule &ARGS:pluginclass "@ge 1" \
"chain,t:none"
SecRule ARGS:file "@rx \.\.|^\/" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "admin/plugin-index\.php|admin/plugin-settings\.php|admin/plugin-preferences\.php" \
"id:220060,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in OpenX Source 2.8.10 and earlier (CVE-2013-3515)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:action|ARGS:group|ARGS:package|ARGS:parent|ARGS:plugin "@rx [^a-zA-Z0-9\._-]"
SecRule REQUEST_FILENAME "@rx /data/form_[0-9]+/files/element_[0-9]+.{0,99}\.php" \
"id:220070,msg:'COMODO WAF: File upload vulnerability in Machform 2 (CVE-2013-4949)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "libraries\/(?:error(?:_handler)?\.class|auth\/swekey\/swekey\.auth\.lib|bookmark\.lib|common\.inc|config\.class|config\.default|data_drizzle\.inc|data_mysql\.inc|dbi\/drizzle-wrappers\.lib|display_tbl\.lib|engines\/(?:bdb|berkeleydb|binlog|innobase|innodb|memory|merge|mrg_myisam|myisam|ndbcluster|pbms|pbxt)\.lib|list_database\.class|pdf\.class|pma|pmd_common|recenttable\.class|schema\/pdf_relation_schema\.class)\.php" \
"id:220090,msg:'COMODO WAF: Multiple vulnerabilities in phpMyAdmin (CVE-2013-4998 / CVE-2013-4999 / CVE-2013-5000)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS "@pm unionselect union/*" \
"id:220150,chain,msg:'COMODO WAF: SQL injection vulnerability in Ginkgo CMS 5.0 (CVE-2013-5318)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,logdata:'%{MATCHED_VAR}',t:none,t:removeWhitespace,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS|!ARGS:/FCKeditor/|!ARGS:/^jform/|!ARGS:/^para/|!ARGS:/appendTo/|!ARGS:/database/|!ARGS:/description/|!ARGS:/insertAfter/|!ARGS:/insertBefore/|!ARGS:/installcode/|!ARGS:/message/|!ARGS:/msg/|!ARGS:/narrative/|!ARGS:/php/|!ARGS:/prependTo/|!ARGS:/prevObject/|!ARGS:/replaceAll/|!ARGS:/report/|!ARGS:/sql/|!ARGS:/teaser/|!ARGS:/text/|!ARGS:/txt/|!ARGS:Db_submit|!ARGS:Post|!ARGS:TicketID|!ARGS:action|!ARGS:alternate1|!ARGS:article_content|!ARGS:body|!ARGS:code|!ARGS:comment|!ARGS:contenido|!ARGS:content|!ARGS:data|!ARGS:faqs_answer|!ARGS:fck_body|!ARGS:file_content|!ARGS:form[pagina_text]|!ARGS:fulldescr|!ARGS:json|!ARGS:keywords|!ARGS:newcontent|!ARGS:p_action|!ARGS:prefix|!ARGS:query|!ARGS:resolution|!ARGS:saved_data|!ARGS:steps|!ARGS:suffix|!ARGS:wpSummary "@rx (?:union(?:\/\*.{0,399}\*\/)?select)" \
"t:none,t:removeWhitespace,t:lowercase"
SecRule REQUEST_FILENAME "@rx /user/browse/view_" \
"id:220160,chain,msg:'COMODO WAF: SQL injection vulnerability in PHPFox before 3.6.0 (CVE-2013-5121)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:search[sort_by] "@rx ^(?!^(asc|desc)$).+$" \
"t:none,t:removeWhitespace,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"id:220180,chain,phase:2,pass,nolog,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:edit "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:mode "@streq users" \
"setvar:'SESSION.ritecms=1',expirevar:'SESSION.ritecms=300',t:none,t:lowercase"
SecRule SESSION:ritecms "@eq 1" \
"id:220181,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:edit_user_submitted "@ge 1" \
"id:220182,chain,msg:'COMODO WAF: CSRF vulnerability in RiteCMS 1.0.0 (CVE-2013-5316)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:type "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:mode "@streq users" \
"t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq awards.php" \
"id:220270,chain,msg:'COMODO WAF: SQLi vulnerability in PsychoStats 3.2.2b (CVE-2013-3721)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:d "!@rx ^[\d\-]{10}$" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /recursos/agent.php" \
"id:220450,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Cubic CMS 5.1.1, 5.1.2, and 5.2 (CVE-2014-1619)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:resource_id|ARGS_GET:version_id "!@rx ^-?\d+$" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:MoodleSession "@ge 1" \
"id:220480,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /user/profile/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.Moodle=1',expirevar:'SESSION.Moodle=300',t:none,t:lowercase"
SecRule SESSION:Moodle "@eq 1" \
"id:220481,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:MoodleSession "@ge 1" \
"id:220482,chain,msg:'COMODO WAF: Multiple CSRF vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 (CVE-2014-0010)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq deletefield" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"id:220580,chain,msg:'COMODO WAF: XSS vulnerability in easyXDM before 2.4.19 (CVE-2014-1403)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq name.html" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule QUERY_STRING "@rx .{0,399}\#\_.{0,399}javascript" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith sw/admin_change_password.php" \
"id:220640,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.CSSMS=1',expirevar:'SESSION.CSSMS=300',t:none,t:lowercase"
SecRule SESSION:CSSMS "@eq 1" \
"id:220641,phase:2,pass,nolog,skip:1,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith sw/admin_change_password.php" \
"id:220642,chain,msg:'COMODO WAF: Multiple CSRF vulnerabilities in Command School Student Management System 1.06.01 (CVE-2014-1915)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:CSSMS "!@eq 1" \
"chain,t:none"
SecRule ARGS_POST:action "@streq update" \
"t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq create_topic.php" \
"id:220643,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.CSSMS2=1',expirevar:'SESSION.CSSMS2=300',t:none,t:lowercase"
SecRule SESSION:CSSMS2 "@eq 1" \
"id:220644,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith sw/add_topic.php" \
"id:220645,chain,msg:'COMODO WAF: CSRF vulnerabilities in Command School Student Management System 1.06.01 (CVE-2014-1915)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:Submit "@streq submit" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "/whizzywig/wb\.php/" \
"id:220740,chain,msg:'COMODO WAF: XSS vulnerability in CMSimple Classic 3.54 and earlier (CVE-2014-2219)||%{tx.domain}|%{tx.mode}|2',deny,status:403,t:none,t:htmlEntityDecode,t:lowercase,multiMatch,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:d "'"
SecRule REQUEST_URI "@contains /admin/users/add/user/" \
"id:220880,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.UMICMS=1',expirevar:'SESSION.UMICMS=300',t:none,t:lowercase"
SecRule SESSION:UMICMS "@eq 1" \
"id:220881,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /admin/users/add/user/do/" \
"id:220882,chain,msg:'COMODO WAF: CSRF vulnerability in Umisoft UMI.CMS before 2.9 build 21905 (CVE-2013-2754)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:data[new][login] "!@rx ^$" \
"chain"
SecRule ARGS_POST:data[new][password][] "!@rx ^$"
SecRule REQUEST_FILENAME "/portal/addtoapplication\.php" \
"id:220920,chain,msg:'COMODO WAF: SQL injection vulnerability in POSH (aka Posh portal or Portaneo) 3.0 before 3.3.0 (CVE-2014-2211)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:rssurl "!@rx ^(?:(?:http|ftp)[s]?:\/\/)?[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,3}|[0-9]{1,3})(:[0-9]+)?[a-zA-Z0-9\-\._\?\'/\\\+&%#\=~]*$" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni,t:lowercase"
SecRule ARGS:m1_sortby "!@rx ^\w+\W(ASC|DESC)$" \
"id:220960,chain,msg:'COMODO WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule Request_FILENAME "moduleinterface\.php"
SecRule REQUEST_METHOD "@streq POST" \
"id:221030,chain,msg:'COMODO WAF: DoS attack vulnerability (XML Quadratic Blowup Attack) in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31 (CVE-2014-5266)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq xmlrpc.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BODY "@contains ENTITY" \
"chain"
SecRule REQUEST_BODY "@rx (\;.{0,399}?\&.+?){100,}?"
SecRule REQUEST_HEADERS:User-Agent "WinHttp\.WinHttpRequest\.5" \
"id:221031,chain,msg:'COMODO WAF: DoS attack vulnerability (XML Quadratic Blowup Attack) in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31 (CVE-2014-5266)||%{tx.domain}|%{tx.mode}|2',deny,status:403,t:none,t:removeWhitespace,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
"chain"
SecRule REQUEST_BASENAME "@streq xmlrpc.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq GET" \
"id:221040,chain,phase:2,pass,nolog,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /symphony/system/authors" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule QUERY_STRING "@rx ^$" \
"setvar:'SESSION.symphony=1',expirevar:'SESSION.symphony=1200',t:none"
SecRule SESSION:symphony "@eq 1" \
"id:221041,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq GET" \
"id:221042,chain,msg:'COMODO WAF: CSRF vulnerability in Symphony CMS before 2.3.2 (CVE-2013-7346)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /symphony/system/authors" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:order|ARGS_GET:sort "@rx ." \
"t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq index2.php" \
"id:221120,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.XCloner=1',expirevar:'SESSION.XCloner=300',t:none,t:lowercase"
SecRule SESSION:XCloner "@eq 1" \
"id:221121,phase:2,pass,nolog,skip:1,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:jcuser "@eq 1" \
"id:221122,chain,msg:'COMODO WAF: Multiple CSRF vulnerabilities in XCloner Standalone 3.5 and earlier (CVE-2014-2579)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:jcpass "@eq 1" \
"chain,t:none"
SecRule &SESSION:XCloner "!@eq 1" \
"chain,t:none"
SecRule ARGS_POST:task "@streq config" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq index2.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_COOKIES:/fusion\w+user/ "@rx [^a-z0-9\.]" \
"id:221190,msg:'COMODO WAF: SQL injection vulnerability in PHP-Fusion 7.02.01 through 7.02.05 (CVE-2013-7375)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:dc_passwd "!@rx ^a:\d+:{(?:i:\d+;s:\d+:\x22.{0,399}?\x22;)*}$" \
"id:221200,msg:'COMODO WAF: RCE vulnerability in Dotclear before 2.6.2 (CVE-2014-1613)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,log,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:controller "@streq user" \
"id:221480,chain,phase:2,pass,nolog,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI_RAW "@contains kanboard/" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:action "@streq create" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.kan=1',expirevar:'SESSION.kan=300',t:none,t:lowercase"
SecRule SESSION:kan "@eq 1" \
"id:221481,phase:2,pass,nolog,skip:1,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:kan "!@eq 1" \
"id:221482,chain,msg:'COMODO WAF: CSRF vulnerability in Kanboard before 1.0.6 (CVE-2014-3920)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:controller "@streq user" \
"chain"
SecRule ARGS_GET:action "@streq save" \
"chain"
SecRule &ARGS_POST:username "@eq 1" \
"chain"
SecRule &ARGS_POST:name "@eq 1" \
"chain"
SecRule &ARGS_POST:password "@eq 1" \
"chain"
SecRule REQUEST_URI_RAW "@contains kanboard/" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith user/edit.php" \
"id:221560,chain,msg:'COMODO WAF: XSS vulnerability in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 (CVE-2014-3544)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@streq MoodleSession" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:skype "!@rx ^(?:live:|[a-z0-9,\._\-]){6,32}$" \
"t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,multiMatch"
SecRule REQUEST_FILENAME "@endsWith status_rrd_graph_img.php" \
"id:221620,chain,msg:'COMODO WAF: Remote command execution vulnerability in the pfSense before 2.1.4 (CVE-2014-4688)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:database|ARGS:graph "@rx [\\\\|\||\x22|\0|'|\/]" \
"t:none,t:urlDecodeUni,multiMatch"
SecRule REQUEST_FILENAME "@endsWith pkg_mgr_install.php" \
"id:221630,chain,msg:'COMODO WAF: Absolute path traversal vulnerability in pfSense before 2.1.4 (CVE-2014-4689)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:id|ARGS:mode|ARGS:pkg "@rx [\\\\|\||\.|\x22|\0|'|\/]" \
"t:none,t:urlDecodeUni,multiMatch"
SecRule REQUEST_FILENAME "@endsWith pkg_edit.php" \
"id:221631,chain,msg:'COMODO WAF: Absolute path traversal vulnerability in pfSense before 2.1.4 (CVE-2014-4689)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:xml "@rx [\\\\|\//\.|\0]" \
"t:none,t:urlDecodeUni,multiMatch"
SecRule REQUEST_FILENAME "@endsWith system_firmware_restorefullbackup.php" \
"id:221632,chain,msg:'COMODO WAF: Absolute path traversal vulnerability in pfSense before 2.1.4 (CVE-2014-4689)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:downloadbackup "@rx [\\\\|\//\.|\0]" \
"t:none,t:urlDecodeUni,multiMatch"
SecRule ARGS_GET:phpfile "@rx ^[\.\\\\\/]+" \
"id:221640,msg:'COMODO WAF: Absolute path traversal vulnerability in DirPHP 1.0 (CVE-2014-5115)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:do "!eq 0" \
"id:222060,chain,msg:'COMODO WAF: SQL injection vulnerability in Kasseler CMS (CVE-2013-3727)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:module "@pm sendmail news voting forum account categories" \
"chain,t:none,t:lowercase,multiMatch"
SecRule ARGS:desc|ARGS:dok|ARGS:fid|ARGS:groups[]|ARGS:id|ARGS:module|ARGS:nid|ARGS:tid|ARGS:tid|ARGS:vid "@rx [\'\,]" \
"chain,t:none,t:urlDecodeUni,multiMatch"
SecRule REQUEST_FILENAME "@pm admin.php index.php" \
"t:none,t:urlDecodeUni,t:lowercase,multiMatch"
SecRule &ARGS:site_id "@ge 1" \
"id:222130,chain,msg:'COMODO WAF: SQL injection vulnerability in Sphider 1.3.6 (CVE-2014-5192)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule ARGS:filter "@contains '" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /admin/admin.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_FILENAME "@rx concrete\/single_pages\/dashboard\/(?:(?:system\/(basics|mail|environment|permissions|seo)?|users|scrapbook|pages|files)?\/?(?:editor|file_storage_locations|importers|method|file_types|files|tasks|users|attributes|search)?(view)?)\.php" \
"id:240190,chain,msg:'COMODO WAF: Information leakage in the Concrete5 before 5.6.3 (CVE-2014-5107)||%{tx.domain}|%{tx.mode}|2',phase:4,deny,status:403,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule RESPONSE_BODY "@beginsWith Fatalerror:" \
"t:none,t:urlDecodeUni,t:removeWhitespace"
SecRule REQUEST_COOKIES:_ga "@rx ^ga(\d+\.{0,256})+" \
"id:240250,chain,phase:2,capture,pass,setsid:'%{TX.1}',nolog,t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /dashboard/users/create/" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@contains _ga" \
"id:240251,chain,phase:2,pass,nolog,t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains /dashboard/users/create/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.TIMEOUT=300',setvar:'SESSION.articleFR=1',expirevar:'SESSION.articleFR=300',t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"id:240253,chain,msg:'COMODO WAF: CSRF vulnerabilities in Free Reprintables ArticleFR 3.0.6 (CVE-2015-5530)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_NAMES "@pm username name password email website blog membership isactive" \
"chain,t:none,t:lowercase"
SecRule &SESSION:articleFR "!@eq 1" \
"chain"
SecRule REQUEST_URI "@contains /dashboard/users/create/" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_FILENAME "@rx \/(plupload\.flash|moxie)\.swf$" \
"id:240320,chain,msg:'COMODO WAF: XSS vulnerability in in the Plupload plugin for WordPress and other web apps (CVE-2013-0237, CVE-2015-3439)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:id|&ARGS:target "@gt 0" \
"t:none,t:lowercase"
SecRule REQUEST_METHOD "!@streq post" \
"id:240330,phase:2,pass,nolog,t:none,t:lowercase,skipAfter:'END_XMLRPC_PROTECTION',rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "!@endsWith xmlrpc.php" \
"id:240331,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:lowercase,skipAfter:'END_XMLRPC_PROTECTION',rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule IP:XMLRPC_COUNTER "@eq 0" \
"id:240332,phase:2,pass,setvar:'ip.xmlrpc_counter=+1',expirevar:'ip.xmlrpc_counter=%{tx.xmlrpc_watch_period}',nolog,t:none,skip:1,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecAction \
"id:240333,phase:2,pass,setvar:'ip.xmlrpc_counter=+1',nolog"
SecRule IP:XMLRPC_COUNTER "@gt %{tx.xmlrpc_requests_limit}" \
"id:240334,phase:2,pass,setvar:'ip.xmlrpc_block=1',expirevar:'ip.xmlrpc_block=%{tx.xmlrpc_block_timeout}',nolog,t:none,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule IP:XMLRPC_BLOCK "@eq 1" \
"id:240335,chain,msg:'COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source %{tx.real_ip} (%{tx.xmlrpc_block_counter} hits since last alert)|%{tx.domain}|%{tx.mode}|2',phase:2,block,log,t:none,skip:1,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &IP:XMLRPC_BLOCK_FLAG "@eq 0" \
"setvar:'ip.xmlrpc_block_flag=1',setvar:'tx.xmlrpc_block_counter=%{ip.xmlrpc_block_counter}+1',setvar:'ip.xmlrpc_block_counter=0',expirevar:'ip.xmlrpc_block_flag=60'"
SecRule IP:XMLRPC_BLOCK "@eq 1" \
"id:240336,phase:2,block,setvar:'ip.xmlrpc_block_counter=+1',nolog,noauditlog,t:none,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecMarker END_XMLRPC_PROTECTION
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS "@contains PHPSESSID" \
"id:240460,chain,msg:'COMODO WAF: XSS vulnerability in OpenDocMan before 1.3.4 (CVE-2015-5625)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx \/(?:index\.php)?$" \
"chain,t:none,t:lowercase"
SecRule ARGS:redirection "@rx data\:[\w\/]+\;base64" \
"t:none,t:lowercase,t:removeWhitespace"
SecRule &REQUEST_COOKIES:PHPSESSID "@gt 0" \
"id:240470,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 (CVE-2015-6967)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS:plugin "@streq my_image" \
"chain,t:none,t:lowercase"
SecRule FILES "!@rx \.(?:jpe?g|png|gif)$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@contains /content/private/plugins/my_image/" \
"id:240471,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 (CVE-2015-6967)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "!@rx image\.(?:jpe?g|png|gif)$" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith front/ticket.form.php" \
"id:240510,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in the GLPI before 0.85.3 (CVE-2015-7684)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:/_filename\[\d+]/ "@rx \.(?:php[\d]?|js|pl|rb|sh|p?html|asp|exe|com|htaccess)$" \
"t:none,t:lowercase"
SecRule &ARGS_POST:token "@eq 0" \
"id:240530,chain,msg:'COMODO WAF: CSRF protection bypass in Revive Adserver before 3.2.2 (CVE-2015-7364)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES:sessionID "@rx ^[a-z0-9]{32}$" \
"chain,t:none"
SecRule REQUEST_FILENAME "@rx (?:(?:advertiser|campaign|affiliate|zone|channel)\-edit|account\-user\-(?:name\-language|email|password))\.php$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:token "@eq 0" \
"id:240531,chain,msg:'COMODO WAF: CSRF in Revive Adserver before 3.2.2 (CVE-2015-7364)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:length,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:sessionID "@rx ^[a-z0-9]{32}$" \
"chain,t:none"
SecRule REQUEST_FILENAME "@rx (?:(?:advertiser|campaign|affiliate|zone|channel)\-edit|account\-user\-(?:name\-language|email|password))\.php$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith serendipity_admin.php" \
"id:240540,chain,msg:'COMODO WAF: Multiple incomplete blacklist vulnerabilities in Serendipity before 2.0.2 (CVE-2015-6968)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:/serendipity\[target_filename]\[\d+]/ "@rx \.pht(?:ml)?$" \
"t:none,t:lowercase"
SecRule ARGS_GET:controller "@streq post" \
"id:240561,chain,phase:2,pass,nolog,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq new_simple" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.nbblog=1',expirevar:'SESSION.nbblog=300',t:none,t:lowercase"
SecRule SESSION:nbblog "@eq 1" \
"id:240562,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:controller "@streq post" \
"id:240563,chain,msg:'COMODO WAF: CSRF vulnerability in Nibbleblog before 4.0.5 (CVE-2015-6966)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq new_simple" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:nbblog "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith index.php/admin/dataentry/sa/insert" \
"id:240590,chain,msg:'COMODO WAF: SQL injection vulnerability in LimeSurvey 2.06+ (CVE-2015-5078)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:subaction "@streq insert" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:closedate "!@rx ^[\d-:]+$" \
"t:none,t:removeWhitespace"
SecRule ARGS_GET:time "!@rx ^[\d\.]+$" \
"id:240600,chain,msg:'COMODO WAF: SQL Injection in FreiChat 9.6 (CVE-2015-6512)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith server/freichat.php" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "@contains syspass" \
"id:240630,chain,msg:'COMODO WAF: SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier (CVE-2015-6516)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endswith ajax/ajax_search.php" \
"chain,t:none,t:lowercase"
SecRule ARGS:search "@rx [')]" \
"t:none"
SecRule ARGS:name "@endsWith .php" \
"id:240680,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 (CVE-2015-7773)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:key "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains /panel/api/files/rename/" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:mimetype "!@within application/octet-stream text/plain" \
"id:240830,chain,msg:'COMODO WAF: CRLF injection vulnerability in CGit before 0.12 (CVE-2016-1899)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /blob/" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_FILENAME "@pm create_course.php edit_course.php" \
"id:240880,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in ATutor before 2.2 (CVE-2014-9752)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule FILES_NAMES "@streq customicon" \
"chain,t:none,t:lowercase"
SecRule FILES "!@rx \w+.(png|jpg|gif)" \
"t:none,t:lowercase"
SecRule ARGS_POST:__vtrftk "@beginsWith sid:" \
"id:240890,chain,msg:'COMODO WAF: Shell upload vulnerability in VtigerCRM 6.4.0 and earlier (CVE-2016-1713 & CVE-2015-6000)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES:PHPSESSID "@eq 26" \
"chain,t:none,t:length"
SecRule FILES "!@rx \.(?:gif|p?jpe?g|(?:x-)?png)$" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains alt_doc.php" \
"id:240960,chain,msg:'COMODO WAF: XSS vulnerability in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 (CVE-2015-8759)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:/data\[tt_content\]\[\d+]\[header_link\](_hr)?/ "@pm javascript:" \
"t:none,t:lowercase,t:urlDecodeUni"
SecRule REQUEST_URI "@pm /typo3/index.php" \
"id:240990,chain,msg:'COMODO WAF: XSS vulnerability in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier (CVE-2015-5956)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:redirect_url "@rx data\:[\w\/]+\;base64" \
"t:none,t:lowercase,t:removeWhitespace"
SecRule REQUEST_FILENAME "@pm show_rechis.php" \
"id:240991,chain,msg:'COMODO WAF: Cross site scripting vulnerability in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier (CVE-2015-5956)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:returnUrl "@rx data\:[\w\/]+\;base64" \
"t:none,t:lowercase,t:removeWhitespace"
SecRule REQUEST_FILENAME "@pm mod/lesson/view.php mod/lesson/mediafile.php" \
"id:241121,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.moodle_ls=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_ls=300',t:none,t:lowercase"
SecRule SESSION:moodle_ls "@eq 1" \
"id:241122,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm mod/lesson/view.php mod/lesson/mediafile.php" \
"id:241123,chain,msg:'COMODO WAF: CSRF vulnerability in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 (CVE-2015-5338)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:id "@ge 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:moodle_ls "!@eq 1" \
"t:none"
SecRule IP:magento_rss_order_counter "@ge 5" \
"id:241140,msg:'COMODO WAF: IP Blocked for 300 secs. Information Disclosure vulnerability in Magento before 1.9.2.3 (CVE-2016-2212)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /rss/order/status/" \
"id:241141,chain,msg:'COMODO WAF: Tracking possible Information Disclosure vulnerability in Magento before 1.9.2.3 (CVE-2016-2212)||%{tx.domain}|%{tx.mode}|2',phase:2,pass,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:data "@rx (?:increment|customer)_id:(\D+)" \
"setvar:'TX.magento_rss_order=1',expirevar:'TX.magento_rss_order=300',t:none,t:urlDecodeUni,t:base64DecodeExt,t:cmdLine,t:removeWhitespace"
SecRule &TX:magento_rss_order "@ge 1" \
"id:241142,chain,msg:'COMODO WAF: Information Disclosure vulnerability in Magento before 1.9.2.3 (CVE-2016-2212)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule RESPONSE_HEADERS:Set-Cookie "@contains frontend" \
"t:none"
SecRule &TX:magento_rss_order "@ge 1" \
"id:241143,chain,msg:'COMODO WAF: Blocking IP. Information disclosure vulnerability in Magento before 1.9.2.3 (CVE-2016-2212)||%{tx.domain}|%{tx.mode}|2',phase:5,pass,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule RESPONSE_HEADERS:Set-Cookie "@contains frontend" \
"initcol:ip=%{REMOTE_ADDR},setvar:'ip.magento_rss_order_counter=+5',expirevar:'ip.magento_rss_order_counter=300',t:none"
SecRule ARGS_GET:p "@streq user" \
"id:241170,chain,phase:2,pass,nolog,t:none,t:lowercase,skip:1,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"chain,setvar:'SESSION.gecko_cms=1',expirevar:'SESSION.gecko_cms=300',t:none,t:lowercase"
SecRule SESSION:gecko_cms "@eq 1" \
"t:none"
SecRule ARGS_GET:p "@streq user" \
"id:241171,chain,msg:'COMODO WAF: CSRF vulnerability in Gecko CMS 2.2 and 2.3 (CVE-2015-1424)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:gecko_cms "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith admin/registration/register.php" \
"id:241180,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.moodle_rg=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_rg=300',t:none,t:lowercase"
SecRule SESSION:moodle_rg "@eq 1" \
"id:241181,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/registration/register.php" \
"id:241182,chain,msg:'COMODO WAF: CSRF vulnerability in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 (CVE-2015-5335)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:moodle_rg "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith mod/glossary/editcategories.php" \
"id:241230,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.moodle_gl=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_gl=300',t:none,t:lowercase"
SecRule SESSION:moodle_gl "@eq 1" \
"id:241231,phase:2,pass,nolog,skip:1,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith mod/glossary/editcategories.php" \
"id:241232,chain,msg:'COMODO WAF: CSRF vulnerability in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 (CVE-2015-0213)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:moodle_gl "!@eq 1" \
"t:none"
SecRule &REQUEST_COOKIES:dcxd "@ge 1" \
"id:241260,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in Dotclear before version 2.8.2 (CVE-2015-8832)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq media.php" \
"chain,t:none,t:lowercase"
SecRule FILES "@rx \.(?:(?:p|s)?h(?:p[2-7s]?|(?:tm)?l?)|dll|exe|js|pl|rb|sh|\.htaccess)$" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith asys/site/files/upload.php" \
"id:241380,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in Adminsystems CMS before 4.0.2 (CVE-2015-1604)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:name "@rx \.(?:php[\d]?|js|pl|rb|sh|p?html|asp|exe|com|htaccess)$" \
"t:none,t:lowercase"
SecRule &ARGS:_alt "@ge 1" \
"id:241390,chain,msg:'COMODO WAF: Absolute path traversal vulnerability in Roundcube before 1.0.6 and 1.1.x before 1.1.2 (CVE-2015-8794)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:_task "@streq addressbook" \
"chain,t:none,t:lowercase"
SecRule ARGS:_action "@streq import" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@contains roundcube" \
"t:none"
SecRule &ARGS_POST:yii_csrf_token "@ge 1" \
"id:241430,chain,msg:'COMODO WAF: Arbitrary File Upload in X2Engine X2CRM before 5.0.9 (CVE-2015-5074)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:phpsessid "@ge 1" \
"chain,t:none"
SecRule &REQUEST_COOKIES:yii_csrf_token "@ge 1" \
"chain,t:none"
SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key)$" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /libraries/sql-parser/autoload.php" \
"id:241570,msg:'COMODO WAF: Information Disclosure in phpMyAdmin 4.5.x before 4.5.4 (CVE-2016-2044)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith graph_view.php" \
"id:241580,chain,msg:'COMODO WAF: SQL Injection Vulnerability in Cacti 0.8.8g and earlier (CVE-2016-3659)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"chain,setvar:'TX.cacti=1',t:none"
SecRule ARGS:host_group_data "!@rx ^(?:graph_template|data_query)\:\d+$" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS:host_group_data "!@contains data_query_index" \
"t:none"
SecRule TX:cacti "@eq 1" \
"id:241581,chain,msg:'COMODO WAF: SQL Injection Vulnerability in Cacti 0.8.8g and earlier (CVE-2016-3659)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:host_group_data "@rx ^(?:data_query_index\:\d+\:(.+))$" \
"chain,capture,t:none,t:urlDecodeUni"
SecRule TX:1 "@pm ( )" \
"t:none"
SecRule REQUEST_URI "@rx shop-\d+\/category:" \
"id:241590,chain,msg:'COMODO WAF: SQL injection vulnerability in the Microweber CMS 0.95 before 20141209 (CVE-2014-9464)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "!@rx category:\d+$" \
"t:none,t:lowercase"
SecRule REQUEST_HEADERS:X-HTTP-Method-Override "!@streq %{REQUEST_METHOD}" \
"id:241600,chain,msg:'COMODO WAF: CSRF protection bypass in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_HEADERS:X-HTTP-Method-Override "@ge 1" \
"chain,t:none,t:length"
SecRule REQUEST_COOKIES_NAMES "@contains cakephp" \
"t:none,t:lowercase"
SecRule ARGS:_method "!@streq %{REQUEST_METHOD}" \
"id:241601,chain,msg:'COMODO WAF: CSRF protection bypass vulnerability in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:_method "@ge 1" \
"chain,t:none,t:length"
SecRule REQUEST_COOKIES_NAMES "@contains cakephp" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith libraries/phpseclib/crypt/rijndael.php" \
"id:241620,msg:'COMODO WAF: Information Disclosure in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 (CVE-2016-2042)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith libraries/phpseclib/crypt/aes.php" \
"id:241621,msg:'COMODO WAF: Information Disclosure in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 (CVE-2016-2042)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/nos/login" \
"id:241690,chain,msg:'COMODO WAF: Open redirect vulnerability in Novius OS 5.0.1 (Elche) (CVE-2015-5354)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:fuelfid "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:redirect "@beginsWith http" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /libraries/config/messages.inc.php" \
"id:241720,msg:'COMODO WAF: Information Disclosure in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 (CVE-2015-8669)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:adminPassword "@contains ;" \
"id:241740,chain,msg:'COMODO WAF: Arbitrary Code Execution in Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6008)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:adminUserName|&ARGS:pathToMYSQL|&ARGS:databaseStructureFile "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith install.php" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"t:none"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:241781,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@pm user_list group_list" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.pwg=1',expirevar:'SESSION.pwg=300',t:none,t:lowercase"
SecRule SESSION:pwg "@eq 1" \
"id:241782,phase:2,pass,nolog,t:none,skip:1,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:241783,chain,msg:'COMODO WAF: CSRF vulnerability in Piwigo before 2.6.2 (CVE-2014-4614)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:pwg "!@eq 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:format "@streq json" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:method "@rx ^pwg\.(?:users|groups|permissions)\.(?:add|delete|setinfo|remove)" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith manager/assets/fileapi/fileapi.flash.image.swf" \
"id:241950,chain,msg:'COMODO WAF: XSS vulnerability in the MODX Revolution 2.3.2-pl (CVE-2014-8992)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:callback "@contains )" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_URI "@contains /manager/" \
"id:241960,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:a "@ge 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.modx=1',expirevar:'SESSION.modx=300',t:none,t:lowercase"
SecRule SESSION:modx "@eq 1" \
"id:241961,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith connectors/security/profile.php" \
"id:241962,chain,msg:'COMODO WAF: CSRF vulnerability in MODX Revolution 2.x before 2.2.15 (CVE-2014-8773 & CVE-2014-8775)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:modx "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith admin/extensions.php" \
"id:242181,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:ext "@streq contact_form" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.lunar_ex=1',expirevar:'SESSION.lunar_ex=300',t:none,t:lowercase"
SecRule SESSION:lunar_ex "@eq 1" \
"id:242182,phase:2,pass,nolog,t:none,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/extensions.php" \
"id:242183,chain,msg:'COMODO WAF: CSRF vulnerability in the Lunar CMS before 3.3-3 (CVE-2014-4718)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:ext "@streq contact_form" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:lunar_ex "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith admin/user_create.php" \
"id:242184,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.lunar_user=1',expirevar:'SESSION.lunar_user=300',t:none,t:lowercase"
SecRule SESSION:lunar_user "@eq 1" \
"id:242185,phase:2,pass,nolog,t:none,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/user_create.php" \
"id:242186,chain,msg:'COMODO WAF: CSRF vulnerability in the Lunar CMS before 3.3-3 (CVE-2014-4718)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:access "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:Submit "@streq submit" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:lunar_user "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith admin/admin_users.php" \
"id:242230,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:mnm_user "@ge 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.pligg_user=1',expirevar:'SESSION.pligg_user=300',t:none,t:lowercase"
SecRule SESSION:pligg_user "@eq 1" \
"id:242231,phase:2,pass,nolog,t:none,skip:1,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/admin_users.php" \
"id:242232,chain,msg:'COMODO WAF: CSRF vulnerability in the Pligg CMS 2.0.2 (CVE-2015-6655)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:mnm_user "@ge 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:pligg_user "!@eq 1" \
"t:none"
SecRule &REQUEST_COOKIES:clickheat "@ge 1" \
"id:242241,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq config" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.clickheat_con=1',expirevar:'SESSION.clickheat_con=300',t:none,t:lowercase"
SecRule SESSION:clickheat_con "@eq 1" \
"id:242242,phase:2,pass,nolog,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:clickheat "@ge 1" \
"id:242243,chain,msg:'COMODO WAF: CSRF vulnerability in the ClickHeat 1.14 (CVE-2015-4659)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "@streq config" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:clickheat_con "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith filemanager.php" \
"id:242280,chain,msg:'COMODO WAF: Absolute path traversal vulnerability in AuraCMS 3.0 (CVE-2014-3975)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:Login "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:viewdir "!@beginsWith files" \
"t:none,t:urlDecodeUni,t:lowercase,t:normalizePath"
SecRule &REQUEST_COOKIES:GeniXCMS "@ge 1" \
"id:242291,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq users" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.genix_user=1',expirevar:'SESSION.genix_user=300',t:none,t:lowercase"
SecRule SESSION:genix_user "@eq 1" \
"id:242292,phase:2,pass,nolog,t:none,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:GeniXCMS "@ge 1" \
"id:242293,chain,msg:'COMODO WAF: CSRF vulnerability in the MetalGenix GeniXCMS before 0.0.2 (CVE-2015-2680)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq users" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:genix_user "!@eq 1" \
"t:none"
SecRule &REQUEST_COOKIES:sid "@ge 1" \
"id:242301,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:profilefields "@ge 1" \
"chain,t:none"
SecRule REQUEST_URI "@contains admin.php" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.ilch_profile=1',expirevar:'SESSION.ilch_profile=300',t:none,t:lowercase"
SecRule SESSION:ilch_profile "@eq 1" \
"id:242302,phase:2,pass,nolog,t:none,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:sid "@ge 1" \
"id:242303,chain,msg:'COMODO WAF: CSRF vulnerability in the Ilch CMS (CVE-2015-2680)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:profilefields "@ge 1" \
"chain,t:none"
SecRule &SESSION:ilch_profile "!@eq 1" \
"chain,t:none"
SecRule REQUEST_URI "@contains admin.php" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"t:none,t:lowercase"
SecRule &ARGS:TBLName "@ge 1" \
"id:242350,chain,msg:'COMODO WAF: SQL injection vulnerability in phpRechnung before 1.6.5 (CVE-2015-5648)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm methodofpayment tax category posgroup position invoice addressbook payment syslog config cashbook message user offer" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith list.php" \
"t:none,t:lowercase"
SecRule &ARGS_GET:address_book "@ge 1" \
"id:242380,chain,msg:'COMODO WAF: SQL injection vulnerability in TomatoCart 1.1.8.6.1 (CVE-2014-3978)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:new "@streq save" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains account.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:firstname|ARGS_POST:lastname "@detectSQLi" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith fileupload.php" \
"id:242420,chain,msg:'COMODO WAF: File upload vulnerability in the PivotX before 2.3.11 (CVE-2014-8363)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:path "@eq 1" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES_NAMES:phpsessid "@eq 1" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES_NAMES:pivotxsession "@eq 1" \
"chain,t:none,t:lowercase"
SecRule ARGS:name "@rx \..{0,399}\.(?:(?:p|s)?h(?:p[2-7s]?|(?:tm)?l?)|dll|exe|js|pl|rb|sh)$" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /setup/lib/common.inc.php" \
"id:242490,msg:'COMODO WAF: Information disclosure vulnerability in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 (CVE-2016-2038)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:_username "@gt 4096" \
"id:242530,chain,msg:'COMODO WAF: Denial of Service in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 (CVE-2016-4423)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:length,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"t:none"
SecRule REQUEST_FILENAME "@pm admin/users/api-keys admin/users/add admin/settings/edit-security" \
"id:242621,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@rx ^[a-f0-9]{32}$" \
"capture,setsid:'%{TX.1}',t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains admin/users/api-keys" \
"id:242622,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.omeka_api=1',expirevar:'SESSION.omeka_api=300',t:none,t:lowercase"
SecRule &SESSION:omeka_api "!@eq 1" \
"id:242623,chain,msg:'COMODO WAF: CSRF vulnerability in the Omeka before 2.2.1 (CVE-2014-5100)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:update_api_keys "@streq updateapikeys" \
"chain,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains admin/users/api-keys" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/users/add" \
"id:242624,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.omeka_add=1',expirevar:'SESSION.omeka_add=300',t:none,t:lowercase"
SecRule &SESSION:omeka_add "!@eq 1" \
"id:242625,chain,msg:'COMODO WAF: CSRF vulnerability in the Omeka before 2.2.1 (CVE-2014-5100)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:role "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:submit "@streq adduser" \
"chain,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/users/add" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/settings/edit-security" \
"id:242626,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.omeka_sec=1',expirevar:'SESSION.omeka_sec=300',t:none,t:lowercase"
SecRule &SESSION:omeka_sec "!@eq 1" \
"id:242627,chain,msg:'COMODO WAF: CSRF vulnerability in the Omeka before 2.2.1 (CVE-2014-5100)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:5,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:disable_default_file_validation "@ge 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/settings/edit-security" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:u "@pm serve/attachment serve/smiley" \
"id:242700,chain,msg:'COMODO WAF: Directory traversal vulnerability in Codoforum 2.5.1 (CVE-2014-9261)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith index.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:path "@rx \.\.|^\/" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_FILENAME "@endsWith /js/get_scripts.js.php" \
"id:242860,chain,msg:'COMODO WAF: DoS vulnerability in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 (CVE-2016-5706)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:scripts[] "@gt 35" \
"t:none"
SecRule REQUEST_FILENAME "@rx x2engine\/(index.php\/)?users\/create" \
"id:242871,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.x2engine_csrf=1',expirevar:'SESSION.x2engine_csrf=300',t:none,t:lowercase"
SecRule &SESSION:x2engine_csrf "!@eq 1" \
"id:242872,chain,msg:'COMODO WAF: CSRF vulnerability in the X2Engine X2CRM before 5.2 (CVE-2015-5075)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx x2engine\/(index.php\/)?users\/create" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"t:none,t:lowercase"
SecRule ARGS:referer "@contains :" \
"id:242970,chain,msg:'COMODO WAF: Multiple open redirect vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 (CVE-2015-6012)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:urlDecodeUni,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule RESPONSE_STATUS "@streq 302" \
"chain,t:none"
SecRule REQUEST_BASENAME "@within user_login.php user_logout.php modify.php user_options_modify.php user_validation.php" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:Set-Cookie "@contains phpsessid" \
"t:none,t:lowercase"
SecRule &REQUEST_COOKIES:MoodleSession "!@ge 1" \
"id:242990,phase:2,pass,nolog,t:none,skip:6,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith mod/assign/adminmanageplugins.php" \
"id:242991,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:2,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:action "!@pm hide show" \
"chain,t:none,t:lowercase"
SecRule &ARGS_GET:subtype "@ge 1" \
"setvar:'SESSION.moodle_assignsubmission_sh=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_assignsubmission_sh=300',t:none,t:lowercase"
SecRule ARGS_GET:subtype "@streq assignsubmission" \
"id:242992,chain,msg:'COMODO WAF: CSRF vulnerability in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 (CVE-2016-2157)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:action "@ge 1" \
"chain,t:none"
SecRule &ARGS_GET:plugin "@ge 1" \
"chain,t:none"
SecRule &SESSION:moodle_assignsubmission_sh "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith mod/assign/adminmanageplugins.php" \
"id:242993,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:2,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:subtype "@ge 1" \
"setvar:'SESSION.moodle_assignsubmission=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_assignsubmission=300',t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/plugins.php" \
"id:242994,chain,msg:'COMODO WAF: CSRF vulnerability in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 (CVE-2016-2157)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:uninstall "@ge 1" \
"chain,t:none"
SecRule &ARGS_GET:confirm "@ge 1" \
"chain,t:none"
SecRule &SESSION:moodle_assignsubmission "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith admin/plugins.php" \
"id:242995,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,skip:2,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.moodle_assignsubmission_unin=1',setvar:'SESSION.TIMEOUT=300',expirevar:'SESSION.moodle_assignsubmission_unin=300',t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith admin/plugins.php" \
"id:242996,chain,msg:'COMODO WAF: CSRF vulnerability in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 (CVE-2016-2157)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:uninstall|&ARGS_POST:delete "@ge 1" \
"chain,t:none"
SecRule &ARGS_POST:confirm "@ge 1" \
"chain,t:none"
SecRule &SESSION:moodle_assignsubmission_unin "!@eq 1" \
"t:none"
SecRule &REQUEST_COOKIES:/cpg\d+x_data/ "@ge 1" \
"id:243220,chain,msg:'COMODO WAF: Open redirect vulnerability in the Coppermine Photo Gallery before 1.5.36 (CVE-2015-3922)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:referer "!@beginsWith index.php" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith mode.php" \
"t:none,t:lowercase"
SecRule &ARGS_POST:xd_check|&ARGS_POST:do "!@eq 0" \
"id:243260,chain,phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:p "@streq importexport" \
"chain,t:none,t:lowercase"
SecRule ARGS:type "@streq import" \
"chain,t:none,t:lowercase"
SecRule ARGS:module "@streq dcimportfeed" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES:dcxd "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith plugin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:feed_url "@rx \:(\d+)" \
"chain,capture,t:none,t:urlDecodeUni"
SecRule TX:1 "!@within 80 443" \
"t:none"
SecRule REQUEST_FILENAME "@streq /.profile" \
"id:243320,msg:'COMODO WAF: Information disclosure vulnerability in Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP Buildpack Cf-release before 242, as used in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.38 and 1.7.x before 1.7.19 and other products (CVE-2016-6639)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:sessionID "@ge 1" \
"id:243341,chain,phase:2,pass,nolog,t:none,skip:1,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith www/admin/account-user-name-language.php" \
"setvar:'SESSION.revive-adserver=1',expirevar:'SESSION.revive-adserver=300',t:none,t:lowercase,t:urlDecodeUni,t:normalizePath"
SecRule &SESSION:revive-adserver "!@eq 1" \
"id:243342,chain,msg:'COMODO WAF: CSRF vulnerability in the Revive Adserver before 3.2.2 (CVE-2015-7366)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:sessionID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:submitsettings "@streq savechanges" \
"chain,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith www/admin/account-user-name-language.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule RESPONSE_STATUS "@streq 400" \
"id:243420,chain,msg:'COMODO WAF: Information disclosure vulnerability in Eclipse Jetty before 9.2.9.v20150224 (CVE-2015-2080)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES|ARGS|ARGS_NAMES|REQUEST_BODY|!ARGS:data[email]|!ARGS:downloaders "!@validateByteRange 0-31" \
"t:none"
SecRule REQUEST_BASENAME "@streq sendemail" \
"id:243470,chain,msg:'COMODO WAF: CRLF injection vulnerability in dotCMS before 3.3.2 (CVE-2016-4803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:from "@ge 1" \
"chain,t:none"
SecRule &ARGS_POST:to "@ge 1" \
"chain,t:none"
SecRule &REQUEST_COOKIES:_JSESSIONID "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:subject "@rx (?:\n|\r)" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains expcomment/showcomments/content_id/" \
"id:243490,chain,msg:'COMODO WAF:SQL injection vulnerability in the Exponent CMS v2.4.0 or older (CVE-2016-9481)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule MATCHED_VAR "!@rx content_id\/(?:\d+$)?$" \
"t:none,t:lowercase,t:removeWhitespace"
SecRule REQUEST_FILENAME "@contains /api/vhosts/" \
"id:243510,chain,msg:'COMODO WAF: Denial of Service in RabbitMQ before 3.6.1 (CVE-2015-8786)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:lengths_age|ARGS:lengths_incr "@gt 3" \
"chain,t:none,t:length"
SecRule &REQUEST_COOKIES:auth "@ge 1" \
"t:none"
SecRule REQUEST_FILENAME "@contains /api/vhosts/" \
"id:243511,chain,msg:'COMODO WAF: Denial of Service in RabbitMQ before 3.6.1 (CVE-2015-8786)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:auth "@ge 1" \
"chain,t:none"
SecRule ARGS:lengths_age|ARGS:lengths_incr "@rx ^[5-9][0-9][1-9]$" \
"t:none"
SecRule REQUEST_URI "@contains address/addcontenttosearch/id/" \
"id:243520,chain,msg:'COMODO WAF:SQL injection vulnerability in the Exponent CMS v2.4.0 or older (CVE-2016-9283)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule MATCHED_VAR "!@rx id\/(?:\d+$)?$" \
"t:none,t:lowercase,t:removeWhitespace"
SecRule &REQUEST_COOKIES_NAMES:dcxd "@ge 1" \
"id:243630,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in the Dotclear before 2.10.3 (CVE-2016-7902)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:upfiletitle "@ge 1" \
"chain,t:none"
SecRule FILES "@rx \.(?:php[\d]?|js|pl|rb|sh|p?html|asp|exe|com|htaccess)" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq racemasterlist.jsp" \
"id:243750,chain,msg:'COMODO WAF: XSS vulnerability in eClinicalWorks Patient Portal 7.0 build 13 (CVE-2017-5599)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:race "@rx [^\w\ \-\/]" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:MSM_MACRO_NAME "@contains |" \
"id:243770,chain,msg:'COMODO WAF: OS command injection vulnerability in Radisys MRF Web Panel (SWMS) 9.0.1 (CVE-2016-10043)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /swms/ms.cgi" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:page "@streq menus" \
"id:243840,chain,msg:'COMODO WAF: SQL injection vulnerability in GeniXCMS through 1.0.2 (CVE-2017-6065)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@contains genixcms" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST_NAMES "@rx [^\[\]\w]" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES_NAMES:GeniXCMS "@ge 1" \
"id:243870,chain,msg:'COMODO WAF: Arbitrary Code Execution & Unrestricted file upload vulnerability in the GeniXCMS 0.0.8 (CVE-2017-5520)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:target "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:cmd "@streq rename" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:name "@rx \.(?:php[\d]?|js|pl|rb|sh|p?html|asp|exe|com|htaccess)$" \
"t:none,t:lowercase"
SecRule &REQUEST_COOKIES:GeniXCMS "@ge 1" \
"id:243890,chain,phase:2,pass,nolog,skip:1,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq users" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.GeniXCMS_user=1',expirevar:'SESSION.GeniXCMS_user=300',t:none,t:lowercase"
SecRule &REQUEST_COOKIES:GeniXCMS "@ge 1" \
"id:243891,chain,msg:'COMODO WAF: CSRF token bypass in GeniXCMS before 1.0.2 (CVE-2017-5959)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq users" \
"chain,t:none,t:lowercase"
SecRule &ARGS_POST:edituser|&ARGS_POST:adduser "@ge 1" \
"chain,t:none"
SecRule &ARGS_POST:token "@ge 1" \
"chain,t:none"
SecRule &SESSION:GeniXCMS_user "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@contains symphony/system/extensions" \
"id:243900,chain,msg:'COMODO WAF: Directory traversal vulnerability & XSS vulnerability in the Symphony CMS before 2.6.10 (CVE-2017-5541 & CVE-2017-5542)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:existing-folder|ARGS_POST:new-folder "@pm .. <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule &ARGS:upper_limit "@gt 1" \
"id:243920,chain,msg:'COMODO WAF: Local file write vulnerability in Munin before 2.999.6 (CVE-2017-6188)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains munin-cgi-graph" \
"chain,t:none,t:lowercase"
SecRule ARGS:/upper_limit/ "@contains /" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_HEADERS:Content-Type "@gt 500" \
"id:243930,chain,msg:'COMODO WAF: Remote code execution in Apache Struts versions 2.3.31 - 2.3.5 and 2.5 - 2.5.10 (CVE-2017-5638)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:removeWhitespace,t:length,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_HEADERS:Content-Type "!@rx ^(?:\w+\/[\w\-\.]+)(?:;(?:charset=[\w\-]{1,18}|boundary=[\w\-]+)?)?$" \
"t:none,t:urlDecodeUni,t:removeWhitespace"
SecRule &FILES "@gt 0" \
"id:244050,chain,msg:'COMODO WAF: Possible arbitrary file upload using Uploadify||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith uploadify/uploadify.php" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith bigtree" \
"id:244060,chain,msg:'COMODO WAF: Start tracking BigTree CMS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains admin/settings/edit/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule MATCHED_VAR "@pm colophon nav-social" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.bigtree_settings=1',expirevar:'SESSION.bigtree_settings=300',t:none,t:lowercase"
SecRule &ARGS_POST:_bigtree_post_check "@ge 1" \
"id:244061,chain,msg:'COMODO WAF: CSRF vulnerability in the BigTree CMS 4.1.18 and 4.2.16 (CVE-2017-6915 & CVE-2017-6916 & CVE-2017-6917 & CVE-2017-6918)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith bigtree" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains admin/settings/update" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule &SESSION:bigtree_settings "!@eq 1" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith /concrete/tools/files/selector_data.php" \
"id:244080,chain,msg:'COMODO WAF: XSS vulnerability in concrete5 before 5.6.3.4 (CVE-2017-6908)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:fID "@rx \x22|(?:java)?script\:" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:244230,chain,msg:'COMODO WAF: Arbitrary file upload vulnerability in BigTree CMS before 4.2.17 (CVE-2017-7695)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /ajax/file-browser/upload/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule FILES "@rx \.(?:(?:p|s|x|d)?h(?:p[2-7s]?|(?:tm)?l?)|dll|exe|js|p(?:l|y)|rb|sh|cgi|com|bat|aspx?)" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_GET:pivotxsession "@ge 1" \
"id:244240,chain,msg:'COMODO WAF: Arbitrary code execution in PivotX 2.3.11 (CVE-2017-7570)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:file "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:page "@streq media" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:pivotxsession "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:answer "@rx \.(?:(?:p|s|x|d)?h(?:p[2-7s]?|(?:tm)?l?)|dll|exe|js|p(?:l|y)|rb|sh)$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:x "@streq filemanager" \
"id:244270,chain,msg:'COMODO WAF: Arbitrary File Upload in Pixie 1.0.4 (CVE-2017-7402)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pixie_login "@ge 1" \
"chain,t:none"
SecRule FILES "@rx \.(?:(?:p|s|x|d)?h(?:p[2-7s]?|(?:tm)?l?)|dll|exe|js|p(?:l|y)|rb|sh)\." \
"t:none,t:lowercase"
SecRule ARGS:confirm_hash "@eq 0" \
"id:244280,chain,msg:'COMODO WAF: Arbitrary password reset in MantisBT through 2.3.0 (CVE-2017-7615)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:length,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:id "@ge 1" \
"chain,t:none"
SecRule REQUEST_COOKIES_NAMES|RESPONSE_HEADERS:Set-Cookie "@contains phpsessid" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq verify.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /certs/mxview.key" \
"id:244290,msg:'COMODO WAF: Information disclosure in Moxa MXView 2.8 (CVE-2017-7455)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq permalink_page.php" \
"id:244390,chain,msg:'COMODO WAF: Permalink injection vulnerability in MantisBT before 1.3.11, 2.x before 2.3.3 and 2.4.x before 2.4.1 (CVE-2017-7620)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:url "@beginsWith \/" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"t:none"
SecRule &FILES "@ge 1" \
"id:244490,chain,msg:'COMODO WAF: Unrestricted upload of file with dangerous type in PivotX 2.3.11 (CVE-2017-8402)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:path "@ge 1" \
"chain,t:none"
SecRule FILES|ARGS:name "@streq .htaccess" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq fileupload.php" \
"chain,t:none,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"t:none"
SecRule REQUEST_FILENAME "@contains /admin/developer/" \
"id:244500,chain,msg:'COMODO WAF: start tracking Bigtree CMS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule MATCHED_VAR "@rx (?:upgrade\/|packages\/view\/)$" \
"chain"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.bigtree_dev=1',expirevar:'SESSION.bigtree_dev=300',t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains /admin/developer/" \
"id:244501,chain,msg:'COMODO WAF: CSRF vulnerability in the BigTree CMS through 4.2.18 (CVE-2017-9444)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule MATCHED_VAR "@rx (?:upgrade\/(?:ignore\/|set-ftp-directory\/)|packages\/delete\/\d+\/)$" \
"chain"
SecRule REQUEST_METHOD "@streq get" \
"chain,t:none,t:lowercase"
SecRule &SESSION:bigtree_dev "!@eq 1" \
"t:none"
SecRule ARGS_GET:muraAction "@pm cusers.listusers carch.loadsiteflat carch.list" \
"id:244610,chain,msg:'COMODO WAF: XSS vulnerability in Mura CMS 7.0.6967 (CVE-2017-8302)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:CFID|&REQUEST_COOKIES:CFTOKEN "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains /admin/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:siteid|ARGS_GET:report|ARGS_GET:activeTab "@rx <|\)" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:244640,chain,msg:'COMODO WAF: Start tracking Piwigo||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq cat_options" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.piwigo_cat=1',expirevar:'SESSION.piwigo_cat=300',t:none,t:lowercase"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:244641,chain,msg:'COMODO WAF: CSRF vulnerability in Piwigo through 2.9.1 (CVE-2017-10680 and CVE-2017-10681)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq cat_options" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &ARGS_POST:cat_true[]|&ARGS_POST:cat_false[] "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &SESSION:piwigo_cat "!@eq 1" \
"t:none"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:244650,chain,msg:'COMODO WAF: Start tracking Piwigo||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq permalinks" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.piwigo_link=1',expirevar:'SESSION.piwigo_link=300',t:none,t:lowercase"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:244651,chain,msg:'COMODO WAF: CSRF vulnerability in Piwigo through 2.9.1 (CVE-2017-10678)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:page "@streq permalinks" \
"chain,t:none,t:lowercase"
SecRule &ARGS_POST:cat_id "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &SESSION:piwigo_link "!@eq 1" \
"t:none"
SecRule TX:Subrion_CMS "@eq 1" \
"id:244680,chain,msg:'COMODO WAF: Start tracking Subrion CMS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@pm admin/blog/add admin/blog/edit" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.Subrion_blog=1',expirevar:'SESSION.Subrion_blog=300',t:none,t:lowercase"
SecRule TX:Subrion_CMS "@eq 1" \
"id:244681,chain,msg:'COMODO WAF: CSRF vulnerability in Subrion CMS 4.0.5 (CVE-2017-6069 & CVE-2017-6002)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:Subrion_blog "!@eq 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@pm admin/blog/add admin/blog/edit" \
"t:none,t:urlDecodeUni,t:normalisePath"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:244780,chain,msg:'COMODO WAF: Open redirect vulnerability in Piwigo 2.9 and probably prior versions (CVE-2017-9464)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:redirect "!@beginsWith /" \
"chain,t:none,t:urlDecodeUni,t:normalisePath"
SecRule REQUEST_BASENAME "@streq identification.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith ajax/getdropdownvalue.php" \
"id:244810,chain,msg:'COMODO WAF: SQL injection in GLPI before 9.1.5 (CVE-2017-11329)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@beginsWith glpi_" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS_POST:entity_restrict "@rx [^\[\]\d\-]" \
"t:none,t:urlDecodeUni,t:cmdLine,t:removeWhitespace"
SecRule TX:GLPI "@eq 1" \
"id:244880,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith front/user.form.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.glpi_user=1',expirevar:'SESSION.glpi_user=300',t:none,t:lowercase"
SecRule TX:GLPI "@eq 1" \
"id:244881,chain,msg:'COMODO WAF: CSRF vulnerability in GLPI 0.90.4 (CVE-2016-7507)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:glpi_user "!@eq 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith front/user.form.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:SenayanAdmin "@ge 1" \
"id:244950,chain,phase:2,pass,nolog,t:none,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin/modules/system/app_user.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.slims_user=1',expirevar:'SESSION.slims_user=300',t:none,t:lowercase"
SecRule &REQUEST_COOKIES:SenayanAdmin "@ge 1" \
"id:244951,chain,msg:'COMODO WAF: CSRF vulnerability in SLiMS 8 Akasia through 8.3.1 (CVE-2017-12584)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:realName "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith admin/modules/system/app_user.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &SESSION:slims_user "!@eq 1" \
"t:none"
SecRule ARGS:avgnan "!@within last avg nan" \
"id:244960,chain,msg:'COMODO WAF: Possible arbitrary code execution in Cacti before 1.1.16 (CVE-2017-12065)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq spikekill.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains /admin/dashboard/vitals-statistics/404/" \
"id:244970,chain,msg:'COMODO WAF: Start tracking Bigtree CMS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.bigtree_vitals_statistics=1',expirevar:'SESSION.bigtree_vitals_statistics=300',t:none,t:lowercase"
SecRule &ARGS_POST:clear|&ARGS_POST:from "@ge 1" \
"id:244971,chain,msg:'COMODO WAF: CSRF vulnerability in the BigTree CMS through 4.2.18 (CVE-2017-9379)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule &SESSION:bigtree_vitals_statistics "!@eq 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains /admin/dashboard/vitals-statistics/404/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule MATCHED_VAR "@rx (?:create\-301|clear)\/$" \
"t:none"
SecRule REQUEST_FILENAME "@endsWith /admin/developer/email/" \
"id:245000,chain,msg:'COMODO WAF: start tracking Bigtree CMS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"setsid:'%{REQUEST_COOKIES.PHPSESSID}',t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:245001,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /admin/developer/email/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.bigtree_email=1',expirevar:'SESSION.bigtree_email=300',t:none,t:lowercase"
SecRule &ARGS_POST:bigtree_from "@ge 1" \
"id:245002,chain,msg:'COMODO WAF: CSRF vulnerability in the BigTree CMS through 4.2.17 (CVE-2017-7881)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule &SESSION:bigtree_email "!@eq 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith /admin/developer/email/update/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule TX:Subrion_CMS "@eq 1" \
"id:245100,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /admin/database/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.Subrion_database=1',expirevar:'SESSION.Subrion_database=300',t:none,t:lowercase"
SecRule TX:Subrion_CMS "@eq 1" \
"id:245101,chain,msg:'COMODO WAF: CSRF vulnerability in Subrion CMS before 4.2.0 (CVE-2017-15063)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /admin/database/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:Subrion_database "!@eq 1" \
"t:none"
SecRule TX:Subrion_CMS "@eq 1" \
"id:245110,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /admin/blocks/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.Subrion_blocks=1',expirevar:'SESSION.Subrion_blocks=300',t:none,t:lowercase"
SecRule TX:Subrion_CMS "@eq 1" \
"id:245111,chain,msg:'COMODO WAF: CSRF vulnerability in Subrion CMS 4.0.5 (CVE-2017-6068)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /admin/blocks/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule &SESSION:Subrion_blocks "!@eq 1" \
"t:none"
SecRule &ARGS_GET:playlist "@ge 1" \
"id:245150,chain,msg:'COMODO WAF: SQL injection vulnerability in PHPSUGAR PHP Melody before 2.7.3 (CVE-2017-15579)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq watch.php" \
"chain,t:none,t:lowercase"
SecRule REQUEST_COOKIES:aa_pages_per_page "@rx \D" \
"t:none"
SecRule &REQUEST_COOKIES:october_session "@ge 1" \
"id:245200,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in OctoberCMS 1.0.425 (aka Build 425) (CVE-2017-15284)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith backend/backend/users/myaccount" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule FILES "!@rx \.(?:jpe?g|gif|bmp|png|webp)$" \
"t:none,t:lowercase"
SecRule &ARGS_POST:image_assetID "@ge 1" \
"id:245290,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in Perch Content Management System 3.0.3 (CVE-2017-15948)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:resourceBucket "@ge 1" \
"chain,t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith core/apps/assets/edit/" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule FILES "!@rx \.(?:jpe?g|gif|bmp|png)$" \
"t:none,t:lowercase"
SecRule TX:serendipity_admin "@eq 1" \
"id:245310,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:serendipity[adminAction] "@streq addnew" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq serendipity_admin.php" \
"setvar:'SESSION.serendipity_plugins=1',expirevar:'SESSION.serendipity_plugins=300',t:none,t:urlDecodeUni,t:lowercase"
SecRule TX:serendipity_admin "@eq 1" \
"id:245311,chain,msg:'COMODO WAF: CSRF vulnerability in Serendipity through 2.0.5 (CVE-2017-5476)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:serendipity[install_plugin] "@ge 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq get" \
"chain,t:none,t:lowercase"
SecRule REQUEST_BASENAME "@streq serendipity_admin.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &SESSION:serendipity_plugins "!@eq 1" \
"t:none"
SecRule &REQUEST_COOKIES:Cacti "@ge 1" \
"id:245370,chain,msg:'COMODO WAF: Local file inclusion in Cacti 1.1.27 (CVE-2017-16661)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq clog.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:filename "!@within cacti.log" \
"t:none,t:lowercase"
SecRule ARGS_POST:name|ARGS:dir "@rx (?:\x22|>|\.\.)" \
"id:245390,chain,msg:'COMODO WAF: XSS vulnerability in WBCE v1.1.10 and earlier(CVE-2017-2118)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@rx ^wb\-\d+?\-sid$" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@rx \/admin\/media\/(?:create|rename2?)\.php$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:session_b2evo "@ge 1" \
"id:245410,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in b2evolution 6.8.8 (CVE-2017-6902)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /htsrv/quick_upload.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS:qqfile "@rx \.(?:(?:p|s|x|d)?h(?:p[2-7s]?|(?:tm)?l?)|dll|exe|js|p(?:l|y)|rb|sh|cgi|com|bat|aspx?)$" \
"t:none,t:lowercase"
SecRule &REQUEST_COOKIES:CONCRETE5 "@ge 1" \
"id:245450,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq get" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith index.php/dashboard/files/search" \
"setvar:'SESSION.imageeditor=1',expirevar:'SESSION.imageeditor=300',t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:CONCRETE5 "@ge 1" \
"id:245451,chain,msg:'COMODO WAF: CSRF vulnerability in concrete5 8.1.0 (CVE-2017-8082)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS:imgData "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith index.php/tools/required/files/importers/imageeditor" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &SESSION:imageeditor "!@eq 1" \
"t:none"
SecRule &REQUEST_COOKIES:/allendisk(?:[a-z0-9]{13})/ "@ge 1" \
"id:245460,chain,msg:'COMODO WAF: Captcha Bypass vulnerability in Allen Disk 1.6 (CVE-2017-9090)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq reg.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:captcha "@eq 0" \
"t:none,t:removeWhitespace,t:length"
SecRule ARGS:xoops_redirect "@beginsWith http" \
"id:245480,chain,msg:'COMODO WAF: Open redirect vulnerability in XOOPS Core 2.5.8 (CVE-2017-12138)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &RESPONSE_HEADERS:Location "@ge 1" \
"chain,t:none"
SecRule RESPONSE_HEADERS:Set-Cookie "@contains xoops_user_" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@contains /modules/profile/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_GET:selected_events[] "@contains ;" \
"id:245500,chain,msg:'COMODO WAF: XSS vulnerability in the EyesOfNetwork web interface aka eonweb 5.0 (CVE-2017-6087)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /module/monitoring_ged/ged_actions.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:VIMBADMIN3 "@ge 1" \
"id:245520,chain,msg:'COMODO WAF: XSS vulnerability in ViMbAdmin 3.0.15 (CVE-2017-5870)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:domain|ARGS_POST:transport|ARGS_POST:name|ARGS_POST:/^goto\[/ "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@pm domain mailbox alias" \
"chain,t:none"
SecRule MATCHED_VAR "@rx \/(?:add|edit\/(?:d|m|al)id\/\d+?)$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule TX:ADMIDIO "@eq 1" \
"id:245530,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:mode "!@eq 3" \
"chain,t:none"
SecRule &ARGS_GET:usr_id "@ge 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq get" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith adm_program/modules/members/members_function.php" \
"setvar:'SESSION.ADMIDIO_user=1',expirevar:'SESSION.ADMIDIO_user=300',t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule TX:ADMIDIO "@eq 1" \
"id:245531,chain,msg:'COMODO WAF: CSRF vulnerability in admidio 3.2.8 (CVE-2017-8382)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:mode "@eq 3" \
"chain,t:none"
SecRule &ARGS_GET:usr_id "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith adm_program/modules/members/members_function.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &SESSION:ADMIDIO_user "!@eq 1" \
"t:none"
SecRule ARGS_GET:page "@within configuration batch_manager" \
"id:245590,chain,phase:2,pass,nolog,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES_NAMES:pwg_id "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.piwigo_config=1',expirevar:'SESSION.piwigo_config=300',t:none,t:lowercase"
SecRule ARGS_GET:page "@within configuration batch_manager" \
"id:245591,chain,msg:'COMODO WAF: CSRF vulnerability in the Piwigo through 2.9.2 (CVE-2017-17827)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:gallery_title|&ARGS_POST:element_ids "@ge 1" \
"chain,t:none"
SecRule &REQUEST_COOKIES_NAMES:pwg_id "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule &SESSION:piwigo_config "!@eq 1" \
"t:none"
SecRule &ARGS_POST:iDisplayStart "@ge 1" \
"id:245620,chain,msg:'COMODO WAF: SQL Injection vulnerability in Piwigo 2.9.2 (CVE-2017-17822)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq user_list_backend.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:/^sSortDir_/ "!@within asc desc" \
"t:none,t:lowercase"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"id:245650,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:page "@rx ^album\-\d+?(\-properties)?$" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.piwigo_album=1',expirevar:'SESSION.piwigo_album=300',t:none,t:lowercase"
SecRule &ARGS_POST:name "@ge 1" \
"id:245651,chain,msg:'COMODO WAF: CSRF vulnerability in the Piwigo through 2.9.2 (CVE-2017-17774)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:pwg_id "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq admin.php" \
"chain,t:none,t:lowercase"
SecRule &SESSION:piwigo_album "!@eq 1" \
"chain,t:none"
SecRule ARGS_GET:page "@rx ^album\-\d+?(\-properties)?$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &ARGS_POST:SecurityID "@ge 1" \
"id:245710,chain,msg:'COMODO WAF: XSS vulnerability in SilverStripe CMS before 3.6.1 (CVE-2017-14498)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule FILES "@contains .svg" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@rx admin\/(?:assets\/add\/edit|pages\/editortoolbar\/media)form\/field\/assetuploadfield\/upload$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_BASENAME "@streq tiki-ajax_services.php" \
"id:245730,chain,msg:'COMODO WAF: XSS & Unrestricted file upload vulnerability in Tiki before 18 (CVE-2018-7188)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSIDCV "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:controller "@streq file" \
"chain,t:none,t:lowercase"
SecRule FILES "@endsWith .svg" \
"t:none,t:lowercase"
SecRule &ARGS_GET:addressString "@ge 1" \
"id:245890,chain,msg:'COMODO WAF: XSS vulnerability in Zurmo 3.2.3 (CVE-2017-18004)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@eq 1" \
"chain,t:none"
SecRule REQUEST_URI "@contains /maps/default/mapandpoint" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:latitude|ARGS_GET:longitude "@rx \)}" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_COOKIES_NAMES "@beginsWith dolsessid" \
"id:246120,chain,msg:'COMODO WAF: SQLi vulnerability in Dolibarr ERP/CRM before 7.0.1 (CVE-2018-10094)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith adherents/list.php" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:statut "@contains )" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:mydms_session "@ge 1" \
"id:246410,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in SeedDMS before 5.1.8 (CVE-2018-12940)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq op.uploadchunks.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:qqfilename "@rx \.(?:(?:p|s|x|d)?h(?:p[2-7s]?|(?:tm)?l?)|dll|exe|js|p(?:l|y)|rb|sh|cgi|com|bat|aspx?)" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith intelli_" \
"id:246430,chain,msg:'COMODO WAF: Arbitrary File Upload vulnerability in Subrion CMS 4.2.1 (CVE-2018-14840)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:cmd "@streq upload" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith /panel/uploads/read.json" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule FILES "@rx \.(?:(?:p|s|x|d)?h(?:p[2-7s]?|(?:tm)?l?)|dll|exe|js|p(?:l|y)|rb|sh|cgi|com|bat|aspx?)" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:246720,chain,msg:'COMODO WAF: Directory Traversal vulnerability in Monstra CMS through 3.0.4 (CVE-2018-9038)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:id "@streq filesmanager" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:delete_dir "@contains ./" \
"t:none,t:urlDecodeUni"
SecRule TX:YzmCMS "@ge 1" \
"id:247241,chain,phase:2,pass,nolog,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith admin_manage/add.html" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.yzmphp_user=1',expirevar:'SESSION.yzmphp_user=300',t:none,t:lowercase"
SecRule TX:YzmCMS "@ge 1" \
"id:247242,chain,msg:'COMODO WAF: CSRF vulnerability in YzmCMS 3.8 (CVE-2018-10223)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:roleid "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith admin_manage/add.html" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &SESSION:yzmphp_user "!@eq 1" \
"t:none"
SecRule TX:FrontAccounting "@ge 1" \
"id:247350,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq users.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.FrontAccounting_user=1',expirevar:'SESSION.FrontAccounting_user=300',t:none,t:lowercase"
SecRule &ARGS_POST:user_id "@ge 1" \
"id:247351,chain,msg:'COMODO WAF: CSRF vulnerability in FrontAccounting 2.4.3 (CVE-2018-7176)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule TX:FrontAccounting "@ge 1" \
"chain,t:none"
SecRule REQUEST_BASENAME "@streq users.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule &SESSION:FrontAccounting_user "!@eq 1" \
"t:none"
SecRule &REQUEST_COOKIES:cscms_session "@ge 1" \
"id:247380,chain,phase:2,pass,nolog,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains admin.php/links" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.cscms_session_user=1',expirevar:'SESSION.cscms_session_user=300',t:none,t:lowercase"
SecRule &REQUEST_COOKIES:cscms_session "@ge 1" \
"id:247381,chain,msg:'COMODO WAF: CSRF vulnerability in CScms 4.1 (CVE-2019-6779)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:none,rev:1,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:cscms_session_user "!@eq 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule REQUEST_URI "@rx admin\.php\/links\/(?:save|del)$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule TX:YzmCMS "@ge 1" \
"id:247530,chain,phase:2,pass,nolog,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx \/role\/(?:add|edit)" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.yzmphp_user=1',expirevar:'SESSION.yzmphp_user=300',t:none,t:lowercase"
SecRule TX:YzmCMS "@ge 1" \
"id:247531,chain,msg:'COMODO WAF: CSRF vulnerability in YzmCMS v5.2 (CVE-2018-20015)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:rolename "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@rx \/role\/(?:add|edit)\.html$" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &SESSION:yzmphp_user "!@eq 1" \
"t:none"
SecRule ARGS_GET:case "@streq table" \
"id:247540,chain,phase:2,pass,nolog,t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"setsid:'%{REQUEST_COOKIES.PHPSESSID}',t:none"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247541,chain,phase:2,pass,nolog,t:none,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_GET:admin_dir "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:case "@streq table" \
"chain,t:none,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.CMSEasy_user=1',expirevar:'SESSION.CMSEasy_user=300',t:none,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:247542,chain,msg:'COMODO WAF: CSRF vulnerability in CmsEasy 6.1 (CVE-2018-11679)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:6,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &ARGS_POST:catid "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:act "@streq add" \
"chain,t:none,t:lowercase"
SecRule &SESSION:CMSEasy_user "!@eq 1" \
"t:none"
SecRule &REQUEST_COOKIES:cscms_session "@ge 1" \
"id:247670,chain,phase:2,pass,nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@endsWith admin.php/setting" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.cscms_session_user=1',expirevar:'SESSION.cscms_session_user=300',t:none,t:lowercase"
SecRule &REQUEST_COOKIES:cscms_session "@ge 1" \
"id:247671,chain,msg:'COMODO WAF: CSRF vulnerability in CScms 4.1 (CVE-2018-16337)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:cscms_session_user "!@eq 1" \
"chain,t:none"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule REQUEST_URI "@endsWith admin.php/setting/save" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith user/group/index.php" \
"id:247700,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 (CVE-2014-3992)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:sortorder "@rx !(asc|desc)" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@contains widgets/widgets/log.widget.php" \
"id:247730,chain,msg:'COMODO WAF: XSS vulnerabilities in pfSense before 2.1.4 (CVE-2014-4687)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:actblock|ARGS:actpass|ARGS:actreject "!@rx ^(pass|block|reject)$" \
"t:none,t:lowercase"
SecRule ARGS:normalizeTo "!@within 1nf 2nf 3nf" \
"id:247740,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 (CVE-2016-2561)||%{tx.domain}|%{tx.mode}|2',phase:2,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_COOKIES_NAMES "@contains pmapass" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith normalization.php" \
"t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith logview/logview.php" \
"id:247770,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (CVE-2014-5462)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:OpenEMR "@ge 1" \
"chain,t:none"
SecRule ARGS_GET:sortby "!@pm date event user groupname patient_id success comments" \
"t:none,t:lowercase"
SecRule &REQUEST_HEADERS:Authorization|&REQUEST_COOKIES:JSESSIONID "@ge 1" \
"id:247780,chain,msg:'COMODO WAF: Information Disclosure vulnerability in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 (CVE-2016-0782)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@contains /api/jolokia" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_BODY "@contains mbean:com.sun.management:type=hotspotdiagnostic" \
"chain,t:none,t:urlDecodeUni,t:cmdLine,t:removeWhitespace"
SecRule REQUEST_BODY "@contains operation:dumpheap" \
"t:none,t:urlDecodeUni,t:cmdLine,t:removeWhitespace"
SecRule &REQUEST_COOKIES:dili_session "@ge 1" \
"id:247810,chain,phase:2,pass,nolog,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx \/(?:role|user)\/view" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.delicms_user=1',expirevar:'SESSION.delicms_user=300',t:none,t:lowercase"
SecRule &REQUEST_COOKIES:dili_session "@ge 1" \
"id:247811,chain,msg:'COMODO WAF: CSRF vulnerability in the DiliCMS through 2.4.0 (CVE-2018-19291)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:delicms_user "!@eq 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@rx \/(?:role|user)\/del\/\d$" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule TX:YzmCMS "@ge 1" \
"id:247860,chain,phase:2,pass,nolog,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@rx tag\/(?:add|init)\.html$" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule REQUEST_METHOD "@streq get" \
"setvar:'SESSION.yzmphp_user=1',expirevar:'SESSION.yzmphp_user=300',t:none,t:lowercase"
SecRule TX:YzmCMS "@ge 1" \
"id:247861,chain,msg:'COMODO WAF: CSRF vulnerability in YzmCMS 3.8 (CVE-2018-10224)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_METHOD "@streq post" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@rx tag\/(?:add|del)\.html$" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &SESSION:yzmphp_user "!@eq 1" \
"t:none"
SecRule REQUEST_BASENAME "@streq downloads.php" \
"id:247910,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:orderby "!@rx ^download\_(?:id|user|title|count|datestamp)$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@streq postedit.php" \
"id:247911,chain,msg:'COMODO WAF: Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 (CVE 2013-1803)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_NAMES "@rx delete_attach_([^0-9]){1,}" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule &REQUEST_COOKIES:MANTIS_STRING_COOKIE "@ge 1" \
"id:247950,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in MantisBT in 1.3.x before 1.3.0-rc2 and 1.2.x before 1.2.19 (CVE-2016-5364)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:return|ARGS:redirect_url|ARGS:ref|REQUEST_HEADERS:Referer "@contains javascript:" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BASENAME "@rx ^(?:account_prefs_update|manage_(?:config_revert|custom_field_(?:delete|update))|print_all_bug_options_update|set_project)\.php$" \
"t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@rx /ilfile/.{0,399}\.php$" \
"id:248040,msg:'COMODO WAF: File upload and multiple RCE, XSS vulnerabilities in ILIAS 4.4.1 (CVE-2014-2088, CVE-2014-2089, CVE-2014-2090)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'OtherApps'"
<LocationMatch /options-general\.php>
SecRuleRemoveById 220150
</LocationMatch>
<LocationMatch /sql\.php>
SecRuleRemoveById 220150
</LocationMatch>
<LocationMatch /lib/exe/ajax\.php>
SecRuleRemoveById 220150
</LocationMatch>
<LocationMatch /export\.php>
SecRuleRemoveById 220150
</LocationMatch>
SecRule &REQUEST_COOKIES_NAMES:sesid "@ge 1" \
"id:248050,chain,msg:'COMODO WAF: SQL vulnerability exists in Ashop Shopping Cart Software||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:blacklistitemid "@rx \D" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith admin/bannedcustomers.php" \
"t:none,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:248060,chain,msg:'COMODO WAF: SQL vulnerability exists in SEACMS (CVE-2018-16445)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:tid "@rx \D" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith admin/admin_topic_vod.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith sidc" \
"id:248070,chain,msg:'COMODO WAF: XSS vulnerability exists in Peel Shopping v9_1 (CVE-2018-1000887)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:nom_en "@contains <" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@endsWith /administrer/sites.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:edit___cfg_webname "@contains <" \
"id:248080,chain,msg:'COMODO WAF: XSS vulnerability exists in SEACMS on v6.61 or below (CVE-2018-12431)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith admin/admin_config.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:248090,chain,msg:'COMODO WAF: XSS vulnerability exists in SEACMS v6.64 or below (CVE-2018-17321)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:maxHit|ARGS_POST:time "@rx \D" \
"chain,t:none"
SecRule REQUEST_FILENAME "@endsWith admin/admin_datarelate.php" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith SMSESSION" \
"id:248100,chain,msg:'COMODO WAF: XSS vulnerability exists in SiteMagic CMS v4.4 (CVE-2019-10238)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:SMExt "@streq smfiles" \
"chain,t:none,t:lowercase"
SecRule FILES "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:iCMS_iCMS_AUTH "@ge 1" \
"id:248110,chain,msg:'COMODO WAF: XSS vulnerability in idreamsoft iCMS V7.0.14 (CVE-2019-11426)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq admincp.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:tab "@contains <" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq semcms_inquiry.php" \
"id:248120,chain,msg:'COMODO WAF: SQL injection vulnerability in SEMCMS V3.4 (CVE-2019-11518)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:CF "@streq inquriy" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:AID[] "@rx \D" \
"t:none"
SecRule REQUEST_BASENAME "@within semcms_categories.php semcms_products.php" \
"id:248130,chain,msg:'COMODO WAF: XSS vulnerability in SEMCMS V3.4 (CVE-2018-18738, CVE-2018-18743, CVE-2018-18739)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:CF "@within category products" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:category_name|ARGS_POST:category_key|ARGS_POST:products_key|ARGS_POST:products_name "@rx \x22" \
"t:none,t:urlDecodeUni"
SecRule &ARGS_GET:mact "@ge 1" \
"id:248140,chain,msg:'COMODO WAF: Directory traversal vulnerability in CMS Made Simple 2.2.7 (CVE-2018-10522)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq moduleinterface.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_GET:m1_file "@contains .." \
"chain,t:none,t:base64Decode"
SecRule REQUEST_COOKIES_NAMES "@beginsWith cmssessid" \
"t:none,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@beginsWith gpeasy" \
"id:248150,chain,msg:'COMODO WAF: XSS vulnerability exists in Typesetter CMS v5.1 (CVE-2018-16639)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:title "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_URI "@contains index.php/admin/menu/ajax" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:librenms_session "@ge 1" \
"id:248160,chain,msg:'COMODO WAF: SQL injection vulnerability in LibreNMS (CVE-2018-20678)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:sort[hostname] "!@within asc desc" \
"chain,t:none,t:lowercase"
SecRule REQUEST_URI "@endsWith ajax/table/device" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:/^[a-f0-9]{32}$/ "@ge 1" \
"id:248170,chain,msg:'COMODO WAF: XSS vulnerability exists in Omeka before v2.6.1 (CVE-2018-13423)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:tags "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "@rx \/admin\/items\/(?:add|edit)" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule &REQUEST_COOKIES:librenms_session "@ge 1" \
"id:248180,chain,msg:'COMODO WAF:SQL injection vulnerability in LibreNMS (CVE-2018-18478)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq ajax_form.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:dashboard_name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:PHPSESSID "@ge 1" \
"id:248190,chain,msg:'COMODO WAF: Directory traversal vulnerability exists in BAGECMS (CVE-2019-5887)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_GET:s "@endsWith /appminialipaylist/delete.html" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:id "@contains .." \
"t:none,t:urlDecodeUni"
SecRule REQUEST_BASENAME "@streq ecard.php" \
"id:248200,chain,msg:'COMODO WAF: XSS vulnerability exists in the Coppermine Photo Gallery on or before 1.5.46 (CVE-2018-14478)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS_POST:sender_name|ARGS_POST:recipient_name|ARGS_POST:recipient_email|ARGS_POST:greetings "@rx \x22" \
"chain,t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES_NAMES:/cpg\d+x_data/ "@ge 1" \
"t:none"
SecRule &REQUEST_COOKIES:cscms_session "@ge 1" \
"id:248210,chain,msg:'COMODO WAF: Directory traversal vulnerability in CScms 4.1 (CVE-2018-17125)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_URI "@contains admin.php/plugins/del" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:dir "@contains .." \
"t:none,t:urlDecodeUni"
SecRule &REQUEST_COOKIES:mydms_session "@ge 1" \
"id:248220,chain,msg:'COMODO WAF: XSS vulnerability in SeedDMS before 5.1.8 (CVE-2018-12944)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_BASENAME "@streq op.categories.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni"
SecRule ARGS_POST:filterType "@contains )" \
"id:248230,chain,msg:'COMODO WAF: SQLi vulnerability in FrontAccounting 2.4.6 (CVE-2019-5720)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule REQUEST_FILENAME "@endsWith /admin/void_transaction.php" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_COOKIES_NAMES "@rx ^FA[a-f0-9]{32}$" \
"t:none,t:urlDecodeUni"
SecRule REQUEST_FILENAME "AjaxFileUploadHandler\.axd" \
"id:248240,chain,msg:'COMODO WAF: Path traversal vulnerability in ajaxcontroltoolkit||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:urlDecode,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:fileId "@contains ../" \
"t:none,t:urlDecode,t:normalizePath"
SecRule REQUEST_URI "@contains /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm" \
"id:248250,chain,msg:'COMODO WAF: File upload vulnerability in ColdFusion||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS:action "@streq upload" \
"chain,t:none"
SecRule FILES "\.(?:php[\d]?|js|pl|rb|sh|p?html|asp|exe|com|htaccess)" \
"t:none,t:urlDecode"
SecRule REQUEST_URI|ARGS "\/assets\/file:\x2f\x2f" \
"id:248260,msg:'COMODO WAF: Path traversal vilnerability in Sprockets||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:urlDecode,t:normalizePath,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule ARGS|REQUEST_HEADERS|REQUEST_URI|REQUEST_BODY|REQUEST_COOKIES|REQUEST_LINE|QUERY_STRING "@rx \$\{jndi:(ldaps?|rmi|dns|iiop|nis|nds|corba|\$\{(?:lower|upper)):" \
"id:248270,msg:'COMODO WAF: Remote code execution in Apache log4j||%{tx.domain}|%{tx.mode}|2',phase:2,deny,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"