File: //opt/bitninja-waf/etc/BitNinja/410-OTHER-BN.conf
SecRule REQUEST_FILENAME "@pm vendor/htmlawed/htmlawed/htmLawedTest.php" \
"id:410001,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
logdata:'htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. (CVE-2022-35914)',\
msg:'htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. (CVE-2022-35914)'"
SecRule ARGS_NAMES "^hhook$" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@rx POST" \
"id:410002,\
chain,\
rev:'1',\
severity:critical,\
phase:2,\
t:none,\
logdata:'SQLi to file upload vulnerability in SQL manager for PrestaShop (CVE-2023-39526)',\
msg:'SQLi to file upload vulnerability in SQL manager for PrestaShop (CVE-2023-39526)'"
SecRule REQUEST_URI "@rx admin[^\/]+\/index\.php" "chain,t:none,t:normalizePath"
SecRule ARGS:controller "@streq AdminRequestSql" "chain,t:none"
SecRule ARGS:sql "@pm outfile dumpfile" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@rx ^POST$" \
"id:410003,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'RCE vulnerability in Laravel < 8.4.2 ignition module (CVE-2021-3129)',\
logdata:'RCE vulnerability in Laravel < 8.4.2 ignition module (CVE-2021-3129)'"
SecRule REQUEST_URI "@endsWith ignition/execute-solution" "chain,t:none,t:normalizePath"
SecRule ARGS:viewFile "!@endsWith .blade.php" "chain,t:none"
SecRule ARGS:viewFile "!@rx ^(\/|\.\/)" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410004,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in Solidres 2.5.1 component for Joomla (CVE-2018-5980)',\
logdata:'SQL injection vulnerability in Solidres 2.5.1 component for Joomla (CVE-2018-5980)'"
SecRule ARGS:option "@streq com_solidres" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:direction "!@within desc asc" "t:none,t:urlDecodeUni,t:lowercase,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410005,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in Zh YandexMap 6.2.1.0 Zh BaiduMap 3.0.0.1 and Zh GoogleMap 8.4.0.0 for Joomla (CVE-2018-6582 CVE-2018-6604 CVE-2018-6605)',\
logdata:'SQL injection vulnerability in Zh YandexMap 6.2.1.0 Zh BaiduMap 3.0.0.1 and Zh GoogleMap 8.4.0.0 for Joomla (CVE-2018-6582 CVE-2018-6604 CVE-2018-6605)'"
SecRule ARGS:option "@rx ^com_zh(?:baidu|yandex|google)map$" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410006,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in the Gallery WD 1.3.6 component for Joomla! (CVE-2018-5981)',\
logdata:'SQL injection vulnerability in the Gallery WD 1.3.6 component for Joomla! (CVE-2018-5981)'"
SecRule ARGS:option "@streq com_gallery_wd" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:tag_id|ARGS:gallery_id "@rx \D" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410007,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in DT Register 3.2.7 component for Joomla (CVE-2018-6584)',\
logdata:'SQL injection vulnerability in DT Register 3.2.7 component for Joomla (CVE-2018-6584)'"
SecRule ARGS:option "@streq com_dtregister" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:controller "@streq category" "chain,t:none,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410008,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in JomEstate PRO through 3.7 component for Joomla (CVE-2018-6368)',\
logdata:'SQL injection vulnerability in JomEstate PRO through 3.7 component for Joomla (CVE-2018-6368)'"
SecRule ARGS:option "@streq com_jomestate" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:id "@rx \D" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410009,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in Fastball 2.5 component for Joomla (CVE-2018-6373)',\
logdata:'SQL injection vulnerability in Fastball 2.5 component for Joomla (CVE-2018-6373)'"
SecRule ARGS:option "@streq com_fastball" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:season "@rx \D" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410010,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in OS Property Real Estate 3.12.7 component for Joomla (CVE-2018-7319)',\
logdata:'SQL injection vulnerability in OS Property Real Estate 3.12.7 component for Joomla (CVE-2018-7319)'"
SecRule ARGS:option "@streq com_osproperty" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:cooling_system1|ARGS:heating_system1|ARGS:laundry "@rx \D" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410011,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in Swap Factory 2.2.1 Raffle Factory 3.5.2 Penny Auction Factory 2.0.4 component for Joomla! (CVE-2018-17379 CVE-2018-17378 CVE-2018-17384)',\
logdata:'SQL injection vulnerability in Swap Factory 2.2.1 Raffle Factory 3.5.2 Penny Auction Factory 2.0.4 component for Joomla! (CVE-2018-17379 CVE-2018-17378 CVE-2018-17384)'"
SecRule ARGS:option "@within com_rafflefactory com_pennyfactory com_swapfactory" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:filter_order "!@rx ^[\w\-\.]+?$" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410012,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in Zap Calendar Lite 4.3.4 component for Joomla',\
logdata:'SQL injection vulnerability in Zap Calendar Lite 4.3.4 component for Joomla'"
SecRule ARGS:option "@streq com_zcalendar" "chain,t:none,t:urlDecodeUni"
SecRule ARGS:eid "@rx \D" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410013,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in Pinterest Clone Social Pinboard 2.0 component for Joomla (CVE-2018-5987)',\
logdata:'SQL injection vulnerability in Pinterest Clone Social Pinboard 2.0 component for Joomla (CVE-2018-5987)'"
SecRule ARGS:option "@streq com_socialpinboard" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:pin_id|ARGS:user_id|ARGS:ends|ARGS:uid "@rx \D" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410014,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL Injection vulnerability in ccNewsletter 2.x component for Joomla (CVE-2018-5989)',\
logdata:'SQL Injection vulnerability in ccNewsletter 2.x component for Joomla (CVE-2018-5989)'"
SecRule ARGS:option "@streq com_ccnewsletter" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:task "@streq removesubscriber" "chain,t:none,t:lowercase"
SecRule ARGS:id "@contains '" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410015,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL Injection vulnerability in AllVideos Reloaded 1.2.x component for Joomla (CVE-2018-5990)',\
logdata:'SQL Injection vulnerability in AllVideos Reloaded 1.2.x component for Joomla (CVE-2018-5990)'"
SecRule ARGS:option "@streq com_avreloaded" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:view "@streq popup" "chain,t:none,t:lowercase"
SecRule ARGS:divid "@contains '" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410016,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'SQL injection vulnerability in the iJoomla com_adagency plugin 6.0.9 for Joomla! (CVE-2018-5696)',\
logdata:'SQL injection vulnerability in the iJoomla com_adagency plugin 6.0.9 for Joomla! (CVE-2018-5696)'"
SecRule ARGS:option|ARGS:controller "@pm com_adagency adagencyadvertisers" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:advertiser_status|ARGS:status_select "@contains '" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410017,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'XSS vulnerability in Joomla! before 3.8.12 (CVE-2018-15880)',\
logdata:'XSS vulnerability in Joomla! before 3.8.12 (CVE-2018-15880)'"
SecRule ARGS:option "@streq com_users" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:jform[name] "@contains <" "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410018,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'Arbitrary File Download vulnerability in Jtag Members Directory 5.3.7 component for Joomla (CVE-2018-6008)',\
logdata:'Arbitrary File Download vulnerability in Jtag Members Directory 5.3.7 component for Joomla (CVE-2018-6008)'"
SecRule ARGS:option "@streq com_jtagmembersdirectory" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:download_file "@contains .." "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410019,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'Directory traversal vulnerability in K2 component 2.8.0 for Joomla (CVE-2018-7482)',\
logdata:'Directory traversal vulnerability in K2 component 2.8.0 for Joomla (CVE-2018-7482)'"
SecRule ARGS:option "@streq com_k2" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:target "@rx ^l1_(\w+)={0,2}$" "chain,capture,t:none"
SecRule TX:1 "@contains .." "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule ARGS:view "@streq product" \
"id:410020,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,t:lowercase,\
msg:'SQLi vulnerability in J2Store plugin 3.x before 3.3.7 for Joomla! (CVE-2019-9184)',\
logdata:'SQLi vulnerability in J2Store plugin 3.x before 3.3.7 for Joomla! (CVE-2019-9184)'"
SecRule ARGS:option "@streq com_j2store" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:/^product_option\[/ "@rx \D" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_METHOD "@pm GET POST" \
"id:410021,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
msg:'Directory Traversal vulnerability in Joomla before 3.9.5 (CVE-2019-10945)',\
logdata:'Directory Traversal vulnerability in Joomla before 3.9.5 (CVE-2019-10945)'"
SecRule ARGS:option "@streq com_media" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:folder "@contains .." "t:none,t:urlDecodeUni,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_FILENAME "@endsWith /administrator/index.php" \
"id:410022,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,t:normalizePath,\
msg:'Missing input validation within the template manager in Joomla! v3.2.0-v3.9.24 (CVE-2021-23131)',\
logdata:'Missing input validation within the template manager in Joomla! v3.2.0-v3.9.24 (CVE-2021-23131)'"
SecRule ARGS:option "@streq com_templates" "chain,t:none"
SecRule ARGS:task "@streq template.overrides" "chain,t:none"
SecRule ARGS:folder "@pm ( <" "t:none,t:htmlEntityDecode,multiMatch,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_URI "@rx \/api\/index.php\/v1\/(?:config\/application|users)" \
"id:410023,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,t:normalizePath,\
msg:'Improper access check in webservice endpoints in Joomla! (CVE-2023-23752)',\
logdata:'Improper access check in webservice endpoints in Joomla! (CVE-2023-23752)'"
SecRule ARGS:public "!@rx ^$" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule ARGS:action "@streq updateProductQuantity" \
"id:410024,\
chain,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
logdata:'SQL injection vulnerability in Webkul Bundle Product 6.0.1 (CVE-2023-51210)',\
msg:'SQL injection vulnerability in Webkul Bundle Product 6.0.1 (CVE-2023-51210)'"
SecRule ARGS:id_product "[^0-9]" "t:none,setvar:'tx.bn_inbound_found=+1'"