# ModSecurity rule chains for the Drupal advisories named in the msg fields
# (SA-CORE-2018-002 and SA-CORE-2018-004). Each chain, when every link matches,
# increments the transaction counter tx.bn_inbound_found; the rule that reads
# that counter is not part of this listing.
#
# NOTE(review): none of the rules sets a phase, so they run in whatever phase
# SecDefaultAction supplies; "block" likewise resolves to the disruptive action
# configured there. Confirm both against the initialization file.
# NOTE(review): transformation actions belong to the rule that declares them.
# The t: list on each chain starter below is therefore applied to
# REQUEST_METHOD only; the chained ARGS_NAMES/REQUEST_COOKIES_NAMES test sees
# only the transformations inherited from SecDefaultAction. If decoding of
# parameter or cookie names is intended, declare it on the chained rule.
# "t:none" also discards the "t:lowercase" written before it, which is why the
# upper-case method pattern can still match.
# NOTE(review): logdata expands %{TX.0}, but no rule here uses the "capture"
# action, so TX.0 is not populated by these matches - verify what the audit
# log actually records.
# NOTE(review): the chains 402001 and 402002 apply only to GET, POST and HEAD.
# Requests using any other method skip them; confirm those methods are
# rejected or inspected elsewhere.

# SPECIFIC: Block #submit #validate #process #pre_render #post_render #element_validate #after_build #value_callback parameters
# Chain 402001: method is GET/POST/HEAD AND an argument or cookie name is one
# of the listed "#..." render-array keys, either as the whole name or inside
# a bracketed index (optionally quoted).
SecRule REQUEST_METHOD "^(GET|POST|HEAD)$" "chain,id:402001,t:lowercase,t:none,t:utf8toUnicode,t:urlDecodeUni,t:urldecode,block,\
    severity:CRITICAL,\
    msg:'Drupal Remote Code Execution - SA-CORE-2018-002: Block specific #submit #validate #process #pre_render #post_render #element_validate #after_build #value_callback parameters',\
    logdata:'Drupal RCE - SA-CORE-2018-002 Specific: Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
    SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "^\#(submit|validate|pre_render|post_render|element_validate|after_build|value_callback|process)$|\[(?:\'|\")?#(submit|validate|pre_render|post_render|element_validate|after_build|value_callback|process)" \
        "setvar:tx.bn_inbound_found=+1"

# Chain 402003: an argument or cookie name contains "destination" (unanchored
# match) AND some argument or cookie value carries a "q[" parameter whose key
# starts with "#", in literal or (repeatedly) percent-encoded form.
# No disruptive action is declared here, unlike 402001/402002.
# NOTE(review): after "&" (or its encoded form) the pattern accepts only the
# percent-encoded "#", while after "?" it also accepts the literal character.
# Confirm this asymmetry is intended.
SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "destination" "chain,id:402003,\
    msg:'Drupal Remote Code Execution - SA-CORE-2018-004: Block all destination q[#',\
    severity:CRITICAL,\
    logdata:'Drupal RCE - SA-CORE-2018-004 Generic: Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
    SecRule ARGS|REQUEST_COOKIES "(\?q\[(\#|(%(25)*23))|(&|%(25)*26)q\[(%(25)*23))" \
        "setvar:tx.bn_inbound_found=+1"

# GENERIC: Block all parameters starting with #
# Chain 402002: method is GET/POST/HEAD AND an argument or cookie name either
# begins with "#" or contains a bracketed index that begins with "#"
# (optionally quoted). This is broader than 402001 and will also match any
# legitimate parameter named that way.
SecRule REQUEST_METHOD "^(GET|POST|HEAD)$" "chain,id:402002,t:lowercase,t:none,t:utf8toUnicode,t:urlDecodeUni,t:urldecode,block,\
    severity:CRITICAL,\
    msg:'Drupal Remote Code Execution - SA-CORE-2018-002: Block all parameters starting with #',\
    logdata:'Drupal RCE - SA-CORE-2018-002 Generic: Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
    SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "^\#|\[(?:\'|\")?\#.*\]" \
        "setvar:tx.bn_inbound_found=+1"