File: //usr/local/cwaf/rules/29_Apps_Drupal.conf
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------
# Rule 232390 - control-flow helper, not a detection.
# When TX:XSS_SQLi is unset (count == 0) evaluation jumps past the marker
# IGNORE_SFS_SIG_XSS_SQLi_Drupal. pass + nolog: nothing is blocked or logged.
# NOTE(review): the marker is not visible in this part of the file; confirm
# which rules sit between here and it.
SecRule &TX:XSS_SQLi "@eq 0" \
"id:232390,msg:'COMODO WAF: Track same forbidden symbols to Ignore signature for Drupal||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'IGNORE_SFS_SIG_XSS_SQLi_Drupal',rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Rule 233030 - control-flow helper.
# When TX:drupal is unset (count == 0) evaluation jumps past the marker
# Drupal_Skip_URF_231000, so the rules up to that marker are not evaluated.
# NOTE(review): TX:drupal is presumably set by an application-detection rule
# outside this file; if that rule does not fire, none of the gated rules run.
SecRule &TX:drupal "@eq 0" \
"id:233030,msg:'COMODO WAF: Track unauthenticated request in Drupal||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'Drupal_Skip_URF_231000',rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Rule 231000 - Redhen module XSS (CVE-2016-1913), contact form names.
# Chain: every link must match before the 403 deny on the first rule applies.
SecRule TX:drupal "@eq 1" \
"id:231000,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal (CVE-2016-1913)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'Drupal'"
# Scope to the Redhen contact path. Only lowercase is applied here; sibling
# rules also URL-decode and normalize the path before comparing.
SecRule ARGS:q|REQUEST_FILENAME "@contains redhen/contact" \
"chain,t:none,t:lowercase"
# Any '<' in a name field, after URL decoding, completes the chain.
SecRule ARGS:first_name|ARGS:middle_name|ARGS:last_name "@contains <" \
"t:none,t:urlDecodeUni"
# Rule 231001 - Redhen module XSS (CVE-2016-1913), engagement score label.
# Chain: all four links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231001,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal (CVE-2016-1913)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'Drupal'"
# A 'score' argument must be present (count >= 1).
SecRule &ARGS:score "@ge 1" \
"chain,t:none"
# 'label' contains '<' after URL decoding.
SecRule ARGS:label "@contains <" \
"chain,t:none,t:urlDecodeUni"
# Scope to the engagement-scores admin path. t:normalisePath is the
# alternate spelling of t:normalizePath used by the other rules in this file.
SecRule ARGS:q|REQUEST_FILENAME "@contains structure/redhen/engagement_scores/" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
# Rule 231002 - Redhen module XSS (CVE-2016-1913), taxonomy 'name' field.
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231002,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal (CVE-2016-1913)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'Drupal'"
# 'name' contains '<' after URL decoding.
SecRule ARGS:name "@contains <" \
"chain,t:none,t:urlDecodeUni"
# @pm matches if either phrase occurs, so any taxonomy/term path qualifies,
# not only the note_type vocabulary.
SecRule ARGS:q|REQUEST_FILENAME "@pm structure/taxonomy/note_type/ taxonomy/term" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Rule 241790 - CMS Updater module XSS (CVE-2015-7307).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:241790,chain,msg:'COMODO WAF: XSS vulnerability in the CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-7307)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'Drupal'"
# Scope to requests whose q argument or filename mentions cms-updater.
SecRule ARGS:q|REQUEST_FILENAME "@contains cms-updater" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
# \x22 is the double-quote character; a quote in the query-string parameter
# cmsu_payment_url completes the chain.
SecRule ARGS_GET:cmsu_payment_url "@rx \x22" \
"t:none,t:urlDecodeUni"
# Rule 231020 - Mass Contact module XSS (CVE-2015-6807).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231020,chain,msg:'COMODO WAF: XSS vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal (CVE-2015-6807)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the admin edit form id.
SecRule ARGS_POST:form_id "@streq mass_contact_admin_edit" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
# POST field 'category' contains '<' after URL decoding.
SecRule ARGS_POST:category "@contains <" \
"chain,t:none,t:urlDecodeUni"
# Path scope; only lowercase is applied here, no URL decoding or path
# normalization as in sibling rules.
SecRule ARGS:q|REQUEST_FILENAME "@contains mass_contact" \
"t:none,t:lowercase"
# Rule 231030 - Time Tracker module XSS (CVE-2015-6751).
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:231030,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Time Tracker module 7.x-1.x before 7.x-1.4 for Drupal (CVE-2015-6751)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
# @within tests whether form_id occurs inside the listed string, so a
# partial form id also satisfies this link.
SecRule ARGS_POST:form_id "@within time_tracker_activity_table_form time_tracker_time_entry_form" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
# 'note', any activities[N][name], or the new-activity name contains '<'.
SecRule ARGS_POST:note|ARGS_POST:/activities\[\d+\]\[name\]/|ARGS_POST:add_new_activity[new_activity_name] "@contains <" \
"t:none,t:urlDecodeUni"
# Rule 231050 - Path Breadcrumbs module admin XSS (CVE-2015-6754).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231050,chain,msg:'COMODO WAF: XSS vulnerability in the administration interface in the Path Breadcrumbs module 7.x-3.x before 7.x-3.3 for Drupal (CVE-2015-6754)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# @within is a substring test of form_id against the listed string; no
# case folding is applied on this link.
SecRule ARGS_POST:form_id "@within path_breadcrumbs_ui_edit_form path_breadcrumbs_ui_add_form" \
"chain,t:none"
# POST field 'name' contains '<' after URL decoding.
SecRule ARGS_POST:name "@contains <" \
"chain,t:none,t:urlDecodeUni"
# Scope to the system/ajax endpoint; the path is not lowercased here.
SecRule ARGS:q|REQUEST_FILENAME "@contains system/ajax" \
"t:none,t:urlDecodeUni,t:normalizePath"
# Rule 231060 - Block Class module XSS (CVE-2016-3144).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231060,chain,msg:'COMODO WAF: XSS vulnerability in the Block Class module 7.x-2.x before 7.x-2.2 for Drupal (CVE-2016-3144)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
# @within is a substring test of form_id against the two block form ids.
SecRule ARGS_POST:form_id "@within block_add_block_form block_admin_configure" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
# Path scope: decoded, normalized, then lowercased before comparison.
SecRule ARGS:q|REQUEST_FILENAME "@contains /structure/block/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# \x22 is a double quote; a quote in css_class completes the chain.
SecRule ARGS_POST:css_class "@rx \x22" \
"t:none,t:urlDecodeUni"
# Rule 231070 - Camtasia Relay module XSS (CVE-2015-5487).
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:231070,chain,msg:'COMODO WAF: XSS vulnerability in the Camtasia Relay module 6.x-2.x before 6.x-3.2 and 7.x-2.x before 7.x-1.3 for Drupal (CVE-2015-5487)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact, case-sensitive match on the node form id.
SecRule ARGS_POST:form_id "@streq camtasia_relay_node_form" \
"chain,t:none"
# 'title' or any POST field whose name starts with one of the listed
# camtasia_relay_* prefixes contains '<' after URL decoding.
SecRule ARGS_POST:title|ARGS_POST:'/^camtasia_relay_(?:date|profile|duration|presenter_(?:email|name)|recorder_(?:email|name))/' "@contains <" \
"t:none,t:urlDecodeUni"
# Rule 231080 - Smart Trim module XSS (CVE-2015-5489).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231080,chain,msg:'COMODO WAF: XSS vulnerability in the Smart Trim module 7.x-1.x before 7.x-1.5 for Drupal (CVE-2015-5489)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact, case-sensitive match on the field display overview form id.
SecRule ARGS_POST:form_id "@streq field_ui_display_overview_form" \
"chain,t:none"
# Scope to the system/ajax endpoint.
SecRule ARGS:q|REQUEST_FILENAME "@contains system/ajax" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Any POST field named fields...trim_suffix or fields...more_text
# containing '<' completes the chain.
SecRule ARGS_POST:'/^fields.+(?:trim_suffix|more_text)/' "@contains <" \
"t:none,t:urlDecodeUni"
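# Rule 231090 - Migrate module XSS (CVE-2015-5514).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231090,chain,msg:'COMODO WAF: XSS vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal (CVE-2015-5514)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /content/migrate/groups/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Any of the listed field_mappings[...][default_value] fields contains '<'.
SecRule ARGS_POST:field_mappings[name][default_value]|ARGS_POST:field_mappings[description][default_value]|ARGS_POST:field_mappings[parent][default_value]|ARGS_POST:field_mappings[parent_name][default_value]|ARGS_POST:field_mappings[format][default_value]|ARGS_POST:field_mappings[weight][default_value]|ARGS_POST:field_mappings[path][default_value] "@contains <" \
"t:none,t:urlDecodeUni"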
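# Rule 231100 - Webform Matrix Component module XSS (CVE-2015-5494).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231100,chain,msg:'COMODO WAF: XSS vulnerability in the Webform Matrix Component module 7.x-4.12 for Drupal (CVE-2015-5494)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /webform/components/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Any extra[element][element-N][label_name] POST field contains '<'.
SecRule ARGS_POST:/extra\[element\]\[element-\d+\]\[label_name\]/ "@contains <" \
"t:none,t:urlDecodeUni"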
# Rule 231111 - Mobile sliding menu module XSS (CVE-2015-5495).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231111,chain,msg:'COMODO WAF: XSS vulnerability in the Mobile sliding menu module 7.x-2.x before 7.x-2.1 for Drupal (CVE-2015-5495)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Scope to the menu administration path, checked in the full URI, the
# filename and the q argument.
SecRule REQUEST_URI|REQUEST_FILENAME|ARGS:q "@contains /admin/structure/menu/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# link_title contains '<' after URL and HTML-entity decoding.
SecRule ARGS:link_title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
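# Rule 231140 - Navigate module XSS (CVE-2015-5500).
# Chain: all links must match for the 403 deny.
# Gate is "TX:drupal exists" (&TX:drupal >= 1), not "TX:drupal == 1" as in
# most rules of this file. NOTE(review): confirm the difference is intended.
SecRule &TX:drupal "@ge 1" \
"id:231140,chain,msg:'COMODO WAF: XSS vulnerability in the Navigate module 6.x-1.1 for Drupal (CVE-2015-5500)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule REQUEST_FILENAME "@contains /navigate/process" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'module' or 'name' carries one of the listed Navigate identifiers.
SecRule ARGS_POST:module|ARGS_POST:name "@pm navigate_favorites navigate_custom set-export set-import" \
"chain,t:none"
# 'name', 'content' or 'value' contains '<' after URL decoding.
SecRule ARGS_POST:name|ARGS_POST:content|ARGS_POST:value "@contains <" \
"t:none,t:urlDecodeUni"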
# Rule 231150 - EntityBulkDelete module XSS (CVE-2015-4386), taxonomy terms.
# Chain: all links must match for the 403 deny.
# Gate is "TX:drupal exists" (&TX:drupal >= 1), not "TX:drupal == 1" as in
# most rules of this file. NOTE(review): confirm the difference is intended.
SecRule &TX:drupal "@ge 1" \
"id:231150,chain,msg:'COMODO WAF: XSS vulnerability in the EntityBulkDelete module 7.x-1.0 for Drupal (CVE-2015-4386)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Path scope, also checked in the 'destination' query parameter.
SecRule ARGS_GET:q|ARGS_GET:destination|REQUEST_FILENAME "@contains admin/structure/taxonomy/tags" \
"chain,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath"
# Exact (case-folded) match on the taxonomy term form id.
SecRule ARGS_POST:form_id "@streq taxonomy_form_term" \
"chain,t:none,t:lowercase"
# 'name' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
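# Rule 231151 - EntityBulkDelete module XSS (CVE-2015-4386), node forms.
# Chain: all links must match for the 403 deny.
# The action list previously named the disruptive action 'deny' twice; it
# is listed once here.
SecRule TX:drupal "@eq 1" \
"id:231151,chain,msg:'COMODO WAF: XSS vulnerability in the EntityBulkDelete module 7.x-1.0 for Drupal (CVE-2015-4386)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# @pm matches any listed phrase; the bare phrase 'node' already covers the
# two node/add/... phrases, so any path containing 'node' qualifies.
SecRule ARGS_GET:q|ARGS_GET:destination|REQUEST_FILENAME "@pm node/add/article node node/add/page" \
"chain,t:none,t:urlDecodeUni,t:normalizePath"
# Page or article node form.
SecRule ARGS_POST:form_id "@pm page_node_form article_node_form" \
"chain,t:none"
# 'title' or field_tags[und] contains '<' after URL and entity decoding.
SecRule ARGS_POST:title|ARGS_POST:field_tags[und] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"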
# Rule 231152 - EntityBulkDelete module XSS (CVE-2015-4386), comments.
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231152,chain,msg:'COMODO WAF: XSS vulnerability in the EntityBulkDelete module 7.x-1.0 for Drupal (CVE-2015-4386)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the article comment form id.
SecRule ARGS_POST:form_id "@streq comment_node_article_form" \
"chain,t:none,t:lowercase"
# Comment edit (comment/N/edit) or reply (comment/reply/N) path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx comment\/\d+\/edit|comment\/reply\/\d+" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
# 'subject' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:subject "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231160 - Invoice module XSS (CVE-2015-4381).
# Chain: all links must match for the 403 deny.
# Gate is "TX:drupal exists" (&TX:drupal >= 1), not "TX:drupal == 1" as in
# most rules of this file. NOTE(review): confirm the difference is intended.
SecRule &TX:drupal "@ge 1" \
"id:231160,chain,msg:'COMODO WAF: XSS vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal (CVE-2015-4381)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Scope to the invoice settings path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/system/invoice" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Exact (case-folded) match on the settings form id.
SecRule ARGS_POST:form_id "@streq invoice_settings_form" \
"chain,t:none,t:lowercase"
# Any of the listed supplier fields contains '<' after decoding.
SecRule ARGS_POST:default_supplier_company_name|ARGS_POST:default_supplier_coc_number|ARGS_POST:default_supplier_vat_number|ARGS_POST:supplier_company_name|ARGS_POST:supplier_coc_number|ARGS_POST:supplier_vat_number "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231170 - Inline Entity Form module XSS (CVE-2015-5507).
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:231170,chain,msg:'COMODO WAF: XSS vulnerability in the Inline Entity Form module 7.x-1.x before 7.x-1.6 for Drupal (CVE-2015-5507)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# instance[description] contains '<' after URL decoding.
SecRule ARGS_POST:instance[description] "@contains <" \
"chain,t:none,t:urlDecodeUni"
# form_id contains (not equals) field_ui_field_edit_form; so this applies
# to every field edit form, whichever module provides the field.
SecRule ARGS_POST:form_id "@contains field_ui_field_edit_form" \
"t:none"
# Rule 231180 - MailChimp Signup submodule XSS (CVE-2015-5488).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231180,chain,msg:'COMODO WAF: XSS vulnerability in the MailChimp Signup submodule in the MailChimp module 7.x-3.x before 7.x-3.3 for Drupal (CVE-2015-5488)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact, case-sensitive match on the signup form id.
SecRule ARGS_POST:form_id "@streq mailchimp_signup_form" \
"chain,t:none"
# 'title', 'description' or the confirmation message contains '<'.
SecRule ARGS_POST:title|ARGS_POST:description|ARGS_POST:settings[confirmation_message] "@contains <" \
"chain,t:none,t:urlDecodeUni"
# Scope to the mailchimp/signup path.
SecRule ARGS:q|REQUEST_FILENAME "@contains mailchimp/signup" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Rule 231190 - Shibboleth authentication module XSS (CVE-2015-5513).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231190,chain,msg:'COMODO WAF: XSS vulnerability in the Shibboleth authentication module 6.x-4.x before 6.x-4.2 and 7.x-4.x before 7.x-4.2 for Drupal (CVE-2015-5513)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# shib_auth_link_text contains '<' after URL decoding.
SecRule ARGS_POST:shib_auth_link_text "@contains <" \
"chain,t:none,t:urlDecodeUni"
# @within is a substring test of form_id against the two listed form ids.
SecRule ARGS_POST:form_id "@within block_admin_configure shib_auth_admin_general" \
"chain,t:none"
# Path scope is compared with no transformation at all (t:none only):
# no decoding, normalization or case folding, unlike sibling rules.
SecRule ARGS:q|REQUEST_FILENAME "@contains shib_auth" \
"t:none"
# Rule 231200 - Web Links module XSS (CVE-2015-5497).
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:231200,chain,msg:'COMODO WAF: XSS vulnerability in the Web Links module 6.x-2.x before 6.x-2.6 and 7.x-1.x before 7.x-1.0 for Drupal (CVE-2015-5497)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact, case-sensitive match on the weblinks node form id.
SecRule ARGS_POST:form_id "@streq weblinks_node_form" \
"chain,t:none"
# 'title' or any body[und][N][value] contains '<' after URL decoding.
# A '<' anywhere in the body text is enough to trigger the deny.
SecRule ARGS_POST:title|ARGS_POST:/body\[und\]\[[0-9]+\]\[value\]/ "@contains <" \
"t:none,t:urlDecodeUni"
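# Rule 231210 - Taxonews module XSS (CVE-2015-3369).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231210,chain,msg:'COMODO WAF: XSS vulnerability in Taxonews module 7.x-1.0 for Drupal (CVE-2015-3369)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /structure/block/manage/taxonews/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# taxonews_empty_messages contains '<' after URL and entity decoding
# (the lowercase step has no effect on a '<' test).
SecRule ARGS_POST:taxonews_empty_messages "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"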
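# Rule 231220 - MAYO theme XSS (CVE-2014-8079).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231220,chain,msg:'COMODO WAF: XSS vulnerability in MAYO theme 7.x-1.2 for Drupal (CVE-2014-8079)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /appearance/settings/mayo" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Exact (case-folded) match on the theme settings form id.
SecRule ARGS_POST:form_id "@streq system_theme_settings" \
"chain,t:none,t:lowercase"
# \x22 is a double quote; a quote in header_bg_file completes the chain.
SecRule ARGS_POST:header_bg_file "@rx \x22" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"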
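# Rule 231230 - Touch theme XSS (CVE-2014-4303).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231230,chain,msg:'COMODO WAF: XSS vulnerability in Touch theme 7.x-1.7 for Drupal (CVE-2014-4303)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /appearance/settings/touch" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Exact, case-sensitive match on the theme settings form id.
SecRule ARGS_POST:form_id "@streq system_theme_settings" \
"chain,t:none"
# \x22 is a double quote; a quote in either username field completes the
# chain.
SecRule ARGS_POST:twitter_username|ARGS_POST:facebook_username "@rx \x22" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"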
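# Rule 231240 - Simple Subscription module XSS (CVE-2015-4367).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231240,chain,msg:'COMODO WAF: XSS vulnerability in Simple Subscription module 7.x-1.0 for Drupal (CVE-2015-4367)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /block/manage/simple_subscription/subscribe/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Form header or footer text contains '<' after URL and entity decoding.
SecRule ARGS_POST:simple_subscription_form_header|ARGS_POST:simple_subscription_form_footer "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"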
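# Rule 231250 - Registration codes module XSS (CVE-2015-4359).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231250,chain,msg:'COMODO WAF: XSS vulnerability in the Registration codes module 7.x-1.1 for Drupal (CVE-2015-4359)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /config/people/regcode/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# One of the three regcode admin form ids.
SecRule ARGS_POST:form_id "@pm regcode_admin_settings regcode_voucher_admin_form regcode_dynamic_settings" \
"chain,t:none,t:lowercase"
# Any of the listed title/description fields, or 'name', contains '<'.
SecRule ARGS_POST:regcode_field_title|ARGS_POST:regcode_field_description|ARGS_POST:regcode_voucher_fieldset_title|ARGS_POST:regcode_voucher_field_description|ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"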
# Rule 231270 - Search API module admin view XSS (CVE-2013-2715).
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:231270,chain,msg:'COMODO WAF: XSS vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal (CVE-2013-2715)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the index workflow form id.
SecRule ARGS:form_id "@streq search_api_admin_index_workflow" \
"chain,t:none,t:lowercase"
# The [name] of any search_api_aggregation_N field contains '<'. The
# selector regex is anchored at both ends.
SecRule ARGS:/^callbacks\[search_api_alter_add_aggregation\]\[settings\]\[fields\]\[search_api_aggregation_[\d]+\]\[name\]$/ "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231280 - Custom Search module XSS (CVE-2014-8745).
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:231280,chain,msg:'COMODO WAF: XSS vulnerability in the Custom Search module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.15 for Drupal (CVE-2014-8745)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# The condition is the taxonomy vocabulary form, so every vocabulary
# submission is covered, whether or not Custom Search is installed.
SecRule ARGS:form_id "@streq taxonomy_form_vocabulary" \
"chain,t:none,t:lowercase"
# 'name' contains '<' after URL and HTML-entity decoding.
SecRule ARGS:name "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
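# Rule 231290 - Site Banner module XSS (CVE-2014-8376).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231290,chain,msg:'COMODO WAF: XSS vulnerability in the Site Banner module 7.x-4.0 for Drupal (CVE-2014-8376)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /structure/context/list/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Prepend, delimiter or append banner text contains '<' after decoding.
SecRule ARGS_POST:reactions[plugins][change_banner_text][site_banner_tag_prepend_text]|ARGS_POST:reactions[plugins][change_banner_text][site_banner_tag_delimiter_text]|ARGS_POST:reactions[plugins][change_banner_text][site_banner_tag_append_text] "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"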
# Rule 210310 - Profile2 Privacy module XSS (CVE-2015-4376).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:210310,chain,msg:'COMODO WAF: XSS vulnerability in the Profile2 Privacy module 7.x-1.x before 7.x-1.5 for Drupal (CVE-2015-4376)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the privacy level form id.
SecRule ARGS_POST:form_id "@streq profile2_privacy_level_form" \
"chain,t:none,t:lowercase"
# Scope to the privacy level admin path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/people/profile2_privacy/level" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'title' or 'description' contains '<' after URL and entity decoding.
SecRule ARGS_POST:title|ARGS_POST:description "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231310 - Webform module XSS (CVE-2015-4374).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231310,chain,msg:'COMODO WAF: XSS vulnerability in the Webform module before 6.x-3.23, 7.x-3.x before 7.x-3.23, and 7.x-4.x before 7.x-4.5 for Drupal (CVE-2015-4374)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# One of the two webform component form ids.
SecRule ARGS_POST:form_id "@pm webform_component_edit_form webform_components_form" \
"chain,t:none"
# node/N/webform path; the second alternative is already covered by the
# first because the regex is unanchored.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+\/webform|node\/\d+\/webform\/components" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
# 'name' or add[name] contains '<' after URL and entity decoding.
SecRule ARGS_POST:name|ARGS_POST:add[name] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231320 - Image Title module XSS (CVE-2015-4372).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231320,chain,msg:'COMODO WAF: XSS vulnerability in the Image Title module before 7.x-1.1 for Drupal (CVE-2015-4372)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Presence test: at least one of the two Image Title form fields exists.
SecRule &ARGS_POST:current_title_image_status|&ARGS_POST:/files\[image_title_upload]/ "@ge 1" \
"chain,t:none"
# Node add or node edit path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'title' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231331 - Tribune module XSS (CVE-2014-8705).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231331,chain,msg:'COMODO WAF: XSS vulnerabilities in Tribune module of Drupal-CMS (CVE-2014-8705)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact, case-sensitive match on the tribune node form id.
SecRule ARGS_POST:form_id "@streq tribune_node_form" \
"chain,t:none"
# @pm matches if ANY of 'tribune', 'add' or 'edit' occurs anywhere in the
# URI (query string included), so this link adds little narrowing beyond
# the form_id check. The URI is lowercased but not URL-decoded.
SecRule REQUEST_URI "@pm tribune add edit" \
"chain,t:none,t:lowercase"
# 'title' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231341 - Nivo Slider module XSS (CVE-2014-8744).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231341,chain,msg:'COMODO WAF: XSS vulnerabilities in Nivo Slider module of Drupal-CMS (CVE-2014-8744)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Scope to the nivo-slider admin path; lowercased and normalized, but not
# URL-decoded.
SecRule REQUEST_URI "@contains structure/nivo-slider" \
"chain,t:none,t:lowercase,t:normalizePath"
# The selector is the literal key images[0][title]; titles at other
# indexes are not inspected by this rule.
# NOTE(review): confirm whether a regex selector over all indexes is needed.
SecRule ARGS_POST:images[0][title] "@contains <" \
"t:none,t:urlDecodeUni"
# Rule 231351 - Google Doubleclick for Publishers module XSS (CVE-2014-8748).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231351,chain,msg:'COMODO WAF: XSS vulnerabilities in Google Doubleclick for Publishers module of Drupal-CMS (CVE-2014-8748)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# 'dfp_ads' anywhere in the lowercased URI (not URL-decoded).
SecRule REQUEST_URI "@contains dfp_ads" \
"chain,t:none,t:lowercase"
# POST field 'slot' contains '<' after URL decoding.
SecRule ARGS_POST:slot "@contains <" \
"t:none,t:urlDecodeUni"
# Rule 231360 - Site Documentation and Taxonomy Accordion modules XSS
# (CVE-2015-4370 and CVE-2015-4365), via taxonomy term forms.
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231360,chain,msg:'COMODO WAF: XSS vulnerability in the Site Documentation module before 6.x-1.5 and Taxonomy Accordion module for Drupal (CVE-2015-4370 & CVE-2015-4365)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the taxonomy term form id.
SecRule ARGS_POST:form_id "@streq taxonomy_form_term" \
"chain,t:none,t:lowercase"
# Scope to the admin/content/taxonomy path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/content/taxonomy" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'name' or 'description' contains '<' after URL and entity decoding.
SecRule ARGS_POST:name|ARGS_POST:description "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231370 - OG tabs module XSS (CVE-2015-4373).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231370,chain,msg:'COMODO WAF: XSS vulnerability in the OG tabs module before 7.x-1.1 for Drupal (CVE-2015-4373)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Presence test: at least one POST field whose name starts with
# og_group_ref exists.
SecRule &ARGS_POST:/^og_group_ref/ "@ge 1" \
"chain,t:none"
# Node add or node edit path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
# 'title' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
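# Rule 231380 - Room Reservations module XSS (CVE-2015-3359).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231380,chain,msg:'COMODO WAF: XSS vulnerability in the Room Reservations module before 7.x-1.0 for Drupal (CVE-2015-3359)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact, case-sensitive match on the category node form id.
SecRule ARGS_POST:form_id "@streq room_reservations_category_node_form" \
"chain,t:none"
# @pm matches if ANY listed phrase occurs, so 'add' or 'edit' anywhere in
# q or the URI is enough. Transformations run in the order listed;
# URL-decode first so that normalizePath and lowercase operate on the
# decoded text, as rule 231060 and most other path checks in this file do.
SecRule ARGS:q|REQUEST_URI "@pm add edit room-reservations-category" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'title' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:title "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"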
# Rule 231390 - Imagefield Info module XSS (CVE-2015-4385).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231390,chain,msg:'COMODO WAF: XSS vulnerability in the Imagefield Info module 7.x-1.x before 7.x-1.2 for Drupal (CVE-2015-4385)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# One of the two image style form ids.
SecRule ARGS_POST:form_id "@pm image_style_add_form image_style_form" \
"chain,t:none"
# Scope to the image-styles admin path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/media/image-styles" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'name' or 'label' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:name|ARGS_POST:label "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 210360 - Webform module XSS (CVE-2015-4356), client form submissions.
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:210360,chain,msg:'COMODO WAF: XSS vulnerability in the Webform module 7.x-4.x before 7.x-4.4 for Drupal (CVE-2015-4356)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
# Presence test: a form_build_id argument exists.
SecRule &ARGS:form_build_id "@ge 1" \
"chain,t:none"
# form_id starts with webform_client_form_ (any webform).
SecRule ARGS:form_id "@beginsWith webform_client_form_" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
# Any submitted[key] value contains '<'. This covers visitor-entered
# values on every webform, so a '<' typed into any field is denied.
SecRule ARGS:/submitted\[[\w]*\]/ "@contains <" \
"t:none,t:urlDecodeUni"
# Rule 231400 - Ajax Timeline and Public Download Count modules XSS
# (CVE-2015-3392 and CVE-2015-3389).
# Chain: all links must match for the 403 deny. There is no form_id or
# module-specific field condition, so this applies to every node add/edit
# request whose title contains '<'.
SecRule TX:drupal "@eq 1" \
"id:231400,chain,msg:'COMODO WAF: XSS vulnerability in the Ajax Timeline module before 7.x-1.1 and Public Download Count module (pubdlcnt) 7.x-1.x-dev and earlier for Drupal (CVE-2015-3392 & CVE-2015-3389)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Node add or node edit path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
# 'title' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231411 - AddressField Tokens module XSS (CVE-2014-3933).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231411,chain,msg:'COMODO WAF: XSS vulnerabilities in AddressField Tokens module of Drupal-CMS (CVE-2014-3933)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the webform node form id.
SecRule ARGS_POST:form_id "@streq webform_node_form" \
"chain,t:none,t:lowercase"
# @pm matches if ANY of 'webform', 'add' or 'edit' occurs in the URI.
SecRule REQUEST_URI "@pm webform add edit" \
"chain,t:none,t:lowercase"
# Only index 0 of field_address_title (thoroughfare, premise) is named.
SecRule ARGS_POST:field_address_title[und][0][thoroughfare]|ARGS_POST:field_address_title[und][0][premise] "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni"
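# Rule 231430 - Ubercart Webform Integration module XSS (CVE-2015-4354).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231430,chain,msg:'COMODO WAF: XSS vulnerability in the Ubercart Webform Integration module 7.x-2.3 for Drupal (CVE-2015-4354)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact, case-sensitive match on the product node form id.
SecRule ARGS_POST:form_id "@streq product_node_form" \
"chain,t:none"
# @pm matches if ANY listed phrase occurs. Transformations run in the
# order listed; URL-decode first so that normalizePath and lowercase
# operate on the decoded text, as rule 231060 and most other path checks
# in this file do.
SecRule ARGS:q|REQUEST_URI "@pm add edit product" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'title' or 'model' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:title|ARGS_POST:model "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"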
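# Rule 231440 - Webform module XSS (CVE-2015-4357), menu link title.
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:231440,chain,msg:'COMODO WAF: XSS vulnerability in the Webform module before 6.x-3.22, 7.x-3.x before 7.x-3.22, and 7.x-4.x before 7.x-4.4 for Drupal (CVE-2015-4357)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the webform node form id.
SecRule ARGS:form_id "@streq webform_node_form" \
"chain,t:none,t:lowercase"
# The submitted operation is 'save'.
SecRule ARGS:op "@streq save" \
"chain,t:none,t:lowercase"
# Transformations run in the order listed. URL-decode before entity
# decoding, the order every other value check in this file uses, so an
# entity that only appears after URL decoding is still decoded.
SecRule ARGS:menu[link_title] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"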
# Rule 210370 - Node Access Product module XSS (CVE-2015-3386).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:210370,chain,msg:'COMODO WAF: XSS vulnerability in the Node Access Product module for Drupal (CVE-2015-3386)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# One of the product, views display, vocabulary or term form ids.
SecRule ARGS_POST:form_id "@pm product_node_form views_ui_edit_display_form taxonomy_form_vocabulary taxonomy_form_term" \
"chain,t:none"
# Node add/edit, taxonomy admin, taxonomy term or views admin path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit|admin\/structure\/taxonomy|taxonomy\/term|admin\/structure\/views" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'title' or 'name' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:title|ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231480 - Date module XSS (CVE-2014-5169), new field label.
# Chain: all five links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231480,chain,msg:'COMODO WAF: XSS vulnerabilities in Date module of Drupal-CMS (CVE-2014-5169)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the field overview form id.
SecRule ARGS_POST:form_id "@streq field_ui_field_overview_form" \
"chain,t:none,t:lowercase"
# @pm matches if ANY of the three phrases occurs in the URI.
# NOTE(review): 'structures' is plural, while other rules in this file use
# 'structure' for admin paths; 'types' or 'fields' still satisfy the link.
SecRule REQUEST_URI "@pm structures types fields" \
"chain,t:none,t:lowercase"
# The new field's type or widget type is one of the date variants.
SecRule ARGS_POST:fields[_add_new_field][type]|ARGS_POST:fields[_add_new_field][widget_type] "@pm date datetime datestamp date_popup date_text" \
"chain,t:none,t:lowercase"
# The new field's label contains '<' after URL and entity decoding.
SecRule ARGS_POST:fields[_add_new_field][label] "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231481 - field label XSS on the field edit form (CVE-2014-5169).
# Chain: all links must match for the 403 deny.
# NOTE(review): the msg names the AddressField Tokens module but cites
# CVE-2014-5169, which rule 231480 attributes to the Date module, while
# rule 231411 cites CVE-2014-3933 for AddressField Tokens. Confirm which
# module name belongs in this message; alert triage relies on it.
SecRule TX:drupal "@eq 1" \
"id:231481,chain,msg:'COMODO WAF: XSS vulnerabilities in AddressField Tokens module of Drupal-CMS (CVE-2014-5169)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the field edit form id.
SecRule ARGS_POST:form_id "@streq field_ui_field_edit_form" \
"chain,t:none,t:lowercase"
# @pm matches if ANY of the three phrases occurs in the URI.
# NOTE(review): 'structures' is plural, while other rules in this file use
# 'structure' for admin paths; 'types' or 'fields' still satisfy the link.
SecRule REQUEST_URI "@pm structures types fields" \
"chain,t:none,t:lowercase"
# The new-field label or instance[label] contains '<' after decoding.
SecRule ARGS_POST:fields[_add_new_field][label]|ARGS_POST:instance[label] "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231490 - Node Invite module XSS (CVE-2015-3372).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231490,chain,msg:'COMODO WAF: XSS vulnerability in the Node Invite module before 6.x-2.5 for Drupal (CVE-2015-3372)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Presence test: the node_invites_enabled POST field exists.
SecRule &ARGS_POST:node_invites_enabled "@ge 1" \
"chain,t:none"
# Node add or node edit path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'title' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231500 - Quizzler module XSS (CVE-2015-3376).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231500,chain,msg:'COMODO WAF: XSS vulnerability in the Quizzler module before 7-x.1.16 for Drupal (CVE-2015-3376)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Presence test: the quizzler_qid POST field exists.
SecRule &ARGS_POST:quizzler_qid "@ge 1" \
"chain,t:none"
# Node add or node edit path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# 'title', an option value or a question field contains '<'. The name
# regexes use a single \d per index, so only one-digit indexes match.
SecRule ARGS_POST:title|ARGS_POST:/^quizzler_multi_option_\d_\d_value/|ARGS_POST:/^quizzler_multi_\d_question/ "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231520 - Classified Ads and Term Merge modules XSS
# (CVE-2015-3368 and CVE-2015-3360), via taxonomy term names.
# Chain: all links must match for the 403 deny. There is no path condition,
# so every taxonomy term form submission is covered.
SecRule TX:drupal "@eq 1" \
"id:231520,chain,msg:'COMODO WAF: XSS vulnerability in the Classified Ads module before 6.x-3.1 and 7.x-3.x before 7.x-3.1 and Term Merge module before 7.x-1.2 for Drupal (CVE-2015-3368 & CVE-2015-3360)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the taxonomy term form id.
SecRule ARGS_POST:form_id "@streq taxonomy_form_term" \
"chain,t:none,t:lowercase"
# 'name' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:name "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231530 - Content Analysis module XSS (CVE-2015-3364).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231530,chain,msg:'COMODO WAF: XSS vulnerability in the Content Analysis module before 6.x-1.7 for Drupal (CVE-2015-3364)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Scope to the contentanalysis/analyze_js endpoint.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains contentanalysis/analyze_js" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Any POST field whose name starts with ao_contentanalysis contains '<'.
SecRule ARGS_POST:/^ao_contentanalysis/ "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231540 - WikiWiki module XSS (CVE-2015-3346).
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:231540,chain,msg:'COMODO WAF: XSS vulnerability in the WikiWiki module before 6.x-1.2 for Drupal (CVE-2015-3346)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# One of the two wikiwiki form ids.
SecRule ARGS_POST:form_id "@pm wikiwiki_add_form wikiwiki_edit_form" \
"chain,t:none"
# 'title' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231550 - Field Display Label module XSS (CVE-2015-3353).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231550,chain,msg:'COMODO WAF: XSS vulnerability in the Field Display Label module before 7.x-1.3 for Drupal (CVE-2015-3353)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Scope to the content type management path.
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/structure/types/manage" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# instance[display_label] contains '<' after URL and entity decoding.
SecRule ARGS_POST:instance[display_label] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
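# Rule 231560 - Zen theme XSS (CVE-2014-7980).
# Chain: all links must match for the 403 deny.
SecRule TX:drupal "@eq 1" \
"id:231560,chain,msg:'COMODO WAF: XSS vulnerability in the Zen theme 7.x-3.2 for Drupal (CVE-2014-7980)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /appearance/settings/zen" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Exact (case-folded) match on the Zen settings variable name.
SecRule ARGS_POST:var "@streq theme_zen_settings" \
"chain,t:none,t:lowercase"
# A double quote (\x22) or '<' in either jump-link field.
SecRule ARGS_POST:zen_jump_link_target|ARGS_POST:zen_jump_link_text "@rx \x22|<" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"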
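# Rule 231570 - '<' in copyright_override on the professional_theme
# settings page. Chain: all links must match for the 403 deny.
# NOTE(review): unlike every other rule in this file, the action list has
# no msg, so log entries for this rule carry no description and none of
# the %{tx.domain}|%{tx.mode} fields. Confirm the intended message and
# advisory reference with the rule author before adding one.
SecRule TX:drupal "@eq 1" \
"id:231570,chain,phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
# Transformations run in the order listed. URL-decode first so that
# normalizePath and lowercase operate on the decoded path, as rule 231060
# and most other path checks in this file do.
SecRule ARGS:q|REQUEST_FILENAME "@contains /appearance/settings/professional_theme" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Exact (case-folded) match on the theme settings variable name.
SecRule ARGS_POST:var "@streq theme_professional_theme_settings" \
"chain,t:none,t:lowercase"
# copyright_override contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:copyright_override "@contains <" \
"t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode"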
# Rule 231580 - Wishlist module XSS (CVE-2015-3357).
# Chain: all links must match for the 403 deny. No path condition is used.
SecRule TX:drupal "@eq 1" \
"id:231580,chain,msg:'COMODO WAF: XSS vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal (CVE-2015-3357)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Exact (case-folded) match on the wishlist node form id.
SecRule ARGS_POST:form_id "@streq wishlist_node_form" \
"chain,t:none,t:lowercase"
# POST field 'log' contains '<' after URL and HTML-entity decoding.
SecRule ARGS_POST:log "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231590 - Course module XSS (CVE-2015-3344).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. At least one POST parameter named course[outline] is present
#      (the & prefix counts occurrences).
#   3. POST form_id ends with _node_form (lowercased).
#   4. POST title contains "<" after URL and HTML-entity decoding.
# The form_id test is a suffix match, so the rule covers every node form that
# carries a course[outline] field, not one specific content type.
SecRule TX:drupal "@eq 1" \
"id:231590,chain,msg:'COMODO WAF: XSS vulnerability in the Course module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal (CVE-2015-3344)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS_POST:course[outline] "@ge 1" \
"chain,t:none"
SecRule ARGS_POST:form_id "@endsWith _node_form" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231600 - NewsFlash theme XSS (CVE-2014-8077).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. REQUEST_URI contains "appearance" (lowercased only).
#   3. POST var or form_id contains theme_newsflash_settings or
#      system_theme_settings (@pm: either phrase, substring match).
#   4. POST newsflash_customfont contains "<" after decoding.
# NOTE(review): link 2 applies no URL decoding or path normalisation, unlike
# the path checks in sibling rules such as 231550 - confirm that is intended.
SecRule TX:drupal "@eq 1" \
"id:231600,chain,msg:'COMODO WAF: XSS vulnerability in NewsFlash theme of Drupal-CMS (CVE-2014-8077)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_URI "@contains appearance" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:var|ARGS_POST:form_id "@pm theme_newsflash_settings system_theme_settings" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:newsflash_customfont "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231620 - GD Infinite Scroll module XSS (CVE-2015-1567).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. POST form_id equals gd_infinite_scroll_form (lowercased).
#   3. q or REQUEST_FILENAME contains
#      admin/config/user-interface/gd-infinite-scroll after URL decoding,
#      path normalisation and lowercasing.
#   4. POST url contains "<" after URL and HTML-entity decoding.
SecRule TX:drupal "@eq 1" \
"id:231620,chain,msg:'COMODO WAF: XSS vulnerability in the GD Infinite Scroll module before 7.x-1.4 for Drupal (CVE-2015-1567)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq gd_infinite_scroll_form" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/config/user-interface/gd-infinite-scroll" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_POST:url "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231630 - Webform prepopulate block module XSS (CVE-2015-1621).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. POST form_id equals webform_node_form (lowercased).
#   3. POST title contains "<" after URL and HTML-entity decoding.
# Nothing in the chain tests for the prepopulate module itself, so the rule
# applies to every submission of that form whose title contains "<".
# Rule 231920 later in this file tests the same form_id and title over ARGS.
SecRule TX:drupal "@eq 1" \
"id:231630,chain,msg:'COMODO WAF: XSS vulnerability in the Webform prepopulate block module before 7.x-3.1 for Drupal (CVE-2015-1621)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq webform_node_form" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231650 - Easy Social module XSS (CVE-2014-8319).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. POST form_id contains easy_social (lowercased, substring match).
#   3. Any POST parameter whose name matches the regex
#      easy_social_block_[\d]_title contains "<" after decoding.
# The name regex allows exactly one digit between "block_" and "_title".
# NOTE(review): confirm block numbers never exceed a single digit.
SecRule TX:drupal "@eq 1" \
"id:231650,chain,msg:'COMODO WAF: XSS vulnerability in the Easy Social module before 7.x-2.11 for Drupal (CVE-2014-8319)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@contains easy_social" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:/easy_social_block_[\d]_title/ "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
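# Rule 231660 - Webform module XSS (CVE-2013-2129).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. POST form_id contains webform_component (lowercased, substring match).
#   3. POST add[name], or name from any argument source, contains "<" after
#      URL and HTML-entity decoding.
# The transformation is written htmlEntityDecode, the spelling used by every
# other rule in this file, so a search for the name finds this rule too.
SecRule TX:drupal "@eq 1" \
"id:231660,chain,msg:'COMODO WAF: XSS vulnerability in the Webform module before 6.x-3.19 for Drupal (CVE-2013-2129)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@contains webform_component" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:add[name]|ARGS:name "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"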
# Rule 231680 - Webform Validation module XSS (CVE-2014-8317).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. q or REQUEST_URI contains "webform" or "components". @pm takes a
#      space-separated phrase list, so either word alone satisfies this link.
#   3. POST form_id contains webform_components_form or
#      webform_component_edit_form.
#   4. POST name or add[name] contains "<" after URL and HTML-entity decoding.
SecRule TX:drupal "@eq 1" \
"id:231680,chain,msg:'COMODO WAF: XSS vulnerability in the Webform Validation module 7.x-1.3 for Drupal (CVE-2014-8317)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_URI "@pm webform components" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:form_id "@pm webform_components_form webform_component_edit_form" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:name|ARGS_POST:add[name] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 242880 - Godwins Law module XSS (CVE-2014-9499).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. form_id (any argument source) equals godwins_law_admin_settings.
#   3. godwins_law_message or godwins_law_message_noaction contains "<"
#      after HTML-entity decoding followed by URL decoding.
SecRule TX:drupal "@eq 1" \
"id:242880,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Godwins Law module before 7.x-1.1 for Drupal (CVE-2014-9499)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq godwins_law_admin_settings" \
"chain,t:none,t:lowercase"
SecRule ARGS:godwins_law_message|ARGS:godwins_law_message_noaction "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
# Rule 231910 - Taxonomy Tools module XSS (CVE-2015-3387).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. form_id equals taxonomy_form_term (lowercased).
#   3. name contains "<" after HTML-entity decoding followed by URL decoding.
# NOTE(review): the form_id does not name the Taxonomy Tools module, so the
# rule likely fires on term edits whether or not that module is installed -
# confirm the false-positive impact on sites that allow "<" in term names.
SecRule TX:drupal "@eq 1" \
"id:231910,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Taxonomy Tools module before 7.x-1.4 for Drupal (CVE-2015-3387)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq taxonomy_form_term" \
"chain,t:none,t:lowercase"
SecRule ARGS:name "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
# Rule 231920 - Webform Invitation module XSS (CVE-2014-9498).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. form_id (any argument source) equals webform_node_form.
#   3. title contains "<" after HTML-entity decoding followed by URL decoding.
# Rule 231630 earlier in this file tests the same form_id and title on
# ARGS_POST, so POST submissions are normally denied there first.
SecRule TX:drupal "@eq 1" \
"id:231920,chain,msg:'COMODO WAF: XSS vulnerability in the Webform Invitation module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.4 for Drupal (CVE-2014-9498)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq webform_node_form" \
"chain,t:none,t:lowercase"
SecRule ARGS:title "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
# Rule 231930 - Panopoly Magic module XSS (CVE-2015-2086).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. POST form_id equals panels_flexible_config_item_form (lowercased).
#   3. POST title contains "<" after URL and HTML-entity decoding.
SecRule TX:drupal "@eq 1" \
"id:231930,chain,msg:'COMODO WAF: XSS vulnerability in the Panopoly Magic module before 7.x-1.17 for Drupal (CVE-2015-2086)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq panels_flexible_config_item_form" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231940 - Rules Link module XSS (CVE-2014-9740).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. POST form_id equals rules_link_form (lowercased).
#   3. POST question or description contains "<" after URL and HTML-entity
#      decoding.
SecRule TX:drupal "@eq 1" \
"id:231940,chain,msg:'COMODO WAF: XSS vulnerability in the Rules Link module 7.x-1.x before 7.x-1.1 for Drupal (CVE-2014-9740)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq rules_link_form" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:question|ARGS_POST:description "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231950 - Meta tags quick module XSS (CVE-2014-9362).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. POST form_id equals metatags_quick_admin_path_based_edit (lowercased).
#   3. POST path contains "<" after URL and HTML-entity decoding.
SecRule TX:drupal "@eq 1" \
"id:231950,chain,msg:'COMODO WAF: XSS vulnerability in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal (CVE-2014-9362)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq metatags_quick_admin_path_based_edit" \
"chain,t:none,t:lowercase"
SecRule ARGS_POST:path "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 243140 - Boxes module XSS (CVE-2013-0259).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. form_id equals boxes_box_form (lowercased).
#   3. op equals save (lowercased), i.e. only the save submission is checked.
#   4. title contains "<" after HTML-entity decoding followed by URL decoding.
SecRule TX:drupal "@eq 1" \
"id:243140,chain,msg:'COMODO WAF: XSS vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal (CVE-2013-0259)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq boxes_box_form" \
"chain,t:none,t:lowercase"
SecRule ARGS:op "@streq save" \
"chain,t:none,t:lowercase"
SecRule ARGS:title "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
# Rule 231960 - Anonymous Posting module XSS (CVE-2014-1611).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. Any POST parameter whose name starts with field_anonymous_author
#      contains "<" after URL and HTML-entity decoding.
#   3. q or REQUEST_FILENAME matches node/add or node/<digits>/edit after
#      URL decoding and path normalisation (no lowercasing on this link).
# NOTE(review): the module name suggests anonymous submitters, yet the chain
# only runs when tx.drupal == 1 - confirm the gate does not exclude the
# traffic this rule is meant to cover.
SecRule TX:drupal "@eq 1" \
"id:231960,chain,msg:'COMODO WAF: XSS vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal (CVE-2014-1611)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:/^field_anonymous_author/ "@contains <" \
"chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/add|node\/\d+\/edit" \
"t:none,t:urlDecodeUni,t:normalizePath"
# Rule 231970 - Marketo MA module XSS (CVE-2014-8379).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. POST form_id contains one of four phrases: webform_component_edit_form,
#      field_ui_field_edit_form, webform_components_form or
#      field_ui_field_overview_form.
#   3. POST name, instance[label], add[name] or fields[_add_new_field][label]
#      contains "<" after URL and HTML-entity decoding.
# None of the form ids names the Marketo module, so the rule applies to these
# forms on any site; expect blocks wherever labels legitimately contain "<".
SecRule TX:drupal "@eq 1" \
"id:231970,chain,msg:'COMODO WAF: XSS vulnerability in the Marketo MA module before 7.x-1.5 for Drupal (CVE-2014-8379)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@pm webform_component_edit_form field_ui_field_edit_form webform_components_form field_ui_field_overview_form" \
"chain,t:none"
SecRule ARGS_POST:name|ARGS_POST:instance[label]|ARGS_POST:add[name]|ARGS_POST:fields[_add_new_field][label] "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231980 - Ubercart Discount Coupons module XSS (CVE-2015-4358).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. form_id contains taxonomy_form_vocabulary, user_admin_role or
#      user_admin_new_role (@pm: any phrase, substring match).
#   3. name contains "<" after HTML-entity decoding followed by URL decoding.
# NOTE(review): the matched form ids refer to vocabulary and role forms, not
# to a coupon form; the rule presumably blocks the stored value at its point
# of entry - verify against the advisory that these are the right forms.
SecRule TX:drupal "@eq 1" \
"id:231980,chain,msg:'COMODO WAF: XSS vulnerability in the User Ubercart Discount Coupons module 6.x-1.x before 6.x-1.8 for Drupal (CVE-2015-4358)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@pm taxonomy_form_vocabulary user_admin_role user_admin_new_role" \
"chain,t:none,t:lowercase"
SecRule ARGS:name "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
# Rule 232770 - Maestro module XSS (CVE-2014-8743).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. form_id contains content1_node_form, user_admin_roles or
#      user_admin_role (@pm phrase match after URL decoding).
#   3. name or title contains "<" after URL and HTML-entity decoding.
# user_admin_role is a substring of user_admin_roles, so the second phrase is
# already covered by the third under @pm's substring matching.
SecRule TX:drupal "@eq 1" \
"id:232770,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.4 for Drupal (CVE-2014-8743)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@pm content1_node_form user_admin_roles user_admin_role" \
"chain,t:none,t:urlDecodeUni"
SecRule ARGS:name|ARGS:title "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 232780 - Poll Chart Block module XSS (CVE-2014-9501).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. form_id equals poll_node_form after URL decoding and lowercasing.
#   3. title contains "<" after URL decoding.
# NOTE(review): link 3 omits t:htmlEntityDecode, which most sibling XSS rules
# in this file apply to the inspected value - confirm the omission is
# deliberate.
SecRule TX:drupal "@eq 1" \
"id:232780,chain,msg:'COMODO WAF: XSS vulnerability in the Poll Chart Block module 7.x-1.x before 7.x-1.2 for Drupal (CVE-2014-9501)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@streq poll_node_form" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:title "@contains <" \
"t:none,t:urlDecodeUni"
# Rule 232790 - User Relationships module XSS (CVE-2013-0225).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. form_id contains user_relationships_admin_type_edit (lowercased,
#      substring match).
#   3. name contains "<" after HTML-entity decoding followed by URL decoding.
SecRule TX:drupal "@eq 1" \
"id:232790,chain,msg:'COMODO WAF: XSS vulnerability in the User Relationships module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-alpha5 for Drupal (CVE-2013-0225)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@contains user_relationships_admin_type_edit" \
"chain,t:none,t:lowercase"
SecRule ARGS:name "@contains <" \
"t:none,t:htmlEntityDecode,t:urlDecodeUni"
# Rule 232800 - Linear Case module XSS (CVE-2015-4380).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. form_id contains book_node_form after URL decoding and lowercasing.
#   3. title contains "<" after URL decoding.
# NOTE(review): link 3 omits t:htmlEntityDecode, which most sibling XSS rules
# in this file apply; the form id names the book node form rather than the
# Linear Case module, so the rule applies to every such form submission.
SecRule TX:drupal "@eq 1" \
"id:232800,chain,msg:'COMODO WAF: XSS vulnerability in the Linear Case module 6.x-1.x before 6.x-1.3 for Drupal (CVE-2015-4380)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:form_id "@contains book_node_form" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:title "@contains <" \
"t:none,t:urlDecodeUni"
# Rules 231300-231302 - Petition module XSS (CVE-2015-4377).
# 231300 is a guard, not a detection: when tx.drupal is present but not 1 it
# passes silently and skips the next two rules (skip:2; a chain counts as one
# rule). 231301 and 231302 do not test tx.drupal themselves, so this guard is
# the only thing tying them to it.
# skip:2 is positional: inserting, removing or reordering a rule between
# 231300 and the marker changes what is skipped. Keep the three together.
#   231301: POST form_id equals petition_node_form and title,
#           menu[link_title], body, appeal or thank_you_page contains "<".
#   231302: POST form_id equals petition_signup_form_data and comment
#           contains "<".
# Both inspect values after URL and HTML-entity decoding and deny with 403.
# body and comment are free-text fields; where markup is legitimately allowed
# there, these rules will reject it.
# Drupal_Skip_URF_231000 is the skipAfter target of rule 233030 at the top of
# the file, which jumps here when tx.drupal is not set at all.
SecRule TX:drupal "!@eq 1" \
"id:231300,phase:2,pass,nolog,t:none,skip:2,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq petition_node_form" \
"id:231301,chain,msg:'COMODO WAF: XSS vulnerability in the Petition module 6.x-1.x before 6.x-1.3 for Drupal (CVE-2015-4377)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:title|ARGS_POST:menu[link_title]|ARGS_POST:body|ARGS_POST:appeal|ARGS_POST:thank_you_page "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule ARGS_POST:form_id "@streq petition_signup_form_data" \
"id:231302,chain,msg:'COMODO WAF: XSS vulnerability in the Petition module 6.x-1.x before 6.x-1.3 for Drupal (CVE-2015-4377)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:comment "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecMarker Drupal_Skip_URF_231000
# Rule 231890 - Spider Contacts module XSS (CVE-2015-4348).
# Placed after the Drupal_Skip_URF_231000 marker, so it is evaluated whether
# or not tx.drupal is set. It is still inside the region that rule 232390 at
# the top of the file skips when TX:XSS_SQLi is not set.
# Chain (both links must match, then deny/403):
#   1. POST form_id equals spider_contacts_category_edit (lowercased).
#   2. POST category_name or category_description contains "<" after URL and
#      HTML-entity decoding.
# IGNORE_SFS_SIG_XSS_SQLi_Drupal is the skipAfter target of rule 232390.
SecRule ARGS_POST:form_id "@streq spider_contacts_category_edit" \
"id:231890,chain,msg:'COMODO WAF: XSS vulnerability in the Spider Contacts module for Drupal (CVE-2015-4348)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:category_name|ARGS_POST:category_description "@contains <" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecMarker IGNORE_SFS_SIG_XSS_SQLi_Drupal
# Rule 233040 - flow control only. When no tx.drupal variable exists (count
# is 0) the rule passes without logging and jumps to the marker
# Drupal_Skip_URF_221270, so none of the rules up to that marker are
# evaluated for such requests. The msg is never emitted because of nolog.
SecRule &TX:drupal "@eq 0" \
"id:233040,msg:'COMODO WAF: Track unauthenticated request in Drupal||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'Drupal_Skip_URF_221270',rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
# Rule 221270 - MediaFront module XSS (CVE-2013-4380).
# Chain (all links must match, then deny):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. REQUEST_URI contains mediafront/preset/admin after URL decoding and
#      lowercasing.
#   3. POST player_settings[presentation][height] or [width] contains any
#      non-digit character (\D). This is input validation by allow-list: the
#      two fields are expected to be purely numeric.
# NOTE(review): the action list has deny without status:403, unlike most
# rules in this file; the response status then comes from the inherited
# default action - confirm it is the intended one.
SecRule TX:drupal "@eq 1" \
"id:221270,chain,msg:'COMODO WAF: XSS vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal (CVE-2013-4380)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_URI "@contains mediafront/preset/admin" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS_POST:player_settings[presentation][height]|ARGS_POST:player_settings[presentation][width] "@rx \D" \
"t:none"
# Rule 221280 - Flag module RCE (CVE-2014-3453).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. POST form_id equals flag_import_form (URL-decoded, lowercased).
#   3. q or REQUEST_FILENAME contains flags/import after URL decoding, path
#      normalisation and lowercasing.
#   4. POST import matches a regex for an identifier, optionally prefixed by
#      "$", followed by "[" or "(" and up to 399 further characters. Negative
#      lookaheads exclude matches that start with "array" or "flags[".
# The value is lowercased before matching, so the A-Z ranges in the regex are
# redundant but harmless.
# This is a heuristic over the import text, not a parser; treat it as a
# stop-gap until the module is upgraded.
SecRule TX:drupal "@eq 1" \
"id:221280,chain,msg:'COMODO WAF: RCE vulnerability in the Flag module 7.x-3.0, 7.x-3.5 and earlier for Drupal (CVE-2014-3453)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_POST:form_id "@streq flag_import_form" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:q|REQUEST_FILENAME "@contains flags/import" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule ARGS_POST:import "@rx \b(?:(?!array)(?!flags\[))(\$)*([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\s*(\[.{0,399}|\(.{0,399}))" \
"t:none,t:urlDecodeUni,t:lowercase"
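# Rule 231130 - Content Construction Kit open redirect (CVE-2015-5510).
# Chain (all links must match, then deny/403):
#   1. At least one tx.drupal variable exists (the & prefix counts them).
#   2. q or REQUEST_FILENAME contains /content/node-type/. The path is
#      URL-decoded first and only then normalised and lowercased:
#      transformations run in the order listed, so decoding must come before
#      normalizePath for encoded path segments to be normalised as well.
#   3. Any parameter named destinations[<digits>]... contains "//" after URL
#      decoding, i.e. the value carries a scheme-relative or absolute URL.
# NOTE(review): link 1 tests for presence (@ge 1) where sibling rules test
# TX:drupal "@eq 1". Rule 233040 already skips this region when the variable
# is absent, so the link is always true here and, unlike @eq 1, also passes
# when tx.drupal holds a value other than 1 - confirm which is intended.
SecRule &TX:drupal "@ge 1" \
"id:231130,chain,msg:'COMODO WAF: Open redirect vulnerability in the Content Construction Kit 6.x-2.9 for Drupal (CVE-2015-5510)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q|REQUEST_FILENAME "@contains /content/node-type/" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS:/^destinations\[\d+\]/ "@contains //" \
"t:none,t:urlDecodeUni"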
# Rule 231460 - Node basket module open redirect (CVE-2015-3383).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. q or REQUEST_FILENAME matches node/<digits>/pick-up or
#      node/<digits>/throw-out after decoding, normalisation and lowercasing.
#   3. GET destination does NOT match node\/\d+$ (negated operator): any
#      destination that does not end in node/<digits> is refused.
# The allow-list regex is anchored at the end only, so it constrains how the
# value ends, not how it begins. NOTE(review): consider anchoring the start
# as well if only site-relative node paths are legitimate.
# If destination is absent the last link has no target and the chain does not
# fire.
SecRule TX:drupal "@eq 1" \
"id:231460,chain,msg:'COMODO WAF: Open redirect vulnerability in the Node basket module for Drupal (CVE-2015-3383)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node\/\d+\/(?:pick-up|throw-out)" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:destination "!@rx node\/\d+$" \
"t:none,t:urlDecodeUni,t:lowercase"
# Rule 210430 - Node Invite module open redirect (CVE-2015-3371).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. q or REQUEST_FILENAME matches node_invite/(revoke|resend|rsvp)/<digit>
#      after decoding, normalisation and lowercasing.
#   3. GET destination does NOT contain either allow-listed phrase
#      (negated @pm): admin/settings/node_invite/manage or
#      node/4/manage_invites.
# @pm is a substring match, so the allow-list accepts any destination that
# merely contains one of the phrases. NOTE(review): an exact or anchored
# comparison would be stricter.
# NOTE(review): node/4 is a fixed node id, presumably taken from the rule
# author's test site; on other sites the legitimate manage_invites path will
# carry a different id and be blocked.
# If destination is absent the last link has no target and the chain does not
# fire.
SecRule TX:drupal "@eq 1" \
"id:210430,chain,msg:'COMODO WAF: Open redirect vulnerability in the Node Invite module before 6.x-2.5 for Drupal (CVE-2015-3371)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx node_invite\/(?:revoke|resend|rsvp)\/\d" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:destination "!@pm admin/settings/node_invite/manage node/4/manage_invites" \
"t:none,t:urlDecodeUni,t:normalizePath"
# Rule 231670 - Avatar Uploader directory traversal (CVE-2014-9155).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. REQUEST_URI or q contains au/view (lowercased only).
#   3. GET file contains ".." after URL and HTML-entity decoding.
# NOTE(review): link 2 applies no URL decoding or path normalisation, unlike
# the path checks in neighbouring rules - confirm that is intended.
SecRule TX:drupal "@eq 1" \
"id:231670,chain,msg:'COMODO WAF: Directory traversal vulnerability in the Avatar Uploader module before 7.x-1.0-beta6 for Drupal (CVE-2014-9155)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQUEST_URI|ARGS:q "@contains au/view" \
"chain,t:none,t:lowercase"
SecRule ARGS_GET:file "@contains .." \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
# Rule 231700 - Perfecto module open redirect.
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. q or REQUEST_FILENAME contains admin/settings/perfecto/delete after
#      decoding, normalisation and lowercasing.
#   3. GET destination is NOT exactly admin/settings/perfecto (negated
#      @streq) after decoding, normalisation and lowercasing. Exactly one
#      destination value is accepted.
# If destination is absent the last link has no target and the chain does not
# fire.
# NOTE(review): the msg cites CVE-2015-3371, the same id that rule 210430
# cites for the Node Invite module - verify which module the id belongs to
# before relying on it for alert triage.
SecRule TX:drupal "@eq 1" \
"id:231700,chain,msg:'COMODO WAF: Open redirect vulnerability in the Perfecto module before 7.x-1.2 for Drupal (CVE-2015-3371)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:q|REQUEST_FILENAME "@contains admin/settings/perfecto/delete" \
"chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRule ARGS_GET:destination "!@streq admin/settings/perfecto" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
# Rule 231760 - Spider Video Player arbitrary file delete (CVE-2015-4351).
# Chain (all links must match, then deny/403):
#   1. tx.drupal == 1 (set outside this excerpt).
#   2. GET tag_id, playlist_id or video_id contains a non-digit character
#      (\D, evaluated on the raw value because only t:none is set). The ids
#      are expected to be purely numeric.
#   3. q or REQUEST_FILENAME ends with
#      admin/settings/spider_video_player/(tags|videos|playlists)/delete
#      after decoding, normalisation and lowercasing.
# Drupal_Skip_URF_221270 is the skipAfter target of rule 233040: requests
# without a tx.drupal variable resume evaluation here.
SecRule TX:drupal "@eq 1" \
"id:231760,chain,msg:'COMODO WAF: Arbitrary files delete vulnerability in the Spider Video Player module for Drupal (CVE-2015-4351)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_GET:tag_id|ARGS_GET:playlist_id|ARGS_GET:video_id "@rx \D" \
"chain,t:none"
SecRule ARGS_GET:q|REQUEST_FILENAME "@rx admin\/settings\/spider_video_player\/(?:tags|videos|playlists)\/delete$" \
"t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecMarker Drupal_Skip_URF_221270
# Rule 231990 - Drupal core RCE (CVE-2018-7600, CVE-2018-7602).
# Not gated on tx.drupal: it sits after the skip markers and applies to every
# request.
# Chain (all links must match, then deny):
#   1. Any argument value, cookie value or the raw request body contains the
#      phrase "exec" or "passthru" (@pm substring match).
#   2. Any argument name, cookie name or the raw request body matches a regex
#      for "#" at the start of the value (optionally after "[" and a quote)
#      or directly after "[" and an optional quote.
#   3. REQUEST_FILENAME ends with index.php or "/".
# The first link keys on two literal phrases only, so this rule narrows
# exposure but is not a complete mitigation; upgrading core to a fixed
# release listed in the msg is the remediation.
# Because @pm is a substring match over whole values and the body, ordinary
# text containing "exec" satisfies link 1; links 2 and 3 keep that from
# blocking on its own.
# NOTE(review): deny has no status:403 here, unlike most rules in this file;
# the response status comes from the inherited default action.
SecRule ARGS|REQUEST_COOKIES|REQUEST_BODY "@pm exec passthru" \
"id:231990,chain,msg:'COMODO WAF: RCE vulnerability in Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 (CVE-2018-7600, CVE-2018-7602)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES|REQUEST_BODY "@rx ^(?:\[?[\'\x22]?)?#|(?:\[)(?:[\'\x22]?)?#" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@rx index\.php$|\/$" \
"t:none,t:urlDecodeUni,t:lowercase"
# Rule 241860 - Drupal 6 core open redirect (CVE-2016-3167).
# Runs in phase 3 (response headers), so the application has already
# processed the request by the time this rule can deny; it stops the
# response from reaching the client, not the server-side handling.
# Chain (both links must match, then deny/403):
#   1. destination or edit[destination] contains "//" after URL decoding.
#   2. A Set-Cookie response header, lowercased, starts with "sess" followed
#      by 32 hex characters, "=", 26 characters from [0-9a-z] and ";".
# NOTE(review): link 2 hard-codes the cookie name and value lengths; a site
# whose session cookie differs in shape will not match - confirm against the
# deployed configuration.
SecRule ARGS:destination|ARGS:edit[destination] "@contains //" \
"id:241860,chain,msg:'COMODO WAF: Open redirect vulnerability in Drupal 6.x before 6.38 (CVE-2016-3167)||%{tx.domain}|%{tx.mode}|2',phase:3,deny,status:403,log,t:none,t:urlDecodeUni,rev:5,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule RESPONSE_HEADERS:Set-Cookie "@rx ^sess[0-9a-f]{32}\=[0-9a-z]{26}\;" \
"t:none,t:lowercase"
# Rule 232380 - Drupal 8 core arbitrary code execution (CVE-2019-6340).
# Chain (all links must match, then deny/403):
#   1. GET _format equals hal_json (URL-decoded, lowercased).
#   2. No tx.drupal variable exists (count is 0), i.e. the request was not
#      marked by whatever sets tx.drupal outside this excerpt.
#   3. REQUEST_FILENAME ends with /node/<digits> after decoding,
#      normalisation and lowercasing.
#   4. REQUEST_METHOD, lowercased, is get, head, options or trace.
# The path link covers /node/<id> only. NOTE(review): if the site exposes
# other resources in this format, check whether they need equivalent
# coverage; upgrading core to a fixed release is the remediation.
SecRule ARGS_GET:_format "@streq hal_json" \
"id:232380,chain,msg:'COMODO WAF: Arbitrary code execution vulnerability in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 (CVE-2019-6340)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &TX:drupal "@eq 0" \
"chain,t:none"
SecRule REQUEST_FILENAME "@rx \/node\/\d+$" \
"chain,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"
SecRule REQUEST_METHOD "@rx ^(?:get|head|options|trace)$" \
"t:none,t:lowercase"
# Rule 232980 - Drupal core RCE (CVE-2018-7600, CVE-2018-7602), variant for
# the user registration form.
# Chain (all five links must match, then deny/403):
#   1. _wrapper_format equals drupal_ajax (URL-decoded, lowercased).
#   2. At least one ajax_form parameter is present.
#   3. Any argument value contains "exec" or "passthru" (@pm substring).
#   4. REQUEST_FILENAME contains user/register (URL-decoded, lowercased).
#   5. Any argument value matches /<letters>/#value after URL decoding and
#      lowercasing.
# Every link narrows the match, so the rule is specific to one request
# shape; it complements rule 231990 rather than replacing it, and neither
# replaces upgrading core to a fixed release.
SecRule ARGS:_wrapper_format "@streq drupal_ajax" \
"id:232980,chain,msg:'COMODO WAF: RCE vulnerability in Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 (CVE-2018-7600, CVE-2018-7602)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule &ARGS:ajax_form "@ge 1" \
"chain,t:none"
SecRule ARGS "@pm exec passthru" \
"chain,t:none"
SecRule REQUEST_FILENAME "@contains user/register" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS "@rx \/[a-z]+\/#value" \
"t:none,t:urlDecodeUni,t:lowercase"
# Rule 232981 - Drupal core (CVE-2018-7600, CVE-2018-7602), file/ajax path.
# Chain (all links must match, then deny/403):
#   1. At least one POST form_build_id parameter is present.
#   2. q starts with file/ajax/name/#value/ after URL decoding and
#      lowercasing.
#   3. REQUEST_FILENAME ends with index.php or "/".
# Unlike rules 231990 and 232980 this chain does not look for a function
# name; it refuses the request shape itself.
# NOTE(review): the msg calls this a "data leakage vulnerability" while
# citing the same CVE ids that the sibling rules label RCE - confirm the
# wording so that alert severity is triaged consistently.
SecRule &ARGS_POST:form_build_id "@ge 1" \
"id:232981,chain,msg:'COMODO WAF: data leakage vulnerability in Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 (CVE-2018-7600, CVE-2018-7602)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule ARGS:q "@rx ^file\/ajax\/name\/#value\/" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@rx index\.php$|\/$" \
"t:none,t:urlDecodeUni,t:lowercase"