File: //usr/local/cwaf/rules/16_Outgoing_FilterPHP.conf
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------
# Rule 214420 - PHP warning text leaking into a response (phase 4, outbound).
# Matches a body containing "<b>Warning</b>", then ":" within 100 characters,
# then the words "on line" within a further 1000 characters.
# On a match the rule:
#   - applies "block", i.e. the disruptive action configured via SecDefaultAction;
#   - adds tx.points_limit3 to both tx.outgoing_points and tx.points
#     (presumably consumed by a scoring rule that is not in this file - confirm);
#   - adds part E (response body) to the audit log for this transaction.
# Operational notes:
#   - RESPONSE_BODY is only populated when response body inspection is enabled
#     (SecResponseBodyAccess) and the response MIME type is in the inspected list
#     (SecResponseBodyMimeType); content beyond SecResponseBodyLimit is not seen.
#   - logdata writes %{MATCHED_VAR}, which here is the inspected response body,
#     so the logs can hold the very data this rule flags. Restrict access to them.
SecRule RESPONSE_BODY "<b>Warning</b>.{0,100}?:.{0,1000}?\bon line\b" \
    "id:214420,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'COMODO WAF: PHP Information Leakage||%{tx.domain}|%{tx.mode}|3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'CWAF',\
    tag:'FilterPHP',\
    ctl:auditLogParts=+E,\
    rev:1,\
    severity:3,\
    setvar:'tx.outgoing_points=+%{tx.points_limit3}',\
    setvar:'tx.points=+%{tx.points_limit3}'"
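# Rule 214620 - PHP source code leaking into a response (phase 4, outbound).
# Matches a response body containing one of a fixed list of PHP function names
# (call_user_func, fopen, fread, fwrite, move_uploaded_file, readfile, scandir,
# session_start, proc_open, ...) or one of the superglobals $_SESSION, $_GET, $_POST.
#
# Fix: the superglobal branch was written in lower case while the rule runs with
# t:none and a case-sensitive pattern. PHP superglobal names are upper case and
# variable names are case-sensitive, so "$_GET", "$_POST" and "$_SESSION" in leaked
# source never matched. The branch is now wrapped in (?i:...), which still matches
# everything the old pattern matched. The function-name branch is unchanged.
#
# On a match the rule applies "block" (the disruptive action from SecDefaultAction),
# adds tx.points_limit3 to tx.outgoing_points and tx.points, and adds part E
# (response body) to the audit log.
# Operational notes:
#   - The pattern matches bare function names anywhere in the body, so pages that
#     legitimately display PHP code (documentation, forums, paste sites) also match.
#     Tune or exclude per site rather than disabling outbound inspection globally.
#   - RESPONSE_BODY requires response body inspection to be enabled
#     (SecResponseBodyAccess / SecResponseBodyMimeType).
#   - logdata writes %{MATCHED_VAR} (the inspected response body) to the logs;
#     treat those logs as sensitive.
SecRule RESPONSE_BODY "(?:\b(?:call_user_func|f(?:get(?:c|s{0,1}s)|open|read|scanf|tp_(?:nb_){0,1}f{0,1}(?:ge|pu)t|write)|gz(?:compress|open|read|(?:encod|writ)e)|move_uploaded_file|read(?:dir|(?:gz){0,1}file)|s(?:candir|ession_start)|(?:bz|proc_)open)|\$_(?i:session|(?:ge|pos)t))\b" \
    "id:214620,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'COMODO WAF: PHP source code leakage||%{tx.domain}|%{tx.mode}|3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'CWAF',\
    tag:'FilterPHP',\
    ctl:auditLogParts=+E,\
    rev:1,\
    severity:3,\
    setvar:'tx.outgoing_points=+%{tx.points_limit3}',\
    setvar:'tx.points=+%{tx.points_limit3}'"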
# Rule 214630 - PHP open tag in a response (phase 4, outbound), two-rule chain.
#   1. Chain starter: the body contains "<?" that is not immediately followed
#      by "xml" (so an XML declaration written in lower case is skipped).
#   2. Chained rule (negated): the body contains NONE of the listed tokens
#      (gif, cws, flv, fws, id3, ihdr, interplay, movi, mthd, rar!, riff, varg,
#      exif, jfif, B%pdf, B.ra). These look like media/archive/PDF format markers
#      used to skip binary content - confirm intent.
# The score increment sits on the chained rule, so tx.points_limit3 is added to
# tx.outgoing_points and tx.points only when both conditions hold. The starter's
# "block" then applies the disruptive action from SecDefaultAction.
# NOTE(review): the exclusion tokens are lower case and both rules use t:none with
# a case-sensitive pattern. If they are meant to recognise upper-case format
# markers, those will not match and binary responses containing "<?" would still
# be flagged - verify against real traffic before changing.
# NOTE(review): conversely, any response that contains one of these tokens
# anywhere in the body is exempt from this rule.
# RESPONSE_BODY requires response body inspection to be enabled; logdata writes
# %{MATCHED_VAR} (the inspected body) to the logs, so treat them as sensitive.
SecRule RESPONSE_BODY "<\?(?!xml)" \
    "id:214630,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'COMODO WAF: PHP source code leakage||%{tx.domain}|%{tx.mode}|3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'CWAF',\
    tag:'FilterPHP',\
    ctl:auditLogParts=+E,\
    rev:1,\
    severity:3,\
    chain"
    SecRule RESPONSE_BODY "!(?:\b(?:gif|(?:cws|f(?:lv|ws)|i(?:d3|hdr|nterplay)|m(?:ovi|thd)|r(?:ar\!|iff)|varg|(?:ex|jf)if)\b)|B(?:%pdf|\.ra)\b)" \
        "capture,\
        t:none,\
        setvar:'tx.outgoing_points=+%{tx.points_limit3}',\
        setvar:'tx.points=+%{tx.points_limit3}'"
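# Rule 217800 - PHP information leakage, phrase-list match (phase 4, outbound).
# Matches when the response body contains any phrase from the file bl_output_php
# (loaded with @pmf; its contents are not visible in this file).
#
# Fix: the rule was declared with phase:2. Phase 2 runs after the request body is
# read and before any response exists, so RESPONSE_BODY was always empty there and
# the rule could never match. It now runs in phase 4, where the response body is
# available, in line with the other rules in this file.
# NOTE(review): this turns a previously inert rule into a live one. Review
# bl_output_php for phrases that occur in legitimate pages and run in
# detection-only mode first if the site has not been baselined.
#
# On a match the rule applies "block" (the disruptive action from SecDefaultAction),
# adds tx.points_limit3 to tx.outgoing_points and tx.points, and adds part E
# (response body) to the audit log.
# RESPONSE_BODY requires response body inspection to be enabled
# (SecResponseBodyAccess / SecResponseBodyMimeType). logdata writes %{MATCHED_VAR}
# (the inspected body) to the logs, so treat them as sensitive.
SecRule RESPONSE_BODY "@pmf bl_output_php" \
    "id:217800,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'COMODO WAF: PHP Information Leakage||%{tx.domain}|%{tx.mode}|3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'CWAF',\
    tag:'FilterPHP',\
    ctl:auditLogParts=+E,\
    rev:1,\
    severity:3,\
    setvar:'tx.outgoing_points=+%{tx.points_limit3}',\
    setvar:'tx.points=+%{tx.points_limit3}'"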