Update: [Sun Dec 29 23:20:18 UTC 2024]

waf_patterns/apache/php.conf

@@ -11,10 +11,10 @@ SecRule REQUEST_URI "@pmFromFile php-variables.data" "id:1000,phase:1,deny,statu
 SecRule REQUEST_URI "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@pmFromFile php-function-names-933150.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "@rx (?i)b(?[" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "@rx [oOcC]:d+:" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "@rx (?i)b(?["']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:*.**/|/.*)|#.*[sv]|")*["']*)?[sv]*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "@rx [oOcC]:d+:".+?":d+:{.*}" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@rx $+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "@rx (?:((?:.+)(?:[" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+));" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@pmFromFile php-function-names-933151.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
@@ -25,7 +25,7 @@ SecRule REQUEST_URI "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAG
 SecRule REQUEST_URI "@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sv]|/*.**/|(?:#|//).*)*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@rx .*.(?:phpd*|phtml)..*$" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@pm ?>" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "@rx (?:((?:.+)(?:[" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+))(?:;|$)?" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
 SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"