Fixed files overwriting in installer; added OWASP CRS.

2025-10-01 03:57:47 +03:00 · 2013-02-05 16:36:29 -08:00
parent 635a573894
commit c1ba71ab16
134 changed files with 33445 additions and 0 deletions
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_joomla.data
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_joomla.data
@@ -0,0 +1,45 @@
+/acomponents/com_mamboleto/mamboleto.php
+/admin.rssreader.php
+/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php
+/administrator/components/com_jwmmxtd/admin.jwmmxtd.php
+/administrator/components/com_sqlreport/ajax/print.php
+/administrator/components/com_universal/includes/config/config.html.php
+/administrator/components/com_xcloner-backupandrestore/cloner.cron.php
+/administrator/components/com_xcloner-backupandrestore/index2.php
+/com_koesubmit/koesubmit.php
+/com_ongumatimesheet20/lib/onguma.class.php
+/com_rwcards/rwcards.advancedate.php
+/com_swmenupro/ImageManager/Classes/ImageManager.php
+/com_xmovie/helpers/img.php
+/components/com_ajaxchat/tests/ajcuser.php
+/components/com_banners/banners.class.php
+/components/com_ezine/class/php/d4m_ajax_pagenav.php
+/components/com_intuit/models/intuit.php
+/components/com_jcalpro/cal_popup.php
+/components/com_mediaslide/viewer.php
+/components/com_mgm/help.mgm.php
+/components/com_mojo/wp-comments-post.php
+/components/com_mojo/wp-trackback.php
+/components/com_moofaq/includes/file_includer.php
+/components/com_morfeoshow/morfeoshow.html.php
+/components/com_smartformer/smartformer.php
+/components/com_xgallery/helpers/img.php
+/config.dadamail.php
+/database/table/user.php
+/example.php
+/gmail.php
+/index.php
+/letterman.class.php
+/models/category.php
+/modules/mod_mainmenu/menu.php
+/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php
+/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php
+/plugins/authentication/ldap.php
+/plugins/search/categories.php
+/plugins/search/contacts.php
+/plugins/search/content.php
+/plugins/search/sections.php
+/plugins/search/weblinks.php
+/plugins/user/example.php
+/real_estate/index.php
+admin.ponygallery.html.php
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_lfi.data
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_lfi.data
@@ -0,0 +1,162 @@
+/123flashchat.php
+/ADM_Pagina.php
+/ST_browsers.php
+/ST_countries.php
+/ST_platforms.php
+/_conf/core/common-tpl-vars.php
+/_footer.php
+/_functions.php
+/acopia/manager/DiagCaptureFileListActionBody.do
+/acopia/manager/DiagLogListActionBody.do
+/acopia/sat/ViewInventoryErrorReport.do
+/acopia/sat/ViewSatReport.do
+/active_auctions.php
+/addedit-render.php
+/admin/admin_groups_reapir.php
+/admin/admin_smilies.php
+/admin/admin_words.php
+/admin/loadplugin.php
+/admin/thumbnailformpost.inc.php
+/admin/upgrade_unattended.php
+/administrator/components/com_xcloner-backupandrestore/cloner.cron.php
+/api/download_launch.php
+/arch.php
+/artmedic_print.php
+/authenticate/sessions.php
+/baconmap/admin/updatelist.php
+/bin/qte_init.php
+/block_center_down.php
+/block_center_top.php
+/block_left.php
+/block_right.php
+/body_default.php
+/books/getConfig.php
+/centre.php
+/chat/dac.php
+/classes/BxDolGzip.php
+/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php
+/classes/flash_mp3_player/extras/external_feeds/getfeed.php
+/cms_detect.php
+/com_xmovie/helpers/img.php
+/components/com_intuit/models/intuit.php
+/components/com_mediaslide/viewer.php
+/components/com_moofaq/includes/file_includer.php
+/components/com_xgallery/helpers/img.php
+/config.dadamail.php
+/config.php
+/container.php
+/content/dynpage_load.php
+/cron.php
+/cuenta/cuerpo.php
+/cultbooking.php
+/debugger/debug_php.php
+/detail.php
+/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php
+/dm-albums/template/album.php
+/doku.php
+/download.php
+/examples/tbs_us_examples_0view.php
+/export.php
+/footer.inc.php
+/forum.php
+/gradebook/open_document.php
+/header.inc.php
+/header.php
+/include/global.php
+/include/timesheet.php
+/include/unverified.inc.php
+/includes/esqueletos/skel_null.php
+/includes/function_core.php
+/includes/header.php
+/includes/initsystem.php
+/includes/startmodules.inc.php
+/index.php
+/index_inc.php
+/infusions/last_seen_users_panel/last_seen_users_panel.php
+/init.php
+/latestposts.php
+/lib/function.php
+/lib/lcUser.php
+/library/setup/rpc.php
+/locales.php
+/locms/smarty.php
+/login.tpl.php
+/main.inc.php
+/maincore.php
+/message_class.php
+/mini.php
+/mods/ckeditor/filemanager/connectors/php/connector.php
+/module.php
+/modules/3rdparty/adminpart/add3rdparty.php
+/modules/articles/adminpart/addarticles.php
+/modules/brandnews/adminpart/addbrandnews.php
+/modules/comments.php
+/modules/contact/adminpart/addcontact.php
+/modules/core/security/init.php
+/modules/game/adminpart/addgame.php
+/modules/login.php
+/modules/maticmarket/bleu/blanc/bas.php
+/modules/maticmarket/bleu/blanc/haut.php
+/modules/maticmarket/bleu/default/bas.php
+/modules/maticmarket/bleu/default/haut.php
+/modules/maticmarket/bleu/gold/bas.php
+/modules/maticmarket/bleu/gold/haut.php
+/modules/maticmarket/deco/blanc/bas.php
+/modules/maticmarket/deco/blanc/haut.php
+/modules/newsletter/adminpart/addnewsletter.php
+/modules/plain/adminpart/addplain.php
+/modules/polling/adminpart/addpolling.php
+/modules/product/adminpart/addproduct.php
+/modules/profile/user.php
+/modules/tour/adminpart/addtour.php
+/news/search.php3
+/news_show.php
+/oldnews_reader.php
+/op/op.Login.php
+/passwiki.php
+/pcltar.lib.php
+/plog-includes/lib/phpthumb/phpThumb.php
+/plugin/gateway/gnokii/init.php
+/plugin/themes/default/init.php
+/plugins/PluginController.php
+/plugins/filemanager/get_file.php
+/plugins/templateie/lib/templateie_install.class.php
+/pmscript.php
+/portfolio/css.php
+/preview.php
+/qlib/smarty.inc.php
+/qte_web.php
+/resource_categories_view.php
+/scr/soustab.php
+/section.php
+/server_request.php
+/show_joined.php
+/sitemap.xml.php
+/snippet.reflect.php
+/spaw_control.class.php
+/stage1.php
+/stage4.php
+/stage6.php
+/telecharger.php
+/templater.php
+/templates/layout_lyrics.php
+/threadstop/threadstop.php
+/tiki-jsplugin.php
+/update_trailer.php
+/urheber.php
+/util/barcode.php
+/vars.inc.php
+/viewsource.php
+/website.php
+/windetail.php
+/window_down.php
+/window_top.php
+/wp-content/plugins/jquery-mega-menu/skin.php
+/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php
+/wp-content/plugins/ungallery/source_vuln.php
+/wp-content/plugins/wp-publication-archive/includes/openfile.php
+/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php
+app=urchin.cgi
+functions_navlinks.php
+profile_send.php
+viewtopic_PM-link.php
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_phpbb.data
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_phpbb.data
@@ -0,0 +1,10 @@
+.php
+/acp_lcxbbportal.php
+/admin/admin_acronyms.php
+/admin/admin_groups_reapir.php
+/admin/admin_smilies.php
+/admin/admin_words.php
+/admin_hacks_list.php
+/include/global.php
+/index.php
+/portal_block.php
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_rfi.data
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_rfi.data
@@ -0,0 +1,485 @@
+.php
+/123flashchat.php
+/2checkout_return.inc.php
+/ADM_Pagina.php
+/Admin/ResellersManager.class.php
+/Base/example_1.php
+/Clickheat/Cache.php
+/Clickheat_Heatmap.php
+/CoupleDB.php
+/Customers/PDPEmailReplaceConstants.class.php
+/DB_adodb.class.php
+/Framework/EmailTemplates.class.php
+/GlobalVariables.php
+/HTMLSax3.php
+/LSTable.php
+/OpenSiteAdmin/pages/pageHeader.php
+/ST_browsers.php
+/ST_countries.php
+/ST_platforms.php
+/SezHooTabsAndActions.php
+/Thumbnail.php
+/_conf/core/common-tpl-vars.php
+/_footer.php
+/_functions.php
+/acomponents/com_mamboleto/mamboleto.php
+/acopia/manager/DiagCaptureFileListActionBody.do
+/acopia/manager/DiagLogListActionBody.do
+/acopia/sat/ViewInventoryErrorReport.do
+/acopia/sat/ViewSatReport.do
+/acp_lcxbbportal.php
+/action.php
+/active_auctions.php
+/activities/workflow-activities.php
+/add_comments.php
+/addedit-render.php
+/adm/krgourl.php
+/admin.googlebase.php
+/admin.rssreader.php
+/admin/admin_groups_reapir.php
+/admin/admin_news_bot.php
+/admin/admin_smilies.php
+/admin/admin_words.php
+/admin/frontpage_right.php
+/admin/global.php
+/admin/loadplugin.php
+/admin/thumbnailformpost.inc.php
+/admin/upgrade_unattended.php
+/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php
+/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php
+/administrator/components/com_jwmmxtd/admin.jwmmxtd.php
+/administrator/components/com_universal/includes/config/config.html.php
+/administrator/components/com_xcloner-backupandrestore/cloner.cron.php
+/application/views/public/commentform.php
+/arch.php
+/archive.php
+/ardeaCore/lib/core/ardeaBlog.php
+/ardeaCore/lib/core/ardeaInit.php
+/ardeaCore/lib/core/mvc/ardeaMVC.php
+/artmedic_print.php
+/assets/plugins/mp3_id/mp3_id.php
+/authenticate/sessions.php
+/awcm/control/common.php
+/awcm/header.php
+/awcm/includes/window_top.php
+/baconmap/admin/updatelist.php
+/base/Archive.php
+/base/Comments.php
+/base/News.php
+/base/SendFriend.php
+/base_qry_common.php
+/base_stat_common.php
+/basicfogfactory.class.php
+/bazar/picturelib.php
+/berylium-classes.php
+/bin/qte_init.php
+/block.php
+/block_center_down.php
+/block_center_top.php
+/block_left.php
+/block_right.php
+/blocks/file/controller.php
+/blocks/headerfile.php
+/body_comm.inc.php
+/body_default.php
+/centre.php
+/ch_readalso.php
+/chat/dac.php
+/checkout.php
+/class.csv.php
+/class.phpmailer.php
+/class_yapbbcooker.php
+/classes/excel/class.writeexcel_workbook.inc.php
+/classes/excel/class.writeexcel_worksheet.inc.php
+/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php
+/classes/flash_mp3_player/extras/external_feeds/getfeed.php
+/cms/modules/form.lib.php
+/cms_detect.php
+/collectivite.class.php
+/com_del.php
+/com_koesubmit/koesubmit.php
+/com_ongumatimesheet20/lib/onguma.class.php
+/com_rwcards/rwcards.advancedate.php
+/com_swmenupro/ImageManager/Classes/ImageManager.php
+/com_xmovie/helpers/img.php
+/comments.php
+/common.php
+/common/errormsg.php
+/common/func.php
+/components/com_ajaxchat/tests/ajcuser.php
+/components/com_banners/banners.class.php
+/components/com_ezine/class/php/d4m_ajax_pagenav.php
+/components/com_intuit/models/intuit.php
+/components/com_jcalpro/cal_popup.php
+/components/com_mediaslide/viewer.php
+/components/com_mgm/help.mgm.php
+/components/com_mojo/wp-comments-post.php
+/components/com_mojo/wp-trackback.php
+/components/com_moofaq/includes/file_includer.php
+/components/com_morfeoshow/morfeoshow.html.php
+/components/com_smartformer/smartformer.php
+/components/com_smf/smf.php
+/components/com_xgallery/helpers/img.php
+/config.dadamail.php
+/config.php
+/container.php
+/content/dynpage_load.php
+/content/themes/softsaurus_default/pages/subHeader.php
+/content/themes/softsaurus_stretched/pages/subHeader.php
+/core/includes/gfw_smarty.php
+/courrier.class.php
+/cron.php
+/cuenta/cuerpo.php
+/cultbooking.php
+/customer_ftp.php
+/datumscalc.php
+/debugger.php
+/debugger/debug_php.php
+/define.php
+/detail.php
+/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php
+/display.php
+/dm-albums/template/album.php
+/doku.php
+/dompdf.php
+/don3_requiem.php
+/dosearch.php
+/download.php
+/downloads.php
+/dp_logs.php
+/e-pay/src/a_affil.php
+/e107_handlers/secure_img_handler.php
+/e107_plugins/trackback/trackbackClass.php
+/editor/edit_htmlarea.php
+/editors/FCKeditor/editor_registry.php
+/editors/dhtmltextarea/editor_registry.php
+/editors/tinymce/editor_registry.php
+/emailsender.php
+/embedforum.php
+/engine/api/api.class.php
+/example_clientside_javascript.php
+/examples/tbs_us_examples_0view.php
+/examples/widget8.php
+/export.php
+/export_batch.inc.php
+/extensions/saurus4/captcha_image.php
+/familynews.php
+/faq.php
+/filepool.php
+/files/blocks/latest_files.php
+/filters/headerfile.php
+/fonctions_racine.php
+/footer.inc.php
+/footer.php
+/forum.php
+/forums/blocks/latest_posts.php
+/frontpage.php
+/ftp.php
+/functionen/ref_kd_rubrik.php
+/functions.php
+/functions_install.php
+/gallery2/lib/adodb/adodb-error.inc.php
+/gbookmx/gbook.php
+/get_header.php
+/global.php
+/groups/headerfile.php
+/gunaysoft.php
+/handle/proxy.php
+/handlers/page/show.php
+/header.inc.php
+/header.php
+/heatmap/_main.php
+/heatmap/main.php
+/help.php
+/hg_referenz_jobgalerie.php
+/html.php
+/html2.php
+/iframe.php
+/inc/articles.inc.php
+/inc/content.inc.php
+/inc/logingecon.php
+/include/_bot.php
+/include/addons/version/pages/index.inc.php
+/include/admin.lib.inc.php
+/include/admin/device_admin.php
+/include/classes/file.class.php
+/include/engine/content/elements/menu.php
+/include/global.php
+/include/header.php
+/include/libs/internals/core.process_compiled_include.php
+/include/libs/internals/core.write_compiled_include.php
+/include/libs/plugins/function.config_load.php
+/include/logout.php
+/include/pages/specials.inc.php
+/include/payment/payflow_pro.php
+/include/prodler.class.php
+/include/timesheet.php
+/include/top_graph_header.php
+/include/unverified.inc.php
+/includes/Cache/Lite/Output.php
+/includes/ajax_listado.php
+/includes/classes/pctemplate.php
+/includes/common.php
+/includes/competitions/add.php
+/includes/competitions/competitions.php
+/includes/converter.inc.php
+/includes/esqueletos/skel_null.php
+/includes/file_manager/special.php
+/includes/footer.php
+/includes/function_core.php
+/includes/header.inc.php
+/includes/header.php
+/includes/hnmain.inc.php3
+/includes/include.php
+/includes/includes.php
+/includes/init.php
+/includes/initsystem.php
+/includes/language.php
+/includes/messages.inc.php
+/includes/settings.inc.php
+/includes/settings/settings.php
+/includes/startmodules.inc.php
+/includes/workspace.php
+/index.php
+/index_inc.php
+/index_logged.php
+/infusions/last_seen_users_panel/last_seen_users_panel.php
+/init.php
+/install.clickheat.php
+/install/di.php
+/js/wptable-button.php
+/js/wptable-tinymce.php
+/language/1/splash.lang.php
+/last_gallery.php
+/latestposts.php
+/layout_admin_cfg.php
+/layout_cfg.php
+/layouts/standard.php
+/left_menu.php
+/lib.module.php
+/lib/FSphp.php
+/lib/action/rss.php
+/lib/addressbook.php
+/lib/function.php
+/lib/layout/layoutHeaderFuncs.php
+/lib/layout/layoutManager.php
+/lib/layout/layoutParser.php
+/lib/lcUser.php
+/lib/navigation.php
+/lib/page/pageDescriptionObject.php
+/lib/pathwirte.php
+/lib/smarty/SmartyFU.class.php
+/libraries/database.php
+/libraries/lib-remotehost.inc.php
+/library/setup/rpc.php
+/libs/db.php
+/libs/ftp.php
+/libs/lom.php
+/libsecure.php
+/linkadmin.php
+/links/blocks/links.php
+/load_lang.php
+/locales.php
+/locms/smarty.php
+/login.php
+/login.tpl.php
+/logout.php
+/lom_update.php
+/ltdialogo.php
+/main.inc.php
+/main/forum/komentar.php
+/main_prepend.php
+/maincore.php
+/membres/membreManager.php
+/menu/headerfile.php
+/message_class.php
+/mini.php
+/mod/image/index.php
+/mod/liens/index.php
+/mod/liste/index.php
+/mod/special/index.php
+/mod/texte/index.php
+/mod/vm/controller/AccessController.php
+/mod/vm/model/dao.php
+/mods/ckeditor/filemanager/connectors/php/connector.php
+/module.php
+/module/referenz.php
+/modules/3rdparty/adminpart/add3rdparty.php
+/modules/admin/include/config.php
+/modules/articles/adminpart/addarticles.php
+/modules/brandnews/adminpart/addbrandnews.php
+/modules/comments.php
+/modules/contact/adminpart/addcontact.php
+/modules/core/logger/init.php
+/modules/core/security/init.php
+/modules/dfss/lgsl/lgsl_players.php
+/modules/dfss/lgsl/lgsl_settings.php
+/modules/formmailer/formmailer.admin.inc.php
+/modules/game/adminpart/addgame.php
+/modules/guestbook/blocks/control.block.php
+/modules/login.php
+/modules/maticmarket/bleu/blanc/bas.php
+/modules/maticmarket/bleu/blanc/haut.php
+/modules/maticmarket/bleu/default/bas.php
+/modules/maticmarket/bleu/default/haut.php
+/modules/maticmarket/bleu/gold/bas.php
+/modules/maticmarket/bleu/gold/haut.php
+/modules/maticmarket/deco/blanc/bas.php
+/modules/maticmarket/deco/blanc/haut.php
+/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php
+/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php
+/modules/newsletter/adminpart/addnewsletter.php
+/modules/noevents/templates/mfa_theme.php
+/modules/plain/adminpart/addplain.php
+/modules/polling/adminpart/addpolling.php
+/modules/product/adminpart/addproduct.php
+/modules/profile/user.php
+/modules/tour/adminpart/addtour.php
+/modules/users/headerfile.php
+/monatsblatt.php
+/mtdialogo.php
+/mw_plugin.php
+/nettools.popup.php
+/news.php
+/news/blocks/latest_news.php
+/news/search.php3
+/news_show.php
+/newscat.php
+/nucleus/libs/PLUGINADMIN.php
+/nucleus/media.php
+/nucleus/xmlrpc/server.php
+/obj/action.class.php
+/obj/architecte.class.php
+/obj/avis.class.php
+/obj/bible.class.php
+/obj/blocnote.class.php
+/oldnews_reader.php
+/op/op.Login.php
+/overview/main.php
+/passwiki.php
+/pcltar.lib.php
+/pcltrace.lib.php
+/pear.php
+/pingsvr.php
+/plugin/HP_DEV/cms2.php
+/plugin/gateway/gnokii/init.php
+/plugin/themes/default/init.php
+/plugin_admin.php
+/plugins/PluginController.php
+/plugins/filemanager/get_file.php
+/plugins/templateie/lib/templateie_install.class.php
+/pmscript.php
+/portal_block.php
+/portfolio/css.php
+/prepend.php
+/preview.php
+/produkte_nach_serie.php
+/produkte_nach_serie_alle.php
+/profil.class.php
+/psg.smarty.lib.php
+/public/code/cp_html2xhtmlbasic.php
+/qlib/smarty.inc.php
+/qte_web.php
+/real_estate/index.php
+/ref_kd_rubrik.php
+/resource_categories_view.php
+/resources/includes/class.Smarty.php
+/rss_importer_functions.php
+/run_auto_suspend.cron.php
+/safehtml.php
+/scorm/lib.inc.php
+/scr/soustab.php
+/scripts/check-lom.php
+/scripts/weigh_keywords.php
+/search.php
+/section.php
+/send_email_cache.php
+/send_reminders.php
+/server_request.php
+/settings.php
+/settings/headerfile.php
+/show_joined.php
+/site_conf.php
+/sitemap.xml.php
+/skins/header.php
+/skins/phpchess/layout_t_top.php
+/slogin_lib.inc.php
+/smallaxe-0.3.1/inc/linkbar.php
+/snippet.reflect.php
+/spaw_control.class.php
+/stage1.php
+/stage4.php
+/stage6.php
+/standard/1/lay.php
+/standard/3/lay.php
+/startup.php
+/sublink.php
+/surfer_aendern.php
+/surfer_anmeldung_NWL.php
+/system/pageTemplate.php
+/system/utilities.php
+/templater.php
+/templates/default/tpl_message.php
+/templates/layout_lyrics.php
+/test/pages/contact.php
+/theme/format.php
+/threadstop/threadstop.php
+/tiki-jsplugin.php
+/tmsp/add_tmsp.php
+/tmsp/edit_tmsp.php
+/tmsp/subscription.php
+/tmsp/tmsp.php
+/toolbar.php
+/tools/filemanager/skins/mobile/admin1.template.php
+/update_trailer.php
+/urheber.php
+/user/turbulence.php
+/utdb_access.php
+/utgn_message.php
+/util/barcode.php
+/utilisateur.class.php
+/vars.inc.php
+/velid3/getid3.php
+/velid3/module.archive.gzip.php
+/view_blog_archives.php
+/view_blog_comments.php
+/view_messages.php
+/views/print/printbar.php
+/viewsource.php
+/viewver.php
+/watermark.php
+/web/lom.php
+/website.php
+/windetail.php
+/window_down.php
+/window_top.php
+/wordtube-button.php
+/wp-content/plugins/jquery-mega-menu/skin.php
+/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php
+/wp-content/plugins/ungallery/source_vuln.php
+/wp-content/plugins/wp-publication-archive/includes/openfile.php
+/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php
+/www/lib/head_auth.php
+admin.ponygallery.html.php
+app=urchin.cgi
+crea.php
+create_file.php
+droit.class.php
+functions_navlinks.php
+plugins/links/functions.inc
+plugins/polls/functions.inc
+plugins/spamx/BlackList.Examine.class.php
+plugins/spamx/DeleteComment.Action.class.php
+plugins/spamx/EditHeader.Admin.class.php
+plugins/spamx/EditIP.Admin.class.php
+plugins/spamx/EditIPofURL.Admin.class.php
+plugins/spamx/IPofUrl.Examine.class.php
+plugins/spamx/Import.Admin.class.php
+plugins/spamx/LogView.Admin.class.php
+plugins/spamx/MTBlackList.Examine.class.php
+plugins/spamx/MailAdmin.Action.class.php
+plugins/spamx/MassDelTrackback.Admin.class.php
+plugins/spamx/MassDelete.Admin.class.php
+plugins/staticpages/functions.inc
+profile_send.php
+viewtopic_PM-link.php
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_sqli.data
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_sqli.data
@@ -0,0 +1,398 @@
+/ASPKAT.ASP
+/DocPay.w2b
+/G_Display.php
+/HABERLER.ASP
+/HaberDetay.asp
+/News/page.asp
+/OmegaMw7.asp
+/ProductDetails.asp
+/Search/DisplayResults.php
+/SecureLoginManager/list.asp
+/SelGruFra.asp
+/Types.asp
+/ViewBugs.php
+/ViewCat.php
+/ViewReport.php
+/WorkOrder.do
+/account_change.php
+/activeNews_categories.asp
+/activeNews_comments.asp
+/activenews_search.asp
+/activenews_view.asp
+/actualpic.asp
+/ad.asp
+/add2.php
+/add_comment.php
+/addrating.php
+/admin.asp
+/admin.php
+/admin/admin_acronyms.php
+/admin/admin_annonce/changeannonce.php
+/admin/admin_annonce/okvalannonce.php
+/admin/admin_mail_adressee.asp
+/admin/admin_membre/fiche_membre.php
+/admin/cms/opentree.php
+/admin/code/tce_xml_user_results.php
+/admin/config.php
+/admin/edit.asp
+/admin/memberlist.php
+/admin/modules/modules.php
+/admin_check_user.asp
+/admin_hacks_list.php
+/admincp.php
+/admincp/attachment.php
+/administration/administre2.php
+/administrator/components/com_sqlreport/ajax/print.php
+/albmgr.php
+/annonce_detail.php
+/applications/SecureLoginManager/inc_secureloginmanager.asp
+/aramayap.asp
+/archives.php
+/articles.asp
+/artreplydelete.asp
+/auth.php
+/badword.asp
+/banner.php
+/bb-includes/formatting-functions.php
+/bexfront.php
+/blocks/block-Old_Articles.php
+/boxx/ShowAppendix.asp
+/bry.asp
+/bt-trackback.php
+/bus_details.asp
+/calendar_detail.asp
+/cart.inc.php
+/cart.php
+/cat.asp
+/categoria.php
+/category.php
+/cats.asp
+/cchatbox.php
+/cgi-bin/reorder2.asp
+/check_vote.php
+/class/debug/debug_show.php
+/class/table_broken.php
+/classes/class.news.php
+/classes/class_session.php
+/classified_img.php
+/code/guestadd.php
+/com_comment.php
+/comersus_optReviewReadExec.asp
+/comment.php
+/comments.php
+/compareHomes.asp
+/compare_product.php
+/connexion.php
+/content.asp
+/content.php
+/content/rubric/index.php
+/country_escorts.php
+/coupon_detail.asp
+/dagent/downloadreport.asp
+/database/table/user.php
+/db_ecard.php
+/default.asp
+/default2.asp
+/detail.asp
+/detail.php
+/details.asp
+/dettaglio.asp
+/devami.asp
+/diary.php
+/dirSub.asp
+/dircat.asp
+/directions.php
+/directory.php
+/dispimage.asp
+/displayCalendar.asp
+/display_review.php
+/displaypic.asp
+/dl.php
+/dlwallpaper.php
+/down.asp
+/down_indir.asp
+/download_image.asp
+/dsp_page.cfm
+/duyuru.asp
+/eWebQuiz.asp
+/edit.asp
+/edit_day.php
+/email.php
+/error.asp
+/etkinlikbak.asp
+/example.php
+/faq.php
+/faqDsp.asp
+/filecheck.php
+/filelist.asp
+/filemgmt/singlefile.php
+/forgotpass.asp
+/forum.asp
+/forum.php
+/forum/include/error/autherror.cfm
+/forum/modules/gallery/post.php
+/forum/pop_up_member_search.asp
+/forum2.asp
+/forums.php
+/friend.php
+/functions.php
+/functions/functions_filters.asp
+/gallery.asp
+/gallery.php
+/game.php
+/game_listing.php
+/getnewsitem.php
+/giris.asp
+/giris_yap.asp
+/glossaire-p-f.php
+/gmail.php
+/goster.asp
+/guestbook.php
+/h_goster.asp
+/haber.asp
+/haberdetay.asp
+/haberoku.asp
+/hilfsmittel.php
+/home.php
+/homeDetail.asp
+/html/studentmain.php
+/i-search.php
+/imprimir.php
+/inc/class_users.php
+/inc/common.php
+/inc_listnews.asp
+/include.php
+/includes/a_register.asp
+/includes/mambo.php
+/includes/nsbypass.php
+/includes/rating.php
+/index.asp
+/index.cfm
+/index.php
+/index1.asp
+/info_book.asp
+/info_user.asp
+/informacion_general.php
+/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php
+/infusions/teams_structure/team.php
+/inlinemod.php
+/inout/status.asp
+/inout/update.asp
+/install.php
+/interna.php
+/item.asp
+/item.php
+/item_list.asp
+/item_show.asp
+/ixm_ixpnews.php
+/journal.php
+/jtfwcpnt.jsp
+/jump.php
+/kategori.asp
+/kernel/group.php
+/kullanicilistesi.asp
+/letterman.class.php
+/lib/entry_reply_entry.php
+/links.php
+/linkslist.asp
+/lire-avis.php
+/list.asp
+/list.php
+/list_comments.php
+/listfull.asp
+/listings.asp
+/listmain.asp
+/listmembers.php
+/listpics.asp
+/login.asp
+/login.php
+/login/register.asp
+/logon_user.php
+/low.php
+/mailer.w2b
+/main.asp
+/main/auth/my_progress.php
+/main_page.php
+/mainfile.php
+/manufacturer.php
+/meal_rest.asp
+/members.asp
+/mesajkutum.asp
+/mezungiris.asp
+/minbrowse.php
+/mod.php
+/mod_banners.php
+/model-kits.php
+/models/category.php
+/modules.php
+/modules/Advertising/admin/index.php
+/modules/News/index.php
+/modules/Surveys/modules.php
+/modules/admin/modules/gallery.php
+/modules/bms/invoices_discount_ajax.php
+/modules/comments/json.php
+/modules/mod_mainmenu/menu.php
+/moscomment.php
+/mystats.php
+/navigacija.php
+/news.asp
+/news.php
+/news_detail.asp
+/news_page.asp
+/newsdetail.asp
+/newsletters/edition.php
+/nickpage.php
+/notaevento.php
+/nukesentinel.php
+/ogretmenkontrol.asp
+/oku.asp
+/openPolicy.asp
+/open_tree.php
+/openlink.asp
+/orange.asp
+/order-track.php
+/ossim/repository/repository_attachment.php
+/outputs.php
+/page.asp
+/page.php
+/pages/addcomment2.php
+/pfs/pfs.edit.inc.php
+/philboard_forum.asp
+/phonemessage.asp
+/php-stats.recphp.php
+/plugins/authentication/ldap.php
+/plugins/campsiteattachment/attachments.php
+/plugins/ipsearch/ipsearch.admin.php
+/plugins/mp3playlist/mp3playlist.php
+/plugins/pdfClasses/pdfgen.php
+/plugins/search/categories.php
+/plugins/search/contacts.php
+/plugins/search/content.php
+/plugins/search/sections.php
+/plugins/search/weblinks.php
+/plugins/user/example.php
+/plus/feedback_js.php
+/pms.php
+/pollmentorres.asp
+/polls.php
+/pop_profile.asp
+/post.php
+/postingdetails.php
+/preferences.asp
+/prikazInformacije.php
+/print.asp
+/print.php
+/printarticle.asp
+/printmain.asp
+/printview.php
+/process.php
+/prodList.asp
+/product.asp
+/product_review.php
+/productdetail.asp
+/products.asp
+/products.php
+/program/moduler_banner_aabn.php
+/public/code/cp_downloads.php
+/public/code/cp_menu_data_file.php
+/publication_view.asp
+/publications_list.asp
+/qte_result.php
+/question.php
+/rating.asp
+/read/index.php
+/recipe.php
+/refund_request.php
+/register.php
+/repass.php
+/res_details.asp
+/result.asp
+/result.php
+/roleManager.jsp
+/rss.asp
+/rss/show_webfeed.php
+/samples/with_db/loaddetails.php
+/save.php
+/search.asp
+/search.php
+/search_listing.asp
+/searchkey.asp
+/searchmain.asp
+/searchoption.asp
+/section/default.asp
+/send_password_preferences.asp
+/sendarticle.asp
+/set_preferences.asp
+/shared/code/cp_authorization.php
+/shared/code/cp_functions_downloads.php
+/shopgiftregsearch.asp
+/show_joined.php
+/show_news.php
+/show_owned.php
+/showcats.php
+/showfile.asp
+/simplog/archive.php
+/simplog/index.php
+/site_info.php
+/slideshow.asp
+/sptrees/default.aspx
+/style.php
+/stylesheet.php
+/subcat.php
+/system/core/users/users.register.inc.php
+/system/index.php
+/takefreestart.php
+/tde_busca/processaPesquisa.php
+/templates/modif.html
+/thread.php
+/thumbnails.asp
+/thumbnails.php
+/topic_title.php
+/torrents.php
+/tracking/courseLog.php
+/types.asp
+/update_profile.php
+/urunbak.asp
+/user.asp
+/user.php
+/user_confirm.asp
+/user_pages/page.asp
+/userdetail.php
+/usergroups.php
+/usermgr.php
+/users.php
+/utilities/usermessages.asp
+/uye_giris_islem.asp
+/vBSupport.php
+/vdateUsr.asp
+/vehiclelistings.asp
+/verify.php
+/vf_memberdetail.asp
+/view.php
+/view_gallery.asp
+/view_profile.php
+/view_recent.asp
+/viewad.asp
+/viewcat.php
+/viewimage.php
+/viewlinks.asp
+/viewthread.php
+/virtuemart_parser.php
+/visu_user.asp
+/voirannonce.php
+/wallpaper.php
+/wbsearch.aspx
+/web/classes/autocomplete.php
+/windows.asp
+/wp-admin/admin-ajax.php
+/wp-admin/admin-functions.php
+/wp-content/plugins/1-flash-gallery/massedit_album.php
+/wp-content/plugins/cpl/cplphoto.php
+/wp-content/plugins/flash-album-gallery/lib/hitcounter.php
+/wp-content/plugins/forum-server/feed.php
+/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
+/wp-trackback.php
+/xNews.php
+/xmlrpc.php
+graph_view.php
+tree.php
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_wordpress.data
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_wordpress.data
@@ -0,0 +1,41 @@
+/books/getConfig.php
+/js/modalbox/tests/functional/_ajax_method_get.php
+/js/wptable-button.php
+/js/wptable-tinymce.php
+/plugins/accept-signups/accept-signups_submit.php
+/plugins/feedlist/handler_image.php
+/plugins/inline-gallery/browser/browser.php
+/plugins/socialgrid/static/js/inline-admin.js.php
+/rss/show_webfeed.php
+/sidebar.php
+/wordtube-button.php
+/wp-admin/admin-ajax.php
+/wp-admin/admin-functions.php
+/wp-admin/admin.php
+/wp-content/plugins/1-flash-gallery/folder.php
+/wp-content/plugins/1-flash-gallery/massedit_album.php
+/wp-content/plugins/audio/getid3/demos/demo.browse.php
+/wp-content/plugins/cpl/cplphoto.php
+/wp-content/plugins/firestats/php/window-add-excluded-ip.php
+/wp-content/plugins/firestats/php/window-add-excluded-url.php
+/wp-content/plugins/firestats/php/window-new-edit-site.php
+/wp-content/plugins/flash-album-gallery/lib/hitcounter.php
+/wp-content/plugins/forum-server/feed.php
+/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
+/wp-content/plugins/jquery-mega-menu/skin.php
+/wp-content/plugins/lazyest-gallery/lazyest-popup.php
+/wp-content/plugins/nextgen-gallery/xml/media-rss.php
+/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php
+/wp-content/plugins/ungallery/source_vuln.php
+/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php
+/wp-content/plugins/wp-cumulus/tagcloud.swf
+/wp-content/plugins/wp-publication-archive/includes/openfile.php
+/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php
+/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php
+/wp-content/plugins/xcloner-backup-and-restore/index2.php
+/wp-content/plugins/zotpress/zotpress.image.php
+/wp-login.php
+/wp-trackback.php
+/xmlrpc.php
+page=eshop-orders.php
+page=eshop-templates.php
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_xss.data
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_xss.data
@@ -0,0 +1,179 @@
+/Aris/wflogin.jsp
+/Default.aspx
+/English_manual_version_2.php
+/Forms/home_1
+/ReadMsg.php
+/ReqWebHelp/advanced/workingSet.jsp
+/ReqWebHelp/basic/searchView.jsp
+/SearchCenter/Pages/AllResults.aspx
+/WebEditor/Authentication/LoginPage.aspx
+/WorkArea/reterror.aspx
+/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php
+/action_create/index.php
+/addons/kcfinder/browse.php
+/addressbook.cgi
+/admin/editListing.php
+/admin/queuedMessage.do
+/admin/rp-menu.php
+/admin/upgrade_unattended.php
+/administrator/components/com_xcloner-backupandrestore/index2.php
+/all_photos.html
+/annonce.php
+/appdev/sample/web/hello.jsp
+/archiva/admin/addLegacyArtifactPath!commit.action
+/archiva/admin/confirmDeleteRepository.action
+/archiva/admin/deleteNetworkProxy!confirm.action
+/archiva/deleteArtifact!doDelete.action
+/archiva/security/roleedit.action
+/archiva/security/useredit.action
+/archiva/security/userlist!show.action
+/awards.php
+/awstats/awstats.pl
+/basicstats.php
+/bizdir/bizdir.cgi
+/browseCat.php
+/browseSubCat.php
+/cacti/utilities.php
+/calendar.php
+/cand_login.asp
+/cat.php
+/catalogo.php
+/cgi/surgeftpmgr.cgi
+/config/edituser.php
+/configure_plugin.tpl.php
+/console.php
+/contact/index.php
+/core/themes.php
+/cultbooking.php
+/dailyview.php
+/de/create_account.asp
+/de/pda/dev_logon.asp
+/devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php
+/en/front_content.php
+/explanation.php
+/faces/jsf/tips.jsp
+/fetchmailprefs.php
+/footer.php
+/forcerestart.php
+/forcesd.php
+/frontend/x3/files/fileop.html
+/gnatsweb.pl
+/header.php
+/hlstats.php
+/html/11-login.asp
+/html/studentmain.php
+/implicit-objects.jsp
+/include/sessionRegister.php
+/index.php
+/js/modalbox/tests/functional/_ajax_method_get.php
+/jscripts/folder_rte_files/module_table.php
+/lib/jscalendar/test.php
+/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php
+/listmembers.php
+/listmovies.php
+/loan.php
+/login.php
+/main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php
+/mods/ckeditor/filemanager/connectors/php/upload.php
+/module_bbcodeloader.php
+/module_div.php
+/module_email.php
+/module_image.php
+/module_link.php
+/modules.php
+/modules/boonex/custom_rss/post_mod_crss.php
+/modules/dl/download.php
+/news.asp
+/news.php
+/news/list/index.php
+/news/search.php3
+/newsletter/create/index.php
+/openBrowser.php
+/openTutorial.php
+/order_form.php
+/patch/single_winner1.php
+/picture.php
+/plugins/accept-signups/accept-signups_submit.php
+/plugins/csstidy/css_optimiser.php
+/plugins/feedlist/handler_image.php
+/plugins/inline-gallery/browser/browser.php
+/plugins/photosmash-galleries/index.php
+/plugins/socialgrid/static/js/inline-admin.js.php
+/printcal.pl
+/private/blade_leds.php
+/private/cindefn.php
+/private/ipmi_bladestatus.php
+/private/pm_temp.php
+/private/power_management_policy_options.php
+/private/power_module.php
+/profiles/html/simpleSearch.do
+/rating/postcomments.php
+/rating/rate.php
+/register.php
+/reportItem.do
+/room/info_book.asp
+/room/week.asp
+/scripts/prodList.asp
+/search.5.html
+/search.php
+/search/list/action_search/index.php
+/sendcard.php
+/sendmail.php
+/sessions
+/settings.php
+/shared/code/cp_authorization.php
+/shared/config/cp_config.php
+/shipping/methods/fedex_v7/label_mgr/js_include.php
+/shipping/pages/popup_shipping/js_include.php
+/shopcontent.asp
+/showown.php
+/sidebar.php
+/siteminderagent/forms/smpwservices.fcc
+/skins/header.php
+/snarf_ajax.php
+/sqledit.php
+/stats.php
+/tagcloud-ru.swf
+/tagcloud.swf
+/templates/admin_default/confirm.tpl.php
+/templates/recruitment/jobVacancy.php
+/tiki-featured_link.php
+/topFrame.php
+/user/User_ChkLogin.asp
+/users/payment.php
+/usersettings.php
+/usrmgr/registerAccount.asp
+/vBTube.php
+/verify/asp/n6plugindestructor.asp
+/vtigerservice.php
+/we/include/weTracking/econda/weEcondaImplement.inc.php
+/we/include/we_modules/messaging/messaging_show_folder_content.php
+/we/include/we_modules/shop/edit_shop_editorFrameset.php
+/weapons.php
+/web/msgList/viewmsg/actions/msgAnalyse.asp
+/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp
+/web/msgList/viewmsg/viewHeaders.asp
+/web/phpinfo.php
+/workarea/medialist.aspx
+/wp-content/plugins/1-flash-gallery/folder.php
+/wp-content/plugins/audio/getid3/demos/demo.browse.php
+/wp-content/plugins/firestats/php/window-add-excluded-ip.php
+/wp-content/plugins/firestats/php/window-add-excluded-url.php
+/wp-content/plugins/firestats/php/window-new-edit-site.php
+/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
+/wp-content/plugins/lazyest-gallery/lazyest-popup.php
+/wp-content/plugins/nextgen-gallery/xml/media-rss.php
+/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php
+/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php
+/wp-content/plugins/wp-cumulus/tagcloud.swf
+/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php
+/wp-content/plugins/xcloner-backup-and-restore/index2.php
+/wp-content/plugins/zotpress/zotpress.image.php
+/wp-content/themes/redoable/header.php
+/wp-content/themes/redoable/searchloop.php
+/xperience.php
+/zimplit.php
+_invoice.asp
+page=eshop-orders.php
+page=eshop-templates.php
+stconf.nsf
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf
@@ -0,0 +1,150 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#	
+#	http://www.emergingthreats.net/ 
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_phpbb.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_PHPBB_RULES"
+
+# (2008964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /portal_block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /acp_lcxbbportal.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion
+SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pfad "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt
+SecRule REQUEST_LINE "@contains .php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002731,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',tag:'web-application-attack'"
+SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=(ftps?|https?|php))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005967) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005967,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005968,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006973) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006973,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004606) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004606,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004607) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004607,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004609) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004609,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004610) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004610,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004611) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004611,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_ET_PHPBB_RULES
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf
@@ -0,0 +1,564 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#	
+#	http://www.emergingthreats.net/ 
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_wordpress.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_WORDPRESS_RULES"
+
+# (2011256) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-ip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011256,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:edit "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:edit "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-new-edit-site.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011258,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:site_id "(?i:site_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005152,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005153) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005153,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005155) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005155,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005154) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005154,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005156) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005156,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt
+SecRule REQUEST_LINE "@contains /wp-login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003508,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt',tag:'web-application-attack',tag:'url,www.inliniac.net/blog/?p=71'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:redirect_to=(ht|f)tps?\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH
+SecRule REQUEST_LINE "@contains /js/wptable-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003685,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3824'"
+SecRule ARGS:wpPATH "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH
+SecRule REQUEST_LINE "@contains /wordtube-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3825'"
+SecRule ARGS:wpPATH "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php
+SecRule REQUEST_LINE "@contains /sidebar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003885,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004011) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004011,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004012) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004012,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004013) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004013,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004014,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004015,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004016,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004403) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004404) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004404,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004405) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004405,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004406) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004406,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004654) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004654,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004655) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004655,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004657,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004658,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005657,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005658,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005660,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005661,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005662,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005865) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005865,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005866) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005866,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005867) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005867,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005868) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005868,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005869) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005869,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005870) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005870,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008725,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection',tag:'web-application-attack'"
+SecRule ARGS:newsletter "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure
+SecRule REQUEST_LINE "@contains /books/getConfig.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009010,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',tag:'web-application-attack',tag:'bugtraq,32966'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains book_id=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt
+SecRule REQUEST_LINE "@contains /js/wptable-tinymce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010473,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ABSPATH "(?i:ABSPATH\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt
+SecRule REQUEST_LINE "@contains /wp-admin/admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010728,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt',tag:'web-application-attack',tag:'cve,2009-2334'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains page=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/nextgen-gallery/xml/media-rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-1186'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mode "(?i:(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011044,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011045,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011046) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011046,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011107) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-cumulus/tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011107,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains mode=tags" "chain"
+SecRule ARGS:tagcloud "(?i:tagcloud\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011942,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:gid "(?i:gid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012009) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/feedlist/handler_image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012009,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:i "(?i:i\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012072) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-safe-search/wp-safe-search-jx.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012072,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:v1 "(?i:v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/accept-signups/accept-signups_submit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:email "(?i:email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/audio/getid3/demos/demo.browse.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012353,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:showfile "(?i:showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /js/modalbox/tests/functional/_ajax_method_get.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012356,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:param "(?i:param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012407,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains /options-runnow-iframe.php?wpabs=/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012408,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains /options-view_log-iframe.php?wpabs=/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&logfile\=\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012411) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012411,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012412) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt  updateAJAX.php post_id SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012412,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt  updateAJAX.php post_id SELECT',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt  updateAJAX.php post_id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012413,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012414,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012415,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012416,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012417,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012428,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains task=dologin" "chain"
+SecRule ARGS:option "(?i:option\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012429,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule ARGS:mosmsg "(?i:mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012431,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012432,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012433,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012434) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012434,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012435,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012436,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/zotpress/zotpress.image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012437,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:citation "(?i:citation\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/folder.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012476,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:type "(?i:type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012477) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012477,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012478) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012478,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012479,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012480) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012480,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012481) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012481,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012482) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012482,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/jquery-mega-menu/skin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012571,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012581) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012581,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:image "(?i:image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012601) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012601,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:image "(?i:image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-publication-archive/includes/openfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012705,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012722) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability
+SecRule REQUEST_LINE "@contains /plugins/socialgrid/static/js/inline-admin.js.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012722,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability',tag:'web-application-attack'"
+SecRule ARGS:default_services "(?i:default_services\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012946) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/inline-gallery/browser/browser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012946,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46781'"
+SecRule ARGS:do "(?i:do\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013155) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013155,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013156) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013156,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013157,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013158) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013158,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013159) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013159,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013308,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:page "(?i:page=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013309,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013310) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013310,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:title "(?i:title\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains page=eshop-templates.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013425,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:eshoptemplate "(?i:eshoptemplate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains page=eshop-orders.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:action "(?i:action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains page=eshop-orders.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:viewemail "(?i:viewemail\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2013464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/ungallery/source_vuln.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2013464,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pic "(?i:\\x2e\\x2e\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_ET_WORDPRESS_RULES
--- a/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf