# Do not inspect the 'pwd' arg of wp-login.php requests (disable all
# CRS rules).
#
# This exclusion is already applied when tx.crs_exclusions_wordpress=1 is set
# in crs-setup.conf, so the rule below stays commented out. Note that it
# targets the tag "CRS" while the active rules in this file use "OWASP_CRS";
# check the tag name against the installed CRS version before re-enabling it.
#SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1000,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
# Site Health (wp-admin/site-health.php): switch the rule engine off for the
# whole transaction, so neither request nor response is inspected or logged.
# NOTE(review): no phase is given, so the rule runs in whichever phase the
# effective SecDefaultAction assigns; ctl:ruleEngine=Off only applies from
# that phase onward, so rules in earlier phases still evaluate. Confirm the
# phase in crs-setup.conf, or add an explicit phase:1 if that is the intent.
# NOTE(review): @beginsWith on REQUEST_URI also matches any longer path or
# query string that starts with this prefix; the other rules in this file
# match REQUEST_FILENAME with @endsWith, which is the narrower check.
SecRule REQUEST_URI "@beginsWith /wp-admin/site-health.php" \
"id:1001,\
pass,\
nolog,\
ctl:ruleEngine=Off"
# Theme editor (wp-admin/themes.php): stop every OWASP_CRS-tagged rule from
# inspecting the "newcontent" argument only; all other arguments of the
# request are still checked.
# NOTE(review): presumably "newcontent" carries the edited theme file body,
# which legitimately looks like code to injection rules — confirm. Nothing
# here restricts who may send it; the exclusion relies on WordPress's own
# authentication of this admin page.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/themes.php" \
"id:1002,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newcontent"
# Make the eventlist plugin work (SIGH for the lack of regexps).
# Widget settings saved through admin-ajax.php: exclude the four eventlist
# widget fields (title, cat_filter, num_events, location_length) from all
# OWASP_CRS-tagged rules, for widget instances 1 through 5 only.
# NOTE(review): a sixth widget instance is not covered and would be
# inspected (and possibly blocked) again. Recent ModSecurity versions accept
# a regex target (ARGS:/.../) in ctl:ruleRemoveTargetByTag, which would
# replace this list and cover any index — verify against the installed
# engine before switching.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:1004,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][title],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][cat_filter],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][num_events],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][location_length],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][title],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][cat_filter],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][num_events],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][location_length],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][title],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][cat_filter],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][num_events],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][location_length],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][title],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][cat_filter],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][num_events],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][location_length],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][title],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][cat_filter],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][num_events],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][location_length]"
# More eventlist plugin workarounds.
# NOTE(review): this is a rule removal, not a target removal: every rule
# tagged language-powershell is skipped for the whole admin-ajax.php request,
# whichever argument would have matched, and admin-ajax.php serves many
# plugins besides eventlist. If the offending parameter is known, prefer
# ctl:ruleRemoveTargetByTag=language-powershell;ARGS:<name> so the rest of
# the request stays covered.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:1005,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveByTag=language-powershell"
# Filter out certain args (all URIs) for the pgp email plugin.
# "@beginsWith /" matches every request, so the attack-sqli rules skip these
# four arguments site-wide; other rule families still inspect them.
# NOTE(review): "text" is a generic parameter name, so the SQLi exclusion
# also applies to any other endpoint that takes a "text" argument, not just
# the plugin. If the plugin's endpoint is known, scoping this rule with
# REQUEST_FILENAME (as the other rules here do) would keep the exclusion
# from leaking to unrelated forms.
SecRule REQUEST_URI "@beginsWith /" \
"id:1006,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:message_from_name,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:message_from_mail,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:message_body,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:text"
# Gutenberg-related requests.
# REST batch endpoint: exclude the nested JSON field
# requests[].body.instance.raw.content (the dotted ARGS name is how the JSON
# body processor flattens it) from all OWASP_CRS-tagged rules; the rest of
# the batch payload is still inspected.
# NOTE(review): this only has an effect when the JSON request body is
# actually parsed into ARGS for this endpoint — confirm the JSON body
# processor is enabled for the wp-json paths.
SecRule REQUEST_URI "@beginsWith /wp-json/batch/v1" \
"id:1007,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:requests.requests.body.instance.raw.content"
# Text widget encode endpoint: switch the rule engine off for the whole
# transaction, so neither request nor response is inspected or logged.
# NOTE(review): no phase is given, so the rule runs in whichever phase the
# effective SecDefaultAction assigns, and ctl:ruleEngine=Off only applies
# from that phase onward; rules in earlier phases still evaluate. Confirm the
# phase in crs-setup.conf, or add an explicit phase:1 if that is the intent.
# NOTE(review): @beginsWith on REQUEST_URI also matches any longer path or
# query string starting with this prefix. If only the widget content needs
# to pass, a ruleRemoveTargetByTag on the specific argument (as rule 1007
# does) would be far narrower than disabling the engine.
SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/widget-types/text/encode" \
"id:1008,\
pass,\
nolog,\
ctl:ruleEngine=Off"
# Multisite network site settings page: exclude the two wp-piwik option
# fields from all OWASP_CRS-tagged rules; every other argument on the page
# is still inspected.
# NOTE(review): presumably these fields hold an analytics tracking snippet
# (script markup), which is why injection rules fire on them — confirm.
# Nothing here restricts who may submit them; the exclusion relies on
# WordPress's own authentication of this network-admin page.
SecRule REQUEST_URI "@beginsWith /wp-admin/network/site-settings.php" \
"id:1009,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:option[wp-piwik-tracking_code],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:option[wp-piwik-noscript_code]"