Author Topic: Rules Updates: Changelog  (Read 33252 times)

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 365
Re: Rules Updates: Changelog
« Reply #30 on: August 18, 2015, 11:15:04 AM »
2015.08.18
Rules for Apache: version 1.43
Rules for LiteSpeed: version 1.37
Rules for Nginx: version 1.16

 - XSS vulnerability in WordPress before 4.2.1 (CVE-2015-3440)
 - Multiple XSS vulnerabilities in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3 for WordPress (CVE-2015-3647)
 - XSS vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress (CVE-2015-2321)
 - Directory traversal vulnerability in the Easy2Map plugin before 1.2.5 for WordPress (CVE-2015-4616)
 - SQL injection vulnerability in Domain Technologie Control (DTC) before 0.32.11 (CVE-2011-5276) and Directory traversal vulnerability in Domain Technologie Control (DTC) before 0.34.1 (CVE-2011-5273)
 - SQL injection vulnerability in Cacti before 0.8.8e (CVE-2015-4634)
 - bl_domains update
« Last Edit: August 18, 2015, 11:17:06 AM by TDmitry »

TDmitry
« Reply #31 on: August 25, 2015, 11:42:19 AM »
2015.08.25
Rules for Apache: version 1.44
Rules for LiteSpeed: version 1.38
Rules for Nginx: version 1.17

 - SQL injection vulnerability in WP Symposium plugin before 15.4 for WordPress (CVE-2015-3325)
 - Directory traversal vulnerability in the Easy2Map plugin before 1.2.5 for WordPress (CVE-2015-4616)
 - SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress (CVE-2015-2196)
 - Unrestricted file upload vulnerability in the Simple Ads Manager plugin before 2.5.96 for WordPress (CVE-2015-2825)
 - SQL injection vulnerabilities in the Easy2Map plugin before 1.2.5 for WordPress (CVE-2015-4614)
 - Multiple SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress (CVE-2015-2824)
 - XSS vulnerabilities in the WP Google Maps plugin before 6.0.27 for WordPress (CVE-2014-7182)
 - SQL injection vulnerabilities in the Powerplay Gallery plugin 3.3 for WordPress (CVE-2015-5599)
 - bl_domains update

TDmitry
« Reply #32 on: September 01, 2015, 06:28:29 AM »
2015.09.01
Rules for Apache: version 1.45
Rules for LiteSpeed: version 1.41
Rules for Nginx: version 1.18

 - SQL injection vulnerabilities in the WP Symposium plugin before 15.8 for WordPress (CVE-2015-6522)
 - XSS vulnerability in the qTranslate plugin 2.5.39 and earlier for WordPress (CVE-2015-5535)
 - Unrestricted file upload vulnerability in the ReFlex Gallery plugin before 3.1.4 for WordPress (CVE-2015-4133)
 - XSS vulnerability in the Plupload plugin for WordPress and other web apps (CVE-2013-0237 / CVE-2015-3439)
 - XML-RPC protection (CVE-2013-0235), disabled by default
 - XSS vulnerabilities in phpipam 1.1.010 (CVE-2015-6529)
 - false positives fixes
 - several fixes in previous rules
 - bl_domains update
 - bl_scanners update

TDmitry
« Reply #33 on: September 08, 2015, 08:26:41 AM »
2015.09.08
Rules for Apache: version 1.46
Rules for LiteSpeed: version 1.42
Rules for Nginx: version 1.19

 - SQL injection vulnerability in Cacti before 0.8.8d (CVE-2015-4342)
 - SQL injection vulnerability in Cacti before 0.8.8d (CVE-2015-4454)
 - Multiple XSS vulnerabilities in phpLiteAdmin 1.1 (CVE-2015-6518)
 - XSS vulnerability in Cacti before 0.8.8d (CVE-2015-4454)
 - XSS vulnerabilities in Coppermine Photo Gallery (CPG) 1.5.36 (CVE-2015-6528)
 - Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress (CVE-2014-4940)
 - XSS vulnerability in the Google Analytics by Yoast plugin before 5.1.3 for WordPress (CVE-2014-9174)
 - SQL injection vulnerability in the Google Doc Embedder plugin before 2.5.15 for WordPress (CVE-2014-9173)
 - XSS vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress (CVE-2014-9100)
 - bl_domains update

TDmitry
« Reply #34 on: September 15, 2015, 07:40:48 AM »
2015.09.15
Rules for Apache: version 1.47
Rules for LiteSpeed: version 1.43
Rules for Nginx: version 1.20

 - Unrestricted file upload vulnerability in the CformsII plugin 14.7 and earlier for WordPress (CVE-2014-9473)
 - XSS vulnerability in the Frontend Uploader plugin 0.9.2 for WordPress (CVE-2014-9444)
 - SQL injection vulnerabilities in SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress (CVE-2014-9178)
 - XSS vulnerability in the YouTube Embed plugin before 3.3.3 for WordPress (CVE-2015-6535)
 - XSS vulnerability in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5 for WordPress (CVE-2014-9098)
 - Unrestricted file upload vulnerability in the Powerplay Gallery plugin 3.3 for WordPress (CVE-2015-5681)
 - Directory traversal vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress (CVE-2015-5482)
 - XSS vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress (CVE-2015-5481)
 - XSS vulnerability in the Contact Form Clean and Simple plugin 4.4.0 and earlier for WordPress (CVE-2014-8955)
 - XSS vulnerability in the WP Symposium plugin before 14.11 for WordPress (CVE-2014-8809)
 - XSS vulnerability in the Navis DocumentCloud plugin before 0.1.1 for WordPress (CVE-2015-2807)
 - XSS vulnerability in the Relevanssi plugin before 3.3.8 for WordPress (CVE-2014-9443)
 - SQL injection vulnerability in the WP Symposium plugin before 14.11 for WordPress (CVE-2014-8810)
 - XSS vulnerability in Modern Tribe Eventbrite Tickets plugin before 3.10.2 for WordPress (CVE-2015-5485)
 - XSS vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress (CVE-2015-3300)
 - XSS injection vulnerability in Cacti before 0.8.8d (CVE-2015-2665)
 - Directory traversal vulnerability in pimcore before build 3473 (CVE-2015-4425)
 - XSS vulnerability in PHP Font Lib before 0.3.1 (CVE-2015-2570)
 - XSS vulnerability in MantisBT 1.2.13 through 1.2.17 (CVE-2014-8987)
 - XSS vulnerability in WideImage 11.02.19 (CVE-2015-5519)
 - XSS vulnerability in BlackCat CMS 1.1.2 (CVE-2015-5521)
 - bl_domains update
 - 211210 FP fix
 - nginx rules reorganization

TDmitry
« Reply #35 on: September 22, 2015, 06:38:58 AM »
2015.09.22
Rules for Apache: version 1.48
Rules for LiteSpeed: version 1.44
Rules for Nginx: version 1.21

 - XSS vulnerability in the sourceAFRICA plugin 0.1.3 for WordPress (CVE-2015-6920)
 - Directory traversal vulnerability in the DukaPress plugin before 2.5.4 for WordPress (CVE-2014-8799)
 - Directory traversal vulnerability in the DB Backup plugin 4.5 and earlier for WordPress (CVE-2014-9119)
 - Directory traversal vulnerability in the SE HTML5 Album Audio Player plugin 1.1.0 and earlier for WordPress (CVE-2015-4414)
 - Absolute path traversal vulnerability in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress (CVE-2015-5065)
 - XSS vulnerability in Genericons before 3.3.1, as used in WordPress before 4.2.2 (CVE-2015-3429)
 - XSS vulnerability in the MDC Private Message plugin 1.0.0 for WordPress (CVE-2015-6805)
 - XSS vulnerability in the CBI Referral Manager plugin 1.2.1 and earlier for WordPress (CVE-2014-4517)
 - XSS vulnerability in the Web Dorado Spider Video Player (aka WordPress Video Player) plugin before 1.5.2 for WordPress (CVE-2014-8584)
 - bl_domains update
« Last Edit: September 22, 2015, 09:32:57 AM by TDmitry »

TDmitry
« Reply #36 on: October 09, 2015, 05:56:28 AM »
2015.10.09
Rules for Apache: version 1.49
Rules for LiteSpeed: version 1.45
Rules for Nginx: version 1.22

 - XSS vulnerability in the CBI Referral Manager plugin 1.2.1 and earlier for WordPress (CVE-2014-4517)
 - CSRF & XSS vulnerabilities in the Encrypted Contact Form plugin before 1.1 for WordPress (CVE-2015-4010)
 - CSRF vulnerability in the Portfolio plugin before 1.05 for WordPress (CVE-2015-6523)
 - SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress (CVE-2014-6242)
 - XSS vulnerability in the Wordfence Security plugin before 5.1.4 for WordPress (CVE-2014-4664)
 - XSS vulnerability in the Web-Dorado Photo Gallery plugin 1.1.30 and earlier for WordPress (CVE-2014-6315)
 - Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress (CVE-2014-5460)
 - XSS vulnerability in the EWWW Image Optimizer plugin before 2.0.2 for WordPress (CVE-2014-6243)
 - XSS vulnerability in the Social Connect plugin 1.0.4 and earlier for WordPress (CVE-2014-4551)
 - XSS vulnerability in the BulletProof Security plugin before .51.1 for WordPress (CVE-2014-7958)
 - XSS vulnerability in the Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin before 2.8.16 for WordPress (CVE-2014-7139)
 - XSS vulnerability in the Appointment Booking Calendar plugin before 1.1.8 for WordPress (CVE-2015-7320)
 - SQL injection vulnerability in the BulletProof Security plugin before .51.1 for WordPress (CVE-2014-7959)
 - SQL injection vulnerability in the GB Gallery Slideshow plugin 1.5 for WordPress (CVE-2014-8375)
 - XSS vulnerability in the Gallery - Photo Albums - Portfolio plugin 1.3.47 for WordPress (CVE-2015-7386)
 - XSS vulnerability in OpenDocMan before 1.3.4 (CVE-2015-5625)
 - SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 and earlier (CVE-2015-6915)
 - bl_domains update

TDmitry
« Reply #37 on: October 20, 2015, 11:18:18 AM »
2015.10.20
Rules for: Apache, LiteSpeed, nginx
Version 1.50

 - CSRF & XSS vulnerability in the WP Smiley plugin 1.4.1 for WordPress (CVE-2015-4140)
 - SQL injection vulnerability in Appointment Booking Calendar plugin before 1.1.8 for WordPress (CVE-2015-7319)
 - XSS vulnerability in the WooCommerce plugin before 2.2.3 for WordPress (CVE-2014-6313)
 - XSS vulnerability in the Contact Bank plugin before 2.0.20 for WordPress (CVE-2014-3841)
 - SQL injection vulnerability in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress (CVE-2014-1854)
 - XSS vulnerability in the MyWebsiteAdvisor Simple Security plugin 1.1.5 and earlier for WordPress (CVE-2014-9570)
 - SQL injection vulnerability in the Users Ultra plugin before 1.5.16 for WordPress (CVE-2015-4109)
 - CSRF & XSS vulnerability in the Facebook Like Box (cardoza-facebook-like-box) plugin before 2.8.3 for WordPress (CVE-2014-9524)
 - XSS vulnerability in the Lazyest Gallery plugin before 1.1.21 for WordPress (CVE-2014-2333)
 - CSRF & XSS vulnerability in the Our Team Showcase (our-team-enhanced) plugin before 1.3 for WordPress (CVE-2014-9523)
 - CSRF & Directory Traversal vulnerability in the TheCartPress eCommerce Shopping Cart plugin before 1.3.9.3 for WordPress (CVE-2015-3986)
 - SQL injection vulnerability in Serendipity before 2.0.2 (CVE-2015-6943)
 - bl_domains update

TDmitry
« Reply #38 on: October 30, 2015, 06:19:03 AM »
2015.10.30
Rules for: Apache, LiteSpeed, nginx
Version 1.51

- CSRF & XSS vulnerability in the Simple Share Buttons Adder plugin before 4.5 for WordPress (CVE-2014-4717)
- XSS vulnerability in the Pie Register plugin before 2.0.19 for WordPress (CVE-2015-7377)
- Absolute path traversal vulnerability in the Font plugin before 7.5.1 for WordPress (CVE-2015-7683)
- SQL injection vulnerabilities in the Pie Register plugin before 2.0.19 for WordPress (CVE-2015-7682)
- Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 (CVE-2015-6967)
- SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 and earlier (CVE-2015-6915)
- XSS vulnerability in Dotclear before 2.8.1 (CVE-2015-5651)
- SQL injection vulnerability in Serendipity before 2.0.2 (CVE-2015-6943)
- XSS vulnerability in 4images 1.7.11 and earlier (CVE-2015-7708)
- Unrestricted file upload vulnerability in GLPI before 0.85.3 (CVE-2015-7684)
- XSS vulnerability in the 2k11 theme in Serendipity before 2.0.2 (CVE-2015-6969)
- SQLmap check
- FPs fixed
- Revision metadata
- The mole vulnerability scanner blacklisted
- bl_domains update

TDmitry
« Reply #39 on: November 04, 2015, 04:43:52 AM »
2015.11.03
Rules for: Apache, LiteSpeed, nginx
Version 1.52

- SQL injection vulnerability in Joomla! 3.2 before 3.4.5 (CVE-2015-7297, CVE-2015-7857, CVE-2015-7858)
- CSRF in Revive Adserver before 3.2.2 (CVE-2015-7364)
- Multiple incomplete blacklist vulnerabilities in Serendipity before 2.0.2 (CVE-2015-6968)
- XSS vulnerability in Serendipity before 2.0.1 (CVE-2015-2289)
- bl_domains update
- false positives fix

TDmitry
« Reply #40 on: November 12, 2015, 07:15:01 AM »
2015.11.12
Rules for: Apache, LiteSpeed, nginx
Version 1.53

- CSRF vulnerability in Nibbleblog before 4.0.5 (CVE-2015-6966)
- XSS vulnerabilities in Nibbleblog before 4.0.2 (CVE-2014-8996)
- SQL injection vulnerability in LimeSurvey before 2.06+ Build 150618 (CVE-2015-4628)
- SQL injection vulnerability in LimeSurvey 2.06+ (CVE-2015-5078)
- False positive fix
- Few rules improved
- bl_domains update
« Last Edit: November 12, 2015, 07:16:41 AM by TDmitry »

TDmitry
« Reply #41 on: November 24, 2015, 06:52:23 AM »
2015.11.24
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.54

- SQL injection vulnerabilities in the J2Store (com_j2store) extension before 3.1.7 for Joomla! (CVE-2015-6513)
- XSS vulnerability in the googleSearch (CSE) (com_googlesearch_cse) component 3.0.2 for Joomla! (CVE-2015-6919)
- SQL Injection vulnerabilities in the CP Reservation Calendar plugin before 1.1.7 for WordPress (CVE-2015-7235)
- SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress (CVE-2015-0894)
- CSRF vulnerability in the Banner Effect Header plugin 1.2.6 for WordPress (CVE-2015-0920)
- SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress (CVE-2015-1055)
- XSS vulnerability in Nextend Facebook Connect plugin before 1.5.6 for WordPress (CVE-2015-4413)
- XSS vulnerability in the NextGEN Gallery plugin before 1.5.2 for WordPress (CVE-2010-1186)
- SQL Injection vulnerability in the wp-championship plugin 5.8 for WordPress (CVE-2015-5308)
- XSS vulnerabilities in Welcart plugin before 1.4.18 for WordPress (CVE-2015-2973)
- SQL injection vulnerability in the Cart66 Lite plugin before 1.5.4 for WordPress (CVE-2014-9442)
- SQL Injection in FreiChat 9.6 (CVE-2015-6512)
- Multiple XSS and SQL injection vulnerabilities in the admin panel in osCMax before 2.5.1 (CVE-2012-1664, CVE-2012-1665)
- XSS vulnerability in Revive Adserver before 3.2.2 (CVE-2015-7365)
- bl_domains update

Offline SergeiP

  • Moderator
  • Comodo Family Member
  • *****
  • Posts: 83
Re: Rules Updates: Changelog
« Reply #42 on: December 01, 2015, 09:14:35 AM »
2015.12.01
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.55

- XSS vulnerability in WordPress before 4.1.2 (CVE-2015-3438)
- CSRF & XSS vulnerability in the WP-ViperGB plugin before 1.3.11 for WordPress (CVE-2014-9460)
- Multiple XSS vulnerabilities in the Rezgo Online Booking plugin before 1.8.2 for WordPress (CVE-2014-4547)
- SQL Injection in FreiChat 9.6 (CVE-2015-6512)
- SQL Injection vulnerability in cygnux.org sysPass 1.0.9 and earlier (CVE-2015-6516)
- XSS and SQL Injection vulnerability in Piwigo before 2.7.4 (CVE-2015-2035)
- bl_domains update
« Last Edit: December 01, 2015, 09:17:23 AM by Serhyo »

SergeiP
« Reply #43 on: December 08, 2015, 11:51:19 AM »
2015.12.08
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.56

- phpMyAdmin FP fixed
- XML-RPC protection improved
- bl_domains update
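The "XML-RPC protection (CVE-2013-0235)" entry in the 2015.09.01 post and the "XML-RPC protection improved" entry in the 2015.12.08 post name the feature without saying what it inspects. The following is an added example, not CWAF's rule logic and not code from these posts: a Python inspector that does what a WAF sitting in front of WordPress's xmlrpc.php would plausibly do. It enumerates every method in a request, including calls nested inside a system.multicall bundle, enforces a method allowlist, and rejects a pingback.ping whose source URL points at loopback or private address space, which is the intranet request / port-scan vector tracked as CVE-2013-0235. The ALLOWED_METHODS set and the three sample request bodies are constructed for the example and are assumptions, not anything the changelog states.

```python
"""Illustrative XML-RPC request inspector for a WAF in front of WordPress.

Added example, not CWAF's rule logic. Assumptions (not from the changelog):
the WAF sees the POST body sent to /xmlrpc.php, allows only a short list of
methods, and treats a pingback.ping whose source URL points at loopback or
private address space as the SSRF/port-scan pattern of CVE-2013-0235.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical allowlist; a real deployment tunes this to the clients it has.
ALLOWED_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "wp.newPost", "pingback.ping"}


def _text(node):
    """Stripped text of an element, or '' when the element is missing."""
    return (node.text or "").strip() if node is not None else ""


def _scalar(value_node):
    """A <value> wraps <string>, <int>, ... or carries bare text; return it."""
    children = list(value_node)
    return _text(children[0]) if children else _text(value_node)


def extract_calls(body):
    """Yield (methodName, [param strings]) for the top-level call, or for
    every nested call when the request is a system.multicall bundle."""
    # ElementTree does not fetch external entities; still prefer defusedxml in production.
    root = ET.fromstring(body)
    method = _text(root.find("methodName"))
    if method != "system.multicall":
        yield method, [_scalar(v) for v in root.findall("./params/param/value")]
        return
    # multicall: params[0] is an array of structs {methodName, params}
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        name, args = "", []
        for member in struct.findall("member"):
            key, val = _text(member.find("name")), member.find("value")
            if val is None:
                continue
            if key == "methodName":
                name = _scalar(val)
            elif key == "params":
                args = [_scalar(v) for v in val.findall("./array/data/value")]
        yield name, args


def is_internal_target(url):
    """True when the URL host is a literal loopback/private/link-local address
    or 'localhost'. Hostnames are not resolved here; a real WAF would resolve
    and re-check to catch DNS rebinding."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def inspect(body):
    """Return ('block', reason) on the first violating call, else ('allow', summary)."""
    try:
        calls = list(extract_calls(body))
    except ET.ParseError as exc:
        return "block", "malformed XML: %s" % exc
    for method, params in calls:
        if method not in ALLOWED_METHODS:
            return "block", "method not allowed: " + method
        if method == "pingback.ping" and params and is_internal_target(params[0]):
            return "block", "pingback to internal target: " + params[0]
    return "allow", "%d call(s) ok" % len(calls)


# Constructed sample bodies (not captured traffic).
PINGBACK_INTERNAL = """<?xml version="1.0"?>
<methodCall><methodName>pingback.ping</methodName><params>
<param><value><string>http://127.0.0.1:22/</string></value></param>
<param><value><string>http://blog.example/?p=1</string></value></param>
</params></methodCall>"""

PINGBACK_PUBLIC = PINGBACK_INTERNAL.replace("http://127.0.0.1:22/", "http://news.example/post/7")

MULTICALL = """<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>
<value><struct>
<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data>
<value><string>admin</string></value><value><string>guess1</string></value>
</data></array></value></member>
</struct></value>
<value><struct>
<member><name>methodName</name><value><string>system.listMethods</string></value></member>
<member><name>params</name><value><array><data/></array></value></member>
</struct></value>
</data></array></value></param></params></methodCall>"""

if __name__ == "__main__":
    for label, body in (("pingback-internal", PINGBACK_INTERNAL),
                        ("pingback-public", PINGBACK_PUBLIC),
                        ("multicall", MULTICALL)):
        print(label, inspect(body))
```

The multicall case is the one a simple per-request methodName match misses: the outer method is system.multicall, and the disallowed call only shows up after walking the nested structs. Blocking on the first violating call, rather than scoring the whole bundle, mirrors how a WAF rule with a deny action behaves.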

SergeiP
« Reply #44 on: December 15, 2015, 08:55:29 AM »
2015.12.15
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.57

- Multiple XSS vulnerabilities in the Rezgo Online Booking plugin before 1.8.2 for WordPress (CVE-2014-4547)
- CSRF & XSS vulnerability in the Timed Popup (wp-timed-popup) plugin 1.3 for WordPress (CVE-2014-9525)
- CSRF & XSS vulnerability in the Sliding Social Icons plugin 1.61 for WordPress (CVE-2014-9437)
- CSRF & XSS vulnerability in the Simple Sticky Footer plugin before 1.3.3 for WordPress (CVE-2014-9454)
- CSRF & XSS vulnerability in the IP Ban (simple-ip-ban) plugin 1.2.3 for WordPress (CVE-2014-9413)
- SQL injection vulnerability in the Cart66 Lite plugin before 1.5.2 for WordPress (CVE-2014-9305)
- userdata_wl_content_type added
- userdata_bl_extensions added
- userdata_bl_headers added
- multiple SQLi FPs fixed
- bl_domains update

 
