Changelog

🐧Linux
🔄Reliable-Auto-Update
Windows
🧱WAF Rules
🛠️Vulnerability Patches

bitninja (3.10.30) Frequent Beta Mon, 04 Nov 2024 10:22

SqlScanner

Fixed an issue when workers didn’t stop after disabling the module.

SandBoxScanner

Fixed an issue when workers didn’t stop after disabling the module.

bitninja (3.10.29) Frequent Beta Wed, 09 Oct 2024 15:32

MalwareDetection

Fixed an issue that caused memory issues because of the CreateSignature command.

bitninja (3.10.28) Frequent Beta Wed, 09 Oct 2024 12:36

MalwareDetection

Fixed and improved a few things about our caching.
Fixed issues with adding, publishing, and removing signature commands.
Created a CLI command that can validate the draft signatures.
Added the option to discard signature when restoring it with CLI command.
Fixed issues with the create signature command.

DataProvider

Fixed issues with the message queue.

bitninja (3.10.27) Frequent Beta Mon, Sept 2024 14:48

MalwareDetection

Handle an error when the agent is unable to open the database file

SenseLog

Refactored the ApacheWpLoginReauth rule

SpamDetection

Fixed an issue that caused memory issues

bitninja (3.10.26) Stable Frequent Thu, 19 Sept 2024 13:14

MalwareDetection

Added a new middleware type, which is searching for RCE malware crons
Handle an Uncaught PDOException correctly

Process Analysis

Fixed an issue with Redis message queue

Shogun

Iframely added to domain whitelist

bitninja (3.10.25) Fri, 30 Aug 2024 07:22

Dependency problem fixed from BitNinja Agent 3.10.24 version.

bitninja (3.10.24) Thu, 29 Aug 2024 12:54

SslTerminating

Fixed an issue that caused problems in the collection order of certificates.

LogAnalysis

Fixed an issue in reloading logic.

MalwareDetection

AuditD is now default file monitoring for new installations.
Fixed an issue responsible for catching files.
In the case when changing from Inotify to Auditd, purging all Inotify processes completely.
After installation, MalwareDetection will start with Auditd if it is configured in CloudConfig.
Fixed an issue with Audispd package install.
Periodically check the inode values.
Fixed an issue with reloading logic when changing between monitor types.

bitninja (3.10.23) Fri, Aug 2024 11:15

MalwareDetection

Added a new middleware type, which is searching for malware downloader crons

WafManager

Fixed an issue with configuration updating

CloudConfig

Fine-tuned default config options

Changelog was added to the BitNinja package.
From this version, BitNinja will automatically install BitNinja-Reliable-Auto-Update which is a self-updater software.
Bitninja Reliable Auto Update 1.0.1

This standalone service runs in the background alongside BitNinja, using minimal resources, and is responsible for keeping BitNinja up-to-date.
Currently, it checks every 6 hours if there is an up-to-date version of BitNinja and updates it.
This package is only available from the BitNinja Linux Agent 3.10.23 version.

bitninja (3.10.22) Tue, 16 July 2024 14:59

SslTerminating

Fixed an issue that cause invalid cert problems in cert collection ordering

bitninja (3.10.21) Thu, 04 July 2024 12:52

Process Analysis 1.0.5

Fixed some issues with shutdown

Preparing to change the location of PID files

bitninja (3.10.20) Tue, 25 June 2024 11:11

MalwareDetection

Fixed an issue where a crash could have happened when new Yara rules added to the signature collection

SslTerminating

If the user manually adds certificates to the JSON file, those certificates will be used first.
A new config option has been added to allow users to set the number of minutes to run the certificate check. This defaults to 5 minutes. Configuration name is: periodicCertCollection (Agent), Periodic SSL Certificate collection (Dashboard)

Fixed an issue that caused app_ids to disappear.

bitninja (3.10.19) Wed, 12 June 2024 13:23

SpamDetection

Fixed an issue that caused an error in stopping SpamDetection

DataProvider

Fixed an issue in DataProvider, that caused, in the case of Enhance Control Panel, the domain not detected correctly

MalwareDetection

Added a new CronInjector signature to the MalwareDetection

Fixed some issues with the hosted user counter script

bitninja (3.10.18) Wed, 29 May 2024 10:23

ConfigParser

Fixed some bugs in the Enhance service detector

bitninja (3.10.17) Wed, 22 May 2024 22:15

MalwareDetection

Fixed a bug where time zone mismatches could occur.

IpFilter

Fixed a problem where an IP address could be on both a global allow list and a global challenge list at the same time.

bitninja (3.10.16) Mon, 13 May 2024 15:32

CloudConfig

Minimum resource usage changed (System): 40 → 60
Minimum malwareDetection memory limit changed (MalwareDet): 100 → 600
Minimum scan niceness changed (MalwareDet): 0 - 1 → 0 - 0.1

MalwareDetection

Added config option to scan or not scan /var/spool/cron periodically.

IpFilter

When an IP address is put on the allow list, it is removed from the challenge list, avoiding the case where an IP address cannot be on both the allow list and the challenge list.

Process Analysis 1.0.3

Add new php binaries path
Validating exist binary path
Remove Goroutine for new running processes, caused a concurrency

Auditd monitor handling Enable and Disable

bitninja (3.10.15) Tue, 30 Apr 2024 09:42

MalwareDetection

Fixed an issue where 400 Bad Request errors could have been happened when hashes uploaded to the API.

Vulnerability Patcher

Added new patches to the data collections, against the following CVE vulnerabilities: CVE-2023-6985, CVE-2024-0699, CVE-2024-0668, CVE-2024-0428, CVE-2024-0761,CVE-2024-0842, CVE-2024-1072, CVE-2024-0685, CVE-2023-6875, CVE-2023-6933

Details

bitninja (3.10.14) Thu, 25 Apr 2024 18:40

Patcher

Fixed an issue where some information could be missing while sending information to the API.
Added a new rule against WP-Core cross-site scripting (XSS) vulnerability

Process Analysis

A new module is included in this package: Process Analysis module capable of finding malware that only exist in memory. It is disabled by default and can not be enabled from the dashboard, as it's in a closed Beta state for now.

bitninja (3.10.13) Tue, 09 Apr 2024 13:56

Patcher

Fixed an issue regarding the cloud-config when BitNinja is installed.

IpFilter

Fixed an issue where a crash could have happened.

bitninja (3.10.12) Tue, 09 Apr 2024 13:56

CloudConfig

Fixed an issue regarding the cloud-config when BitNinja is installed.

bitninja (3.10.11) Tue, 09 Apr 2024 13:56

The Agent is now compatible with native OpenLiteSpeed
SslTerminating

Fixed some problems that significantly increased the start of SslTerminating for large certificate volumes

MalwareDetection

Implemented config options that significantly reduce the resource consumption of MalwareDetection. At the same time, the scan time is increased. It only works with AI Scan and when the Optimize for low server performance impact option is enabled.

load_friendly_timer - sets the amount of delay in milliseconds when processing files - Default value of the config option is 20000
high_server_load_divider - sets the divisor of the hashes sent per batch (the original value of the hashes sent is 500) - Default value of the config option is 10

IpFilter

Added ipset_timeout config option to IpFilter to manually set the TTL in seconds of the IP addresses in the challenge list. The default value is 0, which means that no TTL is manually set.

bitninja (3.10.10) Wed, 27 Mar 2024 16:34

Malware Detection

Fixed an issue which sometimes made false positive md5 catches

bitninja (3.10.9) Wed, 20 Mar 2024 13:05

Malware Detection

Fixed an issue where a crash could have happened when the type of upload permission file was incorrect.

Vulnerability Patcher

Fixed an issue where a crash could have happened when the Vulnerability Patcher did not get the patches.

SQL Scanner

Fixed an issue where a crash could have happened when the SQL Scanner collected database information.

bitninja (3.10.8) Wed, 13 Mar 2024 12:25

Malware Detection

Fixed an issue where a crash could have happened when the AI Scan did not get the upload permission from the API.
Fixed an issue regarding the validating malware signature types in case of the AI Scan where the signature state could have been missing and instead of log-only action quarantine or clean could happen.

Config Parser

Changed the new config check interval from 60 minutes to 1 minute.

SQL Scanner

Added two new SQL malware signatures to the ruleset.

SslTerminating

Added maxconn HAProxy config option to Cloud Config. Default value: 4000

Spam Detection

Fixed an issue where the sendmail_bitninja wrapper file permissions and group were not set to the same as the original sendmail permissions and group.
Added a fallback logic to the module in case there is an active CageFS service present on the server.
Added use_wrapper config option to the Cloud Config which will force the module to use the sendmail wrapper if there is no active CageFS service present.
Changed the sendmail wrapper setup script to reload the webservers instead of restarting them.

bitninja (3.10.7) Fri, 08 Mar 2024 12:25

Fixed an issue regarding a dependency version which could have caused the IpFilter module to get stuck and stop communication.

bitninja (3.10.6) Thu, 29 Feb 2024 09:45

The Patcher (Vulnerability Patcher) module has been renewed, which is now able to fix various vulnerabilities.
Two new CLI commands have been added regarding the Patcher module:

bitninjacli --module=Patcher --patch=CVE_EXAMPLE_2024_0101 --domainPath=/path/to/dir
bitninjacli --module=Patcher --restorePatch=/var/lib/bitninja/Patcher/backups/2024/01/01/example.php

UI release is scheduled for a later date.

bitninja (3.10.5) Wed, 14 Feb 2024 10:30

Fixed an issue regarding the Captcha HTTP where a wrong parameter type could throw a Request Exception in the module.
Fixed an issue regarding the Malware Detection AI Scanner where the unknown file upload could cause out-of-memory crashes.
Fixed an issue regarding the Malware Detection quarantine mechanism where during the quarantine process the unlink of the original failed and threw a warning message that it failed to rename the malicious file.

bitninja (3.10.4) Wed, 06 Feb 2024 13:50

Fixed an issue regarding the SpamDetection module where a combination of settings and software could lead to the temporary disruption of mailing services. - The issue could only occur where CloudLinux and Cagefs were present, and ea-php was used instead of alt-php.
Fixed an issue regarding the self-update mechanism on RPM-based systems where BitNinja would not auto-start after an update in some cases.

bitninja (3.10.3) Thu, 01 Feb 2024 15:25

Fixed an issue regarding the MalwareDetection scan command when it would not scan the path if it was a single file.
Fixed some custom log and certificate collection issues regarding the Config Parser module.
Increased the MalwareDetection cache cleanup percentage from 1% to 2%.
Added a mechanism to the MalwareDetection module which forces the module to scan the /var/spool/cron directory every 24 hours.
Added a new positive incident type to the Captcha which will indicate the result of a BIC or Captcha.
Extended the SpamDetection detector in a way that it will work with every SMTP solution that uses sendmail.

bitninja (3.10.2) Fri, 19 Jan 2024 12:55

Fixed the issues regarding the increased messaging error logs and stack traces introduced by the 3.10.1 version.
Minor changes in our logging system.

bitninja (3.10.1) Tue, 16 Jan 2024 11:45

Fixed an issue regarding the SslTerminating module where the 60414 and 60415 ports were open after starting BitNinja despite the Close Direct Access config option being turned on.
Fixed an issue regarding the MalwareDetection module where the AI scanner did not send the files to the AI for further analysis.
Fixed an issue regarding the WafManager module where some ModSecurity log files were not deleted after 1 day.
Fixed an issue regarding the WafManager module where it could run out of memory because of oversized request logs.
Fixed an issue regarding the SqlScanner module where if there were some errors during the scan it could crash.
Fixed an issue regarding the SqlScanner module where it could crash if there were multiple webservers present on the server.
Minor fixes regarding the error logging.
Finetuned the log detection patterns and extended the log detection paths in the SenseLog module.
Finetuned the PHP cache file detection pattern in the Malware Detection module.

bitninja (3.10.0) Thu, 14 Dec 2023 12:50

Added RHEL 9 support (Alma Linux 9, Rocky Linux 9, and Centos Stream 9 are now officially supported.)
Added tar as a dependency. (There were some cases where tar was missing.)
Changed the old BitNinja Site Protection logo to the BitNinja Server Security logo on the captcha page.
Fixed an issue regarding the Defense Robot module where the cleanup of the correlations could cause overload on the /tmp folder.
Moved the WordPress integrity check from Site Protection to the Data Provider module.

bitninja (3.9.2) Mon, 22 Nov 2023 15:02

Extended the resource limitation with cgroup v2 support.
Fixed an issue regarding the Malware Detection module filesystem cache cleaner where it could clean the database more often than it should.
Fixed an issue regarding the Malware Detection module where the incident queue could not be flushed if bitninja-mq was restarted.

bitninja (3.9.1) Tue, 05 Dec 2023 10:35

Added an automatic cleanup for correlations to the Defense Robot module. This cleanup solution ensures that only the last 7 days of correlations are being kept.
Fixed an issue regarding the SystemD service file, where the Type=fork could cause problems starting the BitNinja Agent automatically.
Fixed the user page redirection and the display of the logo in the DirectAdmin plugin.

bitninja (3.9.0) Mon, 30 Nov 2023 12:35

Fixed an issue where we used apt-key and it caused a deprecated GPG key location warning.
Changed the service manager from init.d to systemd.

bitninja (3.8.9) Mon, 22 Nov 2023 15:12

Extended the resource limitation with cgroup v2 support.
Fixed an issue regarding the Malware Detection moduleâs filesystem cache cleaner where it could clean the database more often than it should.
Fixed an issue regarding the Malware Detection module where the incident queue could not be flushed if bitninja-mq was restarted.

bitninja (3.8.8) Mon, 20 Nov 2023 14:50

Added WP Integrity Check command option to SiteProtection module

bitninja (3.8.7) Mon, 20 Nov 2023 12:10

The Malware Detection module now invalidates the Log Only results if the Log Only mode is turned off.
Fixed an issue where the redirections were wrong if a custom interface was added in Cloud Config.
Fixed an issue where an already established connection was not interrupted when the given IP was added to the greylist or to the blacklist.
Changed the SiteProtection plugin to open the login page and the dashboard on another page.
Fix an issue regarding the SiteProtection plugin where our login response handling was incorrect.

bitninja (3.8.6) Wed, 15 Nov 2023 07:10

Fixed an issue where the Malware Detection Active Scan could not start without the AI Scan enabled.

bitninja (3.8.5) Wed, 08 Nov 2023 16:10

Added Active AI scan.
Fixed several 400 Bad Request issues regarding the AI Scan.
Fixed an issue where there was an error regarding our UFW handling during the stopping of the IpFilter module.
Changed the minimum value of the resource limitation from 20 to 40 in Cloud Config.

bitninja (3.8.4)Tue, 17 Oct 2023 13:30

Fixed an issue regarding the Shogun when it lost connection to the message queue, which caused incidents not to be sent to the API.

bitninja (3.8.3) Fri, 06 Oct 2023 07:06

Fixed an issue regarding the Shogun optimization which caused some messages to get stuck in the message queue.

bitninja (3.8.2) Tue, 04 Oct 2023 14:34

Optimized incident processing and sending.
Fixed an issue regarding the Malware Detection module where some files were scanned multiple times.

bitninja (3.8.1) Tue, 03 Oct 2023 14:34

Fixed an issue regarding the locally saved module status file creation.
Fixed an issue with the AI Scan API communication error codes.

bitninja (3.8.0) Thu, 28 Sept 2023 15:26

Phase 2 (Deep Scan) has been added to the AI scan.
Excluded directories in the Malware Detection module which caused the inotify to use up many resources.
Changed rule 80_1_023 (SpamBots) to be turned off by default in SenseLog due to false positives.

bitninja (3.7.8) Wed, 21 Sept 2023 15:06

Added .discord.com to the reverse DNS whitelist.
Fixed an issue regarding the LiteSpeed config parsing where config files were not parsed correctly in the case of Enhance.

bitninja (3.7.7) Wed, 06 Sept 2023 14:12

Fixed an issue regarding the AI Scan where there were cases when empty files were uploaded for scan.
Fixed an issue where the Config Parser module did not parse the LiteSpeed configurations properly in the case of the Enhance Control Panel which caused invalid SSL Certificate errors.
Reintroduced the certMapping feature. From now on it can be used while the Cloud Config is enabled.
Cert mapping can be set in the /etc/bitninja/SslTerminating/certMappings.json manually as well as with the two new commands that have been added to the SslTerminating module.

bitninjacli --module=SslTerminating --add-cert --domain=<domain> --certFile=<certFile> --keyFile=<keyFile> | optional --chainFile=<chainFile>
bitninjacli --module=SslTerminating --del-cert --domain=<domain>

After modifying the cert mapping (even after using the add-cert and del-cert commands) a force-recollect will be needed.
Known Issues:

The certMapping feature does not support wildcard domains (*.example.com) for now.

bitninja (3.7.6) Fri, 01 Sept 2023 20:44

Fixed Captcha showing server's IP address in certain server environments.

bitninja (3.7.5) Thu, 31 Aug 2023 10:47

Fixed an issue regarding the module restart command which caused the module to stop and not start it back.
Fixed the issue which caused the DirectAdmin plugin not to install.
Added exclusion for Docker IPs during private IP auto-configuration.
Added a configuration option to the IPFilter module (enableIpsetMode ) for turning CSF into IPSet mode during integration. This option is ON by default.

The csf config location can also be set with a new config option called csf.conf. By default it is set to the default csf config path: /etc/csf/csf.conf.

bitninja (3.7.4) Wed, 23 Aug 2023 15:02

Fixed an issue where delisting blocklisted IPs did not work.
Fixed an issue regarding the Shogun where it was crashing when there were many incidents.
Fixed an issue where the Shogun could not keep up with incidents from Malware Detection.
Fixed an issue where Malware Detection could not add a signature and caused errors.
Added a new command to the Malware Detection remove-cache which adds the ability to remove a file or directory from the filesystem cache. Usage: bitninjacli --module=MalwareDetection --remove-cache=<path> --file | --dir

bitninja (3.7.3) Wed, 16 Aug 2023 09:36

Our service ports now automatically opened in UFW if it is enabled on the server.
Private IP ranges are now automatically added to the Trusted Proxy.
Private IPs are now auto-configured for WAF.
Fixed an issue where the WAFHoneypot could not turn off properly because the honeypot files were not removed.
Fixed an issue that caused redirect loops with WordPress sites behind Cloudflare.
Fixed an issue regarding the disappearing WAF and Trusted Proxy redirections.
Fixed an issue that caused changes to the WAF redirection mode not to apply immediately.

bitninja (3.7.2) Wed, 09 Aug 2023 14:22

Fixed an issue regarding the first startup sync to the cloud-config.
Fixed a Config Parser issue where the SSL certification was set in the main nginx configuration.
Fixed an issue that prevented the IpFilter module to apply changes to allowed ports when set from Cloud Config.
Fixed an issue that prevented the SslTerminating module to apply Cloud Config changes to the HAProxy configs.

bitninja (3.7.1) Wed, 02 Aug 2023 09:30

Extended the filesystem cache cleaning mechanism, ensuring the database size is kept within limits.
The filesystem cache is now re-enabled if the size is below the filesystem cache size limit.
Fixed an issue regarding the filesystem cache when the database file was not found.
Fixed an issue regarding the WAF when HEAD requests were hanging. (Also solves the Enhance file management issues.)
Added .wordpress.org to the reverse DNS whitelist.

bitninja (3.7.0) Mon, 19 Jul 2023 14:53

Added a config option called cpuUsageLimit in the System module, under the resources section.
Fixed an issue regarding the crash report uploading.
Fixed an issue regarding the SslTerminating cert mining when no certs were found.
The Nginx process and its configuration are now reloaded in case of Cloud Config changes.
Startup error logs are now more verbose instead of "Failed to access the API server" log.

bitninja (3.6.3) Mon, 10 Jul 2023 12:53

Removed HTTP fallback from the agent.

bitninja (3.6.2) Tue, 4 Jul 2023 14:20

Fixed the issue where users could not delist themselves if there were more than 1 IP addresses present in the X-Forwarded-For header.
Fixed the issue where sometimes the file sizes were not saved properly in the filesystem cache during the AI scan.
The CaptchaHttp page should now properly show the client IP.
Added worker_connections as a config option to the WAFManager module which sets the worker_connections config option for Nginx.

If this option has already been overridden in the local Nginx configs, the agent will automatically migrate it to the WAFManager config.

bitninja (3.6.1) Thu, 29 Jun 2023 14:25

Fixed an issue regarding the Malware Detection scans which caused the scans to start multiple times with AI scan.

bitninja (3.6.0) Wed, 28 Jun 2023 15:22

MalwareDetection

Added the AI scan feature. Can be enabled via the enable_ai_scan option in the config. Disabled by default.
Fixed a bug which caused AuditD to find files but the agent did not quarantine them.

ProxyFilter

Fixed the bug which caused some firewall rules to get duplicated.

bitninja (3.5.4) Tue, 20 Jun 2023 13:28

Fixed the issue which caused user level trusted proxies to get ignored by the WAF.
Fixed the issue which prevented blocking and challenging IPs coming from user level trusted proxies.
The MalwareDetection module now shows if scans are running in its process title.
Added CLI command for force recollect: bitninjacli --module=SslTerminating --force-recollect.

bitninja (3.5.3) Wed, 14 Jun 2023 11:43

General

Added a CLI switch to the DataProvider module called send-diagnostics which sends performance related diagnostics to the cloud.
Enhance control panel is now detected correctly on secondary servers in the cluster.
Fixed some configuration issues related to logging.

MalwareDetection

PostDetection scripts now receive the state and list of the signature which triggered them.

bitninja (3.5.2) Tue, 31 May 2023 16:21

MalwareDetection

Fixed an issue which caused scans to scan excluded directories during a full scan.
The honeypotify config option works properly now.
Fixed an issue which caused the file system monitor to start when the module reloads even though the module is disabled.

Updated Nginx from 1.15.6 to 1.23.3.

IPFilter

Fixed an issue regarding the IP set hierarchy, where the user-level blocklist was stronger than the global whitelist.

bitninja (3.5.1) Tue, 31 May 2023 16:21

Reloading the ConfigParser module on an Enhance server caused the module to not parse configurations properly, this has been fixed.
Post Detection scripts received the quarantined file path instead of the real file path if the MalwareDetection module was not in log only mode, this has been fixed.
Fixed memory issues with the ConfigParser module.
Fixed a minor issue in SiteProtection.
Hotfixing in Proxyfilter, iptables rules were created more than once.

bitninja (3.5.0) Tue, 25 May 2023 11:48

IpFilter

Fixed firewall-related issues when CSF is present on the server.
Reworked CSF integration.

ProxyFilter

The --status command now reports the status of the redirections.
If redirection creation fails, the module retries multiple times.
Added health check which runs every 5 minutes. This includes checking the redirections. They are recreated if missing.
Health check logs the status of the redirections.
The module can now process commands even during its setup.

SiteProtection

Fixed an issue where the login failed on some WordPress sites.
Added the ability to update/reinstall all SiteProtection related plugins.

MalwareDetection

Added the --force-clean switch to the scan command. If this is passed to the command, the module will clean malware even if it is in log only mode. This option can be passed when called from the API as well.

SslTerminating

Added tune.maxrewrite, tune.bufsize, and tune.h2.initial-window-size to the Cloud Config. These settings can be fine-tuned if you encounter any issues with upload speeds.

General

Fixed numerous firewall issues which caused the server to be unavailable for a short time.
Removed the error Could not find executable for command docker which was thrown around randomly by all modules. This did not cause any specific issues but it cluttered the logs.
Fixed a bug that caused some modules to crash when sending error logs to the API.
Fixed a bug that caused the agent to revert to HTTP on startup even if it was set to HTTPS.

bitninja (3.4.5) Wed, 10 May 2023 14:55

Fixed the issue which caused the agent to report that it is running even if it was not.
Added support for the auditd module.

Fixed an issue which caused the module to consume a lot of CPU.

Fixed an issue where the Ssh module was not respecting the config's setting for max password failures
Fixed an issue which caused the process to crash when too many IPs were blocked.
Fixed the issue where the Shogun module consumed too much CPU when there were many incidents.

bitninja (3.4.4) Wed, 03 May 2023 16:44

Fixed an issue which caused the ConfigParser to not save the files, which resulted in the inability to fetch the configurations.
Fixed an issue which caused the Network module to use a lot of CPU.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to not log all requests.
Fixed an issue which caused the DirectAdmin to crash during the cleanup phase.
Fixed an issue which caused the WAF to sometimes not block IPs.
The CaptchaHttp page now includes the client IP.
Fixed an issue which caused the IPFilter to not reload properly.
Fixed an issue which caused the SslTerminating to not reload properly.
Fixed an issue which caused the SslTerminating to not respect the correct SSL files.

bitninja (3.4.3) Tue, 25 Apr 2023 16:21

Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
Fixed an issue which caused the SslTerminating to not reload properly.

bitninja (3.4.2) Wed, 19 Apr 2023 15:10

Added the config option cert.cglSishedDomains to the SslTerminating module, which allows defining multiple domains for a single cert. Each domain should be separated by a comma.
Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.

bitninja (3.4.1) Tue, 11 Apr 2023 10:35

Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
Fixed an issue which caused the SslTerminating to not reload properly.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.

bitninja (3.4.0) Tue, 04 Apr 2023 16:21

Added the logs of the PostDetection scripts to the audit logs.
Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.
Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.

bitninja (3.3.5) Tue, 28 Mar 2023 16:21

Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.

bitninja (3.3.4) Tue, 21 Mar 2023 16:21

Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.

bitninja (3.3.3) Tue, 14 Mar 2023 16:21

Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.

bitninja (3.3.2) Tue, 07 Mar 2023 16:21

Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.

bitninja (3.3.1) Wed, 01 Mar 2023 16:21

Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.

bitninja (3.3.0) Tue, 21 Feb 2023 16:21

Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.

bitninja (3.2.6) Wed, 15 Feb 2023 16:21

Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
Fixed an issue which caused the WAF to block some CDN IPs.
Fixed an issue which caused the WAF to sometimes not log all requests.
Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.

bitninja (3.2.4) Wed, 29 Mar 2023 11:37

Fixed numerous errors related to messaging.
The message queue and the Dispatcher should be properly restarted now if they are not running.
Fixed a bug where the SiteProtection did not get the WordPress path correctly.
Fixed a bug where the SiteProtection WordPress plugin could not be uninstalled correctly.
Added more whitelisted files to the SpamProtection config.

bitninja (3.2.3)Thu, 16 Mar 2023 16:38

MalwareDetection

Added a command to create a validating signature from a file (can be called from the API),
name: CreateValidatingSignatureFromFileCommand. Accepts a single argument, which is the file path.

SslTerminating

Added tune.maxrewrite, tune.bufsize, and tune.h2.initial-window-size to the config in the haproxyGlobalSettings section. These settings can be fine-tuned if you encounter any issues with upload speeds.

IpFilter

Added a CLI command to test an IP against the ipsets for convenience: bitninjacli --checkip=ip

bitninja (3.2.2)Wed, 08 Mar 2023 18:37

Bug in the messaging system config management while using remote config is fixed

bitninja (3.2.1)Thu, 02 Mar 2023 17:15

There was a bug in SpamDetection that did not always set the whitelists.

bitninja (3.2.0) Thu, 02 Mar 2023 16:15

MalwareDetection module

Added a new signature type: md5-clean.

md5-clean signatures will clean malware efficiently during scan phase 1.
Currently, user-level md5-clean signatures only.

Real-time malware detection can be disabled with the enable_active_scan option.
The create_signatures_during_phase2 option enables the agent to create
md5 and md5-clean signatures during the phase 2 scan.

By default, the option is disabled.

Added support for inotify versions newer than 3.14.

A proxy_read_timeout option is now added to the WAFManager module.

This is a timeout threshold in the Nginx proxy.
If the option was overridden initially in the local Nginx configs, then the agent migrates the overridden value to this option.

Added whitelist to SpamDetection for sender scripts.

There is an option to add scripts by path or by file name.
Whitelisted files will not be flagged as sender scripts.

bitninja dispatcher 1.0.1

Now can restore API connection if it fails.
Logs are now moved under the /var/log/bitninja-dispatcher/ directory.
Log rotation is separate. It depends on the log size.
The current log is always indicated by current.log.

bitninja (3.1.1) Wed, 22 Feb 2023 16:06

The --create-signature CLI command sometimes did not work, this has been fixed.

bitninja (3.1.0) Wed, 22 Feb 2023 11:55

Reworked cert watching in the SslTerminating module.

This should fix most cert detection issues.

Increased default timeout in HAProxy to 5 minutes.
Added config option for manual cert mapping.
HAProxy should no longer crash if we pick up bad certificates.

Logs will indicate if a certificate is bad.

SiteProtection extensions are now properly installed for every web server on the users' server.
Added ability to toggle Malware Source Sending remotely.
Reworked config parsing.

Include directives under virtual hosts are properly handled.
Added support for LiteSpeed XML.

Fixed some crashes in the SpamDetection module.

bitninja (3.0.1) Thu, 16 Feb 2023 08:55

Messaging error fixed that caused the Shogun module to sometimes crash upon an incident

BitNinja WAF Rules 2.0.4 Mon, 26 Aug 2024 07:30

LiteSpeed Cache Incorrect Privilege Assignment

Rule ID: 406050

Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.

Rule ID: 406051

Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.

BitNinja WAF Rules 2.0.3 Tue, 28 May 2024 11:34

Block ClaudeBot User-Agent

Rule ID: 404005

Rule helps to block a non malicious bot using the ClaudeBot User-Agent

BitNinja WAF Rules 2.0.2 Thu, 16 May 2024 11:34

Anti RCE Malware Rule

Rule ID: 409020

Rule against PHP RCE malware (663863d403a9690a37098357, 663863da03a9690a370983a5)

BitNinja WAF Rules 2.0.1 Wed, 10 Apr 2024 13:19

Wordpress Plugin Vulnerability Protection

Rule ID: 406049

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

BitNinja WAF Rules 2.0.0 Wed, 14 Feb 2024 10:30

Virtual Honeypot

Rule ID: 400112

This rule will trigger on any request to a file with POST method. You can use this rule to create virtual honeypot locations. Example usage: Your WordPress site had been compromised. There is a malicious file at example.com/wp-uploads/evil-malware/web-shell.php. Add //evil-malware/*.php location pattern with this rule enabled. It will block every POST request on the server which try to reach any php file under any domain located in any uri containing evil-malware.

Rule ID: 400113

This rule will trigger on any request to a file with GET method. You can use this rule to create virtual honeypot locations. Example usage: Your WordPress site had been compromised. There is a malicious file at example.com/wp-uploads/evil-malware/web-shell.php. Add //evil-malware/*.php location pattern with this rule enabled. It will block every GET request on the server which try to reach any php file under any domain located in any uri containing evil-malware.

Rule ID: 400114

Prevent PHP file uploads on this location. This rule is not allowed to used on [/] location.

Rule ID: 400115

WP admin page 200 (SecRule id changed because of honeypot id conflict - 2023-08-14)

Rule ID: 400116

positive WAF rule to check a valid xmlrpc call (SecRule id changed because of honeypot id conflict - 2023-08-14)

Wordpress Backdoor Protection

Rule ID: 401001

Themes General Backdoor Access Protection. Blocks HTTP POST method php calls for the themes directory (/themes/.php)

Rule ID: 401002

Wp-includes General Backdoor Access Protection. Blocks HTTP POST method php calls for the themes directory (/wp-includes/.php)

Rule ID: 401003

Uploads General Backdoor Access Protection. Blocks HTTP POST method php calls for the themes directory (/wp-content/uploads/.php)

Rule ID: 401004

Wordpress Backdoor Protection. Arbitrary file upload in Fancy Product Designer. CVE-2021-24370

Rule ID: 401005

Wordpress Backdoor Protection. Arbitrary file upload in Fancy Product Designer. CVE-2021-24370

Rule ID: 401006

Blocks HTTP POST method php calls for wp-login.php if the referer is exists and different from the domain. Use this rule with caution, it can cause incidents if the wordpress site use multiple domains, and a user try to login from a domain which is not the default one.

Drupal Remote Execution Protection

Rule ID: 402001

Drupal Remote Code Execution - SA-CORE-2018-002. Block specific #submit #validate #process #pre_render #post_render #element_validate #after_build #value_callback parameters. Reference: https://www.drupal.org/sa-core-2018-002

Rule ID: 402002

Drupal Remote Code Execution - SA-CORE-2018-002. Block all parameters starting with #. Reference: https://www.drupal.org/sa-core-2018-002

Rule ID: 402003

Drupal Remote Code Execution - SA-CORE-2018-004. Block all destination q[#. Reference: https://www.drupal.org/sa-core-2018-004

Modx Revolution Remote Execution Protection

Rule ID: 403001

Modx Revolution < 2.6.4 - Remote Code Execution - CVE-2018-1000207

Scanner Detection

Rule ID: 404001

Scanner protection based on Hello Peppa botnet: Reference:https://dshield.org/forums/diary/Well+Hello+Again+Peppa/23860/

Rule ID: 404002

Scanner protection based on Hello Peppa botnet Reference:https://dshield.org/forums/diary/Well+Hello+Again+Peppa/23860/

Rule ID: 404003

Scripting user agent protection. Reference:https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/scripting-user-agents.data

Rule ID: 404004

WAF Rule against Bytespider User-Agent (not malicious, but you can block them with this rule if you want)

Magento Remote Execution Protection

Rule ID: 405001

Magento Shoplift Remote Code Execution

Rule ID: 405002

Multiple XSS vulnerabilities in the Magento Mass Importer (CVE-2015-2068)

Rule ID: 405003

Directory traversal vulnerability in Magento Mass Importer (CVE-2015-2067)

Rule ID: 405004

SQL Injection vulnerability in Magento (PRODSECBUG-2198)

Rule ID: 405005

Magento Webforms Arbitrary File Upload

Rule ID: 405006

Magento Webforms Upload Vulnerability

Rule ID: 405007

SQLi in Adobe Commerce and Magento Open Source before 2.4.3-p1

Rule ID: 405008

Inproper input validation in Adobe Commerce and Magento Open Source before 2.4.3

Wordpress Plugin Vulnerability Protection

Rule ID: 406001

Duplicator <= 1.2.40 - Arbitrary Code Execution Reference: https://wpvulndb.com/vulnerabilities/9123

Rule ID: 406002

OptinMonster plugin <= 2.6.4 - Authentication vulnerability protection. Reference:

Rule ID: 406003

Rank Math SEO Plugin <= 1.0.40.2 - Privilege Escalation via Unprotected REST API Endpoint Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11514

Rule ID: 406004

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init. Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11738

Rule ID: 406005

The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Directory Traversal via the Image.php url parameter. Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-16283

Rule ID: 406006

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-0992

Rule ID: 406007

Rule ID: 406008

Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1657

Rule ID: 406009

The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-3477

Rule ID: 406010

Rule ID: 406011

In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24280

Rule ID: 406012

The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1020

Rule ID: 406013

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24175

Rule ID: 406014

Rule ID: 406015

An issue was discovered in the IMPress for IDX Broker plugin before 2.6.2 for WordPress. wrappers.php allows a logged-in user (with the Subscriber role) to permanently delete arbitrary posts and pages, create new posts with arbitrary subjects, and modify the subjects of existing posts and pages (via create_dynamic_page and delete_dynamic_page). Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-9514

Rule ID: 406016

The plugin does not escape the 'code' parameter in the /pmpro/v1/order REST route before using it in a SQL statement, leading to an unauthenticated SQL injection vulnerability. Reference: https://www.tenable.com/security/research/tra-2023-2

Rule ID: 406017

The plugin does not escape the 's' parameter in the 'edd_download_search' action before using it in a SQL statement, leading to an unauthenticated SQL injection vulnerability. The vulnerable part of the code corresponds to the 'edd_ajax_download_search()' function of the './includes/ajax-functions.php' file. Reference: https://www.tenable.com/security/research/tra-2023-2

Rule ID: 406018

The plugin does not escape the ‘surveys_ids’ parameter in the 'ays_surveys_export_json' action before using it in a SQL statement, leading to an authenticated SQL injection vulnerability. The vulnerability requires the attacker to be authenticated but does not require administrator privileges Reference: https://www.tenable.com/security/research/tra-2023-2

Rule ID: 406019

The Quick Restaurant Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to update menu items, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-0554

Rule ID: 406020

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the 'Record Exclusions' option to be enabled on the vulnerable site. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-0513

Rule ID: 406021

Privilege escalation in WPGateway WordPress plugin <= 3.5 (CVE-2022-3180) Reference: https://securityonline.info/actively-exploited-zero-day-cve-2022-3180-found-in-popular-wordpress-plugin/

Rule ID: 406022

Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-45359

Rule ID: 406023

Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-45359

Rule ID: 406024

Elementor Pro, a popular page builder plugin for WordPress, a broken access control vulnerability affecting versions <=3.11.6 that could allow full site takeover. Reference: https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-wordpress-elementor-pro-plugin/

Rule ID: 406025

Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-32243

Rule ID: 406026

Rule ID: 406027

The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the 'User-Agent' header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-0992

Rule ID: 406028

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server Side Request Forgery via the get_remote_content REST API endpoint in versions up to, and including, 1.8.3. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Reference:https://nvd.nist.gov/vuln/detail/CVE-2023-1895

Rule ID: 406029

The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_screen_options[option]' and 'wp_screen_options[value]' parameters during a screen option update. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-2833

Rule ID: 406030

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1903

Rule ID: 406031

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers. Reference: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/payment-gateway-stripe-and-woocommerce-integration/stripe-payment-plugin-for-woocommerce-377-authentication-bypass

Rule ID: 406032

The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the 'save_users_map_name' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'usernames' parameter. Reference: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wedevs-project-manager/wp-project-manager-264-arbitrary-usermeta-update-to-authenticated-subscriber-privilege-escalation

Rule ID: 406033

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-4634

Rule ID: 406034

The Donation Forms by Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.7.0.12 due to insufficient restriction on the 'update_core_user' function. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-4404

Rule ID: 406035

WordPress Slimstat Analytics plugin versions 5.0.9 and below suffer from cross-site scripting and remote SQL injection vulnerabilities.

Rule ID: 406036

Arbitrary File Deletion in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5212)

Rule ID: 406037

SQL Injection in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5204)

Rule ID: 406038

Unauthenticated Stored XSS in tagDiv Composer < 4.2 Wordpress plugin (CVE-2023-3169)

Rule ID: 406039

Unauthenticated File Upload Vulnerability in Royal Elementor Addons and Templates <= 1.3.78 Plugin For WordPress (CVE-2023-5360)

Rule ID: 406040

Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)

Rule ID: 406041

Possible Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)

Rule ID: 406042

Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)

Rule ID: 406043

Unauthenticated Insecure Deserialization in BuddyForms Plugin < 2.7.8 for WordPress (CVE-2023–26326)

Rule ID: 406044

Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)

Rule ID: 406045

Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)

Rule ID: 406046

Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)

Rule ID: 406047

Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)

Rule ID: 406048

Possible Authentication Bypass in WooCommerce Payments before plugin for WordPress 4.8.0-5.6.1 (CVE-2023-28121)

Botnet Protection

Rule ID: 407001

Protection against HEXA botnet attacks

Rule ID: 407002

Apache Log4J vulnerability Rule, for jndi pattern. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Rule ID: 407003

Apache Log4J vulnerability Rule, for jndi pattern. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Symfony Protection

Rule ID: 408001

You can disable some symfony directory access with this rule (_preview_error /_wdt /_profiler*) which should never be deployed in production. PrestaShop debug mode can also trigger this WAF rule

AntiMalware Protection

Rule ID: 409001

Rule against PHP RCE malware (63bd2f7a8302fd1dfe373344)

Rule ID: 409002

hidden and default_enabled WAF rule for helper SecRules init values and checking payload values which hint for malicious activity which can we use in blocking WAF rules EDIT WITH CAUTION!

Rule ID: 409003

Rule against PHP RCE malware Payload COOKIE contains 'str_rot13' in two parts AND 'perngr_shapgvba' (which is rotated create_function) in two parts AND 'onfr64_qrpbqr' (which is rotated base64_decode) in two parts

Rule ID: 409004

Rule against PHP RCE malware (63b301bc5205bf358a4caa0c) Payload COOKIE contains 'base64_decode' in two parts AND 'YmFzZTY0X2RlY29kZQ==' (which is base64_decode('base64_decode')) in two parts

Rule ID: 409005

Rule against PHP RCE malware (63048c774603e53b7a7f78b5) Payload POST contains 'fuckyou4321' key

Rule ID: 409006

Rule against PHP RCE malware (6284da8fef85056b327414fc) REQUEST_HEADERS contains 'create_function' and 'base64_decode' values too

Rule ID: 409007

Rule against PHP RCE malware (644b8c53ff5eec21f06b36d2) GET is empty, POST has only one request_option value which is a crypted php script

Rule ID: 409008

Rule against PHP RCE malware (644b680f1173f831663f5255)

Rule ID: 409009

Rule against PHP WebShell malware (64632ac5ff5eec21f06b3768)

Rule ID: 409010

Rule against PHP RCE malware (644b680f1173f831663f5255)

Rule ID: 409011

Rule against PHP RCE malware (60e3365f6dca960e3365f6dc)

Rule ID: 409012

Rule against PHP RCE malware (wp_ajx)

Rule ID: 409013

Rule against PHP Uploader malware (xcWD23)

Rule ID: 409014

Rule against PHP RCE malware (cdshell)

Rule ID: 409015

Rule against PHP malware (6548af1f7eef18d697055726) actmet1 & actmet2

Rule ID: 409016

Rule against ALFA TEaM Shell load

Rule ID: 409017

Rule against ALFA TEaM Shell cookie

Rule ID: 409018

Rule against PHP RCE malware (coco,login,cmd)

Other Rules

Rule ID: 410001

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. Reference:https://nvd.nist.gov/vuln/detail/CVE-2022-35914

Rule ID: 410002

PrestaShop is an open-source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. Reference:https://nvd.nist.gov/vuln/detail/CVE-2023-39526

Rule ID: 410003

RCE vulnerability in Laravel < 8.4.2 ignition module (CVE-2021-3129)

Rule ID: 410004

SQL injection vulnerability in Solidres 2.5.1 component for Joomla (CVE-2018-5980)

Rule ID: 410005

SQL injection vulnerability in Zh YandexMap 6.2.1.0 Zh BaiduMap 3.0.0.1 and Zh GoogleMap 8.4.0.0 for Joomla (CVE-2018-6582 CVE-2018-6604 CVE-2018-6605)

Rule ID: 410006

SQL injection vulnerability in the Gallery WD 1.3.6 component for Joomla! (CVE-2018-5981)

Rule ID: 410007

SQL injection vulnerability in DT Register 3.2.7 component for Joomla (CVE-2018-6584)

Rule ID: 410008

SQL injection vulnerability in JomEstate PRO through 3.7 component for Joomla (CVE-2018-6368)

Rule ID: 410009

SQL injection vulnerability in Fastball 2.5 component for Joomla (CVE-2018-6373)

Rule ID: 410010

SQL injection vulnerability in OS Property Real Estate 3.12.7 component for Joomla (CVE-2018-7319)

Rule ID: 410011

SQL injection vulnerability in Swap Factory 2.2.1 Raffle Factory 3.5.2 Penny Auction Factory 2.0.4 component for Joomla! (CVE-2018-17379 CVE-2018-17378 CVE-2018-17384)

Rule ID: 410012

SQL injection vulnerability in Zap Calendar Lite 4.3.4 component for Joomla

Rule ID: 410013

SQL injection vulnerability in Pinterest Clone Social Pinboard 2.0 component for Joomla (CVE-2018-5987)

Rule ID: 410014

SQL Injection vulnerability in ccNewsletter 2.x component for Joomla (CVE-2018-5989)

Rule ID: 410015

SQL Injection vulnerability in AllVideos Reloaded 1.2.x component for Joomla (CVE-2018-5990)

Rule ID: 410016

SQL injection vulnerability in the iJoomla com_adagency plugin 6.0.9 for Joomla! (CVE-2018-5696)

Rule ID: 410017

XSS vulnerability in Joomla! before 3.8.12 (CVE-2018-15880)

Rule ID: 410018

Arbitrary File Download vulnerability in Jtag Members Directory 5.3.7 component for Joomla (CVE-2018-6008)

Rule ID: 410019

Directory traversal vulnerability in K2 component 2.8.0 for Joomla (CVE-2018-7482)

Rule ID: 410020

SQLi vulnerability in J2Store plugin 3.x before 3.3.7 for Joomla! (CVE-2019-9184)

Rule ID: 410021

Directory Traversal vulnerability in Joomla before 3.9.5 (CVE-2019-10945)

Rule ID: 410022

Missing input validation within the template manager in Joomla! v3.2.0-v3.9.24 (CVE-2021-23131)

Rule ID: 410023

Improper access check in webservice endpoints in Joomla! (CVE-2023-23752)

Rule ID: 410024

SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a remote attacker to execute arbitrary code via the id_product parameters in the UpdateProductQuantity function. Reference:https://nvd.nist.gov/vuln/detail/CVE-2023-51210

Typo3 and Magento Exclusions

Rule ID: 1040001

Remove HTML injection false-positives for TYPO3 backend edit requests

Rule ID: 1040002

Remove HTML injection false-positives for Magento backend edit requests

OWASP WAF Rules 2.0.0 Wed, 14 Feb 2024 10:30

Scanner Detection

Rule ID: 913101

Scripting/Generic User-Agents This rule detects user-agents associated with various HTTP client libraries and scripting languages. Detection suggests attempted access by some automated tool. This rule is a sibling of rule 913100.

Rule ID: 913102

Crawler User-Agents This rule detects user-agents associated with various crawlers, SEO tools, and bots, which have been reported to potentially misbehave. These crawlers can have legitimate uses when used with authorization. This rule is a sibling of rule 913100.

Rule ID: 913110

Found request header associated with security scanner

Rule ID: 913120

Found request filename/argument associated with security scanner

Protocol Attack

Rule ID: 921110

HTTP Request Smuggling Rule Logic This rule looks for a CR/LF character in combination with a HTTP / WEBDAV method name. This would point to an attempt to inject a 2nd request into the request, thus bypassing tests carried out on the primary request. References http://projects.webappsec.org/HTTP-Request-Smuggling

Rule ID: 921120

HTTP Response Splitting Rule Logic These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters. These characters may cause problems if the data is returned in a response header and may be interpreted by an intermediary proxy server and treated as two separate responses. References http://projects.webappsec.org/HTTP-Response-Splitting

Rule ID: 921130

HTTP Response Splitting Attack

Rule ID: 921140

HTTP Header Injection Rule Logic These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters, on their own or in combination with header field names. These characters may cause problems if the data is returned in a response header and interpreted by the client. The rules are similar to rules defending against the HTTP Request Splitting and Request Smuggling rules. References https://en.wikipedia.org/wiki/HTTP_header_injection

Rule ID: 921150

Checking for GET arguments has been moved to paranoia level 2 (921151) in order to mitigate possible false positives.

Rule ID: 921151

Detect newlines in GET argument values. These may point to a HTTP header injection attack, but can also sometimes occur in benign query parameters. See also: rule 921140, 921150

Rule ID: 921160

HTTP Header Injection Attack via payload (CR/LF and header-name detected)

Rule ID: 921170

HTTP Parameter Pollution Rule Logic These rules look for multiple parameters with the same name. 921170 counts the occurrences of the individual parameters. 921180 checks if any counter is > 1. One HPP attack vector is to try evade signature filters by distributing the attack payload across multiple parameters with the same name. This works as many security devices only apply signatures to individual parameter payloads, however the back-end web application may (in the case of ASP.NET) consolidate all of the payloads into one thus making the attack payload active. References http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html https://capec.mitre.org/data/definitions/460.html

Rule ID: 921180

HTTP Parameter Pollution (%{TX.1})

Local File Inclusion

Rule ID: 930100

Directory Traversal Attacks Ref: https://github.com/wireghoul/dotdotpwn Encoded /../ Payloads

Rule ID: 930110

Decoded /../ Payloads

Rule ID: 930120

OS File Access Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml

Rule ID: 930130

Restricted File Access Detects attempts to retrieve application source code, metadata, credentials and version control history possibly reachable in a web root.

Remote File Inclusion

Rule ID: 931100

Rule Logic These rules look for common types of Remote File Inclusion (RFI) attack methods. - URL Contains an IP Address - The PHP "include()" Function - RFI Data Ends with Question Mark(s) (?) - RFI Host Doesn't Match Local Host References http://projects.webappsec.org/Remote-File-Inclusion http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html

Rule ID: 931110

Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload

Rule ID: 931120

Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)

Rule ID: 931130

-= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)

Remote Code Execution

Rule ID: 932100

Unix command injection This rule detects Unix command injections. A command injection takes a form such as: foo.jpg;uname -a foo.jpg||uname -a The vulnerability exists when an application executes a shell command without proper input escaping/validation. To prevent false positives, we look for a 'starting sequence' that precedes a command in shell syntax, such as: ; | & $( ` <( >(

Rule ID: 932105

Therefore, some remaining commands have been split off to a separate rule. For explanation of this rule, see rule 932100.

Rule ID: 932110

This rule detects Windows shell command injections. If you are not running Windows, it is safe to disable this rule. A command injection takes a form such as: foo.jpg&ver /r foo.jpg|ver /r The vulnerability exists when an application executes a shell command without proper input escaping/validation. To prevent false positives, we look for a 'starting sequence' that precedes a command in CMD syntax, such as: ; | & `

Rule ID: 932115

Therefore, some remaining commands have been split off to a separate rule. For explanation of this rule, see rule 932110.

Rule ID: 932120

Detect some common PowerShell commands, cmdlets and options. These commands should be relatively uncommon in normal text, but potentially useful for code injection. If you are not running Windows, it is safe to disable this rule. https://technet.microsoft.com/en-us/magazine/ff714569.aspx https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help

Rule ID: 932130

Detects the following patterns which are common in Unix shell scripts and oneliners: $(foo) Command substitution ${foo} Parameter expansion <(foo) Process substitution >(foo) Process substitution $((foo)) Arithmetic expansion

Rule ID: 932140

This rule detects Windows command shell FOR and IF commands. If you are not running Windows, it is safe to disable this rule. Examples: FOR %a IN (set) DO FOR /D %a IN (dirs) DO FOR /F "options" %a IN (text|"text") DO FOR /L %a IN (start,step,end) DO FOR /R C:\dir %A IN (set) DO IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n IF [/I] [NOT] item1 [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2 IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2) http://ss64.com/nt/if.html http://ss64.com/nt/for.html

Rule ID: 932150

Detects Unix commands at the start of a parameter (direct RCE). Example: foo=wget%20www.example.com This case is different from command injection (rule 932100), where a command string is appended (injected) to a regular parameter, and then passed to a shell unescaped.

Rule ID: 932160

Detect some common sequences found in shell commands and scripts. Some commands which were restricted in earlier rules due to FP, have been added here with their full path, in order to catch some cases where the full path is sent.

Rule ID: 932170

Detect exploitation of "Shellshock" GNU Bash RCE vulnerability. Based on ModSecurity rules created by Red Hat.

Rule ID: 932171

Remote Command Execution: Shellshock (CVE-2014-6271)

PHP General Attacks

Rule ID: 933100

PHP Open Tag Found Detects PHP open tags "<?" and "<?php".

Rule ID: 933110

PHP Script Uploads Blocks file uploads with PHP extensions (.php, .php5, .phtml etc).

Rule ID: 933111

PHP Script Uploads: Superfluous extension Blocks file uploads with PHP extensions (.php, .php5, .phtml etc) anywhere in the name, followed by a dot.

Rule ID: 933120

PHP Configuration Directives Detects potential attacks related to PHP configuration directives.

Rule ID: 933130

PHP Variables Detects potential attacks related to PHP variables.

Rule ID: 933131

PHP Variables: Common Variable Indexes Detects potential attacks related to common variable indexes in PHP.

Rule ID: 933140

PHP I/O Streams Detects potential attacks related to PHP I/O streams.

Rule ID: 933150

PHP Functions: High-Risk PHP Function Names Blocks high-risk PHP function names that are indicative of a PHP injection attack.

Rule ID: 933151

PHP Functions: Medium-Risk PHP Function Names Blocks medium-risk PHP function names that may indicate a PHP injection attack.

Cross Site Scripting

Rule ID: 941100

Libinjection - XSS Detection Detects XSS attacks using libinjection.

Rule ID: 941101

This is a stricter sibling of rule 941100.

Rule ID: 941110

XSS Filters - Category 1 Script tag based XSS vectors, e.g., <script> alert(1)</script>

Rule ID: 941120

XSS Filters - Category 2 XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)">

Rule ID: 941140

XSS Filters - Category 4 XSS vectors making use of javascript uri and tags, e.g., <p style="background:url(javascript:alert(1))">

Rule ID: 941150

XSS Filters - Category 5 HTML attributes - src, style and href

Rule ID: 941160

NoScript XSS Filters [NoScript InjectionChecker] HTML injection

Rule ID: 941170

[NoScript InjectionChecker] Attributes injection

Rule ID: 941180

[Blacklist Keywords from Node-Validator] Blacklist keywords from Node.js validator.js

Rule ID: 941190

XSS Filters from IE IE XSS filters based on rules

Rule ID: 941310

XSS Filter Evasion Cheat Sheet US-ASCII encoding bypass listed on XSS filter evasion

Rule ID: 941350

UTF-7 encoding XSS filter evasion for IE. Reported by Vladimir Ivanov

SQL Injection

Rule ID: 942100

LibInjection Check

Rule ID: 942110

String Termination/Statement Ending Injection Testing

Rule ID: 942120

SQL Operators

Rule ID: 942130

SQL Tautologies

Rule ID: 942140

Detect DB Names

Rule ID: 942150

SQL Function Names

Rule ID: 942160

PHPIDS - Converted SQLI Filters

Rule ID: 942170

Detects SQL benchmark and sleep injection attempts including conditional queries

Rule ID: 942180

Detects basic SQL authentication bypass attempts 1/3

Rule ID: 942190

Detects MSSQL code execution and information gathering attempts

Rule ID: 942200

Detects MySQL comment-/space-obfuscated injections and backtick termination

Rule ID: 942210

Detects chained SQL injection attempts 1/2

Rule ID: 942220

Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash

Rule ID: 942230

Detects conditional SQL injection attempts

Rule ID: 942240

Detects MySQL charset switch and MSSQL DoS attempts

Rule ID: 942250

Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections

Rule ID: 942251

SQL HAVING queries

Rule ID: 942260

Detects basic SQL authentication bypass attempts 2/3

Rule ID: 942270

Looking for basic sql injection. Common attack string for mysql, oracle and others.

Rule ID: 942280

Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts

Rule ID: 942290

Finds basic MongoDB SQL injection attempts

Rule ID: 942300

Detects MySQL comments, conditions and ch(a)r injections

Rule ID: 942310

Detects chained SQL injection attempts 2/2

Rule ID: 942320

Detects MySQL and PostgreSQL stored procedure/function injections

Rule ID: 942330

Detects classic SQL injection probings 1/2

Rule ID: 942340

Detects basic SQL authentication bypass attempts 3/3

Rule ID: 942350

Detects MySQL UDF injection and other data/structure manipulation attempts

Rule ID: 942360

Detects concatenated basic SQL injection and SQLLFI attempts

Rule ID: 942370

Detects classic SQL injection probings 2/2

Rule ID: 942380

SQL Injection Attack

Rule ID: 942390

SQL Injection Attack

Rule ID: 942400

SQL Injection Attack

Rule ID: 942410

SQL Injection Attack

Rule ID: 942420