#######################################
## PHP Security ids: 40000000        ##
#######################################

# Php Functions
MainRule id:40000000 "s:$UWA:8" "str:gzinflate(" "mz:URL|BODY|ARGS" "msg:gzinflate in URI";
MainRule id:40000001 "s:$UWA:8" "str:system(" "mz:URL|BODY|ARGS" "msg:php system called";
MainRule id:40000002 "s:$UWA:8" "str:base64_decode(" "mz:URL|BODY|ARGS" "msg:php base64_decode called";
MainRule id:40000003 "s:$UWA:8" "str:@eval" "mz:URL|BODY|ARGS" "msg:php eval called";
MainRule id:40000004 "s:$UWA:8" "rx:eval\((\s+)?\$_" "mz:URL|BODY|ARGS" "msg:php eval called";

# PhpMyAdmin
MainRule id:40000005 "s:$UWA:8" "str:/db-admin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000006 "s:$UWA:8" "str:/dbadmin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000007 "s:$UWA:8" "str:/myadmin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000008 "s:$UWA:8" "str:/mysqldumper " "mz:URL" "msg:MysqlDumper";
MainRule id:40000009 "s:$UWA:8" "str:/mysqlmanager" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000010 "s:$UWA:8" "str:/p/m/a/" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000011 "s:$UWA:8" "str:/php-my-admin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000012 "s:$UWA:8" "str:/php-myadmin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000013 "s:$UWA:8" "str:/phpmanager" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000014 "s:$UWA:8" "str:/phpmy" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000015 "s:$UWA:8" "str:/phpmy-admin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000016 "s:$UWA:8" "str:/phpmyadmin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000017 "s:$UWA:8" "str:/phppgadmin " "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000018 "s:$UWA:8" "str:/pma" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000019 "s:$UWA:8" "str:/sql-admin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000020 "s:$UWA:8" "str:/sqladmin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000021 "s:$UWA:8" "str:/sqlweb" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000022 "s:$UWA:8" "str:/sysadmin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000023 "s:$UWA:8" "str:/webadmin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000024 "s:$UWA:8" "str:/webdb" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000025 "s:$UWA:8" "str:/websql" "mz:URL" "msg:SQL Admin Interface";

# Block PHPUnit eval-stdin.php CVE-2017-9841
MainRule id:40000026 "s:$UWA:8" "str:eval-stdin.php" "mz:URL" "msg:CVE-2017-9841";

# Block PHP easter egg which normally can be disabled via expose_php = off
MainRule id:40000027 "s:$UWA:8" "rx:PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" "mz:URL|BODY|ARGS" "msg:PHP easter egg credits";

# Block PHP Xdebug
MainRule id:40000028 "s:$UWA:8" "str:XDEBUG_SESSION" "mz:ANY" "msg:Block PHP Xdebug";

# Block PHPinfo access
MainRule id:40000029 "s:$UWA:8" "str:phpinfo" "mz:URL|BODY|ARGS" "msg:PHPinfo access";

# Block known php installer exploit
MainRule id:40000030 "s:$UWA:8" "str:install.php" "mz:URL" "msg:Access to php install";

# Block more sql admin interface
MainRule id:40000031 "s:$UWA:8" "str:/mysql-admin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000032 "s:$UWA:8" "str:/mysqladmin" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000033 "s:$UWA:8" "str:/sqlmanager" "mz:URL" "msg:SQL Admin Interface";
MainRule id:40000034 "s:$UWA:8" "str:/mysql/" "mz:URL" "msg:SQL Admin Interface";

# Block access to Lavarel telescope since it allows to read logs and SQL queries
MainRule id:40000035 "s:$UWA:8" "str:/telescope/" "mz:URL" "msg:Access to Lavarel telescope";

# Block access to adminer/phpMinAdmin sql admin interface
MainRule id:40000036 "s:$UWA:8" "str:adminer" "mz:URL" "msg:SQL Admin Interface";

# Block access to Symfony Web Framework dev mode.
MainRule id:40000037 "s:$UWA:8" "str:app_dev" "mz:URL" "msg:Symfony Web Framework dev mode";

# phpstorm in request
MainRule id:40000038 "s:$UWA:8" "str:phpstorm" "mz:URL|ARGS|HEADERS" "msg:phpstorm in request";