[Mod-security-rules] False positive results after update
From: Bártfai C. <bar...@ra...> - 2019-06-24 13:23:49
Hello,

We have experienced issues with the latest update of rules. Our clients reported that they could not sign into their wp-admin, Joomla admin pages, webmail, or fill out any kind of form really. One rule seemed to be the most destructive: 211290

The rule's description:

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword|!ARGS_POST:wpEditToken "@rx (?:'\xbf?\x22|\x22\xbf?'|^\\+?$)" \
    "id:211290,msg:'COMODO WAF: XSS and SQLi vulnerability||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,rev:3,severity:2,tag:'CWAF',tag:'Generic'"

And a sample from an error.log:

[Sun Jun 23 16:04:50.957689 2019] [:error] [pid /PID/] [client /IP address/] [client /IP address/] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:'\\\\xbf?\\\\x22|\\\\x22\\\\xbf?'|^\\\\+?$)" at ARGS_POST:content. [file "/opt/cwaf/rules/02_Global_Generic.conf"] [line "199"] [id "211290"] [rev "3"] [msg "COMODO WAF: XSS and SQLi vulnerability||/domain.com/|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "/domain.com/"] [uri "/wp-admin/post.php"] [unique_id "/unique id/"], referer: https:///domain.com//wp-admin/post.php?post=69&action=edit

We have turned off the rule on the server because it has blocked almost every form on our servers. Did anyone else experience similar problems?

--
Best regards,
Csaba Bartfai
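The following script is an added example, not part of the post or of the Comodo rule set: it models what rule 211290 does to a single ARGS_POST value (the transformation chain t:urlDecodeUni, t:htmlEntityDecode, t:removeWhitespace followed by the @rx operator) so an administrator can test representative form data offline before deciding whether to re-enable the rule. Two things in it are my assumptions: the transformations are simplified approximations (for example %uXXXX decoding is not modelled), and the third regex alternative is taken to reach the engine as `^\+?$` because Apache's configuration parser collapses `\\` to `\` inside a quoted argument (the doubled escaping in the quoted error.log line is consistent with that reading). The sample form fields are constructed, not taken from the post.

```python
import html
import re
import urllib.parse

# Operator of rule 211290 as quoted in the post. ASSUMPTION: Apache collapses
# "\\" to "\" inside a quoted directive argument, so the alternative written as
# ^\\+?$ in the .conf file runs as ^\+?$, which matches an empty value or a
# lone "+". The first two alternatives match a single quote adjacent to a
# double quote (optionally separated by byte 0xBF) in either order.
RULE_211290_RX = re.compile(r"(?:'\xbf?\x22|\x22\xbf?'|^\+?$)")


def apply_transformations(value: str) -> str:
    """Approximate the rule's chain t:urlDecodeUni, t:htmlEntityDecode,
    t:removeWhitespace. Simplified model: %uXXXX sequences are not decoded."""
    value = urllib.parse.unquote(value)   # stands in for t:urlDecodeUni
    value = html.unescape(value)          # stands in for t:htmlEntityDecode
    return re.sub(r"\s+", "", value)      # t:removeWhitespace


def rule_211290_matches(value: str) -> bool:
    """True if the rule's operator would fire on this one ARGS_POST value."""
    return RULE_211290_RX.search(apply_transformations(value)) is not None


def inspect_post_args(args: dict) -> dict:
    """Model inspection of the ARGS_POST target: every POST field is checked.

    The rule lists !ARGS:/content/ as an exclusion, yet the log line in the
    post reports the match at ARGS_POST:content. ARGS_POST is a separate
    target in the variable list, so this model (my assumption) treats it as
    inspected in full."""
    return {name: rule_211290_matches(value) for name, value in args.items()}


# Constructed sample of a wp-admin post.php submission (not from the post).
SAMPLE_POST_ARGS = {
    "post_title": "Weekly update",
    # Ordinary editorial text: after whitespace removal "'fine' \"" becomes
    # "'fine'\"", i.e. a single quote directly followed by a double quote.
    "content": "She said \"it's 'fine' \" and moved on.",
    # Same sentence as it arrives HTML-entity encoded; decoded before matching.
    "excerpt": "She said &quot;it&#39;s &#39;fine&#39; &quot;",
    # An empty field, as most forms send for optional inputs.
    "post_password": "",
    # URL-encoded single quotes only; no double quote, so no match.
    "tags_input": "news,%27quoted%27",
}


if __name__ == "__main__":
    for name, hit in inspect_post_args(SAMPLE_POST_ARGS).items():
        print(f"{name:14s} {'BLOCKED' if hit else 'ok'}")
```

Run as-is, the script reports `content`, `excerpt` and the empty `post_password` field as blocked: the quote pair is ordinary prose once whitespace is stripped, and under the assumed reading of the third alternative every empty POST field matches, which would explain why forms of all kinds were affected rather than only those carrying rich text.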