[Mod-security-rules] False positive results after update

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hello,

We have experienced issues with the latest update of rules.

Our clients reported that they could not sign into their wp-admin, 
Joomla admin pages, webmail, or fill out any kind of form really.

One rule seemed to be the most destructive: 211290

The rule's description:

SecRule 
REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword|!ARGS_POST:wpEditToken 
"@rx (?:'\xbf?\x22|\x22\xbf?'|^\\+?$)" \
         "id:211290,msg:'COMODO WAF: XSS and SQLi 
vulnerability||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,rev:3,severity:2,tag:'CWAF',tag:'Generic'"

And a sample for an error.log:

[Sun Jun 23 16:04:50.957689 2019] [:error] [pid /PID/] [client /IP 
address/] [client /IP address/] ModSecurity: Access denied with code 403 
(phase 2). Pattern match 
"(?:'\\\\xbf?\\\\x22|\\\\x22\\\\xbf?'|^\\\\+?$)" at ARGS_POST:content. 
[file "/opt/cwaf/rules/02_Global_Generic.conf"] [line "199"] [id 
"211290"] [rev "3"] [msg "COMODO WAF: XSS and SQLi 
vulnerability||/domain.com/|F|2"] [severity "CRITICAL"] [tag "CWAF"] 
[tag "Generic"] [hostname "/domain.com/"] [uri "/wp-admin/post.php"] 
[unique_id "/unique id/"], referer: 
https:///domain.com//wp-admin/post.php?post=69&action=edit

We have turned off the rule on the server because it have blocked almost 
every form on our servers.

Did anyone else experienced similar problems?

-- 

Best regards,
Csaba Bartfai