Please, specify these following fields when you submit False-Positive.
You can mask some private data, but it is highly recommended that you specify ALL three fields.
Thank you.
1.210710
2. owncloud-6.0.3-6.1
3. Sun Jun 08 15:05:32 2014] [error] [client xxxxx] ModSecurity: Access denied with code 403 (phase 1). Match of “rx ^%{tx.allowed_request_content_type}$” against “TX:0” required. [file “/opt/comodo/cwaf/rules/cwaf_01.conf”] [line “427”] [id “210710”] [msg “COMODO WAF: Request content type is not allowed by policy”] [data “application/octet-stream”] [severity “CRITICAL”] [hostname"] [uri “/remote.php/webdav/aaa.zip”] [unique_id “U5RfnDJ1B6wAAE1zL1AAAAAD”]
I have tried to exclude it with /opt/comodo/cwaf/etc/httpd/global/zzz_exclude_global.conf
<LocationMatch .*>
SecRuleRemoveById 210710
<DirectoryMatch ‘^/remote.php/webdav/’>
SecRuleEngine Off
Doesnt work
Will be fixed with next update.
Message: Access denied with code 403 (phase 2). Pattern match “(?i:\b(?i:x{0,1}or)\b[\t\n\r ]{1,}(‘[^=]{1,10}’|[0-9]{1,10})[\t\n\r ]{0,}?[<=>]|\bor\b {0,1}(?:["‘][^=]{1,10}["’]|[0-9]{1,10}) {0,1}[<=>]{1,}|\b(?i:x{0,1}or)\b[\t\n\r ]{1,}(‘[^=]{1,10}’|[0-9]{1,10})|(?i:'[\t\n\r ]{1,}x{0,1}or[\t\n …” at ARGS:description. [file “/var/cpanel/cwaf/rules/cwaf_02.conf”] [line “301”] [id “211570”] [msg “COMODO WAF: SQL Injection Attack”] [data “Matched Data: or 56 found within ARGS:description:
It offers al…”] [severity “CRITICAL”]
Action: Intercepted (phase 2)
Stopwatch:
Stopwatch2:
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: “ENABLED”
we ran into this false positive several times:
[Wed Jun 18 16:07:02 2014] [error] [client XX.XX.XX.XX] ModSecurity: Access denied with code 503 (phase 2). Match of "rx ^\\\\d+px$" against "ARGS:width" required. [file "/path/to/cwaf-rules/cwaf_05.conf"] [line "1171"] [id "220620"] [msg "COMODO WAF: found CVE-2013-5963"] [hostname "domain.com"] [uri "/home/wp-admin/admin-ajax.php"]
False Positive for WHMCS 5.3.7
1.) 213070
2.) WHMCS 5.3.7
3.)
Specifically on saving the https://domain.com/whmcs/configgeneral.php file
–0ccd566b-F–
HTTP/1.1 403 Forbidden
Content-Length: 344
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
–0ccd566b-H–
Message: Access denied with code 403 (phase 2). Pattern match “(?i:["'][ ]{0,}(([^a-z0-9 ':_~])|(in)).{0,}?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))|((o|(\\u006F))(n|( …” at ARGS:emailglobalheader. [file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1093”] [id “213070”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”] [data “Matched Data: \x22{$company_domain}\x22 target=\x22_blank\x22><img src=\x22{$company_logo_url}\x22 alt=\x22{$company_name}\x22 border= found within ARGS:emailglobalheader:
The easiest way to avoid false-positive errors is excluding the rules:
Plugins - Comodo WAF - Userdata - Custom Rules
SecRuleRemoveById 211570 211750 211790 etc
save and restart apache.
If you don’t use Cpanel, just write
SecRuleRemoveById 211570 211750 211790 etc
in /<path_to_cwaf>/cwaf/etc/httpd/custom_user.conf
save and restart apache.
What a useless response. We know how to disable rules, the entire purpose of this thread is to REPORT the ones that are false positives.
Are you acknowledging these reports and planning to fix them or not?
–3038b690-F–
HTTP/1.1 403 Forbidden
–3038b690-H–
Message: Access denied with code 403, [Rule: ‘REQUEST_HEADERS:User-Agent’ ‘@pmFromFile bl_scanners’] [id “210800”] [msg “COMODO WAF: Request Indicates a Security Scanner Scanned the Site”] [severity “CRITICAL”] [MatchedString “maparoscopy-bmnefits-150i150.jmg5os9xc6d=5157or/admgn/edit.php/bacfronds/1.p”]
I have two reports below. I apologize for the lack of info, but I just wanted to get something on record.
===========================================
Unknown
Miva Merchant 5.5
Production Release 8 Update 12
Miva Merchant Engine v5.20
http://mivamerchant.com
Unknown
The logs/modsec_audit.log is rotated daily, so I missed the log entries of the false positives. But I know they existed because I was getting reports of issues on these applications and when I disabled WAF on the domains running these applications the errors stopped immediately.
============================
Unknown
ExpressionEngine
ExpressionEngine — The Best Open Source CMS
Unknown
Same issues with the logs having rotated before I could gather the data, unfortunately.
Some Simple Forum members are getting blocked from logging in by this:
ModSecurity: [file “/etc/httpd/modsecurity.d/cwaf_02.conf”] [line “176”] [id “211170”] [msg “COMODO WAF: Session Fixation”] [data “Matched Data: http://www.domainName.com/ found within TX:1: www.domainName.com”] [severity “CRITICAL”] Access denied with code 403 (phase 2). Match of “beginsWith %{request_headers.host}” against “TX:1” required. [hostname “domainName.com”] [uri “/forum/index.php”] [unique_id “VBDqUkE8MfIAAFWH5QEAAAAH”]
Please advise.
Here’s a couple more.
ModSecurity: [file “/etc/httpd/modsecurity.d/cwaf_04.conf”] [line “325”] [id “214540”] [msg “COMODO WAF: Possibly malicious iframe tag in output”] [data “Matched Data: <iframe id=\x22google_externalSite\x22 class=\x22google_externalSite\x22 name=\x22google_externalSite\x22 src=\x22\x22 style=\x22display:none found within RESPONSE_BODY: \x0a\x0a\x0a <meta http-equiv=\x22content-type\x22 content=\x22text/html; cha…”] [severity “ERROR”] Access denied with code 403 (phase 4). Pattern match “<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\”']{0,1}[^a-zA-Z0-9_]{0,}?\\bdisplay\\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\\bnone\\b" at RESPONSE_BODY. [hostname “www.domainName.com”] [uri “/administrator/index.php”] [unique_id “VBwzEriaLzIAADep51sAAAAB”]
ModSecurity: [file “/etc/httpd/modsecurity.d/cwaf_04.conf”] [line “581”] [id “214940”] [msg “COMODO WAF: Outbound Points Exceeded (points 4)”] Warning. Operator GE matched 4 at TX:outgoing_points. [hostname “www.domainName.com”] [uri “/administrator/index.php”] [unique_id “VBwzEriaLzIAADep51sAAAAB”]
Vaultpress for Wordpress:
–44f5c96f-A–
[19/Aug/2014:01:11:48 +0000] - 207.198.112.23 52575 xxx.xxx.xxx.xxx:80 80
–44f5c96f-B–
POST /wp-load.php?vaultpress=true&action=ZXhlYw&doing_wp_cron=&wp-admin=&vector=1408410708.3984&ge=1 HTTP/1.1
User-Agent: Automattic/VaultPress/0.1
Host: www.hidden.tld
Accept: /
Accept-Encoding: gzip
Content-Length: 899
Content-Type: multipart/form-data; boundary=------------------------5798377f1bdb8670
–44f5c96f-F–
HTTP/1.1 403 Forbidden
–44f5c96f-H–
Message: Blocked , [Rule: ‘ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:html_message’ ‘(alert|eval|fromcharcode)[\t\n\r ]{0,}(’] [id “212790”] [msg “COMODO WAF: XSS Attack Detected”] [severity “WARNING”] [MatchedString “$b=“bas”; $b.=“e64_d”; $b.=“ecode”; return @eval( $b( “cmv0dxjuicr3cgrilt5nzxrfcmvzdwx0cyggilnftevdvcbkyxrlkcbgy29tbwvudf9kyxrlycapieftigbjb21tzw50x2rhdgvgicwgag91ciggygnvbw1lbnrfzgf0zwagksbbuybgy29tbwvudf9ob3vyycasigbjb21tzw50x2fwchjvdmvkycasignvdw50kcbgy29tbwvudf9jrgagksbbuybgy291bnrgiezst00gjhdwzgitpmnvbw1lbnrzifdirvjfigbjb21tzw50x2fwchjvdmvkycahpsanc3bhbscgqu5eignvbw1lbnrfzgf0zsa+icbeqvrfx1nvqihub3cokswgsu5urvjwquwgnjugrefzksbhuk9vucbcwsbkyxrlkcbgy29tbwvudf9kyxrlycapicwgag91ciggygnvbw1lbnrfzgf0zwagksasigbjb21tzw50x2fwchjvdmvkycbmsu1jvcaxmdawie9grlnfvcaxmdawiiapow==” ) );”]
–44f5c96f-Z–
Rule 212740 is producing a false positive after the rules update to 1.2.1. We can no longer use the Joomla article preview option from the backend for our client websites. The plugin triggering this is Regular Labs - Extensions for Joomla! - Regular Labs
2014-11-17 10:07:01 spectrat.webjiveclient.com 104.177.44.44 403 POST /index.php?option=com_content&view=article&id=27&yeepreview=1
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name “global”, key “global”). Use SecDataDir to define data directory first. [hostname “spectrat.webjiveclient.com”] [uri “/images/jpgs/araero.jpg”] [unique_id “VGodK63BEzIAAHFGXGYAAAAA”]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name “ip”, key “104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62”). Use SecDataDir to define data directory first. [hostname “spectrat.webjiveclient.com”] [uri “/images/jpgs/araero.jpg”] [unique_id “VGodK63BEzIAAHFGXGYAAAAA”]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name “global”, key “global”). Use SecDataDir to define data directory first. [hostname “spectrat.webjiveclient.com”] [uri “/plugins/system/jcemediabox/themes/standard/popup.html”] [unique_id “VGodK63BEzIAAGdM5MkAAAAQ”]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name “ip”, key “104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62”). Use SecDataDir to define data directory first. [hostname “spectrat.webjiveclient.com”] [uri “/plugins/system/jcemediabox/themes/standard/popup.html”] [unique_id “VGodK63BEzIAAGdM5MkAAAAQ”]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name “global”, key “global”). Use SecDataDir to define data directory first. [hostname “spectrat.webjiveclient.com”] [uri “/plugins/system/jcemediabox/themes/standard/tooltip.html”] [unique_id “VGodK63BEzIAAHBsUJMAAAAT”]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name “ip”, key “104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62”). Use SecDataDir to define data directory first. [hostname “spectrat.webjiveclient.com”] [uri “/plugins/system/jcemediabox/themes/standard/tooltip.html”] [unique_id “VGodK63BEzIAAHBsUJMAAAAT”]
Possibly you have to define “SecDataDir …” at you modsecurity config files.
LiteSpeed environment.
The below is the kickstart.php file used for the Joomla Akeeba backup service.
2015-02-02 17:50:27.010 [NOTICE] [192.168.5.71:16550-0#APVH_domain.org] mod_security rule triggered!
[Mon Feb 2 17:50:27 2015] [error] [client 192.168.5.71] ModSecurity: Access denied with code 403, [Rule: ‘ARGS|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!ARGS:info’ ‘(?i)([\s"’`;/0-9=]+on\w+\s*=)'] [id “212010”] [msg “COMODO WAF: XSS Filter - Category 2: Event Handler Vector”]
2015-02-02 17:50:27.010 [NOTICE] [192.168.5.71:16550-0#APVH_domain.org] Content len: 4907, Request line: ‘POST /kickstart.php HTTP/1.1’
2015-02-02 17:50:27.010 [INFO] [192.168.5.71:16550-0#APVH_domain.org] Cookie len: 65, 58bf0dd96a6bfc0a451f0be607c88ba5=e78fc17bdc12fb5a55cb351442a34e78
2015-02-02 17:50:27.010 [INFO] [192.168.5.71:16550-0#APVH_domain.org] File not found [/home/account/public_html/403.shtml]
We got issues on the bruteforce rule on wordpress on all litespeed servers. Even if we disable the rule, it still causes issues:
230000: COMODO WAF: Brute Force Attack Identified from %{tx.real_ip} (%{tx.brute_force_block_counter} hits since last alert)
It gives a Warning (403) error for all users.
Anyone else with same problem?
We’re using latest Litespeed/cPanel: 4.2.21 Enterprise / WHM 11.48.0 (build 9).
This shows in modsecurity tools log in whm.
Rule iD 212000 , 212620 , 212870 , 212890 give false positive for adsense code when added via a post form .
#1
FALSE POSITIVE on a Drupal Script:
221970: COMODO WAF: Reflected XSS attack (CVE-2014-5022)
Request: POST /?q=node/add/noticias
Action Description: Access denied with code 403 (phase 2).
Justification: String match "<" at ARGS_POST:body[und][0][value].