xanubi
February 26, 2015, 4:41pm
21
#2
211230: COMODO WAF: PHP Injection Attack
Request: GET /justapri/oficinas_externas/index.php?fopen=1&nfo=15020037
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" at ARGS_NAMES:fopen.
xanubi
February 27, 2015, 9:51am
22
#3 www.seportal.org )
211540: COMODO WAF: Blind SQL Injection Attack
Request: POST /login.php
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:\\b(?:t(?:able_name\\b|extpos[^a-zA-Z0-9_]{1,}\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:user_password.
xanubi
February 27, 2015, 9:54am
23
#4
ModSecurity: Access denied with code 403 (phase 3). String match "/images/" at REQUEST_FILENAME. [file "/var/cpanel/cwaf/rules/cwaf_07.conf"]
[line "72"] [id "240031"] [msg "COMODO WAF: Blocking execution of an uloaded shell in Joomla!"]
[hostname "www.SITE.COM"] [uri "/index.php/images/loading.gif"]
TDmitry
February 27, 2015, 10:40am
24
Thank you for your reports, but pay attention to false positive report requirements:
Please, specify these following fields when you submit False-Positive.
False-Positive RuleId
Web application + version3. Request headers or at least debug log
You can mask some private data, but it is highly recommended that you specify ALL three fields.
Thank you.
Often we haven’t enough information without request headers or debug log to fix false positive.
xanubi
February 27, 2015, 5:58pm
25
I’m sorry Dmitry, but the logs don’t save the Request Headers.
In that case, i cannot report the false positives and the only solution is to turn off the rules on that domains that are false positives.
I’m sorry Dmitry, but the logs don’t save the Request Headers.
In that case, i cannot report the false positives and the only solution is to turn off the rules on that domains that are false positives.
You can configure modsecurity to save audit.log or debug.log
Client upload image file in wordpress admin panel. The image file name contains a single quote.
[Tue Mar 03 11:04:44 2015] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Pattern match “[\”';=]" at FILES:async-upload. [file “/var/cpanel/cwaf/rules/cwaf_01.conf”] [line “153”] [id “210220”] [msg “COMODO WAF: Attempted multipart/form-data bypass”] [data “We’re all drivers 2.jpg”] [severity “CRITICAL”] [hostname “domain name”] [uri “/wp-admin/async-upload.php”] [unique_id “VPYFv0WhnQEAADCq2VYAAAAT”]
Hi,
maybe this is a false positive (probably)
1 - Rule 214920
[Wed Mar 04 16:11:05.888770 2015] [:error] [pid 18017] [client myip] ModSecurity: Warning. Operator LT matched 5 at TX:incoming_points. [file “/usr/local/cwaf/rules/cwaf_04.conf”] [line “562”] [id “214920”] [msg “COMODO WAF: Inbound Points (Total Incoming Points: 3)”] [hostname “dav.myserver”] [uri “/index.php”] [unique_id “VPcgiV0-ojwAAEZhzRkAAAAC”]
Also i’ve noticed that i cant sync my android phone with dav anymore, i think is agent related, but no sure, no evidence in logs except for apache access log:
MYIP - - [04/Mar/2015:16:18:09 +0100] “OPTIONS /calendars/MYUSERACCOUNT/personal/ HTTP/1.1” 401 3868 “-” “CalDAV-Sync (Android) (like iOS/5.0.1 (9A405) dataaccessd/1.0) gzip”
Hope those help you.
Regard
xanubi
March 12, 2015, 1:59am
29
False Positive:
[Thu Mar 12 00:44:20.715316 2015] [:error] [pid 633443:tid 139707937650432] [client 188.37.110.159] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:merge.*?using\\\\s*?\\\\()|(execute\\\\s*?immediate\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:\\\\W+\\\\d*?\\\\s*?having\\\\s*?[^\\\\s\\\\-])|(?:match\\\\s*?[\\\\w(),+-]+\\\\s*?against\\\\s*?\\\\())" at ARGS:about_background. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "400"] [id "211720"] [msg "COMODO WAF: Detects MATCH AGAINST"] [data "Matched Data: having t found within ARGS:about_background: <p>Back in 2000 I co-founded front.end, a digital agency in Portugal. Its small structure challenged me to solve many problems that required learning things outside of my comfort zone. I learned flash having to deliver a collection of games, web standards and accessibility landing projects for the portuguese government, and just about everything else in do-or-die scenarios.</p>\\x0d\\x0a\\x0d\\x0a<p>In this experience I've acquired knowledge in just..."] [severity "CRITICAL"] [hostname "site.com"] [uri "/wip3/processwire/page/edit/"] [unique_id "VQDhZMMIOpsACapjwSEAAAEV"]
--3dc1b82c-A--
[12/Mar/2015:00:44:20 +0000] VQDhZMMIOpsACapjwSEAAAEV 188.37.110.159 42781 195.8.58.158 6081
--3dc1b82c-B--
POST /wip3/processwire/page/edit/?id=1001 HTTP/1.1
Referer: http://heldercervantes.com/wip3/processwire/page/edit/?id=1001
Host: heldercervantes.com
Cookie: WireTabs=ProcessPageEditContent; cpsession=helderce%3aK4SQoVsktzNWArhkLc1Xck7yvYz159wLoAqSWY3Iz1X9PyY9AyL5BXv8SmWDgp1c%2c858a091fba04683c471e3d40d9e62f114276275c8161de8b2c582a2fcf7df1d1; langedit=; lang=; cprelogin=no; _ga=GA1.2.332721632.1424949039; wire=cjpmfa3oefec4loq595evt5ko4; wire_challenge=oogjXP0QiWUxMRXVyqh8ltUBFLDjtLGP1
X-Real-IP: 188.37.110.159
X-Forwarded-Host: heldercervantes.com
X-Forwarded-Server: heldercervantes.com
X-Forwarded-For: 188.37.110.159
Connection: close
Content-Length: 10530
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://site.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLu2pyuaB5eHG7Ar8
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6,es;q=0.4,fr;q=0.2,it;q=0.2,pt;q=0.2,pt-PT;q=0.2
False positive in cpanel mailman admin access and users app, rule 210730
—f686ff71-A–mail.domainnamehere.com / ;q=0.8
–f686ff71-F–
–f686ff71-H–http://www.modsecurity.org/ ); COMODO WAF: rules for Apache 2.4.
False positive when creating a new page in Wordpress Admin Dashboard.
[Mon Mar 23 10:51:52.757070 2015] [:error] [pid 847048] [client IP] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|‘[^=]{1,10}’)\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|‘[^=]{1,10}’)\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\”][^=]{1,10}[\\‘\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|’[^=]{1,10}')" at ARGS:input_30. [file “/var/cpanel/cwaf/rules/cwaf_02.conf”] [line “323”] [id “211580”] [msg “COMODO WAF: SQL Injection Attack”] [data “Matched Data: and 2 found within ARGS:input_30: SCREENS: 12, 50\x0d\x0aHANES 5170 STONE WASH GREEN: 18-S, 48-M, 24-L, 18-XL, 12-XXL\x0d\x0aHANES 5186 STONE WASH GREEN: 6-S, 48-M, 12-L, 36-XL, 12-XXL\x0d\x0aHANES P160 DEEP FOREST GREEN: 6-S, 18-XL, 6-XXL\x0d\x0aTHE ABOVE ITEMS ARE GETTING FULL FRONT AND FULL BACK WHITE AND DALLAS GREEN\x0d\x0a\x0d\x0aPOWERTEK 70125 OXFORD GREY: 9-M, 20-XL, 5-XXL\x0d\x0aOXFORD GREY HOODIES ARE GETTING ONE COLOR LEFT CHEST AND FULL BACK FOREST GREEN INK\x0d\x0a\x0d\x0aGOOD…”] [severity “CRITICAL”] [hostname “domain.com ”] [uri “/create-new-job/”] [unique_id “VRBSuGw8FSkADOzIHQ4AAABL”]
False positive when creating a new post in Wordpress Admin Dashboard.
===False positive===domain2.com ”] [uri “/wp-admin/post.php”] [unique_id “VQ93sWw8AwEAAFzHWdMAAAAA”]
[Sun Mar 22 12:26:30 2015] [error] [client2 IP] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(media|post|post_new)\\.php” at Request_URI. [file “/var/cpanel/cwaf/rules/cwaf_05.conf”] [line “1783”] [id “220830”] [msg “COMODO WAF: Blocking XSS attack”] [hostname “domain2.com ”] [uri “/eddie/wp-admin/post.php”] [unique_id “VQ8XZkWhmQEAADU4LsUAAAAG”]
===True attack===domain3.com ”] [uri “/wp-comments-post.php”] [unique_id “VRGd3Gw8FQsAAR84U4oAAAAM”]
False positive when inserting content into mysql database trough CMS Builder.http://www.example.com/cmsAdmin/admin.php
Rule ID:
From logs:
modsec_audit.log:
--3abd0030-A--
[09/Apr/2015:22:03:32 +0200] VSbbFNWi9k0ACbl[at]CskAAAAm 109.247.xx.xx 59899 2x.1xx.xx.xx 80
--3abd0030-B--
POST /cmsAdmin/admin? HTTP/1.1
Host: www.example.com
Connection: keep-alive
Content-Length: 1960
Accept: */*
Origin: http://www.example.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,no;q=0.6
Cookie: 4d10f34a1987a__PHPSESSID=adfd58cc4674375f6527ab20de6bbeb3
-
--3abd0030-C--
menu=database&_defaultAction=editTable&tableName=aotp&fieldname=date&order=7&editField=1&save=1&saveAndCopy=0&save=Save&label=Publisert&newFieldname=date&type=date&defaultValue=&defaultContent=&checkedByDefault=0&fieldPrefix=&description=&checkedValue=Yes&uncheckedValue=No&fieldHei
ght=&fieldWidth=&allowUploads=0&allowUploads=1&defaultDate=&defaultDateString=2010-01-01+00%3A00%3A00&showTime=0&showSeconds=0&use24HourFormat=0&yearRangeStart=1995&yearRangeEnd=2018&listType=pulldown&optionsType=text&optionsText=option+one%0Aoption+two%0Aoption+three&optionsTablen
ame=&optionsValueField=&optionsLabelField=&optionsQuery=SELECT+fieldname1%2C+fieldname2%0A++FROM+%60%3C%3Fphp+echo+%24TABLE_PREFIX+%3F%3EtableName%60&filterField=&separatorType=blank+line&separatorHeader=&separatorHTML=%3Ctr%3E%0A+%3Ctd+colspan%3D'2'%3E%0A+%3C%2Ftd%3E%0A%3C%2Ftr%3E
&relatedTable=&relatedLimit=25&relatedWhere=foreignFieldNum%3D'%3C%3Fphp+echo+mysql_escape(%40%24RECORD%5B'num'%5D)+%3F%3E'&relatedMoreLink=foreignFieldNum_match%3D%3C%3Fphp+echo+htmlspecialchars(%40%24RECORD%5B'num'%5D)+%3F%3E&isRequired=0&isUnique=0&minLength=&maxLength=&charsetR
ule=&charset=&allowedExtensions=gif%2Cjpg%2Cpng%2Cwmv%2Cmov%2Cswf%2Cpdf&checkMaxUploads=0&checkMaxUploads=1&maxUploads=25&checkMaxUploadSize=0&checkMaxUploadSize=1&maxUploadSizeKB=5120&resizeOversizedImages=0&resizeOversizedImages=1&maxImageWidth=600&maxImageHeight=800&createThumbn
ails=0&createThumbnails=1&maxThumbnailWidth=150&maxThumbnailHeight=150&createThumbnails2=0&maxThumbnailWidth2=150&maxThumbnailHeight2=150&createThumbnails3=0&maxThumbnailWidth3=150&maxThumbnailHeight3=150&createThumbnails4=0&maxThumbnailWidth4=150&maxThumbnailHeight4=150&isSystemFi
eld=0&adminOnly=0&isPasswordField=0&autoFormat=1&myAccountField=0&infoField1=Title&infoField2=Caption&infoField3=&infoField4=&infoField5=&useCustomUploadDir=0&customUploadDir=%2Fhome%2Fexamplecomeay%2Fpublic_html%2Fuploads%2F&customUploadUrl=%2Fuploads%2F&customColumnType=
--3abd0030-F--
HTTP/1.1 403 Forbidden
Content-Length: 335
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
--3abd0030-E--
--3abd0030-H--
Message: Access denied with code 403 (phase 2). Pattern match "<\\?(?!xml)" at ARGS:optionsQuery. [file "/var/cpanel/cwaf/rules/01_Global_Generic.conf"] [line "59"] [id "211220"] [msg "COMODO WAF: PHP Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1428609820477305 5423 (- - -)
Stopwatch2: 1428609820477305 5423; combined=2507, p1=295, p2=2192, p3=0, p4=0, p5=20, sr=53, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"
LBJ
April 15, 2015, 4:06am
34
Rules version 1.28 and earlier.
Rule 211580 SQL Injecton
This rule is way too general and creates many false positives. Any submission with “and 2” or “and 3” etc. will flag a false positive due to the portion of the regex…
(?i:and)\b\s+\d{1,10}
http://www.anydomain.com/valid-file.php?data=and%202
Rules version 1.35 – false positive on rule 211580 on two sites. One site has a search form for a CGI/perl database; the other site has a PHP based shopping cart- with rule triggered on certain links or searches.
Rule ID 220382XXXXX.com ”] [uri “/wp/wp-admin/options.php”] [unique_id “VYEuWWUAUCIAADPGTQAAAAAI”]
optionQuery argument whitelisted in Rule ID 211220
Rule ID 211580 disabled by default
Rule ID 220382 removed permanently
All changes will take place in next release.
oetaz
June 18, 2015, 1:08am
38
Many False positives this morning for Rule 214540
Basically any legitimate use of iframe, seems to trigger the block. (iframe in page template in wordpress)
e.g
[Thu Jun 18 10:35:19 2015] [error] [client 59.167.231.7] ModSecurity: Access denied with code 403 (phase 4). Pattern match “<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\”']{0,1}[^a-zA-Z0-9_]{0,}?\\bdisplay\\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\\bnone\\b" at RESPONSE_BODY. [file “/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/20_Outgoing_FilterInFrame.conf”] [line “17”] [id “214540”] [msg “COMODO WAF: Possibly malicious iframe tag in output”] [data “Matched Data: <iframe style='display:none found within RESPONSE_BODY: \x0a<html lang=\x22en-US\x22 prefix=\x22og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#\\x22 >\x0a\x09Best Self Products | Self Tan\x0a\x09\x0a\x09\x0a\x09<meta name=\x22robots\x22 content=\x22…”] [severity “ERROR”] [hostname “www.xxxxxx.com.au”] [uri “/index.php”] [unique_id “VYISRmUAYAIADscANE0AAABF”]
Hi
It’s recommended to turn whole “Outgoing” category off.
Best regards, Oleg
oetaz
June 18, 2015, 12:20pm
40
which outgoing category should i disable there is 8 of them, or should i disable them all? what is the point of including them if its recommended you disable? Also which other ones are recommended to be disabled?
14_Outgoing_FilterGen.conf