False-Positive report thread

Hi

Seems you have CWAF rules installed as cPanel Vendor.
Unfortunately, this install type does not support convenient exclude management.

The following entries are disabled by default during install as a Plugin:
CATEGORY-Bruteforce - because of the broken implementation of persistent storage in the current version of mod_security
CATEGORY-Outgoing - because of the great number of False Positives related to these rules
GROUP-Incoming - because it uses OSVDB and Comodo is not responsible for this source of vulnerabilities
GROUP-HTTPDoS - because of a lot of False Positives

This affects the following entries in a cPanel Vendor install, and they are recommended for disabling:
05_Global_Incoming.conf
09_Bruteforce_Bruteforce.conf
11_HTTP_HTTPDoS.conf
14_Outgoing_FilterGen.conf
15_Outgoing_FilterASP.conf
16_Outgoing_FilterPHP.conf
17_Outgoing_FilterIIS.conf
18_Outgoing_FilterSQL.conf
19_Outgoing_FilterOther.conf
20_Outgoing_FilterInFrame.conf
21_Outgoing_FiltersEnd.conf

Best regards, Oleg

RuleId: 214540
Magento 1.9.1.0
Log in to the Magento Admin panel, go to Catalog > Manage Categories

[:error] [pid 17156] [client 41.46.83.3]
ModSecurity: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\"']{0,1}[^a-zA-Z0-9_]{0,}?\bdisplay\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\bnone\b" at RESPONSE_BODY. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/20_Outgoing_FilterInFrame.conf"] [line "17"] [id "214540"] [msg "COMODO WAF: Possibly malicious iframe tag in output"]
[data "Matched Data: <iframe name="iframeSave" style="display:none
found within RESPONSE_BODY: {\x22content\x22:\x22

New Root Category<\x5c/h3>

<button id="id_c7b3049b0174d2656a42779034769c13" title="Reset" type="button" class="scalable " oncl…"]
[severity "ERROR"]
[hostname "jaadaonline.com"]
[uri "/index.php/admin/catalog_category/edit/key/8e3b3e58ff62a7e3554181ab6a2caee2/"] [unique_id "VZUGHz@PKCIAAEME04cAAAAa"]

There is a rule 211210 which blocks when you try to edit a database row in phpMyAdmin.

Will be fixed by the next update

210831: COMODO WAF: Rogue web site crawler

Request: HEAD /pictures/alex_avatar.jpg
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:^(?:microsoft url|user-Agent|www\.domain\.com|(?:jakart|vi)a|(google|i{0,1}explorer{0,1}\.exe|(ms){0,1}ie( [0-9.]{1,}){0,1} {0,1}(compatible( browser){0,1}){0,1})$)|\bdatacha0s\b|; widows|\\r|a(?: href=|d(?:sarobot|vanced email extractor …" at REQUEST_HEADERS:User-Agent.

modsec_audit.log:

--a70e7e2c-A--
[11/Aug/2015:07:25:58 +0200] VcmHZtWi8FgADsZN16MAAAAp 78.91.*.* 49209 213.*.*.* 80
--a70e7e2c-B--
HEAD /pictures/alex_avatar.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible ; MSIE 9.11.9600.17914 ; Microsoft Windows 7 Professional Service Pack 1 ; Placeware RPC 1.0)
Host: domain.tld
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

--a70e7e2c-C--

--a70e7e2c-F--
HTTP/1.1 403 Forbidden
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--a70e7e2c-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:^(?:microsoft url|user-Agent|www\\.domain\\.com|(?:jakart|vi)a|(google|i{0,1}explorer{0,1}\\.exe|(ms){0,1}ie( [0-9.]{1,}){0,1} {0,1}(compatible( browser){0,1}){0,1})$)|\\bdatacha0s\\b|; widows|\\\\r|a(?: href=|$
Action: Intercepted (phase 2)
Stopwatch: 1439270758022815 2284 (- - -)
Stopwatch2: 1439270758022815 2284; combined=582, p1=419, p2=158, p3=0, p4=0, p5=5, sr=64, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--a70e7e2c-Z--
Mozilla/4.0 (compatible ; MSIE 9.11.9600.17914 ; Microsoft Windows 7 Professional Service Pack 1 ; Placeware RPC 1.0)
As you can see, you have an additional space between the word "compatible" and the semicolon. This is unusual behavior for IE; check whether you have any plugin which can modify the user agent string and try to disable it. You can find correct IE user agents here: http://www.useragentstring.com/pages/Internet%20Explorer/

TDmitry!

Please take a check on this rule!
We’re getting a storm of support because of pictures not loading and customers getting blocked in our csf firewall.

And because of that I wanted to disable this rule on all servers…But Comodo WAF cannot find the rule ID 210831.
It does however find rule ID 210830, but we have that turned off already. But customers are getting blocked because of rule 210831 that does not exist!

Please help us on this asap!

Ok, we will check this issue

Hedloff, as a temporary solution you can add “compatible ;” into userdata_wl_agents. Requests with such User-Agent will skip 210830 and 210831 rules.

Hi Hedloff

Rule 210831 is a 'child' rule of 210830, so it has to be turned off automatically when rule 210830 is turned off.
If it is not turned off automatically, please try to turn its 'parent' rule 210830 on and then off.
This can be done in the plugin's 'Catalog' tab:

  • ‘Catalog’ tab
  • Search By Rule ID: 210830
  • Turn ON then OFF
  • Implement

or with CWAF CLI tool:

# /var/cpanel/cwaf/scripts/cwaf-cli.pl -xa 210830

Please let us know if it helps.

Best regards, Oleg

  1. 210801
  2. Custom PHP Application
  3. Message: Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' '@pmFromFile bl_scanners'] [id "210801"] [msg "COMODO WAF: Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [MatchedString "mbower_componmnts/metisminu/dimt/mosixmenu.min.cas^@0mwg9k/yszw2ztxr/khtmltmnfcvlgzehjtjco43yemy||2^@aa6^@▒%z▒bshttpz▒▒^^@w▒▒"]

Hi

This message means the User-Agent of the client trying to access your server was found in the list of blocked agents. Usually these are security scanners like Nikto, OpenVAS, Net Stalker etc.
If you want to allow this client to connect to your server, please add its user agent string to the file userdata_wl_agents.
This can also be done with the help of the plugin: 'Userdata' tab, 'Whitelisted Agents' text field.

Regards, Oleg

A client uses a plugin called "vaultpress" to do backup and restore for their WordPress site. The backup was blocked by the mod_sec rule "211190". This problem seems new; to me, it looks legitimate. However, I am not willing to whitelist this rule since I do see it also blocking other hack attempts.

VaultPress was built by Automattic, which is the company that operates wordpress.com, so I do trust them. Can you adjust the rule to avoid blocking VaultPress?

[Tue Sep 22 15:16:10.754418 2015] [:error] [pid 205325] [client 192.0.100.211] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:(?<!\\w)(?:\\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\\.ini|global\\.asa|httpd\\.conf)\\b|/etc/)" at ARGS:code. [file "/var/cpanel/cwaf/rules/01_Global_Generic.conf"] [line "50"] [id "211190"] [msg "COMODO WAF: Remote File Access Attempt"] [data "Matched Data: .htaccess found within ARGS:code: $fs = new vaultpress_filesystem() $fs->want( root ) return $fs->ls(/.htaccess ) "] [severity "CRITICAL"] [hostname "domain.com"] [uri "/wp-load.php"] [unique_id "VgHTKmw8FR8AAyINqGAAAAAq"]

Please contact me to resolve this issue. I have sent you my Skype id, check your PM.

Please check the rule ID “211700”. I’ve seen several false positives related to Paypal, likely related to IPN. The IP 173.0.81.1 is from Paypal.

[Wed Sep 23 19:14:07.587562 2015] [:error] [pid 369039] [client 173.0.81.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:[\\t\\n\\r ()]case[\\t\\n\\r ]{0,}?\\()|(?:\\)[\\t\\n\\r ]{0,}?like[\\t\\n\\r ]{0,}?\\()|(?:having[\\t\\n\\r ]{0,}?[^\\t\\n\\r ]{1,}[\\t\\n\\r ]{0,}?[^a-zA-Z0-9\\t\\n\\r ])|(?:if[\\t\\n\\r ]{0,1}\\([a-zA-Z0-9][\\t\\n\\r ]{0,}?[<=>~]))" at ARGS:item_name1. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "39"] [id "211700"] [msg "COMODO WAF: Detects conditional SQL injection attempts"] [data "Matched Data: Case ( found within ARGS:item_name1: Carry Case (Traditional)"] [severity "CRITICAL"] [hostname "domain1.com"] [uri "/wc-api/WC_Gateway_Paypal/"] [unique_id "VgNcb2w8FRUABaGPKkEAAAAJ"]

[Wed Sep 23 17:46:05 2015] [error] [client 173.0.81.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" at ARGS:item_name1. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "24"] [id "211580"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: and 6 found within ARGS:item_name1: Downloads: BOTH SIZES (nb-5t and 6-14)"] [severity "CRITICAL"] [hostname "domain2.com"] [uri "/catalog/ipn_main_handler.php"] [unique_id "VgNHzUWhlAEAAHHmJnUAAAAW"]

Hello,

False positive on Quform for wordpress, please fix

-c4c29e02-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" at ARGS:iphorm_3_64. [file "/usr/local/cwaf/rules/23_SQL_SQLi.conf"] [line "24"] [id "211580"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: and 65 found within ARGS:iphorm_3_64: We are both senior citizens, 70 and 65 years of age. We do not use any aids but try to avoid steep climbs. We are fully mobile."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1445457313422510 36569 (- - -)
Stopwatch2: 1445457313422510 36569; combined=23537, p1=765, p2=22709, p3=0, p4=0, p5=61, sr=106, sw=2, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.2.15
Engine-Mode: "ENABLED"

I have a form with several fields and I think the text inserted in the message area resulted in a false positive for a SQL injection. I guess it was the number "65" inserted in the form text area that triggered the block. I had to disable rule ID 211580.

It seems it doesn't accept any numbers in the Quform text area :frowning:

Thanks.

The rule 211580 will be replaced by a new set of rules. So this should help to resolve the FP issue.

Hi TDmitry,

We have the same issue with Typo3 7.5.0 while saving the configuration of the install tool.
We're using rules version 1.50 (we haven't yet updated to 1.51).
Here are the logs

Access-Log: 
XX.XX.XX.XX - - [03/Nov/2015:10:54:55 +0100] "POST /typo-test/typo3/sysext/install/Start/Install.php?install[action]=allConfiguration&install[context]=standalone&install[controller]=tool HTTP/1.1" 403 325 "http://DOMAIN.TLD/typo-test/typo3/sysext/install/Start/Install.php?install[action]=allConfiguration&install[context]=standalone&install[controller]=tool" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" DOMAIN.TLD

Error-Log: 
[Tue Nov 03 10:54:55 2015] [error] [client XX.XX.XX.XX] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:(?<!\\\\w)(?:\\\\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\\\\.ini|global\\\\.asa|httpd\\\\.conf)\\\\b|/etc/)" at ARGS:install[values][BE][fileDenyPattern]. [file "/etc/apache2/mod_security2/cwaf-rules/01_Global_Generic.conf"] [line "52"] [id "211190"] [msg "COMODO WAF: Remote File Access Attempt"] [data "Matched Data: .htaccess found within ARGS:install[values][BE][fileDenyPattern]: .(php[3-6]?|phpsh|phtml)(..*)?$|.htaccess$"] [severity "CRITICAL"] [hostname "DOMAIN.TLD"] [uri "/typo-test/typo3/sysext/install/Start/Install.php"] [unique_id "VjiEb38AAAIAAFqdVJUAAAAD"]

Thanks in advance for your help.

Up :wink:

Should be fixed by next update.
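As an added example (not code from this thread, from Comodo or from the rule set), a small Python triage script for the rule 211580 (Paypal IPN, Quform) and rule 211190 (VaultPress, Typo3) false positives reported above: it parses a ModSecurity alert line into its bracketed fields and re-runs each top-level alternative of the rule's pattern, copied from the alerts quoted in the thread, over the blocked argument value to show which alternative produced the block. The sample alert is constructed from the Quform post, and the split of each pattern into alternatives is my reading of the printed regex.

```python
import re

# Constructed sample: the rule 211580 alert quoted in the Quform post, trimmed to the bracketed
# fields this script reads ("Pattern match" text, hostname and unique_id left out).
SAMPLE_ALERT = (
    'ModSecurity: Access denied with code 403 (phase 2). [file "/usr/local/cwaf/rules/23_SQL_SQLi.conf"] '
    '[line "24"] [id "211580"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: and 65 '
    'found within ARGS:iphorm_3_64: We are both senior citizens, 70 and 65 years of age."] [severity "CRITICAL"]'
)

# Top-level alternatives of the two patterns printed in this thread's alerts, with the error-log
# backslash doubling removed. In 211580, alternatives 1-3 need a comparison operator after
# "and <number>"; alternative 4 does not, which is why prose like "70 and 65 years" trips it.
RULE_ALTERNATIVES = {
    "211580": [
        r"\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]",
        r"\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]",
        r"\band\b ?(?:\d{1,10}|['\"][^=]{1,10}['\"]) ?[=<>]+",
        r"\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')",
    ],
    "211190": [
        r"(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b",
        r"/etc/",
    ],
}

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [name "value"] pairs of an alert line
DATA_RE = re.compile(r"^Matched Data: (?P<matched>.*?) found within (?P<target>\S+?): (?P<value>.*)$", re.S)

def parse_alert(line):
    """Extract rule id, message, matched fragment, target variable and the variable's full value."""
    fields = dict(FIELD_RE.findall(line))
    data = DATA_RE.match(fields.get("data", ""))
    if data is None:
        raise ValueError("alert has no parseable [data] field")
    return {"id": fields.get("id"), "msg": fields.get("msg"), **data.groupdict()}

def firing_alternatives(rule_id, value):
    """1-based indices of the rule's alternatives that match value; the rules are case-insensitive."""
    alts = RULE_ALTERNATIVES.get(rule_id, [])
    return [i for i, alt in enumerate(alts, 1) if re.search("(?i)" + alt, value)]

def triage(line):
    """Parse an alert and report which alternative(s) of a known rule produced the block."""
    alert = parse_alert(line)
    alert["alternatives"] = firing_alternatives(alert["id"], alert["value"])
    return alert
```

Calling `triage(SAMPLE_ALERT)` reports alternative 4 only, i.e. the operator-less "and <number>" branch, and the same branch is what matches "Downloads: BOTH SIZES (nb-5t and 6-14)" from the Paypal post.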