[False Positive 11528] Joomla Admin Plus Exclusion Editor Not Retaining Info

Free Modsecurity rules - Comodo Web Application Fi
1

Rule 11528 causing 403’s when in Joomla admin and saving things like configuration file or loading on certain components & modules.

I’ve also noticed with the latest version 0.33 when I add the SecRuleRemoveById 11528 to the exclusion editor that it doesn’t exclude the rule ?

/var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf shows the following:

Created by CWAF management application

Note! This file may be modified and any manual changes may be lost!

Date: 16/01/14 22:42:08 UTC

SecRuleRemoveById 11528

Permission on the conf is 644

Work around while I was working in Joomla was to comment out CWAF in modsec2.conf do the component install or save global config then reactivate CWAF

2

Possible it is a remote file inclusion, please provide blocked request information (URL, ARGs and Joomla module)

3

Hi Yah TDmitry,

If I remember correctly it was simple changes to Joomla’s global configuration i.e time zone etc etc then when clicking on save it bombed out.

Components/modules : I think we were testing the following and all failed to load until we disabled CSWAF

The sites now live so not going to mess around with it in case customer spots anything

4

Have just updated to the latest version this morning after my reply above…

Yet again the exclusion text area was blank on installing the new rules, it still didn’t remember what was there prior :frowning:
I see that rules have had their numbers changed…
20042 & 20020 are now 220042 & 220020

Unfortunately still getting the PCRE errors
Rule 7f98858 [id “220042”][file “/var/cpanel/cwaf/rules/cwaf_05.conf”][line “86”] - Execution error - PCRE limits exceeded (-8): (null).
Rule 7f8b438 [id “220020”][file “/var/cpanel/cwaf/rules/cwaf_05.conf”][line “55”] - Execution error - PCRE limits exceeded (-8): (null).

5

Exclusion manager not remembering or reading the exclusion numbers added so I’m back to having problems with the old “11528” rule which has now been renamed to “211528”. This was on a different customers web site with Joomla 3.2, using a slide show module, it would upload the image, save it etc etc as expected but as soon as you “save” the module then we get the 403 error. That’s three different web sites using different modules, one using Joomla 2.5 and the others Joomla 3.2, all being blocked as soon as the save or save & close module is clicked.

6

Next update should fix this False positive.