[False Positive ID 19901] WordPress Admin

Hello,

Upon visiting my WordPress blog’s /wp-admin page I’m receiving a couple of Rule ID 19901 alerts in my audit log. Up until now, the Atomicorp Realtime rules never reported anything similar.

Here’s a sample (cookie data & IPs scrambled for security):

Pattern match "^wordpress_([0-9a-fA-f]{32})$" at REQUEST_COOKIES_NAMES:wordpress_7b7a3xxxxxxxxxxxxxxxxx710e1. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "18"] [id "19901"] [msg "COMODO WAF: see rule description"]

[02/Jan/2014:19:28:24 +0000] UsW906INnKwAAYeMVfwAAAFL xx.xx.xx.xx 20776 xx.xx.xx.xx 80
--32e1ab4f-B--
GET /wp-admin/ HTTP/1.1
Host: xxx.xxxx.xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxxx.xxx/wp-login.php?redirect_to=http%3A%2F%2Fxxx.xxxx.xxx%2Fwp-admin%2F&reauth=1
Cookie: wordpress_7b7a3xxxxxxxxxxxxxxxxx710e1=xxxxxx%7C13xxxxxxxxx9%7C8xxxxxxxxxxxx5c790c25c64993; __cfduid=d26dxxxxxxxxxxxxx469; __utma=236xxxxxx4.1xxxxxxxx2.1xxxxx71.138xxxxxx37.1xxxx51327.105; __utmz=23xxx34.13xxxxxx3.65.2.utmcsr=xxxxx|utmccn=(referral)|utmcmd=referral|utmcct=/; __qca=P0-23xxxxxx0-13xxxxxxx8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_7bxxxxxxxxx0e1=xxxxxxxx%7C138xxxxxx99%7C88xxxxxxxx8b2ed3c
Connection: keep-alive

--32e1ab4f-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.23
X-CF-Powered-By: WP 1.3.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: wp-settings-1=editor%3Dhtml%26imgsize%3Dfull%26urlbutton%3Dnone%26align%3Dcenter%26wplink%3D1; expires=Fri, 02-Jan-2015 19:28:23 GMT; path=/
Set-Cookie: wp-settings-time-1=1388690903; expires=Fri, 02-Jan-2015 19:28:23 GMT; path=/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--32e1ab4f-H--
Message: Warning. Pattern match "^wordpress_([0-9a-fA-f]{32})$" at REQUEST_COOKIES_NAMES:wordpress_7b7a3xxxxxxxxxxxxxxxxx710e1. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "18"] [id "19901"] [msg "COMODO WAF: see rule description"]
Stopwatch: 1388690899380761 4652698 (- - -)
Stopwatch2: 1388690899380761 4652698; combined=6373, p1=81, p2=6051, p3=27, p4=185, p5=28, sr=44, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/).
Server: Apache
WebApp-Info: "default" "7b7a3xxxxxxxxxxxxxxxxx710e1" "-"
Engine-Mode: "ENABLED"

The same alert comes up for the following requests:

GET /wp-content/plugins/akismet/akismet.css?ver=x.x.x HTTP/1.1
GET /wp-content/plugins/jetpack/modules/contact-form/css/menu-alter.css?ver=x.x HTTP/1.1
GET /wp-admin/css/colors.min.css?ver=x.x HTTP/1.1
GET /wp-content/plugins/jetpack/_inc/jetpack-icons/jetpack-icons.css?ver=x.x HTTP/1.1
GET /wp-content/plugins/akismet/akismet.js?ver=x.x.x HTTP/1.1
GET /wp-admin/load-styles.php?c=0&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=x.x HTTP/1.1
GET /wp-admin/load-styles.php?c=0&dir=ltr&load=wp-jquery-ui-dialog&ver=x.x HTTP/1.1
GET /wp-admin/load-scripts.php?c=0&load%5B%5D=jquery-core,jquery-migrate,utils,json2&ver=x.x HTTP/1.1
GET /wp-content/plugins/wordpress-seo/js/wp-seo-admin-global.js?ver=x.x.x HTTP/1.1
GET /wp-content/plugins/jetpack/modules/wpgroho.js?ver=x.x HTTP/1.1
GET /wp-content/plugins/jetpack/modules/contact-form//images/grunion-menu.png HTTP/1.1
GET /wp-content/plugins/jetpack/_inc/jquery.spin.js?ver=x.x HTTP/1.1
GET /wp-content/plugins/jetpack/_inc/spin.js?ver=x.x HTTP/1.1
GET /wp-content/plugins/jetpack/_inc/jetpack-icons/font/jetpack.ttf HTTP/1.1
GET /wp-content/plugins/wordpress-seo/images/yoast-icon.png HTTP/1.1

Additionally, I’ve been getting an “Operator EQ matched 1 at SESSION:wrench” alert as well:

Message: Warning. Pattern match "^wordpress_([0-9a-fA-f]{32})$" at REQUEST_COOKIES_NAMES:wordpress_7b7a3xxxxxxxxxxxxxxxxx710e1. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "18"] [id "19901"] [msg "COMODO WAF: see rule description"]
Message: Warning. Operator EQ matched 1 at SESSION:cart66. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "510"] [id "20291"]
Message: Warning. Operator EQ matched 1 at SESSION:wrench. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "578"] [id "20321"]
Stopwatch: 1388690908687852 5701744 (- - -)
Stopwatch2: 1388690908687852 5701744; combined=9161, p1=89, p2=8277, p3=27, p4=404, p5=198, sr=14, sw=166, l=0, gc=0
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/).
Server: Apache
WebApp-Info: "default" "7b7a3xxxxxxxxxxxxxxxxx710e1" "-"
Engine-Mode: "ENABLED"

wordpress_* formatted cookie data are perfectly normal; see here: Cookies – WordPress.org Documentation
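A triage sketch for alerts like the ones in the post above, as an added example (not part of the original post, and not Comodo's or ModSecurity's code): it parses section-H `Message:` lines, groups the variables that fired per rule id, and re-tests a logged "Pattern match" regex against the cookie name a stock WordPress install derives from its site URL. The sample log lines, the cookie hash in them, the site URL `http://blog.example` and all function names are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: section-H lines in the format shown in the post.
SAMPLE_H = '''\
Message: Warning. Pattern match "^wordpress_([0-9a-fA-f]{32})$" at REQUEST_COOKIES_NAMES:wordpress_0123456789abcdef0123456789abcdef. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "18"] [id "19901"] [msg "COMODO WAF: see rule description"]
Message: Warning. Operator EQ matched 1 at SESSION:cart66. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "510"] [id "20291"]
Message: Warning. Operator EQ matched 1 at SESSION:wrench. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "578"] [id "20321"]
Stopwatch: 1388690908687852 5701744 (- - -)
'''

MSG_RE = re.compile(r'^Message: (?P<action>[^.]+)\. (?P<detail>.*?) at (?P<var>[A-Z_]+:[^\s\[]+)\. (?P<meta>\[.*\])\s*$')
META_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
PATTERN_RE = re.compile(r'^Pattern match "(.*)"$')

def parse_messages(section_h):
    """Return one dict per Message: line (action, detail, var, file, line, id, msg)."""
    alerts = []
    for line in section_h.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # Stopwatch, Producer, Server, ... carry no rule data
        alert = m.groupdict()
        alert.update(META_RE.findall(alert.pop("meta")))  # [key "value"] pairs
        alerts.append(alert)
    return alerts

def summarize(alerts):
    """Map rule id -> sorted list of variables it fired on."""
    by_rule = defaultdict(set)
    for a in alerts:
        by_rule[a["id"]].add(a["var"])
    return {rule_id: sorted(v) for rule_id, v in by_rule.items()}

def wp_auth_cookie_name(site_url):
    """Stock WordPress names its auth cookie wordpress_<md5 of the site URL>."""
    return "wordpress_" + hashlib.md5(site_url.encode()).hexdigest()

def fires_on(alert, value):
    """Re-test a logged 'Pattern match' regex against another candidate value."""
    m = PATTERN_RE.match(alert["detail"])
    return bool(m and re.search(m.group(1), value))

if __name__ == "__main__":
    alerts = parse_messages(SAMPLE_H)
    print(summarize(alerts))
    name = wp_auth_cookie_name("http://blog.example")  # constructed site URL
    print(name, fires_on(alerts[0], name))
```

Because the cookie name is always `wordpress_` plus 32 hex digits, a rule keyed only on that name fires on every request a logged-in user sends, static assets included.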

Hello George.

Thank you very much for reporting.

We will check this issue and fix it with the next rules update.

Please check rules v.032.