Author Topic: False positive pattern match issue  (Read 538 times)

Offline millzee

  • Newbie
  • *
  • Posts: 1
False positive pattern match issue
« on: March 23, 2022, 12:38:51 PM »
Hi,

I am using mod security; however, I'm having a false positive issue when a user posts their email address that contains "fread".

The posted address is name.fread[at]domain.com; as soon as they try to log in, the 403 error appears.

Here's the rule causing the issue:
[Wed Mar 23 17:20:56.880014 2022] [:error] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(?:\\\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\\\$_(?:(?:pos|ge)t|session))\\\\b" at ARGS:ulogin. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "73"] [id "211230"] [rev "1"] [msg "COMODO WAF: PHP Injection Attack||domain.com|F|2"] [data "Matched Data: fread found within ARGS:ulogin: name.fread[at]domain.com"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "domain.com"] [uri "/login"] [unique_id "YjtW-PpcRPx7xEXn662i0QAAAIM"], referer:

Is there somewhere I can whitelist the user email or tell mod security not to check a certain posted variable ("ulogin") as an example?

If so, can you advise where I need to put this, please? Because I do not want to have to disable the rule.

Many thanks

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 1006
Re: False positive pattern match issue
« Reply #1 on: March 26, 2022, 04:03:21 AM »
Hi millzee,

Thank you for reporting, we will check with the related team and update you.

Thanks
C.O.M.O.D.O RT
« Last Edit: March 26, 2022, 04:06:34 AM by C.O.M.O.D.O RT »
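
For the exclusion asked about in the first post: two ways in ModSecurity 2.x to stop rule 211230 from inspecting ARGS:ulogin while the rule stays active for every other argument. This is an added example, not part of the thread and not Comodo's own configuration; the rule id 1000001 is a constructed local id, and where each directive is loaded relative to the CWAF rule files is an assumption about the local setup.

```apache
# Added example, not Comodo's own configuration. Use ONE of the two options.

# Option 1: drop only the "ulogin" argument from rule 211230's target list,
# for every URI. This directive must be loaded AFTER the CWAF rule files,
# because it modifies a rule that has to exist already.
SecRuleUpdateTargetById 211230 "!ARGS:ulogin"

# Option 2: the same exclusion, limited to requests for /login (the URI in
# the log entry). This rule must be loaded BEFORE the CWAF rule files so the
# ctl action is in effect when rule 211230 runs in phase 2.
# id 1000001 is a constructed id; pick one that is unused in your ruleset.
SecRule REQUEST_FILENAME "@streq /login" \
    "id:1000001,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=211230;ARGS:ulogin"
```

Option 2 is the narrower change: other parameters on /login, and the ulogin parameter on any other URI, are still checked by rule 211230.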

 
