False-Positive report thread

[TDmitry]

Please, specify these following fields when you submit False-Positive.

1. False-Positive RuleId
2. Web application + version
3. Request headers or at least debug log

You can mask some private data, but it is highly recommended that you specify ALL three fields.

Thank you.

[FugaziHimself]

1.210710
2. owncloud-6.0.3-6.1
3. Sun Jun 08 15:05:32 2014] [error] [client xxxxx] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/opt/comodo/cwaf/rules/cwaf_01.conf"] [line "427"] [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [hostname"] [uri "/remote.php/webdav/aaa.zip"] [unique_id "U5RfnDJ1B6wAAE1zL1AAAAAD"]

I have tried to exclude it with /opt/comodo/cwaf/etc/httpd/global/zzz_exclude_global.conf
<LocationMatch .*>
SecRuleRemoveById 210710
</LocationMatch>
<DirectoryMatch '^/remote.php/webdav/'>
   SecRuleEngine Off
</DirectoryMatch>

Doesnt work

[TDmitry]

1.210710
2. owncloud-6.0.3-6.1
3. Sun Jun 08 15:05:32 2014] [error] [client xxxxx] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/opt/comodo/cwaf/rules/cwaf_01.conf"] [line "427"] [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [hostname"] [uri "/remote.php/webdav/aaa.zip"] [unique_id "U5RfnDJ1B6wAAE1zL1AAAAAD"]
...

Will be fixed with next update.

[intellitech]

1. 211570
2. WHMCS Ver. 5.3.7
3. Request headers or at least debug log -
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3932

Message: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?i:x{0,1}or)\\b[\\t\\n\\r ]{1,}('[^=]{1,10}'|[0-9]{1,10})[\\t\\n\\r ]{0,}?[<=>]|\\bor\\b {0,1}(?:[\"'][^=]{1,10}[\"']|[0-9]{1,10}) {0,1}[<=>]{1,}|\\b(?i:x{0,1}or)\\b[\\t\\n\\r ]{1,}('[^=]{1,10}'|[0-9]{1,10})|(?i:'[\\t\\n\\r ]{1,}x{0,1}or[\\t\\n ..." at ARGS:description. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "301"] [id "211570"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: or 56 found within ARGS:description: <ul>\x0d\x0a <li>Upto 256-bit encryption</li>\x0d\x0a <li>Highest Browser Recognition in the industry</li>\x0d\x0a <li>Automatic step-up for older browsers</li>\x0d\x0a <li>Stringent Business Verification</li>\x0d\x0a <li>Issued within 2 days</li>\x0d\x0a <li>Thawte Trusted Site Seal</li>\x0d\x0a <li>Unlimited Free Reissues</li>\x0d\x0a <li>Supports IDN</li>\x0d\x0a <li>Supports SGC and step-up Technology</li>\x0d\x0a</ul>\x0d\x0a<p>It offers al..."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch:
Stopwatch2:
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"

[toenu]

we ran into this false positive several times:

Code: [Select]

[Wed Jun 18 16:07:02 2014] [error] [client XX.XX.XX.XX] ModSecurity: Access denied with code 503 (phase 2). Match of "rx ^\\\\d+px$" against "ARGS:width" required. [file "/path/to/cwaf-rules/cwaf_05.conf"] [line "1171"] [id "220620"] [msg "COMODO WAF: found CVE-2013-5963"] [hostname "domain.com"] [uri "/home/wp-admin/admin-ajax.php"]

[tripflex]

False Positive for WHMCS 5.3.7

1.) 213070
2.) WHMCS 5.3.7
3.)

Specifically on saving the https://domain.com/whmcs/configgeneral.php file

--0ccd566b-F--
HTTP/1.1 403 Forbidden
Content-Length: 344
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--0ccd566b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:[\"'][ ]{0,}(([^a-z0-9 ':_~])|(in)).{0,}?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|( ..." at ARGS:emailglobalheader. [file "/var/cpanel/cwaf/rules/cwaf_03.conf"] [line "1093"] [id "213070"] [msg "COMODO WAF: IE XSS Filters - Attack Detected."] [data "Matched Data: \x22{$company_domain}\x22 target=\x22_blank\x22><img src=\x22{$company_logo_url}\x22 alt=\x22{$company_name}\x22 border= found within ARGS:emailglobalheader: <p><a href=\x22{$company_domain}\x22 target=\x22_blank\x22><img src=\x22{$company_logo_url}\x22 alt=\x22{$company_name}\x22 border=\x220\x22 />[/url]</p>"]
Action: Intercepted (phase 2)
Stopwatch: 1408063464225154 133149 (- - -)
Stopwatch2: 1408063464225154 133149; combined=84839, p1=300, p2=84445, p3=0, p4=0, p5=57, sr=50, sw=37, l=0, gc=0
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"

[JulesR]

1. 211720
2. WHMCS 5.3.9.
3. Client couldn't submit a ticket within WHMCS. Log: http://pastebin.com/raw.php?i=YGbLx4dN

[akabakov]

The easiest way to avoid false-positive errors is excluding the rules:

Plugins - Comodo WAF -  Userdata - Custom Rules


SecRuleRemoveById 211570 211750 211790 etc


save and restart apache.

If you don't  use Cpanel, just write 

SecRuleRemoveById 211570 211750 211790 etc


in  /<path_to_cwaf>/cwaf/etc/httpd/custom_user.conf

save and restart apache. 

[JulesR]

What a useless response. We know how to disable rules, the entire purpose of this thread is to REPORT the ones that are false positives.

Are you acknowledging these reports and planning to fix them or not?

[JulesR]

1. 210800
2. Unknown.
3. www.clientdomain   client.ip   210800   [28/Aug/2014:03:46:48 +0000]
Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' '[at]pmFromFile bl_scanners'] [id "210800"] [msg "COMODO WAF: Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [MatchedString "maparoscopy-bmnefits-150i150.jmg5os9xc6d=5157or/admgn/edit.php/bacfronds/1.p"]
[28/Aug/2014:03:46:48 +0000] - client.ip 55758 server.ip:80 80
--3038b690-B--
GET /wp-content/uploads/2014/08/Laparoscopy-Benefits-150x150.jpg HTTP/1.1
Host: www.clientdomain
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.clientdomain/wp-admin/post.php?post=12&action=edit
Cookie: __utma=2625461.1060887636.1370225041.1409186676.1409197476.102; __utmz=2625461.1386038835.21.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26editor%3Dtinymce%26libraryContent%3Dbrowse%26urlbutton%3Dnone%26imgsize%3Dmedium%26wplink%3D1%26ed_size%3D473%26align%3Dnone%26advImgDetails%3Dshow; wp-settings-time-1=1409197572; wp-settings-time-5=1396490878; __utmc=2625461; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_68a9cfa0c6c32b3ba4523393dcde5701=admin%7C1410396318%7C954fc7b0d807f35875ce8b366531e67e; __utmb=2625461.6.10.1409197476
Connection: keep-alive

--3038b690-F--
HTTP/1.1 403 Forbidden

--3038b690-H--
Message: Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' '[at]pmFromFile bl_scanners'] [id "210800"] [msg "COMODO WAF: Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [MatchedString "maparoscopy-bmnefits-150i150.jmg5os9xc6d=5157or/admgn/edit.php/bacfronds/1.p"]

[ionRules]

I have two reports below. I apologize for the lack of info, but I just wanted to get something on record.

===========================================
1. Unknown

2. Miva Merchant 5.5
Production Release 8 Update 12
Miva Merchant Engine v5.20
http://mivamerchant.com

3. Unknown

The logs/modsec_audit.log is rotated daily, so I missed the log entries of the false positives. But I know they existed because I was getting reports of issues on these applications and when I disabled WAF on the domains running these applications the errors stopped immediately.


============================

1. Unknown

2. ExpressionEngine
https://ellislab.com/expressionengine

3. Unknown

Same issues with the logs having rotated before I could gather the data, unfortunately.

[webwzrd]

1. 211170
2. SMF 2.0.8

Some Simple Forum members are getting blocked from logging in by this:

3.
ModSecurity:  [file "/etc/httpd/modsecurity.d/cwaf_02.conf"] [line "176"] [id "211170"] [msg "COMODO WAF: Session Fixation"] [data "Matched Data: http://www.domainName.com/ found within TX:1: www.domainName.com"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. [hostname "domainName.com"] [uri "/forum/index.php"] [unique_id "VBDqUkE8MfIAAFWH5QEAAAAH"]

Please advise.

[webwzrd]

Here's a couple more.

1. 214540 &214940
2. Joomla 2.5 while trying to access dtregister from admin
3.
ModSecurity:  [file "/etc/httpd/modsecurity.d/cwaf_04.conf"] [line "325"] [id "214540"] [msg "COMODO WAF: Possibly malicious iframe tag in output"] [data "Matched Data: <iframe id=\\x22google_externalSite\\x22 class=\\x22google_externalSite\\x22 name=\\x22google_externalSite\\x22 src=\\x22\\x22 style=\\x22display:none found within RESPONSE_BODY: <!DOCTYPE html PUBLIC \\x22-//W3C//DTD XHTML 1.0 Transitional//EN\\x22 \\x22http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\x22>\\x0a<html xmlns=\\x22http://www.w3.org/1999/xhtml\\x22 xml:lang=\\x22en-gb\\x22 lang=\\x22en-gb\\x22 dir=\\x22ltr\\x22 >\\x0a<head>\\x0a  <meta http-equiv=\\x22content-type\\x22 content=\\x22text/html; cha..."] [severity "ERROR"] Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\\\\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\"']{0,1}[^a-zA-Z0-9_]{0,}?\\\\bdisplay\\\\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\\\\bnone\\\\b" at RESPONSE_BODY. [hostname "www.domainName.com"] [uri "/administrator/index.php"] [unique_id "VBwzEriaLzIAADep51sAAAAB"]

ModSecurity:  [file "/etc/httpd/modsecurity.d/cwaf_04.conf"] [line "581"] [id "214940"] [msg "COMODO WAF: Outbound Points Exceeded (points 4)"] Warning. Operator GE matched 4 at TX:outgoing_points. [hostname "www.domainName.com"] [uri "/administrator/index.php"] [unique_id "VBwzEriaLzIAADep51sAAAAB"]

[JulesR]

Vaultpress for Wordpress:

--44f5c96f-A--
[19/Aug/2014:01:11:48 +0000] - 207.198.112.23 52575 xxx.xxx.xxx.xxx:80 80
--44f5c96f-B--
POST /wp-load.php?vaultpress=true&action=ZXhlYw&doing_wp_cron=&wp-admin=&vector=1408410708.3984&ge=1 HTTP/1.1
User-Agent: Automattic/VaultPress/0.1
Host: www.hidden.tld
Accept: */*
Accept-Encoding: gzip
Content-Length: 899
Content-Type: multipart/form-data; boundary=------------------------5798377f1bdb8670

--44f5c96f-F--
HTTP/1.1 403 Forbidden

--44f5c96f-H--
Message: Blocked , [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:html_message' '(alert|eval|fromcharcode)[\t\n\r ]{0,}\('] [id "212790"] [msg "COMODO WAF: XSS Attack Detected"] [severity "WARNING"] [MatchedString "$b="bas"; $b.="e64_d"; $b.="ecode"; return [at]eval( $b( "cmv0dxjuicr3cgrilt5nzxrfcmvzdwx0cyggilnftevdvcbkyxrlkcbgy29tbwvudf9kyxrlycapieftigbjb21tzw50x2rhdgvgicwgag91ciggygnvbw1lbnrfzgf0zwagksbbuybgy29tbwvudf9ob3vyycasigbjb21tzw50x2fwchjvdmvkycasignvdw50kcbgy29tbwvudf9jrgagksbbuybgy291bnrgiezst00gjhdwzgitpmnvbw1lbnrzifdirvjfigbjb21tzw50x2fwchjvdmvkycahpsanc3bhbscgqu5eignvbw1lbnrfzgf0zsa+icbeqvrfx1nvqihub3cokswgsu5urvjwquwgnjugrefzksbhuk9vucbcwsbkyxrlkcbgy29tbwvudf9kyxrlycapicwgag91ciggygnvbw1lbnrfzgf0zwagksasigbjb21tzw50x2fwchjvdmvkycbmsu1jvcaxmdawie9grlnfvcaxmdawiiapow==" ) );"]

--44f5c96f-Z--

[webjive]

Rule 212740 is producing a false positive after the rules update to 1.2.1. We can no longer use the Joomla article preview option from the backend for our client websites. The plugin triggering this is http://www.nonumber.nl/extensions/betterpreview

2014-11-17 10:07:01    spectrat.webjiveclient.com    104.177.44.44       403     POST /index.php?option=com_content&view=article&id=27&yeepreview=1

[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/images/jpgs/araero.jpg"] [unique_id "VGodK63BEzIAAHFGXGYAAAAA"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/images/jpgs/araero.jpg"] [unique_id "VGodK63BEzIAAHFGXGYAAAAA"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/popup.html"] [unique_id "VGodK63BEzIAAGdM5MkAAAAQ"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/popup.html"] [unique_id "VGodK63BEzIAAGdM5MkAAAAQ"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/tooltip.html"] [unique_id "VGodK63BEzIAAHBsUJMAAAAT"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/tooltip.html"] [unique_id "VGodK63BEzIAAHBsUJMAAAAT"]