Author Topic: False-Positive report thread  (Read 23686 times)

Offline limithat

  • Newbie
  • *
  • Posts: 14
Re: False-Positive report thread
« Reply #195 on: June 28, 2017, 09:29:28 AM »
Hello Titans,

We are working on this issue and will get back to you soon. Please give us the full audit log.
You can mask some private data, but it is highly recommended to give the full audit log.

Thank you.

Regards,
Comodo cWatch Web Support Team.

Offline Titans

  • Newbie
  • *
  • Posts: 8
False-Positive report thread
« Reply #196 on: June 30, 2017, 06:17:41 AM »
1. RuleId 226472

2. wordpress wp_version = '4.8'


3. [id "226472"] [rev "3"] [msg "COMODO WAF: CSRF vulnerability in the MailPoet Newsletters WordPress plugin before 2.6.11 (CVE-2014-3907)||xxxxxxx.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "WPPlugin"]
Message: Access denied with code 403 (phase 2). Match of "eq 1" against "&SESSION:wysija" required. [file "/var/cpanel/cwaf/rules/29_Apps_WPPlugin.conf"] [line "1196"]

Offline lucasrolff

  • Newbie
  • *
  • Posts: 2
Re: False-Positive report thread
« Reply #197 on: July 05, 2017, 03:12:37 AM »
Since yesterday rule 214920 has been freaking out:

zcat error_log-07-2017.gz | grep "214920" | grep "Operator LT matched 5 at TX:incoming_points." | wc -l
566323

[Wed Jul 05 09:11:37.889024 2017] [:error] [pid 27659:tid 140430878852864] [client 5.xxx.xxx.xxx] ModSecurity: Warning. Operator LT matched 5 at TX:incoming_points. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo-apache/22_Outgoing_FiltersEnd.conf"] [line "31"] [id "214920"] [rev "1"] [msg "COMODO WAF: Inbound Points|Total Incoming Points: 3|domain.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "domain.com"] [uri "/wmrx4.php"] [unique_id "WVyRKaexClPhOKW0UXMCbwAAAkA"]

It happens for all domains on all servers.
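
The post above counts hits with a grep pipeline and observes that the rule fires on every domain. Below is an added example (my own code, not from the post or from Comodo) that does the same triage in Python: it parses the `[name "value"]` fields of each ModSecurity error_log line, reproduces the pipeline's count, and groups hits by rule id so that a rule firing across many distinct vhosts right after a ruleset update stands out from a genuine attack against one site. The embedded log lines are constructed to match the layout of the quoted entry; every client address, hostname, uri and unique_id is made up, and rule id 999999 is a placeholder.

```python
"""Triage ModSecurity error_log entries by rule id.

Added example, not code from the forum post or from Comodo. The log lines below
are constructed to match the layout of the entry quoted in the post: every client
address, hostname, uri and unique_id is made up, and rule id 999999 is a placeholder.
"""
import re
from collections import defaultdict

# ModSecurity writes audit fields as [name "value"]; a value may contain escaped quotes.
TAG_RE = re.compile(r'\[([A-Za-z_][\w-]*) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

SAMPLE_ERROR_LOG = """\
[Wed Jul 05 09:11:37.889024 2017] [:error] [pid 27659:tid 140430878852864] [client 203.0.113.10] ModSecurity: Warning. Operator LT matched 5 at TX:incoming_points. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo-apache/22_Outgoing_FiltersEnd.conf"] [line "31"] [id "214920"] [rev "1"] [msg "COMODO WAF: Inbound Points|Total Incoming Points: 3|a.example|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "a.example"] [uri "/index.php"] [unique_id "CONSTRUCTED0001"]
[Wed Jul 05 09:11:38.100000 2017] [:error] [pid 27659:tid 140430878852864] [client 203.0.113.11] ModSecurity: Warning. Operator LT matched 5 at TX:incoming_points. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo-apache/22_Outgoing_FiltersEnd.conf"] [line "31"] [id "214920"] [rev "1"] [msg "COMODO WAF: Inbound Points|Total Incoming Points: 2|b.example|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "b.example"] [uri "/wp-login.php"] [unique_id "CONSTRUCTED0002"]
[Wed Jul 05 09:11:39.250000 2017] [:error] [pid 27660:tid 140430878852864] [client 203.0.113.12] ModSecurity: Warning. Operator LT matched 5 at TX:incoming_points. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo-apache/22_Outgoing_FiltersEnd.conf"] [line "31"] [id "214920"] [rev "1"] [msg "COMODO WAF: Inbound Points|Total Incoming Points: 4|c.example|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "c.example"] [uri "/"] [unique_id "CONSTRUCTED0003"]
[Wed Jul 05 09:12:01.000000 2017] [:error] [pid 27661:tid 140430878852864] [client 203.0.113.13] ModSecurity: Access denied with code 403 (phase 2). Pattern match "placeholder" at ARGS:q. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo-apache/placeholder.conf"] [line "1"] [id "999999"] [rev "1"] [msg "CONSTRUCTED: placeholder rule|a.example|F|2"] [severity "CRITICAL"] [tag "CWAF"] [hostname "a.example"] [uri "/search"] [unique_id "CONSTRUCTED0004"]
"""


def parse_entry(line):
    """Return the audit fields of one error_log line, or None if it is not a ModSecurity entry."""
    if "ModSecurity:" not in line:
        return None
    entry = {"tags": []}
    m = CLIENT_RE.search(line)
    entry["client"] = m.group(1) if m else None
    for name, value in TAG_RE.findall(line):
        if name == "tag":          # tag repeats, so collect it as a list
            entry["tags"].append(value)
        else:
            entry[name] = value
    return entry


def count_matches(lines, rule_id, needle):
    """The equivalent of the grep | grep | wc -l pipeline: lines for this rule id that carry the operator text."""
    return sum(1 for line in lines if f'[id "{rule_id}"]' in line and needle in line)


def summarize_by_rule(lines):
    """Group entries by rule id, tracking hit count and the distinct vhosts, uris and clients that triggered it."""
    summary = defaultdict(lambda: {"hits": 0, "hosts": set(), "uris": set(), "clients": set(), "msg": None})
    for line in lines:
        entry = parse_entry(line)
        if not entry or "id" not in entry:
            continue
        s = summary[entry["id"]]
        s["hits"] += 1
        s["hosts"].add(entry.get("hostname"))
        s["uris"].add(entry.get("uri"))
        s["clients"].add(entry["client"])
        # keep only the rule's fixed description, not the per-hit "|points|host|F|2" suffix
        s["msg"] = s["msg"] or entry.get("msg", "").split("|")[0]
    return dict(summary)


def broad_rules(summary, min_hosts=2):
    """Rule ids that fire on at least min_hosts distinct vhosts: a vendor rule doing that
    across unrelated sites right after an update is a candidate false positive, not an attack."""
    return sorted(rid for rid, s in summary.items() if len(s["hosts"]) >= min_hosts)


if __name__ == "__main__":
    lines = SAMPLE_ERROR_LOG.splitlines()
    print("pipeline count:", count_matches(lines, "214920", "Operator LT matched 5 at TX:incoming_points."))
    for rid, s in summarize_by_rule(lines).items():
        print(rid, s["hits"], "hits on", sorted(s["hosts"]), "-", s["msg"])
    print("firing across vhosts:", broad_rules(summarize_by_rule(lines)))
```

Feed it `zcat error_log-07-2017.gz` output instead of the sample to get the per-rule breakdown; the distinct-host count is what separates "one site under attack" from "one rule misfiring everywhere" before deciding whether to disable the rule id.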

Offline sdzzds

  • Newbie
  • *
  • Posts: 6
Re: False-Positive report thread
« Reply #198 on: July 05, 2017, 05:44:30 AM »
Hello,

Since the last rules update for LiteSpeed yesterday (07.04) (I don't know if Apache is also affected), there is a problem with lines 20 and 21 of the file "11_HTTP_HTTP.conf":

Code:
SecRule TX:0 "!@pmFromFile userdata_wl_content_type" \
"setvar:'tx.points=+%{tx.points_limit4}',ctl:forceRequestBodyVariable=On,t:none"

This causes a false positive: in Joomla, for example, simply browsing the front page while logged in as admin causes an IP ban of the user. If I manually disable these lines, the problem is fixed.

Please fix this issue in future updates.

Thanks

Offline crownhost

  • Newbie
  • *
  • Posts: 11
Re: False-Positive report thread
« Reply #199 on: July 07, 2017, 03:06:51 AM »
Same problem with "Since yesterday rule 214920 has been freaking out."
Had to disable the rule.

Offline limithat

  • Newbie
  • *
  • Posts: 14
Re: False-Positive report thread
« Reply #200 on: July 10, 2017, 09:30:12 AM »
I had to disable this rule. It is affecting several users on several servers.

Does anyone know what this rule is doing?

1. False-Positive RuleId
218520

2. Web application + version
Wordpress 4.7.4
Wordpress 4.7.1

3. Request headers or at least debug log

--33acbf0f-A--
[05/May/2017:08:14:19 +0200] WQwYOvt65TuuM5rjo8gaGwAAAAk XXXXXXXXXXXXXX 41926 37.59.226.88 82
--33acbf0f-B--
GET /wp-admin/ HTTP/1.1
Host: XXXXXXXXXXXXXXXXXXXXXXXXXXX
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: es-ES,es;q=0.8,en;q=0.6
Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X-Forwarded-For: XXXXXXXXXXXXXXXXXX
X-Cachewall-Remote-IP: XXXXXXXXXXXXXXXXX
X-Cachewall-Object-Type: dynamic
X-Cachewall-Server: XXXXXXXXXXXXXXXXXX
X-Cachewall-Proto: http
X-Cachewall-Identity: XXXXXXXXXXXXXXXXXXXXXX
X-Cachewall-Match: pass=DEF22
X-Varnish: XXXXXXXXXXXXXXXXXXXXXX

--33acbf0f-F--
HTTP/1.1 302 Found
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://XXXXXXXXXXXXXXX/wp-json/>; rel="https://api.w.org/"
Location: http://XXXXXXXXXXXXXXXXXX.es/wp-admin/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--33acbf0f-H--
Message: Access denied with code 403 (phase 2). Match of "endsWith /sysext/install/start/install.php" against "REQUEST_FILENAME" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/24_SQL_SQLi.conf"] [line "77"] [id "218520"] [rev "2"] [msg "COMODO WAF: SQL Injection Attack Detected via libinjection||XXXXXXXXXXXXXX|F|2"] [data "Matched Data: n&1 found within REQUEST_FILENAME: /wp-admin/"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-lsphp
Stopwatch: 1493964858306883 1274686 (- - -)
Stopwatch2: 1493964858306883 1274686; combined=2219, p1=443, p2=1531, p3=0, p4=0, p5=166, sr=65, sw=79, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
WebApp-Info: "default" "3a00234b7f502ee55c0f938dc3b8205a" "-"
Engine-Mode: "ENABLED"

--33acbf0f-Z--


Hello confortable,

Please update the ruleset to the latest version (1.130). The rule ID 218520 has been removed in the latest version.

Thank you.

Regards,
Comodo cWatch Web Support Team.
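
The audit log in the report above is in ModSecurity's serial format: one entry bounded by `--<id>-<letter>--` markers, with section B holding the request line and headers, F the response headers, and H the audit trailer whose `Message:` line carries the rule id, file, msg and matched data that the support team asks for. Below is an added example (my own code, not the forum's or Comodo's) that parses such an entry into exactly those fields. The embedded entry is constructed to mirror the layout of the one posted above, including the `Message:` line wrapped across several lines as it appears in the post; the hostnames, addresses, cookie and ids in it are made up.

```python
"""Parse one ModSecurity serial-format audit log entry into the fields a false-positive report needs.

Added example, not the forum's or Comodo's code. The entry below is constructed to
mirror the layout of the log posted above, including the wrapped Message: line;
hostnames, addresses, the cookie and the ids are made up.
"""
import re

BOUNDARY_RE = re.compile(r'^\s*--([0-9A-Za-z]+)-([A-Z])--\s*$')
HEADER_RE = re.compile(r'^([^:\s]+):\s*(.*)$')
# Trailer keys (Message, Action, Stopwatch2, Engine-Mode, ...) start with a capital followed by a
# lowercase letter, which keeps wrapped text such as "REQUEST_FILENAME: ..." from being taken as a key.
TRAILER_KEY_RE = re.compile(r'^([A-Z][a-z][\w-]*):\s*(.*)$')
TAG_RE = re.compile(r'\[([A-Za-z_][\w-]*) "((?:[^"\\]|\\.)*)"\]')

SAMPLE_AUDIT_ENTRY = """\
--33acbf0f-A--
[05/May/2017:08:14:19 +0200] Wq00Constructed00000000000 198.51.100.7 41926 203.0.113.5 82
 --33acbf0f-B--
 GET /wp-admin/ HTTP/1.1
 Host: shop.example
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla/5.0 (constructed sample)
 Cookie: wordpress_logged_in_REDACTED=REDACTED
 X-Forwarded-For: 198.51.100.7

 --33acbf0f-F--
 HTTP/1.1 302 Found
 Location: http://shop.example/wp-admin/
 Content-Length: 0
 Content-Type: text/html; charset=UTF-8

 --33acbf0f-H--
 Message: Access denied with code 403 (phase 2). Match of "endsWith /sysext/install/start/install.php" against "REQUEST_FILENAME" required.
  [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/24_SQL_SQLi.conf"] [line "77"] [id "218520"] [rev "2"] [msg "COMODO WAF:
  SQL Injection Attack Detected via libinjection||shop.example|F|2"] [data "Matched Data: n&1 found within
  REQUEST_FILENAME: /wp-admin/"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"]
 Action: Intercepted (phase 2)
 Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
 Engine-Mode: "ENABLED"

 --33acbf0f-Z--
"""


def split_sections(text):
    """Map each section letter (A, B, F, H, Z, ...) to its lines, stripped of the whitespace a forum paste adds."""
    sections, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            current = m.group(2)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def parse_headers(lines):
    """Request or response header lines into a dict; the blank terminator does not match and is skipped."""
    headers = {}
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = m.group(2)
    return headers


def parse_trailer(lines):
    """Section H into {key: value}, folding wrapped continuation lines back into the preceding key."""
    fields, last = {}, None
    for line in lines:
        if not line:
            continue
        m = TRAILER_KEY_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last is not None:
            fields[last] += " " + line
    return fields


def parse_message(message):
    """Extract the [name "value"] fields of a Message: line; tag repeats, so it is collected as a list."""
    fields = {"tag": []}
    for name, value in TAG_RE.findall(message):
        if name == "tag":
            fields["tag"].append(value)
        else:
            fields[name] = value
    return fields


def summarize_entry(text):
    """The request, the response status and the triggering rule of one audit entry."""
    sec = split_sections(text)
    method, uri, _version = sec["B"][0].split(" ", 2)
    req_headers = parse_headers(sec["B"][1:])
    status = int(sec["F"][0].split()[1]) if sec.get("F") else None
    trailer = parse_trailer(sec.get("H", []))
    rule = parse_message(trailer.get("Message", ""))
    return {
        "method": method, "uri": uri, "host": req_headers.get("Host"), "status": status,
        "rule_id": rule.get("id"), "rule_file": rule.get("file"), "msg": rule.get("msg"),
        "matched_data": rule.get("data"), "tags": rule["tag"], "action": trailer.get("Action"),
    }


if __name__ == "__main__":
    for key, value in summarize_entry(SAMPLE_AUDIT_ENTRY).items():
        print(f"{key}: {value}")
```

Running it over a real entry gives the rule id, the rule file and line, and the `data` field in one place; that last field (here, what libinjection matched inside `/wp-admin/`) is usually the quickest way to tell whether a hit is a genuine injection attempt or an innocuous path that happens to look like one.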

Offline limithat

  • Newbie
  • *
  • Posts: 14
Re: False-Positive report thread
« Reply #201 on: July 10, 2017, 10:12:00 AM »
Hello,

Since the last rules update for LiteSpeed yesterday (07.04) (I don't know if Apache is also affected), there is a problem with lines 20 and 21 of the file "11_HTTP_HTTP.conf":

Code:
SecRule TX:0 "!@pmFromFile userdata_wl_content_type" \
"setvar:'tx.points=+%{tx.points_limit4}',ctl:forceRequestBodyVariable=On,t:none"

This causes a false positive: in Joomla, for example, simply browsing the front page while logged in as admin causes an IP ban of the user. If I manually disable these lines, the problem is fixed.

Please fix this issue in future updates.

Thanks

Hello sdzzds,

We are working on this issue and will get back to you soon.

Thank you.

Regards,
Comodo cWatch Web Support Team.

Offline limithat

  • Newbie
  • *
  • Posts: 14
Re: False-Positive report thread
« Reply #202 on: July 11, 2017, 05:28:24 AM »
1. RuleId 226472

2. wordpress wp_version = '4.8'


3. [id "226472"] [rev "3"] [msg "COMODO WAF: CSRF vulnerability in the MailPoet Newsletters WordPress plugin before 2.6.11 (CVE-2014-3907)||xxxxxxx.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "WPPlugin"]
Message: Access denied with code 403 (phase 2). Match of "eq 1" against "&SESSION:wysija" required. [file "/var/cpanel/cwaf/rules/29_Apps_WPPlugin.conf"] [line "1196"]


Hello Titans,

Please reload the MailPoet Newsletters page. This should possibly resolve the issue.

Thank you.

Regards,
Comodo cWatch Web Support Team.

Offline limithat

  • Newbie
  • *
  • Posts: 14
Re: False-Positive report thread
« Reply #203 on: July 11, 2017, 06:55:10 AM »
Rule 218550 generates a false positive on WordPress admin login -- I am seeing this on multiple sites. Tested, and the rule was triggered immediately on my accessing wp-admin (no other action on my part). (I have disabled the rule.)

Sample message:
Code:
Request: GET /wordpress/wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer,wp-ajax-response,jquery-color,wp-lists,quicktags,jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore,customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install,wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter,heartbeat,wp-auth-check,jquery-ui-dra&load%5B%5D=ggable,jquery-ui-droppable,jquery-effects-core,wplink,jquery-ui-menu,jquery-ui-autocomplete&ver=faa82ed2fa93e9cb72f05cb97b6db6f5
Action Description: Access denied with code 403 (phase 2).

Justification: Pattern match "(?i:(?:[\\d\\W]\\s+as\\s*?[\"'`\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_fi ..." at MATCHED_VAR.

I think it's triggering on Wordpress calls to functions like "updates" and "media-upload."

Hello Amar218,

Please update the ruleset to the latest version (1.130). The rule ID 218550 has been removed in the latest version.

Thank you.

Regards,
Comodo cWatch Web Support Team.

Offline limithat

  • Newbie
  • *
  • Posts: 14
Re: False-Positive report thread
« Reply #204 on: July 11, 2017, 09:09:14 AM »
Rule 210380

CWAF v. 2.21, Rule set 1.123

Code:
Request: POST /index.php?l=check_quickcheckout
Action Description: Access denied with code 403 (phase 2).
Justification: Invalid URL Encoding: Non-hexadecimal digits used at REQUEST_BODY.

From the site logs, the IP corresponds to a logged-in customer of the shopping cart software; the customer complained that the order could not be placed.


Hello Amar218,

We are working on this issue and will get back to you soon. Please give us the full audit log.
You can mask some private data, but it is highly recommended to give the full audit log.

Thank you.

Regards,
Comodo cWatch Web Support Team.
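
The justification in the report above ("Invalid URL Encoding: Non-hexadecimal digits used at REQUEST_BODY") comes from ModSecurity's URL-encoding validation, which walks the request body and rejects any `%` that is not followed by two hexadecimal digits. Below is an added example, my own re-implementation of that check modelled on the operator's behaviour (an assumption; it is not ModSecurity's code), applied field by field to a constructed checkout POST body so that the offending field can be located when a shop's customers report blocked orders. The field names and values are made up, and the scenario of a raw `%` typed into a free-text field is an illustration of how a legitimate order can trip the rule, not a finding about this user's site.

```python
"""Locate the form field that fails ModSecurity-style URL-encoding validation.

Added example: a re-implementation of the @validateUrlEncoding check (assumption:
modelled on the operator's behaviour, not ModSecurity's own code). The POST bodies
below are constructed; field names and values are made up.
"""
import string

HEX = set(string.hexdigits)

# Two constructed application/x-www-form-urlencoded bodies: one as a browser form submission
# encodes it, one where a raw '%' was typed into a free-text field and sent unencoded.
ENCODED_BODY = "firstname=Ana&coupon=SAVE%2510&note=50%25+off+today&phone=%2B1+555+0100"
RAW_PERCENT_BODY = "firstname=Ana&coupon=SAVE%2510&note=50% off today&phone=%2B1+555+0100"


def validate_url_encoding(data):
    """Return (ok, reason, offset). A '%' must be followed by two hex digits; the two
    failure reasons use the wording that appears in the WAF log message."""
    i, n = 0, len(data)
    while i < n:
        if data[i] != "%":
            i += 1
            continue
        if i + 2 >= n:
            return False, "Not enough characters at the end of input", i
        if data[i + 1] not in HEX or data[i + 2] not in HEX:
            return False, "Non-hexadecimal digits used", i
        i += 3
    return True, None, None


def find_invalid_fields(body):
    """Split a form body on '&' and '=' without decoding it, and return one record per
    field whose raw value fails validation: field name, reason and the offending text."""
    findings = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        ok, reason, offset = validate_url_encoding(value)
        if not ok:
            findings.append({"field": name, "reason": reason, "at": value[offset:offset + 3]})
    return findings


def whole_body_verdict(body):
    """What the rule sees: the body as one string, matching its REQUEST_BODY target."""
    ok, reason, _ = validate_url_encoding(body)
    return "pass" if ok else f"Invalid URL Encoding: {reason} at REQUEST_BODY"


if __name__ == "__main__":
    for label, body in (("encoded", ENCODED_BODY), ("raw percent", RAW_PERCENT_BODY)):
        print(label, "->", whole_body_verdict(body), find_invalid_fields(body))
```

Pointing `find_invalid_fields` at the request body from the audit log's section C (the part the support team asks for) names the field rather than just the phase; whether the fix is an exclusion for that field or an application-side encoding bug is then a decision, not a guess.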

Offline limithat

  • Newbie
  • *
  • Posts: 14
Re: False-Positive report thread
« Reply #205 on: July 11, 2017, 09:56:15 AM »
New rules in the past 24 hours are generating false positives on lots of WordPress (and similar) scripts: 218520 and 218540

Hello NightOwl,

Please update the ruleset to the latest version (1.130). The rule IDs 218520 and 218540 have been removed in the latest version.

Thank you.

Regards,
Comodo cWatch Web Support Team.

Offline limithat

  • Newbie
  • *
  • Posts: 14
Re: False-Positive report thread
« Reply #206 on: July 11, 2017, 10:04:03 AM »
Same problem with lots of scripts such as LiveZilla chat, Telegram robots, vBulletin, ...

Hello H0sseiN,

Please update the ruleset to the latest version (1.130). The rule IDs 218520 and 218540 have been removed in the latest version.

Thank you.

Regards,
Comodo cWatch Web Support Team.

Offline Titans

  • Newbie
  • *
  • Posts: 8
Re: False-Positive report thread
« Reply #207 on: September 07, 2017, 03:34:23 PM »
False-Positive RuleId : 241783
Web application + version: Piwigo
Request headers or at least debug
[Thu Sep 07 09:10:34.022549 2017] [:error] [pid 746729] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 1" against "&SESSION:pwg" required. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "2610"] [id "241783"] [rev "1"] [msg "COMODO WAF: CSRF vulnerability in Piwigo before 2.6.2 (CVE-2014-4614)||doamin.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.xn--bjrshol-r1a.com"] [uri "/ws.php"] [unique_id "WbDw5sYPQTIAC2TpsBEAAAAw"]

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 357
Re: False-Positive report thread
« Reply #208 on: September 08, 2017, 05:01:14 AM »
False-Positive RuleId : 241783
Web application + version: Piwigo
Request headers or at least debug
[Thu Sep 07 09:10:34.022549 2017] [:error] [pid 746729] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 1" against "&SESSION:pwg" required. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "2610"] [id "241783"] [rev "1"] [msg "COMODO WAF: CSRF vulnerability in Piwigo before 2.6.2 (CVE-2014-4614)||doamin.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.xn--bjrshol-r1a.com"] [uri "/ws.php"] [unique_id "WbDw5sYPQTIAC2TpsBEAAAAw"]

Please provide the full audit log for this event.

Offline Titans

  • Newbie
  • *
  • Posts: 8
Re: False-Positive report thread
« Reply #209 on: September 08, 2017, 05:29:10 AM »

1. RuleId : 241783

2. Web application + version: Piwigo before 2.6.2

3. Request headers or at least debug

Message: Access denied with code 403 (phase 2). Match of "eq 1" against "&SESSION:pwg" required. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "2610"] [id "241783"] [rev "1"] [msg "COMODO WAF: CSRF vulnerability in Piwigo before 2.6.2 (CVE-2014-4614)||domain.tld|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"]

[Thu Sep 07 20:41:53.468820 2017] [:error] [pid 391470] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 1" against "&SESSION:pwg" required. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "2610"] [id "241783"] [rev "1"] [msg "COMODO WAF: CSRF vulnerability in Piwigo before 2.6.2 (CVE-2014-4614)||domain.tld|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "domain.tld"] [uri "/ws.php"] [unique_id "WbGS8cYPQTIABfku8HcAAAAM"]

 
