Author Topic: False-Positive report thread  (Read 32854 times)

Offline PRO ISP

  • Newbie
  • *
  • Posts: 16
Re: False-Positive report thread
« Reply #225 on: November 13, 2017, 09:36:29 PM »
1. False-Positive RuleId

214530

2. Web application + version NA

3. Request headers or at least debug log/modsec_audit.log
 ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe height=\\\\x2260\\\\x22 width=\\\\x221 found within RESPONSE_BODY: <!DOCTYPE html>\\\\x0d\\\\x0a<html lang=\\\\x22en\\\\x22>\\\\x0d\\\\x0a<head>\\\\x0d\\\\x0a\\\\x0d\\\\x0a<link rel=\\\\x22shortcut icon\\\\x22 href=\\\\x22assets/images/minibilde.png\\\\x22/>\\\\x0d\\\\x0a\\\\x0d\\\\x0a<title>Ben og Chris | Official Website</title>\\\\x0d\\\\x0a<meta name=\\\\x22description\\\\x22 content=\\\\x22Ben og Chris | Musikkgruppe fra Oppland som prod [hostname "xxxx.com"] [uri "/index.php"] [unique_id "WgpH16wVE@xlQLsYbs99TwAAAJg"]
Host: xxxx.com

Message: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe\\s+(?!src=\\x22//www\\.googletagmanager\\.com)[^>]{1,}?\\b(?:height|width)\\b[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\x22']{0,1}[^\\x22'123456789]{0,}?(?:[0123](?:\\.[0-9]{0,}){0,1}%|(?:1{0,1}[0-9](?:\\.[0-9]{0,}){0,1}|20)(?![0- ..." at RESPONSE_BODY. [file "/var/cpanel/cwaf/rules/21_Outgoing_FilterInFrame.conf"] [line "14"] [id "214530"] [rev "3"] [msg "COMODO WAF: Possibly malicious iframe tag in output||xxxx.com|F|4"] [data "Matched Data: <!-- ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe height=\x2260\x22 width=\x221 found within RESPONSE_BODY: <!DOCTYPE html>\x0d\x0a<html lang=\x22en\x22>\x0d\x0a<head>\x0d\x0a\x0d\x0a<link rel=\x22shortcut icon\x22 href=\x22assets/images/minibilde.png\x22/>\x0d\x0a\x0d\x0a<title>Ben og Chris | Official Website</title>\x0d\x0a<meta name=\x22description\x22 content=\x22Ben og Chris | Musikkgruppe fra Oppland som prod

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe\\\\\\\\s+(?!src=\\\\\\\\x22//www\\\\\\\\.googletagmanager\\\\\\\\.com)[^>]{1,}?\\\\\\\\b(?:height|width)\\\\\\\\b[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\\\\\\\x22']{0,1}[^\\\\\\\\x22'123456789]{0,}?(?:[0123](?:\\\\\\\\.[0-9]{0,}){0,1}%|(?:1{0,1}[0-9](?:\\\\\\\\.[0-9]{0,}){0,1}|20)(?![0- ..." at RESPONSE_BODY. [file "/var/cpanel/cwaf/rules/21_Outgoing_FilterInFrame.conf"] [line "14"] [id "214530"] [rev "3"] [msg "COMODO WAF: Possibly malicious iframe tag in output||xxx.com|F|4"] [data "Matched Data: <!-- ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe
turned off rule

Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 189
Re: False-Positive report thread
« Reply #226 on: November 15, 2017, 06:02:17 AM »
Quote from: PRO ISP on November 13, 2017, 09:36:29 PM

If you have complications with the setup of CWAF, you can create an account on https://support.comodo.com/ and create a ticket related to WAF Support.

Offline Hedloff

  • Comodo Loves me
  • ****
  • Posts: 156
Re: False-Positive report thread
« Reply #227 on: November 15, 2017, 07:47:22 AM »
Quote from: SergeiP on November 15, 2017, 06:02:17 AM
If you have complications with the setup of CWAF, you can create an account on https://support.comodo.com/ and create a ticket related to WAF Support.

Titans just reported a FS for your rules. Why did you respond with that answer?

Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 189

Offline lord alibaski

  • Newbie
  • *
  • Posts: 1
Re: False-Positive report thread
« Reply #229 on: November 26, 2017, 02:15:53 PM »
Hi, I would like to thank all for help with this; it's the 1st time I've had trouble with this. My hosting sent me here because I have had to disable Mod Security inside WHM, the reason being it's giving me a false positive from my SMF forum, which is causing a major issue when posting a topic.

WHM
Original Id - 217280


# Chained rule: stage 1 phrase-matches any HTTP method name in argument names and
# values (the value of arguments named like /content/ is excluded); stage 2 only
# fires when, after URL and entity decoding, the method word directly follows a line break.
SecRule ARGS_NAMES|ARGS|XML:/*|!ARGS:/content/ "@pm get post head options connect put delete trace propfind propatch mkcol copy move lock unlock" \
   "id:217280,chain,msg:'COMODO WAF: HTTP Request Smuggling Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule MATCHED_VAR "@rx (?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
   "setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"


Request:   POST /index.php?action=post2;start=0;msg=50310;eb6c3d7af24=89ab22e1f6b8290ed75a236b24396dee;board=4
Action Description:   Access denied with code 403 (phase 2).
Justification:   Pattern match "(?:\\n|\\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+" at MATCHED_VAR.


Request:   GET /
Action Description:   Access denied with code 403 (phase 2).
Justification:   Match of "rx ^(?:\\w+\\/[\\w\\-\\.]+)(?:;(?:charset=[\\w\\-]{1,18}|boundary=[\\w\\-]+)?)?$" against "REQUEST_HEADERS:Content-Type" required

Hope this is what I needed to post.
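Why an ordinary forum post trips rule 217280 is easiest to see by replaying the chain. The following is an added example, not ModSecurity or CWAF code: it re-implements the two stages of the rule quoted above in Python (stage one phrase-matches any HTTP method name in argument names and values; stage two only fires when, after URL and entity decoding, the method word directly follows a line break) and runs them over constructed form submissions whose field names ("message", "subject", "content") are assumptions, not taken from any forum software. A reply that starts a new line with "Post your results" is blocked, the same verb mid-sentence is not, and the rule's own `!ARGS:/content/` exclusion only helps when the field happens to be named content.

```python
"""Replay CWAF rule chain 217280 (HTTP Request Smuggling) against constructed
form arguments to see why an ordinary forum post can trip it.

Added example, not ModSecurity or CWAF code.  It re-implements the two
chained checks in plain Python, so it is an approximation of the engine
(urllib's unquote stands in for t:urlDecodeUni, html.unescape for
t:htmlEntityDecode); argument names such as "message" are assumptions.
"""
import html
import re
from typing import Dict, Optional
from urllib.parse import unquote

METHODS = ("get", "post", "head", "options", "connect", "put", "delete", "trace",
           "propfind", "propatch", "mkcol", "copy", "move", "lock", "unlock")

# Stage 1: "@pm <methods>" is a case-insensitive substring search over
# ARGS_NAMES|ARGS, with the value of any argument whose name matches /content/ excluded.
STAGE1 = re.compile("|".join(METHODS), re.IGNORECASE)
# Stage 2: the chained "@rx" demands a line break immediately before the method
# word, evaluated after t:urlDecodeUni,t:htmlEntityDecode,t:lowercase on MATCHED_VAR.
STAGE2 = re.compile(r"(?:\n|\r)+(?:" + "|".join(METHODS) + r")\s+")


def transform(value: str) -> str:
    """Approximate the stage-2 transformation pipeline, in rule order."""
    return html.unescape(unquote(value)).lower()


def evaluate_217280(args: Dict[str, str]) -> Optional[str]:
    """Return the name of the first argument that would be blocked, or None."""
    for name, value in args.items():
        candidates = [name]                       # ARGS_NAMES is always inspected
        if not re.search("content", name):        # !ARGS:/content/ drops only the value
            candidates.append(value)
        for candidate in candidates:
            if STAGE1.search(candidate) and STAGE2.search(transform(candidate)):
                return name
    return None


# Constructed submissions; field names are assumed, not taken from any forum software.
BENIGN_REPLY = {"subject": "Survey results", "message": "Thanks!\r\nPost your results below when done."}
ENCODED_REPLY = {"message": "Thanks!%0D%0APost your results below"}
INLINE_VERB = {"message": "I will post the results tomorrow"}
CONTENT_FIELD = {"content": "Done.\nGet the file from the share"}


if __name__ == "__main__":
    for label, form in [("benign reply", BENIGN_REPLY), ("url-encoded reply", ENCODED_REPLY),
                        ("verb mid-line", INLINE_VERB), ("content field", CONTENT_FIELD)]:
        print(f"{label}: blocked on {evaluate_217280(form)}")
```

The URL-encoded case is the one the transformations are there for: the raw value has no literal line break, but after `t:urlDecodeUni` the `%0D%0A` becomes one, so stage two matches exactly as it does on the plain reply.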

Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 189
Re: False-Positive report thread
« Reply #230 on: November 29, 2017, 10:01:49 AM »
Hi lord alibaski, you don't need to post the rule, the id will be enough.
Please check if your mod_security.conf has these settings

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial

to obtain a modsec_audit.log that contains data like:

Code:
[10/Nov/2017:15:39:27 +0000] WgXIL38AAAEAAEb7NVoAAAAA 10.0.2.2 50094 10.0.2.15 5080
--815f575b-B--
POST /mahara-17.04.1/htdocs/artefact/internal/index.php HTTP/1.1
Host: 10.8.4.2:5080
User-Agent: curl/7.56.1
Accept: */*
Cookie: mahara=bd7b6f93437c30c83fe9291c95d47a5dc64dd313a8efb0a915299b14e9ce2783
Content-Length: 493
Content-Type: application/x-www-form-urlencoded

--815f575b-C--
firstname=Admin%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=User%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&studentid=&preferredname=%3Cscript%3Ealert%283%29%3B%3C%2Fscript%3E&introduction=&email_selected=ansa%40localhost&email_valid%5B%5D=ansa%40localhost&officialwebsite=&personalwebsite=&blogaddress=&address=&town=&city=&country=&homenumber=&businessnumber=&mobilenumber=&faxnumber=&occupation=&industry=&submit=Processing+...&fs=aboutme&sesskey=I1xz5Fo4bs72pfu3&pieform_profileform=
--815f575b-F--
HTTP/1.1 403 Forbidden
Content-Length: 251
Connection: close
Content-Type: text/html; charset=iso-8859-1

--815f575b-E--

--815f575b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)([<\xef\xbc\x9c]script[^>\xef\xbc\x9e]*[>\xef\xbc\x9e][\\s\\S]*?)" at ARGS:firstname. [file "/usr/local/cwaf/rules/08_XSS_XSS.conf"] [line "14"] [id "212000"] [rev "3"] [msg "COMODO WAF: XSS Filter - Category 1: Script Tag Vector||10.8.4.2:5080|F|2"] [data "Matched Data: <script> found within ARGS:firstname: Admin<script>alert(1);</script>"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1510328367568352 42562 (- - -)
Stopwatch2: 1510328367568352 42562; combined=37219, p1=12867, p2=23752, p3=0, p4=0, p5=492, sr=926, sw=108, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.4.4 (Unix)
Engine-Mode: "ENABLED"
You can hide sensitive data like
Code:
Host: 10.8.4.2:5080
Your log
Code:
Request:   GET /
Action Description:   Access denied with code 403 (phase 2).
Justification:   Match of "rx ^(?:\\w+\\/[\\w\\-\\.]+)(?:;(?:charset=[\\w\\-]{1,18}|boundary=[\\w\\-]+)?)?$" against "REQUEST_HEADERS:Content-Type" required
refers to rule id 243930, but this rule leaves the message
Code:
COMODO WAF: Remote code execution in Apache Struts versions 2.3.31 - 2.3.5 and 2.5 - 2.5.10 (CVE-2017-5638)
Are you sure that you use the CWAF ruleset?

A POST request without a request body to a protected host
Code:
/index.php?action=post2;start=0;msg=50310;eb6c3d7af24=89ab22e1f6b8290ed75a236b24396dee;board=4
doesn't cause a 403.
If you use WHM + the Comodo WAF plugin, then you are able to disable a single rule.
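The audit-log settings above produce the serial (single-file) log format the reply asks reporters for. As an added example, not CWAF's or ModSecurity's own code, here is a small Python triage script that splits such a log into transactions on the `--<txid>-<part>--` markers, pulls the rule id, message and matched variable out of part H, masks the Host and Cookie headers the way the reply recommends before a log is posted, and drafts a `SecRuleUpdateTargetById` exclusion that skips only the offending variable rather than switching the whole rule off. The embedded sample log is constructed in the layout of the one quoted above (shortened pattern, made-up values); the function and field names are this example's own.

```python
"""Triage helper for a serial ModSecurity 2.x audit log (SecAuditLogType Serial).

Added example for this thread, not CWAF's or ModSecurity's own code.  It
re-implements only what a false-positive report needs: split the log on the
"--<txid>-<part>--" markers, read rule id / message / matched variable from
part H, redact headers worth hiding before posting, and draft a targeted
exclusion.  All function and field names are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the log quoted in the thread; the rule
# pattern is shortened and the values are made up for the example.
SAMPLE_LOG = """--815f575b-A--
[10/Nov/2017:15:39:27 +0000] WgXIL38AAAEAAEb7NVoAAAAA 10.0.2.2 50094 10.0.2.15 5080
--815f575b-B--
POST /artefact/internal/index.php HTTP/1.1
Host: 10.8.4.2:5080
Cookie: mahara=bd7b6f93437c30c83fe9291c95d47a5dc64dd313a8efb0a915299b14e9ce2783
Content-Type: application/x-www-form-urlencoded

--815f575b-C--
firstname=Admin%3Cscript%3E&lastname=User
--815f575b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)(<script)" at ARGS:firstname. [file "/usr/local/cwaf/rules/08_XSS_XSS.conf"] [line "14"] [id "212000"] [rev "3"] [msg "COMODO WAF: XSS Filter - Category 1: Script Tag Vector||10.8.4.2:5080|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"]
Action: Intercepted (phase 2)
--815f575b-Z--
"""

PART_BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
# Two shapes of "Message:" line seen in the thread: a regex hit on a variable,
# and a failed "Match of ... required" (negated) check.
PATTERN_MATCH = re.compile(r'Pattern match ".*?" at (?P<target>\S+)\. \[')
MATCH_OF = re.compile(r'Match of ".*?" against "(?P<target>[^"]+)" required')
TAG = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
SENSITIVE_HEADER = re.compile(r"^(Host|Cookie|Authorization): .*$", re.MULTILINE | re.IGNORECASE)
HOSTNAME_TAG = re.compile(r'\[hostname "[^"]*"\]')


@dataclass
class Finding:
    rule_id: str
    msg: str
    target: Optional[str]   # e.g. ARGS:firstname; None if the line named no variable
    request_line: str


def split_transactions(log: str) -> List[Dict[str, str]]:
    """Group a serial audit log into one {part letter: text} dict per transaction."""
    txns: Dict[str, Dict[str, str]] = {}
    marks = list(PART_BOUNDARY.finditer(log))
    for i, m in enumerate(marks):
        txid, part = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log)
        txns.setdefault(txid, {})[part] = log[m.end():end].strip("\n")
    return list(txns.values())


def summarize(txn: Dict[str, str]) -> Optional[Finding]:
    """Pull rule id, message and matched variable out of the H part."""
    msg_line = next((l for l in txn.get("H", "").splitlines() if l.startswith("Message:")), None)
    if msg_line is None:
        return None
    tags = {m.group("key"): m.group("val") for m in TAG.finditer(msg_line)}
    target = None
    for rx in (PATTERN_MATCH, MATCH_OF):
        hit = rx.search(msg_line)
        if hit:
            target = hit.group("target")
            break
    b_part = txn.get("B", "")
    request_line = b_part.splitlines()[0] if b_part else ""
    # CWAF packs "msg||host|mode|severity" into the msg tag; keep the text only.
    return Finding(tags.get("id", "?"), tags.get("msg", "").split("||")[0], target, request_line)


def propose_exclusion(f: Finding) -> str:
    """Narrow the rule to skip only the offending variable; fall back to removal."""
    if f.target and ":" in f.target:
        return f'SecRuleUpdateTargetById {f.rule_id} "!{f.target}"'
    return f"SecRuleRemoveById {f.rule_id}"


def redact(log: str) -> str:
    """Mask headers and the hostname tag before sharing a log publicly."""
    out = SENSITIVE_HEADER.sub(lambda m: f"{m.group(1)}: [hidden]", log)
    return HOSTNAME_TAG.sub('[hostname "[hidden]"]', out)


if __name__ == "__main__":
    for txn in split_transactions(SAMPLE_LOG):
        finding = summarize(txn)
        if finding:
            print(finding.request_line, "->", finding.rule_id, finding.msg, finding.target)
            print("  candidate exclusion:", propose_exclusion(finding))
    print(redact(SAMPLE_LOG))
```

The exclusion it drafts is a starting point for review, not something to paste blindly: `SecRuleUpdateTargetById` keeps the rule active for every other variable, which is why it is preferable to `SecRuleRemoveById` or to disabling the rule in the plugin, but the reporter still needs to confirm the matched variable really is the only place the false positive occurs.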

Offline Amar218

  • Newbie
  • *
  • Posts: 8
Re: False-Positive report thread
« Reply #231 on: May 28, 2018, 04:35:31 PM »
1) Rule ID:  211820  (Triggers from administrative interface in phpbb, v. 3.2.2)

2) CWAF Plugin Version 2.22, Rules Version 1.666

3) 
Code:
Request: GET /adm/images/alert_close.png
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /adm/index.php?sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&i=31
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /adm/index.php?sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&i=acp_groups&icat=12&mode=manage
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /adm/index.php?sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&i=acp_prune&mode=users
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: POST /adm/index.php?i=acp_users&sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&icat=13&mode=overview
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /memberlist.php?mode=viewprofile&u=567
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.


Offline LBJ

  • Newbie
  • *
  • Posts: 12
Re: False-Positive report thread
« Reply #232 on: June 04, 2018, 09:51:04 PM »
1. Rule ID: 21850 - Way too general in its regex

2. CWAF 1.166 / 2.22 in multiple applications

3.
Code:
[Tue Jun 05 10:48:23.222182 2018] [:error] [pid 1773425:tid 139707396007680] [client 118.209.129.254:50144] [client 118.209.129.254] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\\\.\\\\.sysdatabases|ysql\\\\.db)\\\\b|s(?:ys(?:\\\\.database_name|aux)\\\\b|chema(?:\\\\W*\\\\(|_name\\\\b)|qlite(_temp)?_master\\\\b) ..." at ARGS:acf[field_575cce092e3f1]. [file "/var/cpanel/cwaf/rules/24_SQL_SQLi.conf"] [line "74"] [id "218530"] [rev "3"] [msg "COMODO WAF: SQL Injection Attack: Common DB Names Detected||xxxx.org.au|F|2"] [data "Matched Data: database ( found within ARGS:acf[field_575cce092e3f1]: To re-survey sites from the original BirdLife Australia Birds on Farms project (1995 \\xe2\\x80\\x93 1997), we will contact land owners using our database and networks. We will determine whether land owners are interested in surveying birds on their properties or if they are happy for someone else to carry out surveys. We will also put out a call through our networks (as well as through project partners and community groups s [hostname "xxxx.org.au"] [uri "/wp-admin/post.php"] [unique_id "WxXd1FJDG1kA5zgXCaotOgAAAAU"], referer: https://xxxx.org.au/wp-admin/post.php?post=7689&action=edit

Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 189
Re: False-Positive report thread
« Reply #233 on: June 12, 2018, 12:23:17 PM »
Quote from: LBJ on June 04, 2018, 09:51:04 PM

Quote from: Amar218 on May 28, 2018, 04:35:31 PM

Hi. Please provide full logs for these FPs. Set up your ModSecurity modules as shown below:
Quote from: SergeiP on November 29, 2017, 10:01:49 AM

Offline k2host

  • Newbie
  • *
  • Posts: 1
Re: False-Positive report thread
« Reply #234 on: October 05, 2018, 03:22:55 PM »
1. Rule ID: 218500

2. Versions:
Current rules version   1.182 (Latest version)
CWAF plugin version   2.23 (Latest version)

3.
Code:
--fe303a54-A--
[05/Oct/2018:16:05:11 --0300] W7e15wV9wjRjBTIdq0sp5QAAAEU 191.34.249.62 46611 98.142.105.99 443
--fe303a54-B--
POST /lp/admin/_ajax/SiteInfo.ajax.php HTTP/1.1
Host: www.lamusickids.com.br
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Language: pt-br
Accept-Encoding: br, gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq7BFVbGTpLMBiCB5
Origin: https://www.lamusickids.com.br
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15
Connection: keep-alive
Referer: https://www.lamusickids.com.br/lp/admin/dashboard.php?wc=site-info/home&id=2
Content-Length: 8647
Cookie: userView=escola-de-musica-l-a; workcontrol=lp%40lamusickids.com.br; PHPSESSID=aoe62e9pk6gijsmmn5ju4c7pd7

--fe303a54-C--
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="callback"

SiteInfo
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="callback_action"

manage
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_info_id"

2
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_title_principal"

Escola de Música para Crianças
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_subtitle_principal"

Musicalização Infantil e aulas de instrumentos: violão, contra-baixo, canto, teclado, bateria e guitarra.
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_video_principal"

pJxdm2Q8dX0
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_titulo_form"

Preencha o formulário e marque sua aula grátis
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_tradicao"

Fundado em 70 o LA Kids é referência nacional no ensino da música.
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_conforto"

Área de convivência e salas de aula amplas, iluminadas e bem arejadas.
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_experiencia"

Professores experientes, capacitados e aptos a trabalhar com crianças de todas as idades.
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_reconhecimento"

LA Kids é reconhecido nacionalmente como um instituto de excelência no ensino da música.
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_titulo_depoimentos"

Assista ao vídeo e descubra porque a LA Kids é a escola perfeita para seu filho aprender música.
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_video_depoimentos"

pJxdm2Q8dX0
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_babyclass1"

<p>Aulas em grupo com acompanhamento de um responsável. Através da vivência sonora, recursos usados em sala de aula, instrumentos musicais e projetivos, <br /> os bebês poderão experimentar diversos sons e perceberão o mundo à sua volta.<br /><br />Cancões de roda, Ciranda, Música Clásica, Canções de Socialização, Canções que trabalham mãos e pés, Manuseio de instrumentos, Percepção de Sons, <br /> Estímulos a fala irão desenvolver no bebê, a pulsação, o ritmo, a percepção auditiva, lateralidade e expressão corporal.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_babyclass2"

<p>Aulas em grupo com acompanhamento de um responsável, tendo:<br /><br />- Canções de entrada,<br />- Canções de roda,<br />- Canções de Socialização,<br />- Parlendas e danças.<br /><br />O bebê irá desenvolver:<br />- A pulsação,<br />- O Ritmo,<br />- A Percepção,<br />- Estímulo ao Canto e a Fala,<br />- Sociabilidade,<br />- Expressão corporal e Psicomotricidade.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_kids1"

<p>AULAS EM GRUPO SEM ACOMPANHANTE, PARA MAIOR INTERAÇÃO COM OUTRAS CRIANÇAS. ATRAVÉS DAS VIVÊNCIAS MUSICAIS NO MUNDO SONORO A CRIANÇA IRÁ PERCEBER DE FORMA LÚDICA E MUSICAL OS: <br /><br /> - SONS DA NATUREZA,<br /> - SONS DOS ANIMAIS,<br /> - SONS DO CORPO,<br /> - SONS DA CASA,<br /> - SONS DA RUA,<br /> - SONS DOS INSTRUMENTOS MUSICAIS,<br /> - SOM X SILÊNCIO,<br /> - DURAÇÃO DOS SONS,<br /> - SONS FRACOS E FORTES (INTENSIDADE),<br /> - SONS GRAVES E AGUDOS (ALTURA),<br /> - NOTAS MUSICAIS,<br /> - SONS DA BANDINHA RÍTMICA E TIMBRE</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_kids2"

<p>AULAS EM GRUPO SEM ACOMPANHANTE PARA O DESENVOLVIMENTO DA SOCIALIZAÇÃO COM OUTRAS CRIANÇAS. <br /><br /> INICIAÇÃO À NOTAÇÃO MUSICAL E CONHECIMENTO DE DIVERSOS INSTRUMENTOS MUSICAIS E SUAS FAMÍLIAS. NO KIDS 2 A CRIANÇA IRÁ APRENDER E DESENVOLVER A PERCEPÇÃO DAS NOTAS MUSICAIS DA ESCALA MAIOR, O RITMO COM AS FIGURAS E VALORES, PENTAGRAMA E INICIAÇÃO A NOTAÇÃO MUSICAL, ESTÍMULO A COMPOSIÇÃO E IMPROVISAÇÃO TORNANDO A CRIANÇA MAIS CRIATIVA. NESTE MOMENTO A CRIANÇA ESTARÁ SENDO PREPARADA PARA INICIAR AO INSTRUMENTO DE SUA ESCOLHA.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_kids3"

<p>AULAS EM GRUPO, INICIAÇÃO AO INSTRUMENTO COM ATIVIDADES DE MUSICALIZAÇÃO. <br /><br /> DE FORMA LÚDICA, COM DIVERSAS ATIVIDADES E BRINCADEIRAS MUSICAIS A CRIANÇA DARÁ INICIO AO APRENDIZADO DO INSTRUMENTO MUSICAL DE SUA ESCOLHA OU AO CANTO.<br /> COM UM REPERTÓRIO PRÓPRIO E ESTIMULANTE PARA A FAIXA ETÁRIA A CRIANÇA IRÁ DESENVOLVER O PRAZER DE TOCAR, CANTAR E PERCEBER OS SONS MUSICAIS DO SEU INSTRUMENTO E DA SUA VOZ.<br /> - LEITURA DE PAUTA,<br /> - PERCEPÇÃO RÍTMICA,<br /> - IMPROVISAÇÃO,<br /> - COMPOSIÇÃO,<br /> - PRÁTICA DE BANDAS E MUITO MAIS O ALUNO IRÁ APRENDER NO KIDS 3.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_kids4"

<p>AULAS EM GRUPO, INICIAÇÃO AO INSTRUMENTO. <br /> COM O DESENVOLVIMENTO DO REPERTÓRIO POPULAR E CLÁSSICO NO INSTRUMENTO OU CANTO, A CRIANÇA TERÁ UM CONTATO AINDA MAIOR COM OS ELEMENTOS DA ESCRITA E PERCEPÇÃO MUSICAL, DESENVOLVENDO AINDA MAIS A LEITURA E O OUVIDO. NO KIDS IV O ALUNO ESTARÁ SE PREPARANDO PARA INGRESSAR NA ESCOLA DOS ADULTOS, ESCOLA DE MÚSICA L.A.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_oouvidomusical"

<p>Para aprender a tocar é necessário ouvir.<br />Nas aulas da LA MUSIC KIDS, a criança ouve e desperta a sensibilidade apurada.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_ocanto"

<p>As aulas têm um repertório recheado de canções que estimulam a criança a soltar a voz.<br />À medida que vão aprendendo as lições no instrumento, aprendem a cantar e tocar ao mesmo tempo o nome das notas ou a letra da canção.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_beneficios"

<p>As aulas em grupo desenvolvem a socialização através das práticas musicais em conjunto proporcionando uma maior interação entre os alunos. <br />Estimula a cooperação, o respeito mútuo, a concentração e a criatividade. Há também um incentivo para o crescimento e aprendizado musical. Melhora a comunicação das crianças que são tímidas ampliando seu mundo de relações criando um ambiente de segurança emocional e confiança. Sem falar de como é divertido fazer música em conjunto.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_expressao"

<p>O corpo, a voz, o som e o ritmo são instrumentos pelos quais expressamos nossas emoções.<br />Com as crianças não é diferente. Por isso que a LA MUSIC KIDS direciona o aprendizado musical à expressão corporal.<br />Elas podem experimentar e sentir no seu corpo todos os conceitos aprendidos em aula.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_coordenacao"

<p>Os jogos e brincadeiras são formas essenciais para o desenvolvimento de atividades de qualidade com as crianças, tornando as aulas prazerosas e divertidas. Utilizamos o lúdico como propulsor do desenvolvimento motor.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="site_sobrela"

<p>A LA MUSIC KIDS é a primeira escola de música do RJ especializada em aulas para Bebês a partir dos 6 meses de idade até crianças de 11 anos.<br />Uma escola inovadora onde proporciona um ensino musical diferenciado, com aulas criativas e divertidas para a criançada.<br />Através de atividades lúdicas, elementos musicais e movimentos sonoros elas serão capazes de despertar a percepção auditiva, visual, tátil, motora, pictória e musical. O som, o ritmo e a música são elementos essenciais para a formação global da criança. A experiência musical favorece o desenvolvimento da sensibilidade, criatividade, imaginação, memória, concentração, atenção, socialização, respeito, prazer de ouvir música, facilitando o processo de aprendizado da fala e despertando suas habilidades.</p>
------WebKitFormBoundaryq7BFVbGTpLMBiCB5
Content-Disposition: form-data; name="callback_action"

manage
------WebKitFormBoundaryq7BFVbGTpLMBiCB5--

--fe303a54-F--
HTTP/1.1 403 Forbidden
Content-Length: 241
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--fe303a54-E--

--fe303a54-H--
Message: Access denied with code 403 (phase 2). Pattern match "[\\[\\]\\x22',()\\.]{10}$|(?:union\\s+all\\s+select\\s+(?:(?:null|\\d+),?)+|order\\s+by\\s+\\d{1,4}|(?:and|or)\\s+\\d{4}=\\d{4}|waitfor\\s+delay\\s+'\\d+:\\d+:\\d+'|(?:select|and|or)\\s+(?:(?:pg_)?sleep\\(\\d+\\)|\\d+\\s*=\\s*(?:dbms_pipe\\.receive_mes ..." at ARGS:site_coordenacao. [file "/var/cpanel/cwaf/rules/24_SQL_SQLi.conf"] [line "67"] [id "218500"] [rev "8"] [msg "COMODO WAF: SQLmap attack detected||www.lamusickids.com.br|F|2"] [data "Matched Data: or.</p> found within ARGS:site_coordenacao: <p>os jogos e brincadeiras s\xc3\xa3o formas essenciais para o desenvolvimento de atividades de qualidade com as crian\xc3\xa7as, tornando as aulas prazerosas e divertidas. utilizamos o l\xc3\xbadico como propulsor do desenvolvimento motor.</p>"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 191.34.249.62] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\\\\\[\\\\\\\\]\\\\\\\\x22',()\\\\\\\\.]{10}$|(?:union\\\\\\\\s+all\\\\\\\\s+select\\\\\\\\s+(?:(?:null|\\\\\\\\d+),?)+|order\\\\\\\\s+by\\\\\\\\s+\\\\\\\\d{1,4}|(?:and|or)\\\\\\\\s+\\\\\\\\d{4}=\\\\\\\\d{4}|waitfor\\\\\\\\s+delay\\\\\\\\s+'\\\\\\\\d+:\\\\\\\\d+:\\\\\\\\d+'|(?:select|and|or)\\\\\\\\s+(?:(?:pg_)?sleep\\\\\\\\(\\\\\\\\d+\\\\\\\\)|\\\\\\\\d+\\\\\\\\s*=\\\\\\\\s*(?:dbms_pipe\\\\\\\\.receive_mes ..." at ARGS:site_coordenacao. [file "/var/cpanel/cwaf/rules/24_SQL_SQLi.conf"] [line "67"] [id "218500"] [rev "8"] [msg "COMODO WAF: SQLmap attack detected||www.lamusickids.com.br|F|2"] [data "Matched Data: or.</p> found within ARGS:site_coordenacao: <p>os jogos e brincadeiras s\\\\xc3\\\\xa3o formas essenciais para o desenvolvimento de atividades de qualidade com as crian\\\\xc3\\\\xa7as, tornando as aulas prazerosas e divertidas. utilizamos o l\\\\xc3\\\\xbadico como propulsor do desenvolvimento motor.</p>"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "www.lamusickids.com.br"] [uri "/lp/admin/_ajax/SiteInfo.ajax.php"] [unique_id "W7e15wV9wjRjBTIdq0sp5QAAAEU"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-lsphp
Stopwatch: 1538766311055950 125494 (- - -)
Stopwatch2: 1538766311055950 125494; combined=2228, p1=317, p2=1672, p3=0, p4=0, p5=187, sr=91, sw=52, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
WebApp-Info: "default" "aoe62e9pk6gijsmmn5ju4c7pd7" "-"
Engine-Mode: "ENABLED"

--fe303a54-Z--

Offline derifgig

  • Newbie
  • *
  • Posts: 1
Re: False-Positive report thread
« Reply #235 on: October 06, 2018, 06:16:53 PM »
Hello.
After updating the rules to version 1.182:

Rule ID: 211310

Code:

Message: Access denied with code 403 (phase 2). Pattern match "<[a-z0-9]{6}>" at ARGS:<?xml version. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/02_Global_Generic.conf"] [line "303"] [id "211310"] [rev "1"] [msg "COMODO WAF: XSS vulnerability||sbrealestate.com.au|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 125.27.112.180] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<[a-z0-9]{6}>" at ARGS:<?xml version. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/02_Global_Generic.conf"] [line "303"] [id "211310"] [rev "1"] [msg "COMODO WAF: XSS vulnerability||sbrealestate.com.au|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "sbrealestate.com.au"] [uri "/index.php"] [unique_id "W7bpysW1dmvcQk8@blFopQAAAEE"]
Action: Intercepted (phase 2)
Stopwatch: 1538714058655842 21302 (- - -)
Stopwatch2: 1538714058655842 21302; combined=26523, p1=988, p2=586, p3=0, p4=0, p5=12567, sr=276, sw=12382, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.4.34 (cPanel) OpenSSL/1.0.2p
WebApp-Info: "default" "2fl6j90v0per2bi6v0gem45o23" "-"
Engine-Mode: "ENABLED"

--72fb4173-Z--

--d47d7210-A--
[05/Oct/2018:12:34:18 +0800] W7bpytwpOlzzwHiT1UOvdQAAAIQ 125.27.112.180 51602 27.54.86.177 8081
--d47d7210-B--
POST /index.php HTTP/1.0
Host: sbrealestate.com.au
X-Real-IP: 125.27.112.180
Connection: close
Content-Length: 304
Cookie: PHPSESSID=2fl6j90v0per2bi6v0gem45o23
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 YaBrowser/18.3.1.1232 Yowser/2.5 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
X-AjaxPro-Method: ServerSideSavePost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://sbrealestate.com.au/
Origin: http://sbrealestate.com.au
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded

--d47d7210-C--
<?xml version="1.0" encoding="utf-8" ?>
<methodCall>
<params>
<_filter><![CDATA[widget_login]]></_filter>
<user_id><![CDATA[---skipped----]]></user_id>
<password><![CDATA[---skipped---]]></password>
<module><![CDATA[member]]></module>
<act><![CDATA[procMemberLogin]]></act>
</params>
</methodCall>
--d47d7210-F--
HTTP/1.1 403 Forbidden
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

--d47d7210-E--

--d47d7210-H--
Message: Access denied with code 403 (phase 2). Pattern match "<[a-z0-9]{6}>" at ARGS:<?xml version. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/02_Global_Generic.conf"] [line "303"] [id "211310"] [rev "1"] [msg "COMODO WAF: XSS vulnerability||sbrealestate.com.au|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 125.27.112.180] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<[a-z0-9]{6}>" at ARGS:<?xml version. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/02_Global_Generic.conf"] [line "303"] [id "211310"] [rev "1"] [msg "COMODO WAF: XSS vulnerability||sbrealestate.com.au|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "sbrealestate.com.au"] [uri "/index.php"] [unique_id "W7bpytwpOlzzwHiT1UOvdQAAAIQ"]
Action: Intercepted (phase 2)
Stopwatch: 1538714058824563 20545 (- - -)
Stopwatch2: 1538714058824563 20545; combined=6058, p1=3218, p2=2335, p3=0, p4=0, p5=364, sr=2906, sw=141, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.4.34 (cPanel) OpenSSL/1.0.2p
WebApp-Info: "default" "2fl6j90v0per2bi6v0gem45o23" "-"
Engine-Mode: "ENABLED"

--d47d7210-Z--


Offline Hedloff

  • Comodo Loves me
  • ****
  • Posts: 156
Re: False-Positive report thread
« Reply #236 on: October 22, 2018, 05:05:10 AM »
225170: WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487)

Request:   GET /folder/wp-json/wp/v2/users/?who=authors&per_page=-1
Action Description:   Access denied with code 403 (phase 2).
Justification:   Test '&REQUEST_COOKIES_NAMES:/^wordpress_([0-9a-fA-f]{32})$/' against '!@ge 1' is true.

This rule fires on all WP installations with the Gutenberg editor, which will become the default soon.

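The two reports above (rule 211310 on an XML body, rule 225170 on the WordPress REST users endpoint) can be re-evaluated offline. The script below is an added example, not code from the thread or from Comodo. It reproduces how a form-urlencoded body parser turns the posted XML document into a single argument named `<?xml version` (which is what the audit log shows as `ARGS:<?xml version`) and then applies the quoted pattern `<[a-z0-9]{6}>` to it; and it mirrors the quoted cookie-name count test from rule 225170. The request body and cookie headers are constructed samples based on the posts; the URI test in `rule_225170_blocks` is an assumption, since the thread only quotes the cookie test. Note that WordPress names its auth cookie `wordpress_sec_<hash>` on HTTPS, which the quoted regex does not count; whether that is the cause of the Gutenberg report is not established here.

```python
"""Re-evaluate CWAF rules 211310 and 225170 from the false-positive thread.

Added example; not the thread's or Comodo's own code.
"""
import re
from urllib.parse import unquote_plus

# Rule fragments exactly as quoted in the audit log and justification text.
RULE_211310 = re.compile(r"<[a-z0-9]{6}>")
WP_AUTH_COOKIE = re.compile(r"^wordpress_([0-9a-fA-f]{32})$")

# Constructed sample: section C of the posted audit record, with the
# credentials left as the poster's "---skipped---" placeholders.
XML_BODY = (
    '<?xml version="1.0" encoding="utf-8" ?>\n'
    "<methodCall>\n<params>\n"
    "<_filter><![CDATA[widget_login]]></_filter>\n"
    "<user_id><![CDATA[---skipped----]]></user_id>\n"
    "<password><![CDATA[---skipped---]]></password>\n"
    "<module><![CDATA[member]]></module>\n"
    "<act><![CDATA[procMemberLogin]]></act>\n"
    "</params>\n</methodCall>"
)


def parse_urlencoded_like_modsec(body: str) -> dict:
    """Split a body the way a form-urlencoded parser does: pairs on '&',
    name/value on the first '='. A body that is not form data (here an
    XML document) collapses into one oddly named argument."""
    args = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        args[unquote_plus(name)] = unquote_plus(value)
    return args


def evaluate_211310(body: str) -> dict:
    """Return {argument name: [matched tags]} for every ARGS value the
    pattern hits. Only tags made of exactly six [a-z0-9] characters match,
    so <params> and <module> fire while </params> or <methodCall> do not."""
    hits = {}
    for name, value in parse_urlencoded_like_modsec(body).items():
        found = RULE_211310.findall(value)
        if found:
            hits[name] = found
    return hits


def count_wp_auth_cookies(cookie_header: str) -> int:
    """Mirror '&REQUEST_COOKIES_NAMES:/^wordpress_([0-9a-fA-f]{32})$/':
    count the cookie *names* that match the pattern."""
    count = 0
    for item in cookie_header.split(";"):
        name = item.strip().partition("=")[0]
        if WP_AUTH_COOKIE.match(name):
            count += 1
    return count


def rule_225170_blocks(uri: str, cookie_header: str) -> bool:
    """The quoted test is '!@ge 1' on that count, i.e. block when fewer than
    one matching cookie is present. Restricting it to the REST users
    endpoint is our assumption; the thread shows only the cookie test."""
    on_users_endpoint = "/wp-json/wp/v2/users" in uri
    return on_users_endpoint and count_wp_auth_cookies(cookie_header) < 1


if __name__ == "__main__":
    print("211310 hits:", evaluate_211310(XML_BODY))
    users_uri = "/folder/wp-json/wp/v2/users/?who=authors&per_page=-1"
    for label, cookies in (
        ("no cookies", ""),
        ("wordpress_<hash>", "wordpress_" + "0" * 32 + "=t; PHPSESSID=s"),
        # Constructed: the cookie name WordPress uses on HTTPS.
        ("wordpress_sec_<hash>", "wordpress_sec_" + "0" * 32 + "=t"),
    ):
        print(f"225170 blocks ({label}):", rule_225170_blocks(users_uri, cookies))
```

Run it as a script to see both evaluations; the 211310 result names the single argument the XML body became and the two six-character tags that matched, which is what a rule exclusion for that endpoint would have to account for.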
Offline Ansari_WAF

  • Newbie
  • *
  • Posts: 2
Re: False-Positive report thread
« Reply #237 on: October 22, 2018, 06:16:09 AM »
Hi Hedloff,
  "225170: WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487)"

   Can you please send the full mod_security audit logs?
« Last Edit: October 22, 2018, 06:19:14 AM by Ansari_WAF »

Offline andypatnz

  • Newbie
  • *
  • Posts: 3
Re: False-Positive report thread
« Reply #238 on: October 22, 2018, 07:40:47 PM »
Rule 217280

WordPress 4.9.8
Plugin: Contact Form 7

Unable to save the form in the back-end if the text on the form includes keywords such as "head".

Log is attached

Further information not provided by hosting service.

Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 189
Re: False-Positive report thread
« Reply #239 on: October 25, 2018, 05:55:20 AM »
Hi andypatnz, please provide logs from rules v1.185.
