Author Topic: False-Positive report thread  (Read 23640 times)

Offline garconcn

  • Newbie
  • *
  • Posts: 13
Re: False-Positive report thread
« Reply #30 on: March 24, 2015, 11:51:57 AM »
False positive when creating a new page in WordPress Admin Dashboard.

[Mon Mar 23 10:51:52.757070 2015] [:error] [pid 847048] [client IP] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)\\\\b(?i:and)\\\\b\\\\s+(\\\\d{1,10}|'[^=]{1,10}')\\\\s*?[=]|\\\\b(?i:and)\\\\b\\\\s+(\\\\d{1,10}|'[^=]{1,10}')\\\\s*?[<>]|\\\\band\\\\b ?(?:\\\\d{1,10}|[\\\\'\\"][^=]{1,10}[\\\\'\\"]) ?[=<>]+|\\\\b(?i:and)\\\\b\\\\s+(\\\\d{1,10}|'[^=]{1,10}')" at ARGS:input_30. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "323"] [id "211580"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: and 2 found within ARGS:input_30: SCREENS: 12, 50\\x0d\\x0aHANES 5170 STONE WASH GREEN: 18-S, 48-M, 24-L, 18-XL, 12-XXL\\x0d\\x0aHANES 5186 STONE WASH GREEN: 6-S, 48-M, 12-L, 36-XL, 12-XXL\\x0d\\x0aHANES P160 DEEP FOREST GREEN: 6-S, 18-XL, 6-XXL\\x0d\\x0aTHE ABOVE ITEMS ARE GETTING FULL FRONT AND FULL BACK WHITE AND DALLAS GREEN\\x0d\\x0a\\x0d\\x0aPOWERTEK 70125 OXFORD GREY: 9-M, 20-XL, 5-XXL\\x0d\\x0aOXFORD GREY HOODIES ARE GETTING ONE COLOR LEFT CHEST AND FULL BACK  FOREST GREEN INK\\x0d\\x0a\\x0d\\x0aGOOD..."] [severity "CRITICAL"] [hostname "domain.com"] [uri "/create-new-job/"] [unique_id "VRBSuGw8FSkADOzIHQ4AAABL"]

Offline garconcn

  • Newbie
  • *
  • Posts: 13
Re: False-Positive report thread
« Reply #31 on: March 24, 2015, 12:44:52 PM »
False positive when creating a new post in WordPress Admin Dashboard.

===False positive===
[Sun Mar 22 19:17:22 2015] [error] [client1 IP] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(media|post|post_new)\\\\.php" at Request_URI. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "1783"] [id "220830"] [msg "COMODO WAF: Blocking XSS attack"] [hostname "domain2.com"] [uri "/wp-admin/post.php"] [unique_id "VQ93sWw8AwEAAFzHWdMAAAAA"]

[Sun Mar 22 12:26:30 2015] [error] [client2 IP] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(media|post|post_new)\\\\.php" at Request_URI. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "1783"] [id "220830"] [msg "COMODO WAF: Blocking XSS attack"] [hostname "domain2.com"] [uri "/eddie/wp-admin/post.php"] [unique_id "VQ8XZkWhmQEAADU4LsUAAAAG"]

===True attack===
[Tue Mar 24 10:24:44.311438 2015] [:error] [pid 73528] [client 46.161.41.199] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(media|post|post_new)\\\\.php" at Request_URI. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "1783"] [id "220830"] [msg "COMODO WAF: Blocking XSS attack"] [hostname "domain3.com"] [uri "/wp-comments-post.php"] [unique_id "VRGd3Gw8FQsAAR84U4oAAAAM"]

Offline Hedloff

  • Comodo Loves me
  • ****
  • Posts: 149
Re: False-Positive report thread
« Reply #32 on: April 10, 2015, 01:40:27 AM »
False positive when inserting content into a MySQL database through CMS Builder.
CMS Builder told the customer: it doesn't allow forms to be submitted that look like they contain PHP tags or MySQL select statements.
The problem is on these URLs:
http://www.example.com/cmsAdmin/admin.php

Rule ID:
211220: COMODO WAF: PHP Injection Attack

From logs:
Request:   POST /cmsAdmin/admin?
Action Description:   Access denied with code 403 (phase 2).
Justification:   Pattern match "<\\?(?!xml)" at ARGS:optionsQuery.

modsec_audit.log:
--3abd0030-A--
[09/Apr/2015:22:03:32 +0200] VSbbFNWi9k0ACbl[at]CskAAAAm 109.247.xx.xx 59899 2x.1xx.xx.xx 80
--3abd0030-B--
POST /cmsAdmin/admin? HTTP/1.1
Host: www.example.com
Connection: keep-alive
Content-Length: 1960
Accept: */*
Origin: http://www.example.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,no;q=0.6
Cookie: 4d10f34a1987a__PHPSESSID=adfd58cc4674375f6527ab20de6bbeb3

-
--3abd0030-C--
menu=database&_defaultAction=editTable&tableName=aotp&fieldname=date&order=7&editField=1&save=1&saveAndCopy=0&save=Save&label=Publisert&newFieldname=date&type=date&defaultValue=&defaultContent=&checkedByDefault=0&fieldPrefix=&description=&checkedValue=Yes&uncheckedValue=No&fieldHei
ght=&fieldWidth=&allowUploads=0&allowUploads=1&defaultDate=&defaultDateString=2010-01-01+00%3A00%3A00&showTime=0&showSeconds=0&use24HourFormat=0&yearRangeStart=1995&yearRangeEnd=2018&listType=pulldown&optionsType=text&optionsText=option+one%0Aoption+two%0Aoption+three&optionsTablen
ame=&optionsValueField=&optionsLabelField=&optionsQuery=SELECT+fieldname1%2C+fieldname2%0A++FROM+%60%3C%3Fphp+echo+%24TABLE_PREFIX+%3F%3EtableName%60&filterField=&separatorType=blank+line&separatorHeader=&separatorHTML=%3Ctr%3E%0A+%3Ctd+colspan%3D'2'%3E%0A+%3C%2Ftd%3E%0A%3C%2Ftr%3E
&relatedTable=&relatedLimit=25&relatedWhere=foreignFieldNum%3D'%3C%3Fphp+echo+mysql_escape(%40%24RECORD%5B'num'%5D)+%3F%3E'&relatedMoreLink=foreignFieldNum_match%3D%3C%3Fphp+echo+htmlspecialchars(%40%24RECORD%5B'num'%5D)+%3F%3E&isRequired=0&isUnique=0&minLength=&maxLength=&charsetR
ule=&charset=&allowedExtensions=gif%2Cjpg%2Cpng%2Cwmv%2Cmov%2Cswf%2Cpdf&checkMaxUploads=0&checkMaxUploads=1&maxUploads=25&checkMaxUploadSize=0&checkMaxUploadSize=1&maxUploadSizeKB=5120&resizeOversizedImages=0&resizeOversizedImages=1&maxImageWidth=600&maxImageHeight=800&createThumbn
ails=0&createThumbnails=1&maxThumbnailWidth=150&maxThumbnailHeight=150&createThumbnails2=0&maxThumbnailWidth2=150&maxThumbnailHeight2=150&createThumbnails3=0&maxThumbnailWidth3=150&maxThumbnailHeight3=150&createThumbnails4=0&maxThumbnailWidth4=150&maxThumbnailHeight4=150&isSystemFi
eld=0&adminOnly=0&isPasswordField=0&autoFormat=1&myAccountField=0&infoField1=Title&infoField2=Caption&infoField3=&infoField4=&infoField5=&useCustomUploadDir=0&customUploadDir=%2Fhome%2Fexamplecomeay%2Fpublic_html%2Fuploads%2F&customUploadUrl=%2Fuploads%2F&customColumnType=
--3abd0030-F--
HTTP/1.1 403 Forbidden
Content-Length: 335
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-

--3abd0030-E--

--3abd0030-H--
Message: Access denied with code 403 (phase 2). Pattern match "<\\?(?!xml)" at ARGS:optionsQuery. [file "/var/cpanel/cwaf/rules/01_Global_Generic.conf"] [line "59"] [id "211220"] [msg "COMODO WAF: PHP Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1428609820477305 5423 (- - -)
Stopwatch2: 1428609820477305 5423; combined=2507, p1=295, p2=2192, p3=0, p4=0, p5=20, sr=53, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"
« Last Edit: April 10, 2015, 02:19:31 AM by Hedloff »

Offline LBJ

  • Newbie
  • *
  • Posts: 11
Re: False-Positive report thread
« Reply #33 on: April 15, 2015, 12:06:54 AM »
Rules version 1.28 and earlier.

Rule 211580 SQL Injection

This rule is way too general and creates many false positives. Any submission with "and 2" or "and 3" etc. will flag a false positive due to the portion of the regex...

(?i:and)\b\s+\d{1,10}

http://www.anydomain.com/valid-file.php?data=and%202
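
To make the over-generality concrete, here is an added example (not Comodo's code, and not from this thread) that runs the four alternatives of rule 211580 as logged in reply #30 over a handful of argument values and reports which alternative fires. It also tries an assumed tightening that drops the operator-less fourth alternative, so that "and <number|'string'>" only counts when a comparison operator follows. The sample values are constructed except for "and 2", which is the value in the URL above; the values are taken as already URL-decoded, and the rule's transformation chain is ignored.

```python
from __future__ import annotations

import re
from typing import Optional

# Rule 211580's operator as logged in reply #30, with the audit log's
# doubled backslashes unwound. It is four alternatives joined by "|"; only
# the first three demand a comparison operator after the number or string.
RULE_211580_ALTERNATIVES = [
    r"\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]",
    r"\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]",
    r"\band\b ?(?:\d{1,10}|['\"][^=]{1,10}['\"]) ?[=<>]+",
    r"\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')",
]
RULE_211580 = re.compile("(?i)" + "|".join(RULE_211580_ALTERNATIVES))

# Assumed tightening (not a Comodo rule): drop the operator-less fourth
# alternative, so "and <number|'string'>" only fires when =, < or > follows.
TIGHTENED_211580 = re.compile("(?i)" + "|".join(RULE_211580_ALTERNATIVES[:3]))

# Constructed argument values, already URL-decoded as ModSecurity would see
# them after t:urlDecodeUni. "and 2" is the value from the example URL above.
SAMPLES = {
    "and 2": "benign: data=and%202 from the URL above",
    "3 shirts and 2 hoodies": "benign: constructed order note",
    "Tom and 'Jerry' are here": "benign: quoted word after 'and'",
    "1 and 1=1": "probe: numeric tautology",
    "x' and '1'='1": "probe: quoted tautology",
}


def first_matching_alternative(value: str) -> Optional[int]:
    """1-based index of the first alternative of 211580 that fires on the
    value, or None when the rule would let the value through."""
    for index, alternative in enumerate(RULE_211580_ALTERNATIVES, start=1):
        if re.search("(?i)" + alternative, value):
            return index
    return None


def blocked_by(pattern: re.Pattern, value: str) -> bool:
    """True when the compiled rule pattern matches anywhere in the value."""
    return pattern.search(value) is not None


def compare_rules(samples=SAMPLES) -> dict[str, tuple[Optional[int], bool]]:
    """For each value: which 211580 alternative fires (None if none) and
    whether the tightened pattern still blocks it."""
    return {
        value: (first_matching_alternative(value), blocked_by(TIGHTENED_211580, value))
        for value in samples
    }


if __name__ == "__main__":
    for value, (alternative, still_blocked) in compare_rules().items():
        print(f"{value!r:28} {SAMPLES[value]:40} "
              f"211580 alt={alternative}  tightened blocks={still_blocked}")
```

The three benign values are caught only by the fourth alternative, which is exactly the fragment quoted above; the two tautology probes are caught by the first alternative and still are under the tightened pattern. Whether dropping that alternative loses real detections depends on what else the rule set covers, which this example does not show.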

Offline Amar218

  • Newbie
  • *
  • Posts: 5
Re: False-Positive report thread
« Reply #34 on: June 08, 2015, 07:22:00 PM »
Rules version 1.35: false positive on rule 211580 on two sites. One site has a search form for a CGI/Perl database; the other site has a PHP-based shopping cart, with the rule triggered on certain links or searches.
« Last Edit: June 08, 2015, 07:24:01 PM by Amar218 »

Offline GrandAdmiral

  • Newbie
  • *
  • Posts: 5
Re: False-Positive report thread
« Reply #35 on: June 17, 2015, 04:29:24 AM »
Rule ID 220382
WordPress 4.2.2
[Wed Jun 17 17:52:49.933030 2015] [:error] [pid 13254] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 0 at ARGS_POST. [file "/var/cpanel/cwaf/rules/27_Apps_WordPress.conf"] [line "23"] [id "220382"] [msg "COMODO WAF: found CVE-2013-7233 attack"] [hostname "XXXXX.com"] [uri "/wp/wp-admin/options.php"] [unique_id "VYEuWWUAUCIAADPGTQAAAAAI"]

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 357
Re: False-Positive report thread
« Reply #36 on: June 17, 2015, 06:30:56 AM »
False positive when inserting content into a MySQL database through CMS Builder.
...

optionQuery argument whitelisted in Rule ID 211220

...
Rule 211580 SQL Injection
This rule is way too general and creates many false positives. Any submission with "and 2" or "and 3" etc. will flag a false positive due to the portion of the regex...
...
Rules version 1.35: false positive on rule 211580 on two sites. One site has a search form for a CGI/Perl database; the other site has a PHP-based shopping cart, with the rule triggered on certain links or searches.
False positive when creating a new page in WordPress Admin Dashboard.
...

Rule ID 211580 disabled by default

Rule ID 220382
...

Rule ID 220382 removed permanently

All changes will take place in next release.
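
The first fix above (whitelisting one argument for rule 211220) is a target exclusion rather than a rule removal. As an added illustration, not Comodo's code or CMS Builder's, the following Python models that: it URL-decodes an excerpt of the POST body from the audit log in reply #32, runs the logged operator `<\?(?!xml)` over each argument, and reports which ARGS the rule would flag before and after excluding named targets. It assumes the rule's target is ARGS (the log reports the hit "at ARGS:optionsQuery") and ignores transformations; the `exclusion_directive` helper assembles the ModSecurity 2.x `SecRuleUpdateTargetById` line that achieves the exclusion in a real configuration.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# Rule 211220's operator as logged in reply #32: a PHP open tag that is not
# an XML declaration. Target assumed to be ARGS; transformations ignored.
RULE_211220 = re.compile(r"<\?(?!xml)")

# Excerpt of section C of the audit log posted in reply #32: the three
# parameters that carry a PHP tag plus two harmless ones. The real body
# is much longer.
CMS_BUILDER_BODY = (
    "menu=database&_defaultAction=editTable&tableName=aotp"
    "&optionsQuery=SELECT+fieldname1%2C+fieldname2%0A++FROM+%60%3C%3Fphp"
    "+echo+%24TABLE_PREFIX+%3F%3EtableName%60"
    "&relatedWhere=foreignFieldNum%3D'%3C%3Fphp+echo+mysql_escape"
    "(%40%24RECORD%5B'num'%5D)+%3F%3E'"
    "&relatedMoreLink=foreignFieldNum_match%3D%3C%3Fphp+echo+htmlspecialchars"
    "(%40%24RECORD%5B'num'%5D)+%3F%3E"
    "&customUploadDir=%2Fhome%2Fexamplecomeay%2Fpublic_html%2Fuploads%2F"
)


def flagged_args(body: str, excluded: frozenset[str] = frozenset()) -> list[str]:
    """Names of the ARGS that rule 211220 would match, in request order,
    after dropping the excluded targets (the effect of
    SecRuleUpdateTargetById <id> "!ARGS:<name>" on the rule's target list)."""
    return [
        name
        for name, value in parse_qsl(body, keep_blank_values=True)
        if name not in excluded and RULE_211220.search(value)
    ]


def exclusion_directive(rule_id: int, arg_names: list[str]) -> str:
    """Build the ModSecurity 2.x directive that removes these ARGS from the
    rule's targets. It must appear after the include of the vendor rule
    file, otherwise there is no rule yet to update."""
    targets = ",".join(f"!ARGS:{name}" for name in arg_names)
    return f'SecRuleUpdateTargetById {rule_id} "{targets}"'


if __name__ == "__main__":
    print("before:", flagged_args(CMS_BUILDER_BODY))
    print("optionsQuery excluded:",
          flagged_args(CMS_BUILDER_BODY, frozenset({"optionsQuery"})))
    all_three = ["optionsQuery", "relatedWhere", "relatedMoreLink"]
    print(exclusion_directive(211220, all_three))
    print("all three excluded:",
          flagged_args(CMS_BUILDER_BODY, frozenset(all_three)))
```

Run against the posted body, the rule first flags optionsQuery, which is what the audit log recorded. With only that argument excluded, the next matches fall on relatedWhere and relatedMoreLink, which also carry `<?php` in the same request, so a whitelist built from the first logged hit alone may need a second round once the next hit shows up in the log.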

Offline oetaz

  • Newbie
  • *
  • Posts: 12
Re: False-Positive report thread
« Reply #37 on: June 17, 2015, 09:08:12 PM »
Many False positives this morning for Rule 214540

Basically any legitimate use of an iframe seems to trigger the block (iframe in a page template in WordPress).

e.g.

[Thu Jun 18 10:35:19 2015] [error] [client 59.167.231.7] ModSecurity: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\\\\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\"']{0,1}[^a-zA-Z0-9_]{0,}?\\\\bdisplay\\\\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\\\\bnone\\\\b" at RESPONSE_BODY. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/20_Outgoing_FilterInFrame.conf"] [line "17"] [id "214540"] [msg "COMODO WAF: Possibly malicious iframe tag in output"] [data "Matched Data: <iframe style='display:none found within RESPONSE_BODY: <!DOCTYPE html PUBLIC \\x22-//W3C//DTD XHTML 1.0 Strict//EN\\x22 \\x22http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\\x22>\\x0a<html lang=\\x22en-US\\x22 prefix=\\x22og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#\\x22>\\x0a<head>\\x09<title>Best Self Products | Self Tan</title>\\x0a\\x09<meta charset=\\x22UTF-8\\x22 />\\x0a\\x09<meta http-equiv=\\x22imagetoolbar\\x22 content=\\x22no\\x22 />\\x0a\\x09<meta name=\\x22robots\\x22 content=\\x22..."] [severity "ERROR"] [hostname "www.xxxxxx.com.au"] [uri "/index.php"] [unique_id "VYISRmUAYAIADscANE0AAABF"]

« Last Edit: June 17, 2015, 09:11:04 PM by oetaz »

Offline oleg.tsygany

  • Comodo's Hero
  • *****
  • Posts: 274
Re: False-Positive report thread
« Reply #38 on: June 18, 2015, 06:40:15 AM »
Hi

It's recommended to turn whole "Outgoing" category off.
To do so please open CWAF plugin, go to Catalog tab, and press 'OFF' in row containing 'Outgoing' category.

Best regards, Oleg

Offline oetaz

  • Newbie
  • *
  • Posts: 12
Re: False-Positive report thread
« Reply #39 on: June 18, 2015, 08:20:29 AM »
Which outgoing category should I disable? There are 8 of them; or should I disable them all? What is the point of including them if it's recommended you disable them? Also, which other ones are recommended to be disabled?

14_Outgoing_FilterGen.conf
15_Outgoing_FilterASP.conf
16_Outgoing_FilterPHP.conf
17_Outgoing_FilterIIS.conf
18_Outgoing_FilterSQL.conf
19_Outgoing_FilterOther.conf
20_Outgoing_FilterInFrame.conf
21_Outgoing_FiltersEnd.conf

Offline oleg.tsygany

  • Comodo's Hero
  • *****
  • Posts: 274
Re: False-Positive report thread
« Reply #40 on: June 18, 2015, 11:06:14 AM »
Hi

It seems you have CWAF rules installed as a cPanel Vendor.
Unfortunately, this install type does not support convenient exclude management.

The following entries are disabled by default during install as a Plugin:
CATEGORY-Bruteforce - because of a broken implementation of persistent storage in the current version of mod_security
CATEGORY-Outgoing - because of the great amount of false positives related to these rules
GROUP-Incoming - because it uses OSVDB and Comodo is not responsible for this source of vulnerabilities
GROUP-HTTPDoS - because of a lot of false positives

This affects the following entries in the cPanel Vendor install, and they are recommended for disabling:
05_Global_Incoming.conf
09_Bruteforce_Bruteforce.conf
11_HTTP_HTTPDoS.conf
14_Outgoing_FilterGen.conf
15_Outgoing_FilterASP.conf
16_Outgoing_FilterPHP.conf
17_Outgoing_FilterIIS.conf
18_Outgoing_FilterSQL.conf
19_Outgoing_FilterOther.conf
20_Outgoing_FilterInFrame.conf
21_Outgoing_FiltersEnd.conf

Best regards, Oleg

Offline Ramy

  • Newbie
  • *
  • Posts: 1
Re: False-Positive report thread
« Reply #41 on: July 02, 2015, 08:29:09 AM »
RuleId: 214540
Magento. 1.9.1.0
Log in to the Magento Admin panel, go to Catalog > Manage Categories

[:error] [pid 17156] [client 41.46.83.3]
ModSecurity: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\"']{0,1}[^a-zA-Z0-9_]{0,}?\\bdisplay\\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\\bnone\\b" at RESPONSE_BODY. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/20_Outgoing_FilterInFrame.conf"] [line "17"] [id "214540"] [msg "COMODO WAF: Possibly malicious iframe tag in output"]
[data "Matched Data: <iframe name="iframeSave" style="display:none
found within RESPONSE_BODY: {\\x22content\\x22:\\x22 <div class="content-header">  <h3 class="icon-head head-categories">New Root Category<\\x5c/h3>  <p class="content-buttons form-buttons">  <button id="id_c7b3049b0174d2656a42779034769c13" title="Reset" type="button" class="scalable " oncl..."]
[severity "ERROR"]
[hostname "jaadaonline.com"]
[uri "/index.php/admin/catalog_category/edit/key/8e3b3e58ff62a7e3554181ab6a2caee2/"] [unique_id "VZUGHz[at]PKCIAAEME04cAAAAa"]

Offline gshost

  • Newbie
  • *
  • Posts: 6
Re: False-Positive report thread
« Reply #42 on: July 24, 2015, 03:19:00 AM »
There is a rule 211210 which blocks when you try to edit a database row in phpMyAdmin.


Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 357
Re: False-Positive report thread
« Reply #43 on: July 24, 2015, 06:21:32 AM »
There is a rule 211210 which blocks when you try to edit a database row in phpMyAdmin.
Will be fixed in the next update.

Offline Hedloff

  • Comodo Loves me
  • ****
  • Posts: 149
Re: False-Positive report thread
« Reply #44 on: August 11, 2015, 04:59:01 AM »
210831: COMODO WAF: Rogue web site crawler

Request:   HEAD /pictures/alex_avatar.jpg
Action Description:   Access denied with code 403 (phase 2).
Justification:   Pattern match "(?i:(?:^(?:microsoft url|user-Agent|www\\.domain\\.com|(?:jakart|vi)a|(google|i{0,1}explorer{0,1}\\.exe|(ms){0,1}ie( [0-9.]{1,}){0,1} {0,1}(compatible( browser){0,1}){0,1})$)|\\bdatacha0s\\b|; widows|\\\\r|a(?: href=|d(?:sarobot|vanced email extractor ..." at REQUEST_HEADERS:User-Agent.

modsec_audit.log:

--a70e7e2c-A--
[11/Aug/2015:07:25:58 +0200] VcmHZtWi8FgADsZN16MAAAAp 78.91.*.* 49209 213.*.*.* 80
--a70e7e2c-B--
HEAD /pictures/alex_avatar.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible ; MSIE 9.11.9600.17914 ; Microsoft Windows 7 Professional Service Pack 1 ; Placeware RPC 1.0)
Host: domain.tld
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

--a70e7e2c-C--

--a70e7e2c-F--
HTTP/1.1 403 Forbidden
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--a70e7e2c-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:^(?:microsoft url|user-Agent|www\\.domain\\.com|(?:jakart|vi)a|(google|i{0,1}explorer{0,1}\\.exe|(ms){0,1}ie( [0-9.]{1,}){0,1} {0,1}(compatible( browser){0,1}){0,1})$)|\\bdatacha0s\\b|; widows|\\\\r|a(?: href=|$
Action: Intercepted (phase 2)
Stopwatch: 1439270758022815 2284 (- - -)
Stopwatch2: 1439270758022815 2284; combined=582, p1=419, p2=158, p3=0, p4=0, p5=5, sr=64, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--a70e7e2c-Z--
