Author Topic: rule 214620, "PHP source leakage"  (Read 120 times)

Offline postcd

  • Comodo Member
  • Posts: 25
rule 214620, "PHP source leakage"
« on: September 06, 2017, 04:05:05 PM »
Hello, I got a rule hit:

Request: GET /wp-admin/
Action Description: Access denied with code 403 (phase 4).
Justification: Pattern match "(?:\\b(?:call_user_func|f(?:get(?:c|s{0,1}s)|open|read|scanf|tp_(?:nb_){0,1}f{0,1}(?:ge|pu)t|write)|gz(?:compress|open|read|(?:encod|writ)e)|move_uploaded_file|read(?:dir|(?:gz){0,1}file)|s(?:candir|ession_start)|(?:bz|proc_)open)|\\$_(?:session|(?:ge| ..." at RESPONSE_BODY.

Responsible rule: 214620 ("PHP source leakage")

I think the only text that could cause it is:
Use force_feed() if you are certain this URL is a real feed.
Nepodařilo se otevřít připojení pomocí fopen() k http://...

But I do not see it as a good enough reason for a 403; maybe it should not trigger it if there is no "Warning:" text on the page?
Thank You for a Comodo ModSecurity & CIS. Nice SW.

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • Posts: 365
Re: rule 214620, "PHP source leakage"
« Reply #1 on: September 07, 2017, 09:26:26 AM »
Rule 214620 doesn't expect that some Warning will appear on the page during execution. It expects that PHP/Webserver isn't properly configured and the source code of the PHP file is contained in the response. In your case it looks like an FP; you can disable this rule in your configuration.

Offline postcd

  • Comodo Member
  • Posts: 25
Re: rule 214620, "PHP source leakage"
« Reply #2 on: September 10, 2017, 08:50:27 AM »
The reason I am posting here is to prevent me and other people in the future from being wrongly denied by your rules. If it is an FP, please narrow the rule so you do not block valid access like this one.
Thank You for a Comodo ModSecurity & CIS. Nice SW.
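
Added example, not part of the forum posts and not Comodo's rule code: a small triage helper that runs the function-name alternation visible in the truncated log line above against a response body, to show which text produced the hit. The `triage` function, the PHP open-tag check and both sample bodies are assumptions made for illustration; the part of the pattern cut off by "..." in the log is not reproduced.

```python
import re

# Function-name alternation copied from the visible part of the logged pattern.
# The log line is truncated ("..."), so the rest of rule 214620 is not included.
VISIBLE_FRAGMENT = re.compile(
    r"\b(?:call_user_func|f(?:get(?:c|s{0,1}s)|open|read|scanf"
    r"|tp_(?:nb_){0,1}f{0,1}(?:ge|pu)t|write)"
    r"|gz(?:compress|open|read|(?:encod|writ)e)|move_uploaded_file"
    r"|read(?:dir|(?:gz){0,1}file)|s(?:candir|ession_start)|(?:bz|proc_)open)"
)

# Assumption (not from the rule): a raw PHP open tag in the body is treated
# as the sign that unparsed source, not a rendered message, was returned.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)")


def triage(body, context=30):
    """Return (verdict, hits); each hit is (function_name, surrounding_text)."""
    hits = []
    for m in VISIBLE_FRAGMENT.finditer(body):
        start = max(0, m.start() - context)
        hits.append((m.group(0), body[start:m.end() + context]))
    if not hits:
        return "no-match", hits
    if PHP_OPEN_TAG.search(body):
        return "possible-source-leak", hits
    return "likely-false-positive", hits


# Constructed sample bodies: the first wraps the two lines quoted in the post,
# the second is an invented unparsed PHP file.
DASHBOARD = (
    "<p>Use force_feed() if you are certain this URL is a real feed.</p>\n"
    "<p>Nepodařilo se otevřít připojení pomocí fopen() k http://...</p>\n"
)
LEAKED = "<?php\n$fh = fopen('data.txt', 'r');\necho fread($fh, 100);\n"

if __name__ == "__main__":
    for name, body in (("dashboard", DASHBOARD), ("leaked", LEAKED)):
        verdict, hits = triage(body)
        print(name, verdict, [h[0] for h in hits])
```

On the dashboard text only `fopen` matches (`force_feed` does not), which is consistent with the poster's guess about what tripped the rule.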
