Author Topic: Seznam.cz, "SessionID Parameter Name with No Referer", phpsessid found within..  (Read 190 times)

Offline postcd

Hello, in the Czech Republic, Seznam.cz is the biggest search engine beside Google.
I see it was blocked by the Comodo Mod Security rule with severity "CRITICAL". As a noob, I do not see any critical danger out of this robot visit. And I also see no problem with SessionID being visited directly. Some CMS is "wrongly" programmed to show session ID and when someone copies the address bar URL with session ID and publishes it somewhere, then innocent visitors will be blocked?

Quote
--fbfe0225-A--
[07/Sep/2017:09:58:52 +0000] WbEYXJteQx0AAGjlsIkAAAAW 77.75.77.95 28206 1.2.3.4 80
--fbfe0225-B--
GET /forum/index.php?PHPSESSID=02d4b5571c0423ad0cd907aaebe712b0&action=help;area=board_index HTTP/1.1
Host: www.mydomainhere.com
Accept: */*
Accept-Language: cs
User-Agent: Mozilla/5.0 (compatible; SeznamBot/3.2; +http://napoveda.seznam.cz/en/seznambot-intro/)
Accept-Encoding: gzip, deflate
If-Modified-Since: Sat, 19 Aug 2017 05:48:33 GMT
Connection: keep-alive

--fbfe0225-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 119
Keep-Alive: timeout=8, max=170
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--fbfe0225-E--

--fbfe0225-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/02_Global_Generic.conf"] [line "47"] [id "211180"] [rev "2"] [msg "COMODO WAF: Session Fixation: SessionID Parameter Name with No Referer||www.mydomainhere.com|F|2"] [data "Matched Data: phpsessid found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php5
Stopwatch: 1504778332555468 35457 (- - -)
Stopwatch2: 1504778332555468 35457; combined=983, p1=650, p2=177, p3=0, p4=0, p5=117, sr=75, sw=39, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--fbfe0225-Z-- :P0l
Thank You for a Comodo ModSecurity & CIS. Nice SW.

Offline akabakov

Hello,
please, exclude rule 211180.
I need to know if you use some kind of web-host management system. I mean cPanel, Plesk, DirectAdmin. Or if you use a standalone installation.
Thanks.

Offline postcd

Quote
please, exclude rule 211180.
I need to know if you use some kind of web-host management system

Thx, I am using cPanel. If you mean to disable this rule, I just disabled it. But I am looking to have it enabled to get rid of bad bots. Might be good if the rule can be tweaked not to cause this possible false positive so I can enable it again. Thx
Thank You for a Comodo ModSecurity & CIS. Nice SW.
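
One way to keep rule 211180 enabled while exempting the crawler, shown as an added example that is not part of the original thread or of Comodo's rule set. The local rule id 1000001 is constructed, and the IP address is only the client address visible in the audit log above, used as a placeholder for crawler addresses you have verified yourself.

```apache
# Added example: local ModSecurity 2.x exclusion, not Comodo's own configuration.

# Broad option (what "exclude rule 211180" amounts to when done globally):
# the session-fixation check is switched off for every client and every URL.
# SecRuleRemoveById 211180

# Narrower option: skip 211180 only for requests that claim to be SeznamBot
# AND arrive from an address you have confirmed belongs to the crawler.
# The User-Agent header alone is not a safe condition, because any client
# can send it; the second rule in the chain ties the exemption to the source.
#
# 77.75.77.95 is the client address from the audit log in this thread.
# Treat it as a placeholder and replace it with verified addresses or ranges.
# id:1000001 is a constructed id; pick one that is unused on your server.
SecRule REQUEST_HEADERS:User-Agent "@contains SeznamBot" \
    "id:1000001,phase:1,pass,nolog,chain"
    SecRule REMOTE_ADDR "@ipMatch 77.75.77.95" \
        "ctl:ruleRemoveById=211180"
```

The exclusion runs in phase 1, so it is already in effect when rule 211180 is evaluated in phase 2 of the same request, as shown in the audit log. All other clients that send a PHPSESSID parameter without a Referer are still blocked.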

 
