Updated Rules to 1.09 But Still Error

Hello,

I have updated the rules but am still getting a false positive error.

Access denied with code 403 (phase 2). Pattern match “(?i:["'].{0,}?\)[ ]{0,}(([^a-z0-9 ':_~])|(in)).{1,}?\()” at ARGS:content. [file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1115”] [id “213040”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”] [data “Matched Data: \x22background-color: black; color: white;\x22> College Address Geeta Verma Institute of Technology(GVIT) Circular Road Near SBI Main Branch Chhindwara Govt. Rajmata Sindhia Girls College Near Fawarra Chowk Main Market Chhindwara Government Autonomous PG College Near Dharamtekdi Chhindwara Soni Computer Education Collectorate Road Gulabra Chhindwara <tr…”]

Thank you for your feedback. Will be fixed with next update.

Another false positive.

Access denied with code 403 (phase 2). String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "236"] [id "210310"] [msg "COMODO WAF: Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"]

/wp-content/uploads/2014/04/avariya-nissan-qashqai-neudacha-640x360.jpg HTTP/1.1

club-video.net

Also will be fixed with the next 1.10 update.

Hello,

There are N number of errors which need to be fixed. Most affected is WordPress. Hope the next update will fix everything.

Is this a false positive?

Access denied with code 403 (phase 2). Match of “eq 0” against “REQBODY_ERROR” required. [file “/var/cpanel/cwaf/rules/cwaf_01.conf”] [line “153”] [id “210230”] [msg “COMODO WAF: Failed to parse request body.”] [data “XML parser error: XML: Failed parsing document.”] [severity “CRITICAL”]

/xmlrpc.php HTTP/1.1

It depends on the impact. I’ll pay attention to this rule.

Comment spam protection, contact-us spam protection and all are also not working. Please have a look into it.

Ok, we will check it.

A few more false positives:

  1. Access denied with code 403 (phase 2). String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/var/cpanel/cwaf/rules/cwaf_01.conf”] [line “450”] [id “210730”] [msg “COMODO WAF: URL file extension is restricted by policy”] [data “.com”] [severity “CRITICAL”]

/demo/eatwith_clone/uploads/user_offering_image/google.com HTTP/1.1

  1. Rule 290eb58 [id “213020”][file “/var/cpanel/cwaf/rules/cwaf_03.conf”][line “1083”] - Execution error - PCRE limits exceeded (-8): (null).

/wp-comments-post.php HTTP/1.0

  1. Access denied with code 403 (phase 2). Operator GE matched 3 at TX:sqli_select_statement_count. [file “/var/cpanel/cwaf/rules/cwaf_02.conf”] [line “422”] [id “211530”] [msg “COMODO WAF: SQL SELECT Statement Anomaly Detection Alert”] [data “Matched Data: X-Forwarded-For found within TX:sqli_select_statement_count: 3”]

/sendMail.php HTTP/1.0

  1. Origin: http://testing.empexus.com
    Referer: http://testing.empexus.com/isc/wp-admin/post.php?post=35&action=edit
    Apache-Error: [file “core.c”] [line 3154] [level 3] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace., referer: http://testing.empexus.com/isc/wp-admin/post.php?post=35&action=edit\

  2. Message: Access denied with code 403 (phase 2). Pattern match “\bbackground-image:” at ARGS:newcontent. [file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “759”] [id “212660”] [msg “COMODO WAF: Cross-site Scripting (XSS) Attack”] [data “Matched Data: background-image: found within ARGS:newcontent: /* theme name: iso theme uri: http://empexus.com/ author: empexus author uri: http://empexus.com/ description: the 2013 theme for wordpress takes us back to the blog, featuring a full range of post formats, each displayed beautifully in their own unique way. design details abound, starting with a vibrant color scheme and matching header images, beautiful typography and icons, and a flexible layout that looks great on any device, big or small. …”] [severity “CRITICAL”]

WordPress is most affected, I see.

False positive:

Access denied with code 403 (phase 2). Pattern match “(?i:(?:[\t\n\r ()]case[\t\n\r ]{0,}?\()|(?:\)[\t\n\r ]{0,}?like[\t\n\r ]{0,}?\()|(?:having[\t\n\r ]{0,}?[^\t\n\r ]{1,}[\t\n\r ]{0,}?[^a-zA-Z0-9\t\n\r ])|(?:if[\t\n\r ]{0,1}\([a-zA-Z0-9][\t\n\r ]{0,}?[<=>~]))” at ARGS:data[wp_autosave][content]. [file “/var/cpanel/cwaf/rules/cwaf_02.conf”] [line “368”] [id “211700”] [msg “COMODO WAF: Detects conditional SQL injection attempts”] [data “Matched Data: having one) found within ARGS:data[wp_autosave][content]: [title]Making Android application development pocket friendly[/title]\x0a\x0a[text]Today everyone is talking about android. If you own a smart phone yourself (that we are sure you must be having one) then\xc2\xa0you must be aware that every application you wish to download demands Android platform. Therefore, if you also want to get a mobile application developed for your trade name, then Android can be the best bet …”] [severity “CRITICAL”]

Access denied with code 403 (phase 2). Pattern match “(?i:["'][ ]{0,}(([^a-z0-9 ':_~])|(in)).{0,}?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))|((o|(\\u006F))(n|( …” at ARGS:data[wp_autosave][content]. [file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1093”] [id “213070”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”] [data “Matched Data: \x22] Android application development[/list_item] [list_item]IOS Application Development[/list_item] [list_item]Windows Application development[/list_item] [list_item]iPhone Application Development [/list_item] [title]We have proved our expertise in all the platforms and have experience of developing applications like:[/title] [list class=\x22check\x22] [list_item]Gaming Apps[/list_item] [list_item]Business & sales application[/list_item] [list_item]Mobile shopping Apps[/…”]

False positive:

Access denied with code 403 (phase 2). Pattern match “(?:\bhttp/(?:0\.9|1\.[01])|<(?:html|meta)\b)” at ARGS:data[wp_autosave][content]. [file “/var/cpanel/cwaf/rules/cwaf_02.conf”] [line “111”] [id “211090”] [msg “COMODO WAF: HTTP Response Splitting Attack”] [data “Matched Data: <meta found within ARGS:data[wp_autosave][content]: do you know that can allow or disallow crawler to access particular page or not? yes, definitely we can.\x0a\x0a\xa0\x0a\x0aif our website has content that we do not want search engines to access, then we can use a robots.txt file to specify how search engines should crawl your site’s content.\x0a\x0a\xa0\x0a\x0aif few pages have out of date content and is appearing on google search result, then use removal url tool from google webmaster t…”] [severity “CRITICAL”]

Another false positive:

Access denied with code 403 (phase 2). Pattern match “(?i:[\r "'+/`]style[\r +/]{0,}?=.{0,}([:=]|(&#x{0,1}0{0,}((58)|(3A)|(61)|(3D));{0,1})).{0,}?([(\\]|(&#x{0,1}0{0,}((40)|(28)|(92)|(5C));{0,1})))” at ARGS:content. [file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1117”] [id “213100”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”] [data “Matched Data: style=\x22text-align: Justify;\x22><img class=\x22alignleft wp-image-505\x22 alt=\x22spice_park-chhindwara-mp28\x22 src=\x22http://www.mp28.org/wp-content/uploads/2013/07/spice_park-chhindwara-mp28.jpg\x22 width=\x22288\x22 height=\x22180\x22 />Spices Board of India planned to open Spices Park in all over India. The project was started to boost the spice export from India. First among the 7 pl…”]
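A triage sketch for alerts like those posted in this thread, added here as an example and not code from any poster or from Comodo: it extracts the rule id and inspected variable from each alert, then replays the rule 211700 pattern quoted above against the blocked autosave sentence to show which substring triggers it. The function names are hypothetical and the sample alerts are abbreviated from the thread (patterns and data fields elided).

```python
import re
from collections import defaultdict

# Tag fields such as [id "213040"]; the forum turned some quotes into “ ”.
TAG = re.compile(r'\[(\w+) [“"](.*?)[”"]\]')
# Inspected variable, e.g. "at ARGS:content." or "at REQUEST_PROTOCOL."
TARGET = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')

def parse_alert(line):
    """Extract rule id, rules file, message and inspected variable."""
    tags = dict(TAG.findall(line))
    target = TARGET.search(line)
    return {"id": tags.get("id"), "file": tags.get("file"), "msg": tags.get("msg"),
            "target": target.group(1) if target else None}

def targets_by_rule(lines):
    """Map each rule id to the set of variables it fired on."""
    grouped = defaultdict(set)
    for alert in map(parse_alert, lines):
        grouped[alert["id"]].add(alert["target"])
    return dict(grouped)

# Pattern of rule 211700, copied from the alert quoted in the thread.
RULE_211700 = re.compile(
    r"(?i:(?:[\t\n\r ()]case[\t\n\r ]{0,}?\()"
    r"|(?:\)[\t\n\r ]{0,}?like[\t\n\r ]{0,}?\()"
    r"|(?:having[\t\n\r ]{0,}?[^\t\n\r ]{1,}[\t\n\r ]{0,}?[^a-zA-Z0-9\t\n\r ])"
    r"|(?:if[\t\n\r ]{0,1}\([a-zA-Z0-9][\t\n\r ]{0,}?[<=>~]))")

def first_match(pattern, text):
    """Return the substring that triggers the pattern, or None."""
    found = pattern.search(text)
    return found.group(0) if found else None

# Alerts abbreviated from the thread: patterns and data fields are elided.
SAMPLE_ALERTS = [
    'Access denied with code 403 (phase 2). Pattern match “...” at ARGS:content. [file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1115”] [id “213040”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”]',
    'Access denied with code 403 (phase 2). Pattern match “...” at ARGS:data[wp_autosave][content]. [file “/var/cpanel/cwaf/rules/cwaf_02.conf”] [line “368”] [id “211700”] [msg “COMODO WAF: Detects conditional SQL injection attempts”]',
    'Access denied with code 403 (phase 2). String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "236"] [id "210310"] [msg "COMODO WAF: Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"]',
]
# Sentence taken from the blocked WordPress autosave shown in the thread.
AUTOSAVE_TEXT = ("If you own a smart phone yourself (that we are sure you must "
                 "be having one) then you must be aware")

if __name__ == "__main__":
    for rule_id, targets in targets_by_rule(SAMPLE_ALERTS).items():
        print(rule_id, sorted(targets))
    print(repr(first_match(RULE_211700, AUTOSAVE_TEXT)))
```

The `having` branch needs only the word, one following token and a non-alphanumeric character, so ordinary prose ending in punctuation satisfies it; the same sentence without the closing parenthesis does not match.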