Author Topic: Wish you do not deny all sites with "Warning:" by default  (Read 58 times)

Offline postcd

  • Newbie
  • *
  • Posts: 19
Wish you do not deny all sites with "Warning:" by default
« on: September 06, 2017, 10:21:34 AM »
Hello,

I am using the Comodo ModSecurity rules, and my site got a 403 Forbidden error because the PHP script demanded a function that was disabled for security reasons. This rule was triggered:

Quote
SecRule RESPONSE_BODY "Warning.{0,100}?:.{0,1000}?\bon line\b" \
   "id:1,msg:'COMODO WAF: PHP Information Leakage||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:1,severity:3,tag:'CWAF',tag:'FilterPHP'"

log entry:
Quote
[Wed Sep 06 14:02:02 2017] [error] [client *.*.*.*] ModSecurity: Access denied with code 403 (phase 4). Pattern match "Warning.{0,100}?:.{0,1000}?\\\\bon line\\\\b" at RESPONSE_BODY. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/17_Outgoing_FilterPHP.conf"] [line "14"] [id "214420"] [rev "1"] [msg "COMODO WAF: PHP Information Leakage||*.*.info|F|3"] [data "Matched Data: Warning:  curl_exec() has been disabled for security reasons in /home/*/public_html/_sub/*.info/wp-content/plugins/samsarin-php-widget/samsarin-php-widget.php(97) : eval()'d code on line found within RESPONSE_BODY: \\xef\\xbb\\xbf<!DOCTYPE html PUBLIC \\x22-//W3C//DTD XHTML 1.0 Transitional//EN\\x22\\x0d\\x0a\\x22http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\x22>\\x0d\\x0a\\x0d\\x0a<html xmlns=\\x22http://www.w3.org/1999/xhtml\\x22 dir=\\x22ltr\\x22 lang=\\x22cs-CZ\\x22>\\x0d\\..."] [severity "ERROR"] [tag "CWAF"] [tag "FilterPHP"] [hostname "*.*.info"] [uri "/index.php"] [unique_id "Wa--2ZteQx0AAB5H28AAAAAX"]
[Wed Sep 06 14:02:02 2017] [error] [client 188.213.49.53] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/22_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|*.*.info|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "*.*.info"] [uri "/index.php"] [unique_id "Wa--2ZteQx0AAB5H28AAAAAX"]

I do not think this ModSecurity rule should be enabled by default, as I think many newbie website admins want to discover errors on their sites, and being 403 Forbidden seems confusing. I do not think it is such a big security issue when a potential hacker knows the site has a certain function disabled and knows the full path to the script.

Or maybe a custom error could be shown by default, like "Your script requested a function that is disabled for security reasons. Please check the error_log file."
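As an added illustration, not code from the post or from Comodo, the rule's regular expression is run here in Python against constructed response bodies: the plain-text warning form seen in the log above, the HTML-wrapped form PHP emits with html_errors=On, ordinary prose that happens to contain both tokens, and a page served with display_errors=Off. All page contents, paths and plugin names below are invented.

```python
import re

# The operator from the Comodo rule quoted above. The PCRE constructs it uses
# (lazy bounded quantifiers, \b) mean the same in Python's re, and in both
# engines '.' stops at a newline, so the warning must sit on one line of the
# response body, which is how PHP emits it.
PHP_LEAK_PATTERN = re.compile(r"Warning.{0,100}?:.{0,1000}?\bon line\b")


def php_information_leak(response_body: str):
    """Return the text the rule would log as TX.0, or None when it would not fire."""
    m = PHP_LEAK_PATTERN.search(response_body)
    return m.group(0) if m else None


def leaked_paths(response_body: str):
    """Filesystem paths exposed by a PHP warning, the actual information leak.

    Handles both the plain form ('in /path') and the html_errors=On form
    ('in <b>/path</b>').
    """
    return re.findall(r"\bin (?:<b>)?(/[^\s<(]+)", response_body)


# Constructed response bodies; none of these is taken from the forum post.

# display_errors=On, html_errors=Off: the plain-text form seen in the log above.
PLAIN_WARNING_PAGE = (
    "<!DOCTYPE html>\n<html><body>\n"
    "Warning:  curl_exec() has been disabled for security reasons in "
    "/home/example/public_html/wp-content/plugins/sample-widget/widget.php(97) : "
    "eval()'d code on line 1\n"
    "<p>Hello world</p></body></html>\n"
)

# display_errors=On, html_errors=On: PHP wraps the severity in <b> tags, and the
# rule still fires because the markup falls inside the .{0,100}? gap.
HTML_WARNING_PAGE = (
    "<html><body>\n"
    "<br />\n<b>Warning</b>:  include(missing.php): failed to open stream in "
    "<b>/var/www/html/index.php</b> on line <b>12</b><br />\n"
    "</body></html>\n"
)

# Ordinary prose that contains both tokens. The rule fires on this page too,
# which is the false positive the post complains about.
BENIGN_PROSE_PAGE = (
    "<html><body><p>Warning: fragile goods. Tracking is shown on line 3 of "
    "your receipt.</p></body></html>\n"
)

# display_errors=Off, log_errors=On: the warning goes to error_log and the
# response body carries nothing for the rule to match.
HARDENED_PAGE = "<html><body><p>Hello world</p></body></html>\n"


def classify(pages):
    """Map each page name to its matched data, mirroring the log's 'Matched Data' field."""
    return {name: php_information_leak(body) for name, body in pages.items()}


if __name__ == "__main__":
    pages = {
        "plain_warning": PLAIN_WARNING_PAGE,
        "html_warning": HTML_WARNING_PAGE,
        "benign_prose": BENIGN_PROSE_PAGE,
        "hardened": HARDENED_PAGE,
    }
    for name, matched in classify(pages).items():
        print(f"{name:14} -> {'blocked: ' + matched if matched else 'passed'}")
    print("paths leaked by plain_warning:", leaked_paths(PLAIN_WARNING_PAGE))
    print("paths leaked by html_warning: ", leaked_paths(HTML_WARNING_PAGE))
```

The paths returned by `leaked_paths` are the information the rule exists to keep off the wire. The hardened case shows the usual fix on the application side, display_errors=Off with log_errors=On, so the same message lands in error_log, which is where the post's suggested custom error text would send the admin anyway. The benign-prose case shows why a response-body rule this broad can also hit ordinary content, and why the reply below points at disabling the rule per site rather than changing the default.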

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 357
Re: Wish you do not deny all sites with "Warning:" by default
« Reply #1 on: September 06, 2017, 10:50:16 AM »
Quote
I do not think it is such a big security issue when potential hacker knows the site has certain function disabled and knows the full path to the script.

The rule is correct. This issue belongs to the OWASP Top 10 vulnerabilities; what it can cause you can find at https://www.owasp.org/index.php/Top_10_2017-A5-Security_Misconfiguration . Users install a WAF in order to minimize risks. We do as much as possible from our side; weakening the protection is a personal decision of the user. If you think that particular rule should be disabled, you can do that for your website.
« Last Edit: September 06, 2017, 10:54:32 AM by TDmitry »
