I use the free version of Comodo WAF 1.233 on Plesk, and found that the message contained in a number of Wordpress-related rules is confusing: “COMODO WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487).” This message is repeated many times in the Wordpress ruleset, but it’s not specifically relevant to any of the rules.
For example, the following rule denies unauthenticated requests to a specific endpoint:
SecRule REQUEST_URI "[at]contains /wp-json/wp/v2/users" \
"id:225170,chain,msg:'COMODO WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487)||%{tx.domain}|%{tx.
mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'WordPress'"
SecRule &REQUEST_COOKIES_NAMES:/^wordpress_logged_in_[0-9a-fA-F]{32}$/ "[at]eq 0" \
"chain,t:none"
SecRule &REQUEST_COOKIES_NAMES:/^wordpress_[0-9a-fA-F]{32}$/ "[at]eq 0" \
"t:none"
The rule works as intended. However, when reviewing logs, the message related to “WordPress 4.7” is misleading and irrelevant. I would like to understand the inclusion of this phrase. Is this simply a legacy artifact that has been copied to multiple rules? Or is there a specific reason to call out the CVE instead of the condition defined in the ruleset? Are there plans to update?
Many thanks!