CWAF - Rules 1.11 False Positives (update 2 June 2014)

False Positive #1 (WORDPRESS Site)

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:[\\r \"'+/`]style[\\r +/]{0,}?=.{0,}([:=]|(&#x{0,1}0{0,}((58)|(3A)|(61)|(3D));{0,1})).{0,}?([(\\\\]|(&#x{0,1}0{0,}((40)|(28)|(92)|(5C));{0,1})))" at ARGS:data[wp_autosave][content].

[file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1117”]

[id “213100”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”]

[data “Matched Data: style=\x22color: #222222;\x22>Os n\xc3\xbameros agora avan\xc3\xa7ados pela Comiss\xc3\xa3o Europeia mostram que 40% ou mais da popula\xc3\xa7\xc3\xa3o em pa\xc3\xadses como It\xc3\xa1lia, Gr\xc3\xa9cia, Bulg\xc3\xa1ria e Rom\xc3\xa9nia n\xc3\xa3o tem capacidade para interagir com o mundo online. A percentagem aumenta para mais do dobro em alguns Estados-membros da UE quando se fala em falta de literacia digital no total da popula\xc3\xa7\xc3\xa3o ( found within ARGS:data[wp_autosave][cont…”]

[uri “/wp-admin/admin-ajax.php”]

Thank you for your feedback. We will check this case.

False Positive #2

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" at ARGS:texto_ing.

[file “/var/cpanel/cwaf/rules/cwaf_02.conf”] [line “313”]

[id “211580”] [msg “COMODO WAF: SQL Injection Attack”]

[data “Matched Data: and 20 found within ARGS:texto_ing:

The Dental Clinic Artilharia 1 was established in the municipality of Lisbon in June 2007. Activity focuses on dentistry, having, in addition to dentistry, all specialties related thereto, including implantology, orthodontics, fixed and removable dental prosthesis, pediatric dentistry, periodontics, endodontics and bone regeneration.

\x0d\x0a

We have at our service only Dentists Doctors enrolled in the respective order, always attentive …”]

[severity “CRITICAL”] [uri “/admin2253/facilidades_mod.php”]

False Positive #3
==================================

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:merge.?using\\s?\\()|(execute\\s*?immediate\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:\\W+\\d*?\\s*?having\\s*?[^\\s\\-])|(?:match\\s*?[\\w(),±]+\\s*?against\\s*?\\())" at ARGS:texto_ing.

[file “/var/cpanel/cwaf/rules/cwaf_02.conf”] [line “390”]

[id “211720”] [msg “COMODO WAF: Detects MATCH AGAINST”]

[data “Matched Data: , having, found within ARGS:texto_ing:

The Dental Clinic Artilharia 1 was established in the municipality of Lisbon in June 2007. Activity focuses on dentistry, having, in addition to dentistry, all specialties related thereto, including implantology, orthodontics, fixed and removable dental prosthesis, pediatric dentistry, periodontics, endodontics and bone regeneration.

\x0d\x0a

We have at our service only Dentists Doctors enrolled in the respective order, always attenti…”]

[severity “CRITICAL”] [uri “/admin2253/facilidades_mod.php”]

False Positive #4 (JOOMLA SITE)
==================================

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)([\\s\"'`;\\/0-9\\=]+on\\w+\\s*=)" at ARGS:info.

[file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “35”]

[id “212010”] [msg “COMODO WAF: XSS Filter - Category 2: Event Handler Vector”]

[data “Matched Data: 5OntzOjQ6Im1lbnUiO3M6MzoiY2FtIjtzOjM6Im1pZCI7YTozOntpOjA7czoxOiIxIjtpOjE7czozOiIyNzQiO2k6MjtzOjM6IjM2MSI7fXM6MzoiY2lkIjtzOjM6IjM2MSI7czoxMzoidmVyc2FvX3RhYmVsYSI7czo2OiJvbmxpbmUiO3M6OToidGlwb19tZW51IjtzOjE6IjYiO3M6MTM6ImdtX2lkX2NhdF9yZWwiO3M6MjoiNzQiO3M6OToiZ21faWRfY2F0IjtzOjI6Ijc0IjtzOjU6ImFjY2FvIjtzOjIzOiJnYWxlcmlhX211bHRpbWVkaWFfdmlldyI7czo1OiJnbV9pZCI7czozOiI1NjQiO30= found within ARGS:info: YTo5OntzOjQ6Im1lbnUiO3M6MzoiY2FtIjtzOjM6Im1pZCI7YTozOntpOjA7czoxOiIxIjtpOjE7czozOiIyNzQiO2k6MjtzO…”]

[severity “CRITICAL”] [uri “/index.php”]

False Positive #5 (MOODLE SCRIPT)
==================================

ModSecurity: Access denied with code 403 (phase 1). Match of “within %{tx.allowed_methods}” against “REQUEST_METHOD” required.

[file “/var/cpanel/cwaf/rules/cwaf_01.conf”] [line “408”]

[id “210700”] [msg “COMODO WAF: Method is not allowed by policy”]

[data “PROPFIND”]

[severity “CRITICAL”] [uri “/file.php/496/CP2”]

False Positive #6

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:[\"'][ ]{0,}(([^a-z0-9 ':_~])|(in)).{0,}?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|( …" at ARGS:intro.

[file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1093”]

[id “213070”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”]

[data “Matched Data: \x22> <P class=MsoNormal style=\x22TEXT-ALIGN: center; MARGIN: 0cm 0cm 0pt\x22 align=center><SPAN style=\x22FONT-SIZE: 7.5pt; FONT-FAMILY: ‘Arial’,‘sans-serif’; COLOR: #333399\x22>

<P class=MsoNormal style=\x22TEXT-ALIGN: center; MARGIN: 0cm 0cm 0pt\x22 align=center><SPAN style=\x22FONT-SIZE: 7.5pt; FONT-FAMILY: ‘Arial’,‘sans-serif’; COLOR: #333399\x22>

<P class=MsoNormal style=\x22TEXT-ALIGN: center; MARGI…”]

[uri “/admin/index.php”]

False Positive #7

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:[\\r \"'+/`]style[\\r +/]{0,}?=.{0,}([:=]|(&#x{0,1}0{0,}((58)|(3A)|(61)|(3D));{0,1})).{0,}?([(\\\\]|(&#x{0,1}0{0,}((40)|(28)|(92)|(5C));{0,1})))" at ARGS:intro.

[file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1117”]

[id “213100”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”]

[data “Matched Data: style=\x22FONT-SIZE: 10pt; FONT-FAMILY: ‘Arial’,‘sans-serif’; COLOR: rgb(0,0,102)\x22><SPAN style=\x22FONT-SIZE: 10pt; FONT-FAMILY: ‘Arial’,‘sans-serif’; COLOR: rgb(0,0,102)\x22> <P class=MsoNormal style=\x22MARGIN: 0cm 0cm 0pt\x22><SPAN style=\x22FONT-FAMILY: ‘Arial’,‘sans-serif’; COLOR: #000066\x22><?xml:namespace prefix = \x22o\x22 /><o:p> </o:p>

<P style=\x22MARGIN: 0cm 0cm 0pt\x22><SPAN style=\x22FONT-SIZE: 10pt; FONT-FAMILY: ‘Verdana’,'…”]

[uri “/admin/index.php”]

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:[\\r \"'+/`]style[\\r +/]{0,}?=.{0,}([:=]|(&#x{0,1}0{0,}((58)|(3A)|(61)|(3D));{0,1})).{0,}?([(\\\\]|(&#x{0,1}0{0,}((40)|(28)|(92)|(5C));{0,1})))" at ARGS:intro.

[file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1117”]

[id “213100”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”]

[data “Matched Data: style=\x22FONT-SIZE: 10pt; FONT-FAMILY: ‘Arial’,‘sans-serif’; COLOR: rgb(0,0,102)\x22> <P class=MsoNormal style=\x22MARGIN: 0cm 0cm 0pt\x22> <P class=MsoNormal style=\x22MARGIN: 0cm 0cm 0pt\x22><B style=\x22mso-bidi-font-weight: normal\x22><?xml:namespace prefix = \x22o\x22 /><o:p></o:p>

<o:p>

<P class=MsoNormal style=\x22MARGIN: 0cm 0cm 0pt\x22 align=justify>Carneiro, 21 de Mar\xe7o a 20 de Abril
Planeta Regente: Marte \x96 Modo: Card…”]

[uri “/admin/index.php”]

If you are using more than these methods:
GET, HEAD, POST, OPTIONS
then you should disable this rule for your location or disable it entirely.
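
The advice above to disable a rule only for the affected location can often be narrowed further to the single argument that triggered it. The following is an added example, not code from this thread or from Comodo: it parses ModSecurity denial lines like the ones reported here and emits candidate per-location exclusions. The sample lines are constructed from entries in this thread (regex patterns elided), and it assumes Apache with ModSecurity 2.x, with the generated directives loaded after the CWAF rule files.

```python
import re
from collections import defaultdict

# Constructed sample: five denials from this thread, one per line, with
# straight quotes restored and the long regex patterns elided.
SAMPLE_LOG = '''\
ModSecurity: Access denied with code 403 (phase 1). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "408"] [id "210700"] [msg "COMODO WAF: Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [uri "/file.php/496/CP2"]
ModSecurity: Access denied with code 403 (phase 2). Pattern match "(elided)" at ARGS:texto_ing. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "313"] [id "211580"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: and 20 found within ARGS:texto_ing"] [severity "CRITICAL"] [uri "/admin2253/facilidades_mod.php"]
ModSecurity: Access denied with code 403 (phase 2). Pattern match "(elided)" at ARGS:texto_ing. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "390"] [id "211720"] [msg "COMODO WAF: Detects MATCH AGAINST"] [data "Matched Data: , having, found within ARGS:texto_ing"] [severity "CRITICAL"] [uri "/admin2253/facilidades_mod.php"]
ModSecurity: Access denied with code 403 (phase 2). Pattern match "(elided)" at ARGS:intro. [file "/var/cpanel/cwaf/rules/cwaf_03.conf"] [line "1093"] [id "213070"] [msg "COMODO WAF: IE XSS Filters - Attack Detected."] [data "Matched Data: (elided)"] [uri "/admin/index.php"]
ModSecurity: Access denied with code 403 (phase 2). Pattern match "(elided)" at ARGS:intro. [file "/var/cpanel/cwaf/rules/cwaf_03.conf"] [line "1117"] [id "213100"] [msg "COMODO WAF: IE XSS Filters - Attack Detected."] [data "Matched Data: (elided)"] [uri "/admin/index.php"]
'''

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')           # [id "213100"], [uri "..."]
TARGET = re.compile(r'" at ([A-Z_]+(?::\S+)?)\. \[')  # ... at ARGS:intro. [file

def parse_entry(line):
    """Return the bracketed fields plus the matched variable, or None."""
    fields = dict(FIELD.findall(line))
    if "id" not in fields:
        return None
    m = TARGET.search(line)
    fields["target"] = m.group(1) if m else None
    return fields

def suggest_exclusions(log_text):
    """Group denials by script and emit the narrowest exclusion for each."""
    by_location = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        # Heuristic: cut PATH_INFO after the script (/file.php/496/CP2 -> /file.php).
        script = re.match(r'.*?\.php|.*', entry.get("uri", "/")).group(0)
        if entry["target"]:
            # A specific argument matched: exclude only that argument.
            rule = f'SecRuleUpdateTargetById {entry["id"]} "!{entry["target"]}"'
        else:
            # No argument (e.g. the method check): remove the rule for this path.
            rule = f'SecRuleRemoveById {entry["id"]}'
        by_location[script].add(rule)
    out = []
    for loc in sorted(by_location):
        out.append(f'<Location "{loc}">')
        out += [f'    {rule}' for rule in sorted(by_location[loc])]
        out.append('</Location>')
    return "\n".join(out)

if __name__ == "__main__":
    print(suggest_exclusions(SAMPLE_LOG))
```

Each suggested directive stops that rule from inspecting the named argument (or the whole location), so review the list against the application before loading it.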

False Positive #8 (wordpress site)

ModSecurity: Access denied with code 403 (phase 2). Match of “contains google_ad” against “MATCHED_VAR” required.

[file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “23”]

[id “212000”] [msg “COMODO WAF: XSS Filter - Category 1: Script Tag Vector”]

[data “Matched Data: found w…”]

[severity “CRITICAL”] [uri “/Arrendaptm/wp-admin/admin-ajax.php”]

False Positive #9 (wordpress site)

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:[\\r \"'+/`]style[\\r +/]{0,}?=.{0,}([:=]|(&#x{0,1}0{0,}((58)|(3A)|(61)|(3D));{0,1})).{0,}?([(\\\\]|(&#x{0,1}0{0,}((40)|(28)|(92)|(5C));{0,1})))" at ARGS:content.

[file “/var/cpanel/cwaf/rules/cwaf_03.conf”] [line “1117”]

[id “213100”] [msg “COMODO WAF: IE XSS Filters - Attack Detected.”]

[data “Matched Data: style=\x22color: #ff0000;\x22>Tribunal Constitucional chumba cortes salariais A FESAP congratula\xe2\x80\x90se com a decis\xc3\xa3o do Tribunal Constitucional ( found within ARGS:content:

Trabalhadores da AP v\xc3\xaaem reposta a justi\xc3\xa7a

<span style=\x22color: #ff0000;\x22>Tribunal Constitucional chumba cortes salariais

A FESAP congratula\xe2\x80\x90se com a decis\xc3\xa3o do Tribu…”]

[uri “/2/wp-admin/admin-ajax.php”]

All reported false positives at this moment will be fixed with rules v1.12

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:merge.?using\\s?\\()|(execute\\s*?immediate\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:\\W+\\d*?\\s*?having\\s*?[^\\s\\-])|(?:match\\s*?[\\w(),±]+\\s*?against\\s*?\\())" at ARGS:answer[0]. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "400"] [id "211720"] [msg "COMODO WAF: Detects MATCH AGAINST"] [data "Matched Data: . having a found within ARGS:answer[0]: I think that one aspect they could improve on is availability or someone on hand to speak to quickly when you have an issue. For instance, recently I had a problem with a piece of artwork they were taking really long on. I tried to call them about it… Andrea was on maternity leave, and I spoke to a male instead… can't remember who… anyway they never got back to me and I had to keep on calling and that was frustrating. But I have to say that over…"] [severity "CRITICAL"] [uri "/index.php"] [unique_id "VmhJUCm5CDQADx@VB1YAAAAk"]

Where did you find this ruleset? It's too old. Please update it and re-check.
Thanks.