False positive pattern match issue


I am using mod security however i’m having a false positive issue when a user post’s their email address that contains “fread”.

The posted address is name.fread@domain.com, as soon as they try and login the 403 error appears.

here’s the rule causing the issue:
[Wed Mar 23 17:20:56.880014 2022] [:error] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b” at ARGS:ulogin. [file “/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf”] [line “73”] [id “211230”] [rev “1”] [msg “COMODO WAF: PHP Injection Attack||domain.com|F|2”] [data “Matched Data: fread found within ARGS:ulogin: name.fread@domain.com”] [severity “CRITICAL”] [tag “CWAF”] [tag “Generic”] [hostname “domain.com”] [uri “/login”] [unique_id “YjtW-PpcRPx7xEXn662i0QAAAIM”], referer:

Is there somewhere I can whitelist the user email or tell mod security not to check a certain posted variable (“ulogin”) as an example?

if so, can you advise where I need to put this please? because i do not want to have to disable the rule.

many thanks

Hi millzee,

Thank you for reporting, we will check with the related team and update you.