False-Positive report thread

FALSE POSITIVE, normal script made by a programmer:

211230: COMODO WAF: PHP Injection Attack
Request:	GET /justapri/oficinas_externas/index.php?fopen=1&nfo=15020037
Action Description:	Access denied with code 403 (phase 2).
Justification:	Pattern match "(?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" at ARGS_NAMES:fopen.

FALSE POSITIVE, script SePortal 2.5 (www.seportal.org)

211540: COMODO WAF: Blind SQL Injection Attack
Request:	POST /login.php
Action Description:	Access denied with code 403 (phase 2).
Justification:	Pattern match "(?i:\\b(?:t(?:able_name\\b|extpos[^a-zA-Z0-9_]{1,}\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:user_password.

FALSE POSITIVE, Joomla script, and i already opened and analysed the files, there is no shell at all:

ModSecurity: Access denied with code 403 (phase 3). String match "/images/" at REQUEST_FILENAME. [file "/var/cpanel/cwaf/rules/cwaf_07.conf"]
[line "72"] [id "240031"] [msg "COMODO WAF: Blocking execution of an uloaded shell in Joomla!"] 
[hostname "www.SITE.COM"] [uri "/index.php/images/loading.gif"]

Thank you for your reports, but pay attention to false positive report requirements:

Often we haven’t enough information without request headers or debug log to fix false positive.

I’m sorry Dmitry, but the logs don’t save the Request Headers.

In that case, i cannot report the false positives and the only solution is to turn off the rules on that domains that are false positives.

You can configure modsecurity to save audit.log or debug.log

Client upload image file in wordpress admin panel. The image file name contains a single quote.

[Tue Mar 03 11:04:44 2015] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Pattern match “[\”';=]" at FILES:async-upload. [file “/var/cpanel/cwaf/rules/cwaf_01.conf”] [line “153”] [id “210220”] [msg “COMODO WAF: Attempted multipart/form-data bypass”] [data “We’re all drivers 2.jpg”] [severity “CRITICAL”] [hostname “domain name”] [uri “/wp-admin/async-upload.php”] [unique_id “VPYFv0WhnQEAADCq2VYAAAAT”]


maybe this is a false positive (probably)

1 - Rule 214920
2 - SabreDAV 2.1.2 + Roundcube 1.0.5 and SabreDAV 2.1.2 + Thundebird 31.5.0

[Wed Mar 04 16:11:05.888770 2015] [:error] [pid 18017] [client myip] ModSecurity: Warning. Operator LT matched 5 at TX:incoming_points. [file “/usr/local/cwaf/rules/cwaf_04.conf”] [line “562”] [id “214920”] [msg “COMODO WAF: Inbound Points (Total Incoming Points: 3)”] [hostname “dav.myserver”] [uri “/index.php”] [unique_id “VPcgiV0-ojwAAEZhzRkAAAAC”]

Also i’ve noticed that i cant sync my android phone with dav anymore, i think is agent related, but no sure, no evidence in logs except for apache access log:

MYIP - - [04/Mar/2015:16:18:09 +0100] “OPTIONS /calendars/MYUSERACCOUNT/personal/ HTTP/1.1” 401 3868 “-” “CalDAV-Sync (Android) (like iOS/5.0.1 (9A405) dataaccessd/1.0) gzip”
MYIP - MYUSERACCOUNT [04/Mar/2015:16:18:09 +0100] “OPTIONS /calendars/MYUSERACCOUNT/personal/ HTTP/1.1” 200 277 “-” “CalDAV-Sync (Android) (like iOS/5.0.1 (9A405) dataaccessd/1.0) gzip”
MYIP - - [04/Mar/2015:16:18:09 +0100] “OPTIONS /calendars/MYUSERACCOUNT/personal/ HTTP/1.1” 401 3868 “-” “CalDAV-Sync (Android) (like iOS/5.0.1 (9A405) dataaccessd/1.0) gzip”
MYIP - MYUSERACCOUNT [04/Mar/2015:16:18:09 +0100] “OPTIONS /calendars/MYUSERACCOUNT/personal/ HTTP/1.1” 200 277 “-” “CalDAV-Sync (Android) (like iOS/5.0.1 (9A405) dataaccessd/1.0) gzip”

Hope those help you.


False Positive:

[Thu Mar 12 00:44:20.715316 2015] [:error] [pid 633443:tid 139707937650432] [client] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:merge.*?using\\\\s*?\\\\()|(execute\\\\s*?immediate\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:\\\\W+\\\\d*?\\\\s*?having\\\\s*?[^\\\\s\\\\-])|(?:match\\\\s*?[\\\\w(),+-]+\\\\s*?against\\\\s*?\\\\())" at ARGS:about_background. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "400"] [id "211720"] [msg "COMODO WAF: Detects MATCH AGAINST"] [data "Matched Data:  having t found within ARGS:about_background: <p>Back in 2000 I co-founded front.end, a digital agency in Portugal. Its small structure challenged me to solve many problems that required learning things outside of my comfort zone. I learned flash having to deliver a collection of games, web standards and accessibility landing projects for the portuguese government, and just about everything else in do-or-die scenarios.</p>\\x0d\\x0a\\x0d\\x0a<p>In this experience I've acquired knowledge in just..."] [severity "CRITICAL"] [hostname "site.com"] [uri "/wip3/processwire/page/edit/"] [unique_id "VQDhZMMIOpsACapjwSEAAAEV"]

[12/Mar/2015:00:44:20 +0000] VQDhZMMIOpsACapjwSEAAAEV 42781 6081
POST /wip3/processwire/page/edit/?id=1001 HTTP/1.1
Referer: http://heldercervantes.com/wip3/processwire/page/edit/?id=1001
Host: heldercervantes.com
Cookie: WireTabs=ProcessPageEditContent; cpsession=helderce%3aK4SQoVsktzNWArhkLc1Xck7yvYz159wLoAqSWY3Iz1X9PyY9AyL5BXv8SmWDgp1c%2c858a091fba04683c471e3d40d9e62f114276275c8161de8b2c582a2fcf7df1d1; langedit=; lang=; cprelogin=no; _ga=GA1.2.332721632.1424949039; wire=cjpmfa3oefec4loq595evt5ko4; wire_challenge=oogjXP0QiWUxMRXVyqh8ltUBFLDjtLGP1
X-Forwarded-Host: heldercervantes.com
X-Forwarded-Server: heldercervantes.com
Connection: close
Content-Length: 10530
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://site.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLu2pyuaB5eHG7Ar8
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6,es;q=0.4,fr;q=0.2,it;q=0.2,pt;q=0.2,pt-PT;q=0.2

False positive in cpanel mailman admin access and users app, rule 210730

[13/Mar/2015:15:05:51 +0000] VQL8z0RHh5IABq5Q@UUAAAAA 50769 80
GET /mailman/admindb/congregation_domainnamehere.com HTTP/1.1
Host: mail.domainnamehere.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: es-AR,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Message: Access denied with code 403 (phase 2). String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_01.conf”] [line “455”] [id “210730”] [msg “COMODO WAF: URL file extension is restricted by policy”] [data “.com”] [severity “CRITICAL”]
Action: Intercepted (phase 2)
Apache-Handler: default-handler
Stopwatch: 1426259151407306 5924 (- - -)
Stopwatch2: 1426259151407306 5924; combined=1011, p1=729, p2=183, p3=0, p4=0, p5=98, sr=111, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: “ENABLED”


False positive when creating a new page in Wordpress Admin Dashboard.

[Mon Mar 23 10:51:52.757070 2015] [:error] [pid 847048] [client IP] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|‘[^=]{1,10}’)\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|‘[^=]{1,10}’)\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\”][^=]{1,10}[\\‘\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|’[^=]{1,10}')" at ARGS:input_30. [file “/var/cpanel/cwaf/rules/cwaf_02.conf”] [line “323”] [id “211580”] [msg “COMODO WAF: SQL Injection Attack”] [data “Matched Data: and 2 found within ARGS:input_30: SCREENS: 12, 50\x0d\x0aHANES 5170 STONE WASH GREEN: 18-S, 48-M, 24-L, 18-XL, 12-XXL\x0d\x0aHANES 5186 STONE WASH GREEN: 6-S, 48-M, 12-L, 36-XL, 12-XXL\x0d\x0aHANES P160 DEEP FOREST GREEN: 6-S, 18-XL, 6-XXL\x0d\x0aTHE ABOVE ITEMS ARE GETTING FULL FRONT AND FULL BACK WHITE AND DALLAS GREEN\x0d\x0a\x0d\x0aPOWERTEK 70125 OXFORD GREY: 9-M, 20-XL, 5-XXL\x0d\x0aOXFORD GREY HOODIES ARE GETTING ONE COLOR LEFT CHEST AND FULL BACK FOREST GREEN INK\x0d\x0a\x0d\x0aGOOD…”] [severity “CRITICAL”] [hostname “domain.com”] [uri “/create-new-job/”] [unique_id “VRBSuGw8FSkADOzIHQ4AAABL”]

False positive when creating a new post in Wordpress Admin Dashboard.

===False positive===
[Sun Mar 22 19:17:22 2015] [error] [client1 IP] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(media|post|post_new)\\.php” at Request_URI. [file “/var/cpanel/cwaf/rules/cwaf_05.conf”] [line “1783”] [id “220830”] [msg “COMODO WAF: Blocking XSS attack”] [hostname “domain2.com”] [uri “/wp-admin/post.php”] [unique_id “VQ93sWw8AwEAAFzHWdMAAAAA”]

[Sun Mar 22 12:26:30 2015] [error] [client2 IP] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(media|post|post_new)\\.php” at Request_URI. [file “/var/cpanel/cwaf/rules/cwaf_05.conf”] [line “1783”] [id “220830”] [msg “COMODO WAF: Blocking XSS attack”] [hostname “domain2.com”] [uri “/eddie/wp-admin/post.php”] [unique_id “VQ8XZkWhmQEAADU4LsUAAAAG”]

===True attack===
[Tue Mar 24 10:24:44.311438 2015] [:error] [pid 73528] [client] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(media|post|post_new)\\.php” at Request_URI. [file “/var/cpanel/cwaf/rules/cwaf_05.conf”] [line “1783”] [id “220830”] [msg “COMODO WAF: Blocking XSS attack”] [hostname “domain3.com”] [uri “/wp-comments-post.php”] [unique_id “VRGd3Gw8FQsAAR84U4oAAAAM”]

False positive when inserting content into mysql database trough CMS Builder.
CMS Builder said to customer: doesn’t allow forms to be submitted that look like they contain PHP tags or MySQL select statements.
Problem is on these urls:

Rule ID:
211220: COMODO WAF: PHP Injection Attack

From logs:
Request: POST /cmsAdmin/admin?
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match “<\?(?!xml)” at ARGS:optionsQuery.


[09/Apr/2015:22:03:32 +0200] VSbbFNWi9k0ACbl[at]CskAAAAm 109.247.xx.xx 59899 2x.1xx.xx.xx 80
POST /cmsAdmin/admin? HTTP/1.1
Host: www.example.com
Connection: keep-alive
Content-Length: 1960
Accept: */*
Origin: http://www.example.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,no;q=0.6
Cookie: 4d10f34a1987a__PHPSESSID=adfd58cc4674375f6527ab20de6bbeb3

HTTP/1.1 403 Forbidden
Content-Length: 335
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


Message: Access denied with code 403 (phase 2). Pattern match "<\\?(?!xml)" at ARGS:optionsQuery. [file "/var/cpanel/cwaf/rules/01_Global_Generic.conf"] [line "59"] [id "211220"] [msg "COMODO WAF: PHP Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1428609820477305 5423 (- - -)
Stopwatch2: 1428609820477305 5423; combined=2507, p1=295, p2=2192, p3=0, p4=0, p5=20, sr=53, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

Rules version 1.28 and earlier.

Rule 211580 SQL Injecton

This rule is way too general and creates many false positives. Any submission with “and 2” or “and 3” etc. will flag a false positive due to the portion of the regex…



Rules version 1.35 – false positive on rule 211580 on two sites. One site has a search form for a CGI/perl database; the other site has a PHP based shopping cart- with rule triggered on certain links or searches.

Rule ID 220382
Wordpress 4.2.2
[Wed Jun 17 17:52:49.933030 2015] [:error] [pid 13254] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 0 at ARGS_POST. [file “/var/cpanel/cwaf/rules/27_Apps_WordPress.conf”] [line “23”] [id “220382”] [msg “COMODO WAF: found CVE-2013-7233 attack”] [hostname “XXXXX.com”] [uri “/wp/wp-admin/options.php”] [unique_id “VYEuWWUAUCIAADPGTQAAAAAI”]

optionQuery argument whitelisted in Rule ID 211220

Rule ID 211580 disabled by default

Rule ID 220382 removed permanently

All changes will take place in next release.

Many False positives this morning for Rule 214540

Basically any legitimate use of iframe, seems to trigger the block. (iframe in page template in wordpress)


[Thu Jun 18 10:35:19 2015] [error] [client] ModSecurity: Access denied with code 403 (phase 4). Pattern match “<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\”']{0,1}[^a-zA-Z0-9_]{0,}?\\bdisplay\\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\\bnone\\b" at RESPONSE_BODY. [file “/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/20_Outgoing_FilterInFrame.conf”] [line “17”] [id “214540”] [msg “COMODO WAF: Possibly malicious iframe tag in output”] [data “Matched Data: <iframe style='display:none found within RESPONSE_BODY: \x0a<html lang=\x22en-US\x22 prefix=\x22og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#\\x22>\x0a\x09Best Self Products | Self Tan\x0a\x09\x0a\x09\x0a\x09<meta name=\x22robots\x22 content=\x22…”] [severity “ERROR”] [hostname “www.xxxxxx.com.au”] [uri “/index.php”] [unique_id “VYISRmUAYAIADscANE0AAABF”]


It’s recommended to turn whole “Outgoing” category off.
To do so please open CWAF plugin, go to Catalog tab, and press ‘OFF’ in row containing ‘Outgoing’ category.

Best regards, Oleg

which outgoing category should i disable there is 8 of them, or should i disable them all? what is the point of including them if its recommended you disable? Also which other ones are recommended to be disabled?