BeZazz
February 25, 2014, 5:51pm
#1
I removed the following from /var/cpanel/cwaf/rules/cwaf_05.conf and so far it seems ok:
SecRule REQUEST_URI "!@contains /wp-admin/admin.php?page=newsletter-manager-" \
"id:220500,\
phase:2,\
log,\
t:none, t:urlDecodeUni, t:lowercase"
SecRule ARGS:xyz_em_campname|ARGS:xyz_em_name "!@rx ^[a-z0-9-\+\?@=!\\\*.,_ ]{0,64}$" \
"id:220501,\
msg:'COMODO WAF: found CVE-2012-6628 attack',\
phase:2,\
deny,\
status:403,\
log,\
t:urlDecodeUni, t:lowercase"
SecRule ARGS:id|ARGS:xyz_em_exportbatchSize|ARGS:xyz_em_limit "!@rx ^\d{1,64}$" \
"id:220502,\
msg:'COMODO WAF: found CVE-2012-6628 attack',\
phase:2,\
deny,\
status:403,\
log,\
t:none, t:urlDecodeUni, t:lowercase"
SecMarker END_SECMARKER_220500
netdias
February 25, 2014, 9:37pm
#2
Yes, happened to me also: high load and lots of processes in Apache, sites not working.
[Tue Feb 25 20:51:14 2014] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-admin/admin.php?page=newsletter-manager-" against "REQUEST_URI" required. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "910"] [id "220500"] [hostname "www.xxxx.com "] [uri "/air/index.php"] [unique_id "Uw0CQrIg37IAAFC6G-gAAAAH"]
This site does not have a WordPress script installed.
Had to disable the include in modsec2.conf because the problem persisted after I turned off all rules in the Comodo UI.
Pedro
BeZazz
February 25, 2014, 9:40pm
#3
Same here.
That is why I removed the rule.
Seems strange having an option to turn off rules that doesn't turn them off.
ahbao
February 26, 2014, 5:51am
#4
0.39 is causing problems on all my sites; I reverted back to 0.38.
MoovIt
February 26, 2014, 7:38am
#5
Very sad. Never had this issue with the gotroot free rules; have also reverted back to the 0.38 rules.
You would think these rules would be tested prior to releasing and bug tested!
ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-admin/admin.php?page=newsletter-manager-" against "REQUEST_URI" required. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "910"] [id "220500"]
This rule was triggered by me visiting my own site, which has no WordPress installed, and also by a few more IPs visiting sites without WordPress.
Please test your rules before releasing to the general public, as we are not beta testers.
If this keeps happening I will ditch in favor of better prepared rules!
Reverted to 0.38 after rule #220502 identified the LiveChat as an attack vector. Is there an easy way to filter anything out of the catalog? Right now it is utterly confusing.
TDmitry
February 27, 2014, 10:13am
#9
Please, post your logs related to rule #220502 and LiveChat.
This is what I get:
Access denied with code 403 (phase 2). Match of "rx ^\\d{1,64}$" against "ARGS:ID" required. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "927"] [id "220502"] [msg "COMODO WAF: found CVE-2012-6628 attack"]
By the way, just reverting to previous version via the WHM plugin seems to leave the rule on the server, which means you can’t exclude it anymore through the UI.
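Added triage helper, written for this thread and not taken from any poster or from the Comodo rule set: it parses "Access denied" lines of the shape quoted in #2, #5 and #9, tallies which rule id blocked which hostname, lists denials whose URI never contained the plugin path the rule is meant to guard, and replays rule 220502's check offline so an operator can see why a non-numeric `id` parameter (LiveChat, in #9's case) trips it. The log lines inside the block are constructed on the pattern of the ones quoted above, with made-up clients, hostnames and URIs; the curly quotes on the second line reproduce what the forum did to the original paste. One caveat the rule text in #1 supports: rule 220500 as pasted carries no `pass`, `nolog` or `skipAfter` action, so if the default action is deny (which the logged 403 with no `deny` in the rule implies), a negated `@contains` on `REQUEST_URI` blocks every request that is *not* for the plugin page, which is exactly what the non-WordPress sites in this thread saw. `t:urlDecodeUni` is approximated here with `urllib.parse.unquote` (it does not handle `%uXXXX`), and `\d` is taken as ASCII digits as in PCRE without UCP.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample lines modelled on the ones quoted in this thread.
# Clients, hostnames, URIs and unique_ids are placeholders (RFC 5737 addresses, example.* names).
SAMPLE_LOG = [
    '[Tue Feb 25 20:51:14 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 '
    '(phase 2). Match of "contains /wp-admin/admin.php?page=newsletter-manager-" against "REQUEST_URI" '
    'required. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "910"] [id "220500"] '
    '[hostname "www.example.com"] [uri "/air/index.php"] [unique_id "UNIQUE-ID-1"]',
    # Same rule, but pasted through a forum that converted the quotes to curly ones.
    '[Tue Feb 25 20:52:03 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 '
    '(phase 2). Match of \u201ccontains /wp-admin/admin.php?page=newsletter-manager-\u201d against '
    '\u201cREQUEST_URI\u201d required. [file \u201c/var/cpanel/cwaf/rules/cwaf_05.conf\u201d] '
    '[line \u201c910\u201d] [id \u201c220500\u201d] [hostname \u201cshop.example.net \u201d] '
    '[uri \u201c/catalog/list.php\u201d] [unique_id \u201cUNIQUE-ID-2\u201d]',
    # Rule 220502 denying a non-numeric "id" argument (Apache escapes the backslash in the log).
    '[Thu Feb 27 10:01:55 2014] [error] [client 203.0.113.4] ModSecurity: Access denied with code 403 '
    '(phase 2). Match of "rx ^\\\\d{1,64}$" against "ARGS:ID" required. '
    '[file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "927"] [id "220502"] '
    '[msg "COMODO WAF: found CVE-2012-6628 attack"] [hostname "www.example.com"] '
    '[uri "/livechat/chat.php"] [unique_id "UNIQUE-ID-3"]',
]

# "[client x] ModSecurity:" is optional so that bare excerpts like the one in #9 still parse.
DENIAL = re.compile(
    r'(?:\[client (?P<client>[^\]]+)\] )?(?:ModSecurity: )?Access denied with code (?P<status>\d+) '
    r'\(phase (?P<phase>\d)\)\. (?P<reason>.*?)\s*(?P<fields>\[file .*)$'
)
# One [key "value"] pair; the value may contain escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_denial(line):
    """Return a dict with client/status/phase/reason plus every [key "value"] field, or None."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # undo smart-quote conversion
    m = DENIAL.search(line)
    if not m:
        return None
    rec = {"client": m.group("client"), "status": int(m.group("status")),
           "phase": int(m.group("phase")), "reason": m.group("reason")}
    for key, value in FIELD.findall(m.group("fields")):
        rec[key] = value.strip()  # the hostname in the thread carried a trailing space
    return rec


def denials_by_rule(lines):
    """Map rule id -> Counter of hostnames it blocked, so the noisiest rule stands out."""
    table = defaultdict(Counter)
    for line in lines:
        rec = parse_denial(line)
        if rec:
            table[rec.get("id", "?")][rec.get("hostname", "?")] += 1
    return table


def out_of_scope_hits(lines, rule_id, guarded_substring):
    """Denials by rule_id whose URI never contained the path the rule guards.

    For a negated @contains rule with no skipAfter, that is every request to a
    site without the plugin, i.e. the false positives reported in this thread."""
    hits = []
    for line in lines:
        rec = parse_denial(line)
        if rec and rec.get("id") == rule_id and guarded_substring not in rec.get("uri", ""):
            hits.append((rec.get("hostname", "?"), rec.get("uri", "")))
    return hits


def would_rule_220502_block(value):
    """Replay rule 220502 offline: t:urlDecodeUni (approximated) and t:lowercase, then the
    negated ^\\d{1,64}$ check. True means ModSecurity would deny the request."""
    transformed = unquote(value).lower()
    return re.fullmatch(r"[0-9]{1,64}", transformed) is None


if __name__ == "__main__":
    for rule_id, hosts in denials_by_rule(SAMPLE_LOG).items():
        print(f"rule {rule_id}: {dict(hosts)}")
    for host, uri in out_of_scope_hits(SAMPLE_LOG, "220500",
                                       "/wp-admin/admin.php?page=newsletter-manager-"):
        print(f"220500 blocked non-plugin request {host}{uri}")
    for sample in ("12345", "chat-7f3a"):
        print(f"id={sample!r} blocked by 220502: {would_rule_220502_block(sample)}")
```

Run against a real `error_log` by replacing `SAMPLE_LOG` with the file's lines; hostnames that show up under 220500 with URIs outside the plugin path are the sites where a catalog exclusion (or a corrected rule scope) is needed, and the 220502 replay lets you check a LiveChat `id` value before deciding whether to exclude that rule for the vhost.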
vadim
March 5, 2014, 10:20am
#11
Which version of rules do you use now? Do you see this rule in Catalog (Group “CVE → ID 220502”)?
You may just disable this rule if you see it in Catalog.