Nasty bugs

Hello,

Did try to contact you Dmitry and Andrey on Skype, but you didn’t answer so I’ll post the issue here.

We have lots of issues with Comodo WAF on our LiteSpeed servers, but also on Apache.
Especially, rules that are disabled are still "active".

For example, a customer with ManageWP on 10 different LiteSpeed servers is getting a 403 error:
54.191.137.17 - - [22/May/2017:11:43:31 +0200] "POST /wp-load.php?mwprid=5922b2c4124d08.59456565 HTTP/1.1" 403 1139 "http://www.domain.tld/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
54.191.137.17 - - [22/May/2017:15:30:46 +0200] "POST /wp-load.php?mwprid=5922e740189a28.13102215 HTTP/1.1" 403 1139 "http://www.domain.tld/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"

Checking in WHM -> Home » Security Center » ModSecurity™ Tools » Hits List, I cannot find anything.

But I do find it in the Apache error log:
[Mon May 22 15:30:49 2017] [error] [client 54.191.137.17] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_COOKIES|!REQUEST_COOKIES:/utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/' '@rx (?i:(?:\s?(?:exec|execute).{0,100}?(?:\W)xp_cmdshell)|(?:["']\s*?!\s*?[\"'\w])|(?:from\W+information_schema\W)|(?:(?:(?:current)?user|database|schema|connection_id)\s*?([^)]?)|(?:["'];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:(?:exec|execute)\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.{0,100}?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"']))'] [id "218540"] [msg "COMODO WAF: Detects MSSQL code execution and information gathering attempts"]
[Mon May 22 15:30:49 2017] [error] [client 54.191.137.17] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/' '@rx (?i:(?:\s*?(?:exec|execute).{0,100}?(?:\W)xp_cmdshell)|(?:["']\s*?!\s*?[\"'\w])|(?:from\W+information_schema\W)|(?:(?:(?:current)?user|database|schema|connection_id)\s*?([^)]*?)|(?:["'];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:(?:exec|execute)\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.{0,100}?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"']))'] [id "218540"] [msg "COMODO WAF: Detects MSSQL code execution and information gathering attempts"]

But this rule is not active. See screenshot from plugin in WHM.

So this rule is also giving a false positive, but we don't use those rules because we know it did this before.

[/var/cpanel/cwaf/rules]# grep -r 218540 *
24_SQL_SQLi.conf: "id:218540,msg:'COMODO WAF: Detects MSSQL code execution and information gathering attempts',phase:2,block,setvar:'tx.points=+%{tx.points_limit4}',setvar:'tx.sqli_points=+1',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'SQLi'"
categories.conf:# RULEDATA:218540:SQLi:1:COMODO WAF: Detects MSSQL code execution and information gathering attempts
scheme.yml: 218540: 0
scheme.yml: 218540:
scheme.yml: parent: 218540

1.123
CWAF plugin version 2.21
LiteSpeed version 5.1.15 Enterprise

Please fix it asap.
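One way to triage a report like this across many servers, added here as an example and not part of the post or of the CWAF plugin: parse ModSecurity error-log lines of the shape quoted above and flag blocks that come from rule IDs the plugin marks as disabled. The sample log lines are constructed, and reading the scheme.yml entry `218540: 0` as "rule disabled" is an assumption.

```python
import re

# Constructed sample lines in the shape of the Apache error-log entries
# quoted in the post; the long @rx rule text is elided as "...".
SAMPLE_ERROR_LOG = [
    "[Mon May 22 15:30:49 2017] [error] [client 54.191.137.17] ModSecurity: "
    "Access denied with code 403, [Rule: 'ARGS' '@rx ...'] [id \"218540\"] "
    "[msg \"COMODO WAF: Detects MSSQL code execution and information gathering attempts\"]",
    "[Mon May 22 15:31:02 2017] [error] [client 203.0.113.9] ModSecurity: "
    "Access denied with code 403, [Rule: 'ARGS' '@rx ...'] [id \"210010\"] "
    "[msg \"COMODO WAF: constructed example rule\"]",
]

# Assumption: the plugin's scheme.yml maps rule id -> 0 when the rule is
# disabled in WHM. This dict is constructed, not parsed from the real file.
RULE_SCHEME = {218540: 0, 210010: 1}

# Header of a ModSecurity 2.x error-log line: timestamp, client, action.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<action>Access denied with code \d+|Warning)'
)
# Bracketed tags we care about; the rule body never contains '[id "'.
TAG_RE = re.compile(r'\[(?P<key>id|msg) "(?P<val>[^"]*)"\]')


def parse_modsec_line(line):
    """Return a dict with ts, client, action, id (int) and msg, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for tag in TAG_RE.finditer(line):
        rec[tag.group("key")] = tag.group("val")
    if "id" not in rec:
        return None
    rec["id"] = int(rec["id"])
    return rec


def disabled_rules_still_firing(lines, scheme):
    """Events produced by rules that the scheme marks as disabled (0)."""
    hits = []
    for line in lines:
        rec = parse_modsec_line(line)
        if rec is not None and scheme.get(rec["id"]) == 0:
            hits.append(rec)
    return hits
```

Run it against the real error log on each server to confirm which "disabled" rule IDs are still producing 403s before opening an exclusion.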

Rule 218540 is removed from the ruleset.