Serious false positive rule 21100

Hello Guys!

Lately we have gotten a storm of customers who just logged into cPanel and webmail. They cannot change tables/rows in phpMyAdmin, and just reading their webmail gets them blocked by our csf/firewall because WAF rule 211000 is hitting all websites with cpanel.domain.tld and webmail.domain.tld hosts.

See webmail here:
http://i.imgur.com/LUziLci.png

For cPanel/phpmyadmin edit:
http://i.imgur.com/qhqJ3Ck.png

Could you please fix that rule asap? Or disable WAF on all subdomains for cpanel/webmail?

We will investigate this incident and fix will be available within next update. Thank you for your feedback.

Meanwhile you can add the faulty rule to the excludes by running the CWAF CLI script:

/var/cpanel/cwaf/scripts/cwaf-cli.pl -xa 211000

Regards, Oleg

Any updates on this?

More and more customers are getting blocked because of this, and they cannot do much inside cPanel!

See new screenshot here:
http://i.imgur.com/DqNDo4B.png

This is something that needs to be fixed asap.
Please get a fix for this. We have not had problems with this before so it has to be with the latest rules updates.

Should be fixed by update.

The latest update by agent/rule that was released today?

Yes, it should help.

Well, we still have serious issues when a customer is updating/deleting a row in phpMyAdmin inside cPanel:
Request: POST /cpsess9710167270/3rdparty/phpMyAdmin/import.php
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match “(?:\b(?:c(?:d(?:\b[^a-zA-Z0-9_]{0,}?[/\]|[^a-zA-Z0-9_]{0,}?\.\.)|hmod.{0,40}?\+.{0,3}x|md(?:\b[^a-zA-Z0-9_]{0,}?/c|(?:\.exe|32)\b))|(?:echo\b[^a-zA-Z0-9_]{0,}?\by{1,}|n(?:et(?:\b[^a-zA-Z0-9_]{1,}?\blocalgroup|\.exe)|(?:c|map)\.exe)|t(?:c …” at ARGS:sql_query.

We really need this fixed!

Hi

This is another rule: 211210
We can try to disable it for phpMyAdmin import only.
Please add this to your mod_security configuration (in the Plugin open ‘Userdata’ - ‘Custom Rules’, or in the console edit /etc/cwaf/httpd/custom_user.conf):

<LocationMatch "/3rdparty/phpMyAdmin/import.php$">
 SecRuleRemoveById 211210
</LocationMatch>

Regards, Oleg

Can’t you whitelist all subdomains like webmail and cpanel?
Will you fix this on that rule in the next update?

Hi

I think weakening of security has to be a conscious act of a certain user :P
I will ask the rule writers if it is possible to fix this rule somehow without reducing overall rule security.

Regards, Oleg

Could they fix this?

We still have brand new customers contacting us about this issue. It’s causing us to lose customers. See screenshot:
http://imgur.com/sRWhQpi

Will be fixed in next update.

Still not fixed!
Do you know when this will be fixed? We use the latest rules also.
Take a look:
http://imgur.com/vcm0yGX

It seems to be a real attack.
If you suppose that it’s a false positive, just exclude this rule.

No, it’s not real!
We are trying to edit .htaccess through the file manager inside cPanel.

As I said before, your rules should not act against something done within the cpanel, webmail etc. subdomains.
If someone gets access there, this rule is not enough to stop a hacker.

I suppose you can use a directive for the directories you need and turn ModSecurity off for them, but as far as I know it works for Apache only.
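A narrower alternative to removing rule 211210 outright for import.php, or to switching ModSecurity off for the cpanel/webmail hosts, as an added example that is not from this thread or from the CWAF project: it drops only the offending ARGS:sql_query target from 211210 on the phpMyAdmin import endpoint, and scopes the rule 211000 exclusion to the service hostnames named earlier in the thread. It assumes ModSecurity 2.x under Apache, that custom_user.conf is loaded after the CWAF rule set (SecRuleUpdate* must follow the rule it modifies), and rule id 1000001 is a placeholder from the user range.

```apache
# Added example, not part of the thread or CWAF. Assumes ModSecurity 2.x on Apache
# and that this file is included after the CWAF rules, because SecRuleUpdateTargetById
# can only modify a rule that has already been loaded.

# 1. Location-scoped, target-level exclusion: rule 211210 still runs against every
#    other argument of the phpMyAdmin import request; only sql_query is skipped.
<LocationMatch "/3rdparty/phpMyAdmin/import.php$">
    SecRuleUpdateTargetById 211210 "!ARGS:sql_query"
</LocationMatch>

# 2. Host-scoped exclusion at request time: only when the Host header starts with
#    "cpanel." or "webmail." (the hosts reported in the thread) is rule 211000
#    removed for the rest of that transaction via ctl:. Every other vhost keeps it.
#    id 1000001 is a placeholder; use a free id from your own custom range.
SecRule REQUEST_HEADERS:Host "@rx ^(?:cpanel|webmail)\." \
    "id:1000001,phase:1,pass,nolog,t:lowercase,\
     msg:'Exclude rule 211000 on cPanel/webmail service hosts',\
     ctl:ruleRemoveById=211000"
```

Reload Apache afterwards and confirm with a test request to the cPanel host that the matching entries disappear from the ModSecurity audit log while requests to ordinary customer vhosts still trigger the rule.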