Serious false positive rule 21100

Hedloff · August 26, 2015, 7:18pm

Hello Guys!

Lately we have gotten a storm of customers just logged into cPanel and webmail. They cannot change table/rows in phpmyadmin and just reading their webmail get’s them blocked by our csf/firewall because WAF rule 211000 is hitting all websites with cpanel.domain.tld and webmail.domain.tld host.

See webmail here:

For cPanel/phpmyadmin edit:

Could you please fix that rule asap? Or disable WAF on all subdomains for cpanel/webmail?

TDmitry · August 27, 2015, 9:26am

We will investigate this incident and fix will be available within next update. Thank you for your feedback.

oleg.tsygany · August 27, 2015, 1:14pm

Meanwhile you can add faulty rule to exludes by running CWAF CLI script:

/var/cpanel/cwaf/scripts/cwaf-cli.pl -xa 211000

Regards, Oleg

Hedloff · September 10, 2015, 9:03pm

Any updates on this?

Getting more and more customers getting blocked because of this and they cannot do much inside cPanel!

See new screenshot here:

Hedloff · September 15, 2015, 10:29am

This is something that needs to be fixed asap.
Please get a fix for this. We have not had problems with this before so it has to be with the latest rules updates.

TDmitry · September 15, 2015, 10:50am

Should be fixed by update.

Hedloff · September 15, 2015, 12:31pm

The latest update by agent/rule that was released today?

TDmitry · September 15, 2015, 2:50pm

Yes, it should help.

Hedloff · October 18, 2015, 10:21pm

Well, we still got serious issues when customer is updating/deleting a row in phpmyadmin inside cPanel:
Request: POST /cpsess9710167270/3rdparty/phpMyAdmin/import.php
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match “(?:\b(?:c(?:d(?:\b[^a-zA-Z0-9_]{0,}?[/\]|[^a-zA-Z0-9_]{0,}?\.\.)|hmod.{0,40}?\+.{0,3}x|md(?:\b[^a-zA-Z0-9_]{0,}?/c|(?:\.exe|32)\b))|(?:echo\b[^a-zA-Z0-9_]{0,}?\by{1,}|n(?:et(?:\b[^a-zA-Z0-9_]{1,}?\blocalgroup|\.exe)|(?:c|map)\.exe)|t(?:c …” at ARGS:sql_query.

We really need this fixed!

oleg.tsygany · October 19, 2015, 6:20am

Hi

This is other rule: 211210
We can try to disable it for phpMyAdmin import only.
Please add this to you mod_security configuration (in Plugin open ‘Userdata’ - ‘Custom Rules’, or in console edit /etc/cwaf/httpd/custom_user.conf)

<LocationMatch "/3rdparty/phpMyAdmin/import.php$"> 
 SecRuleRemoveById 211210
</LocationMatch>

Regards, Oleg

Hedloff · October 20, 2015, 9:37am

Can’t you whitelist all subdomains like webmail, cpanel ?
Will you fix this on that rule in the next update?

oleg.tsygany · October 20, 2015, 9:50am

Hi

I think weakening of security have to be conscious act of certain user :P0l
I will ask rule writers if it possible to fix this rule somehow not reducing overall rules security.

Regards, Oleg

Hedloff · December 1, 2015, 12:28pm

Could they fix this?

We still have brand new customers contacting us about this issue. It’s causing us to loose customers. See screenshot:
http://imgur.com/sRWhQpi

TDmitry · December 2, 2015, 10:55am

Will be fixed in next update.

Hedloff · December 11, 2015, 12:59pm

Still not fixed!
Do you know when this will be fixed? We use the latest rules also.
Take a look:
http://imgur.com/vcm0yGX

akabakov · December 11, 2015, 4:45pm

It seems to be a real attack.
If you suppose that it’s false-positive just exclude this rule.

Hedloff · December 14, 2015, 10:42am

No it’s not real!
We are trying to edit .htaccess trough file manager inside cPanel.

As I said before your rules should not act against something done within cpanel, webmail etc subdomains.
If someone get’s access there this rule is not enough to stop a hacker.

akabakov · December 14, 2015, 4:15pm

I suppose you can use directive for some directories you need and turn ModSecurity off for them, but it works as I know for Apache only.