Lately we have gotten a storm of customers just logged into cPanel and webmail. They cannot change tables/rows in phpMyAdmin, and just reading their webmail gets them blocked by our csf/firewall because WAF rule 211000 is hitting all websites with cpanel.domain.tld and webmail.domain.tld hosts.
See webmail here:
For cPanel/phpmyadmin edit:
Could you please fix that rule asap? Or disable WAF on all subdomains for cpanel/webmail?
This is something that needs to be fixed asap.
Please get a fix for this. We have not had problems with this before so it has to be with the latest rules updates.
Well, we still have serious issues when a customer is updating/deleting a row in phpMyAdmin inside cPanel:
Request: POST /cpsess9710167270/3rdparty/phpMyAdmin/import.php
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match “(?:\b(?:c(?:d(?:\b[^a-zA-Z0-9_]{0,}?[/\]|[^a-zA-Z0-9_]{0,}?\.\.)|hmod.{0,40}?\+.{0,3}x|md(?:\b[^a-zA-Z0-9_]{0,}?/c|(?:\.exe|32)\b))|(?:echo\b[^a-zA-Z0-9_]{0,}?\by{1,}|n(?:et(?:\b[^a-zA-Z0-9_]{1,}?\blocalgroup|\.exe)|(?:c|map)\.exe)|t(?:c …” at ARGS:sql_query.
This is another rule: 211210
We can try to disable it for phpMyAdmin import only.
Please add this to your mod_security configuration (in Plugin open ‘Userdata’ - ‘Custom Rules’, or in console edit /etc/cwaf/httpd/custom_user.conf).
I think weakening of security has to be a conscious act of a certain user :P
I will ask the rule writers if it is possible to fix this rule somehow without reducing overall rule security.
No it’s not real!
We are trying to edit .htaccess through file manager inside cPanel.
As I said before your rules should not act against something done within cpanel, webmail etc subdomains.
If someone gets access there this rule is not enough to stop a hacker.
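
Added example, not part of the thread and not the rule the vendor posted: one way to scope an exclusion for rule 211210 to the phpMyAdmin import request shown in the log above, next to the host-wide disable asked for earlier. It uses standard ModSecurity 2.x directives; the rule ids 1000001 and 1000002 are constructed placeholders, and the path pattern is an assumption taken from the single logged request.

```apache
# Added example for /etc/cwaf/httpd/custom_user.conf (the custom-rules file
# named in the thread). Ids 1000001/1000002 are placeholders: use unused ids.

# --- Broad option (commented out, for comparison only) ---------------------
# Turns the rule engine off for every request whose Host header starts with
# cpanel. or webmail. No rule at all is evaluated for those hosts, and the
# Host header is chosen by the client.
#
# SecRule REQUEST_HEADERS:Host "@rx ^(?:cpanel|webmail)\." \
#     "id:1000001,phase:1,pass,nolog,t:none,t:lowercase,ctl:ruleEngine=Off"

# --- Narrow option ---------------------------------------------------------
# Keeps rule 211210 active everywhere, and only stops it from inspecting the
# sql_query argument (the variable named in the log entry) on POSTs to the
# phpMyAdmin import script inside a cPanel session path.
# Assumption: the path always has the form /cpsess<digits>/3rdparty/...,
# as in the logged request.
SecRule REQUEST_FILENAME "@rx ^/cpsess[0-9]+/3rdparty/phpMyAdmin/import\.php$" \
    "id:1000002,phase:1,pass,nolog,t:none,chain"
    # ctl sits on the last rule of the chain so it runs only when both the
    # path and the method match. Rule 211210 runs in phase 2, so a phase 1
    # exclusion is in place before it is evaluated.
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,ctl:ruleRemoveTargetById=211210;ARGS:sql_query"
```

After reloading the web server, repeating the same row edit should no longer produce the 403, while a request that puts the same pattern in any other argument or path is still matched by rule 211210.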