Wish you do not deny all sites with "Warning:" by default


i am using Comodo ModSecurity rules and my site got 403 forbidden error because the PHP script demand function that was disabled for security reasons. This rule was triggered:

SecRule RESPONSE_BODY "Warning.{0,100}?:.{0,1000}?\bon line\b" \ "id:1,msg:'COMODO WAF: PHP Information Leakage||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:1,severity:3,tag:'CWAF',tag:'FilterPHP'"

log entry:

[Wed Sep 06 14:02:02 2017] [error] [client *.*.*.*] ModSecurity: Access denied with code 403 (phase 4). Pattern match "Warning.{0,100}?:.{0,1000}?\\\\bon line\\\\b" at RESPONSE_BODY. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/17_Outgoing_FilterPHP.conf"] [line "14"] [id "214420"] [rev "1"] [msg "COMODO WAF: PHP Information Leakage||*.*.info|F|3"] [data "Matched Data: Warning: curl_exec() has been disabled for security reasons in /home/*/public_html/_sub/*.info/wp-content/plugins/samsarin-php-widget/samsarin-php-widget.php(97) : eval()'d code on line found within RESPONSE_BODY: \\xef\\xbb\\xbf\\x0d\\x0a\\x0d\\x0a\\x0d\\..."] [severity "ERROR"] [tag "CWAF"] [tag "FilterPHP"] [hostname "*.*.info"] [uri "/index.php"] [unique_id "Wa--2ZteQx0AAB5H28AAAAAX"] [Wed Sep 06 14:02:02 2017] [error] [client] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/22_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|*.*.info|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "*.*.info"] [uri "/index.php"] [unique_id "Wa--2ZteQx0AAB5H28AAAAAX"]

I do not think this ModSecurity rule should be enabled by default as i think many newbie website admins want to discover errors on their sites and being 403 forbidden seems confusing. I do not think it is such a big security issue when potential hacker knows the site has certain function disabled and knows the full path to the script.

Or maybe if there is a custom error shown by default, like “Your script requested function that is disabled for security reasons. Please check error_log file.”

Rule is correct. This issue belongs to OWASP Top 10 vulnerabilities, what it can cause you can find at https://www.owasp.org/index.php/Top_10_2017-A5-Security_Misconfiguration . Users install WAF in order to minimize risks. We do as much as possible from our side, weakening of protection it’s a personal deal of users. If you think that particular rule should be disabled you can do that for your website.