COMODO WAF Rule Blocking Access
Starting at 3:30am EST (right after upcp / updates), a bunch of my customers can't log in to their PHP CMSs (WordPress and others).
So I checked the error logs and saw a lot of this for each user who was getting 403'd at their admin areas:
[:error] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:pwd. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "122"] [id "217250"] [rev "2"] [msg "COMODO WAF: Multiple URL Encoding Detected||example.com|F|4"] [data "ARGS:pwd=W04KsIGrA*6olA%u6Ku"] [severity "WARNING"] [hostname "example.com"] [uri "/wp-login.php"]
Then I thought "Well, at least I can use ConfigServer CMC to globally disable / whitelist rule ID 217250"
But... NOPE!
The ONLY thing that works is going into ConfigServer CMC and then going to each individual user's account ModSec whitelist, and disabling 217250 for each account one by one.
ALSO starting at 3:30am EST right after upcp / updates, this started and has been non-stop:
[:error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "113"] [id "217220"] [rev "1"] [msg "COMODO WAF: Request Missing a Host Header|||F|4"] [data "REQUEST_HEADERS=0"] [severity "WARNING"] [hostname "server.example.net"] [uri "/whm-server-status"]
Also tried stopping this by disabling / whitelisting rule ID 217220 in ConfigServer Modsec Control globally, but no luck.
Hoping to find a common factor with others that leads to a fix.
CloudLinux 6.8 / Apache 2.4.25 / EA3 / cPanel 11.62.0.20
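To show why a legitimate password trips rule 217250, here is an added Python example (not from the original post, and not Comodo's or cPanel's code): it reproduces the regex from the 403 log line above, simulates the browser form-encoding the password and ModSecurity decoding ARGS once, then evaluates the pattern on the decoded value. The `log=admin` field, the sample passwords other than the one from the log, and the function names are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, quote

# Pattern printed in the 217250 log line, with the doubled backslashes undone.
# Note the first alternative: "%" followed by any word character already matches,
# so the rule does not require a complete %XX or %uXXXX sequence.
MULTI_ENCODING_RE = re.compile(r"%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")


def rule_217250_matches(decoded_value: str) -> bool:
    """True when the rule's pattern hits an argument value as ModSecurity sees it
    (ARGS are populated from the body URL-decoded once, before phase 2 rules run)."""
    return MULTI_ENCODING_RE.search(decoded_value) is not None


def evaluate_wire_body(body: str) -> dict:
    """Take the raw application/x-www-form-urlencoded body as sent on the wire,
    decode it once the way ARGS are built, and evaluate the rule on ARGS:pwd."""
    args = parse_qs(body, keep_blank_values=True)
    decoded_pwd = args.get("pwd", [""])[0]
    return {"wire": body, "decoded": decoded_pwd,
            "blocked": rule_217250_matches(decoded_pwd)}


def simulate_login_post(password: str) -> dict:
    """Simulate a browser submitting wp-login.php with a literal password:
    the browser percent-encodes it, so a literal '%' leaves the browser as '%25'."""
    body = "log=admin&pwd=" + quote(password, safe="")  # constructed form body
    return evaluate_wire_body(body)


if __name__ == "__main__":
    # Constructed samples; the first is the ARGS:pwd value from the log line.
    for pwd in ["W04KsIGrA*6olA%u6Ku", "correct horse battery", "50% off", "100%"]:
        r = simulate_login_post(pwd)
        print(f"{pwd!r:24} decoded={r['decoded']!r:24} blocked={r['blocked']}")
    # A genuinely double-encoded value, which is what the rule is meant to catch:
    # one decode leaves '%2e%2e', which still looks URL-encoded.
    r = evaluate_wire_body("log=admin&pwd=%252e%252e")
    print(f"double-encoded decoded={r['decoded']!r} blocked={r['blocked']}")
```

Rather than disabling the whole rule, ModSecurity's `SecRuleUpdateTargetById 217250 "!ARGS:pwd"` excludes only the password field from it; that directive has to be loaded after the vendor rule it modifies.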
-
Hello @Metro2, I've moved this post to its own thread as the thread you replied to related to GET requests to /whm-server-status. You can report Comodo WAF false positives to Comodo via their thread at: False-Positive report thread - Free Modsecurity rules - Comodo Web Application Firewall | Page 10 Also, see this post on their forums regarding rules cache: False-Positive report thread - Free Modsecurity rules - Comodo Web Application Firewall | Page 11 Thank you.
Thanks for letting me know cPanelMichael. Though it seems more than a coincidence that this issue just started the same time as the issue posted by users in that other thread. Haven't seen anything quite like this in years. I don't have a /cwaf/ folder as mentioned in the second link you provided, so unsure where the rules cache file is, or I'd delete it.
RELATED: Starting at 3:30am EST (right after upcp / updates) this also started and has been non-stop in the apache error log: [:error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "113"] [id "217220"] [rev "1"] [msg "COMODO WAF: Request Missing a Host Header|||F|4"] [data "REQUEST_HEADERS=0"] [severity "WARNING"] [hostname "server.example.net"] [uri "/whm-server-status"]
> Thanks for letting me know cPanelMichael. Though it seems more than a coincidence that this issue just started the same time as the issue posted by users in that other thread. Haven't seen anything quite like this in years.
Since the issue stems from a rules update in the Comodo WAF plugin, it's likely that different rules resulted in separate issues. The issue reported on the other thread is something cPanel can offer some help with, however the rule in this thread relates to WordPress so it's something you'd want to report to the vendor that added the rules.
> RELATED: Starting at 3:30am EST (right after upcp / updates) this also started and has been non-stop in the apache error log: [:error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "113"] [id "217220"] [rev "1"] [msg "COMODO WAF: Request Missing a Host Header|||F|4"] [data "REQUEST_HEADERS=0"] [severity "WARNING"] [hostname "server.example.net"] [uri "/whm-server-status"]
This particular hit is related to the issue reported on the other thread: 217220 COMODO WAF: Request Missing a Host Header. Thank you.
Thank you. The 217250 rule issue is affecting other scripts too, not just WordPress. What is really troubling is that disabling 217250 globally in ConfigServer Modsec Control doesn't work (but disabling it per user account works, so manually going through user accounts now). I did send a note to ConfigServer this morning but it looks like I might not hear back until Monday.