The Community Forums

COMODO WAF Rule Blocking Access

Discussion in 'Security' started by Metro2, Apr 7, 2017.

  1. Metro2

    Metro2 Well-Known Member

    Starting at 3:30am EST (right after upcp / updates), a bunch of my customers can't log in to their PHP CMSs (WordPress and others).

    So I checked the error logs and saw a lot of this for each user who was getting 403'd at their admin areas:

    [:error] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:pwd. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "122"] [id "217250"] [rev "2"] [msg "COMODO WAF: Multiple URL Encoding Detected||example.com|F|4"] [data "ARGS:pwd=W04KsIGrA*6olA%u6Ku"] [severity "WARNING"] [hostname "example.com"] [uri "/wp-login.php"]

    Then I thought "Well, at least I can use ConfigServer CMC to globally disable / whitelist rule ID 217250"

    But... NOPE!

    The ONLY thing that works is going into ConfigServer CMC and then going to each individual user's account ModSec whitelist, and disabling 217250 for each account one by one.

    ALSO starting at 3:30am EST right after upcp / updates, this started and has been non-stop:

    [:error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "113"] [id "217220"] [rev "1"] [msg "COMODO WAF: Request Missing a Host Header|||F|4"] [data "REQUEST_HEADERS=0"] [severity "WARNING"] [hostname "server.example.net"] [uri "/whm-server-status"]

    Also tried stopping this by disabling / whitelisting rule ID 217220 in ConfigServer Modsec Control globally, but no luck.

    Hoping to find a common factor with others that leads to a fix.
    CloudLinux 6.8 / Apache 2.4.25 / EA3 / cPanel 11.62.0.20
     
    #1 Metro2, Apr 7, 2017
    Last edited: Apr 7, 2017
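    As an added example (not code from the thread, from cPanel or from the Comodo rule set), a small Python triage helper for a 217250 hit like the one above: it parses the bracketed fields of the ModSecurity error-log line, re-applies the logged operator pattern to the decoded `pwd` value, and shows why a password containing a literal `%` followed by a letter or digit trips "Multiple URL Encoding Detected". It assumes, as ModSecurity does for the ARGS collection, that the rule inspects the value after one round of URL decoding; the sample line is reconstructed from the post.

    ```python
    import re
    from urllib.parse import quote

    # Constructed sample modelled on the error-log line quoted in the post; host, URI
    # and password value are the post's own (already redacted) examples.
    SAMPLE_LINE = (
        r'[:error] ModSecurity: Access denied with code 403 (phase 2). '
        r'Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:pwd. '
        r'[file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] '
        r'[line "122"] [id "217250"] [rev "2"] '
        r'[msg "COMODO WAF: Multiple URL Encoding Detected||example.com|F|4"] '
        r'[data "ARGS:pwd=W04KsIGrA*6olA%u6Ku"] [severity "WARNING"] '
        r'[hostname "example.com"] [uri "/wp-login.php"]'
    )

    # The operator pattern from the log line with its logging escapes removed: a '%'
    # followed by a word character (zero-width lookahead), two hex digits, or 'u' plus
    # four hex digits. Hex digits and 'u' are word characters themselves, so the first
    # alternative already fires on any literal '%' that precedes a letter or digit.
    MULTI_ENCODING_RE = re.compile(r"%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

    # Bracketed [key "value"] fields; the leading [:error] tag has no quoted value.
    FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


    def parse_modsec_line(line):
        """Return the [key "value"] fields of a ModSecurity error-log entry as a dict."""
        return dict(FIELD_RE.findall(line))


    def flags_multiple_encoding(decoded_value):
        """True if the 217250 pattern fires on an argument value ModSecurity has already decoded."""
        return MULTI_ENCODING_RE.search(decoded_value) is not None


    def triage(line):
        """Explain a 217250 hit: which argument, what the browser actually sent, what tripped it."""
        fields = parse_modsec_line(line)
        target, _, decoded = fields["data"].partition("=")
        # ARGS are decoded once before phase-2 rules run, so the rule sees the literal
        # password; the browser sent it single-encoded, with '%' as '%25'.
        wire_value = quote(decoded, safe="*")
        match = MULTI_ENCODING_RE.search(decoded)
        return {
            "rule_id": fields["id"],
            "uri": fields["uri"],
            "target": target,
            "decoded_value": decoded,
            "wire_value": wire_value,
            # '%' plus the character that satisfied the lookahead, e.g. '%u' from '%u6Ku'.
            "trigger": decoded[match.start():match.start() + 2] if match else None,
        }
    ```

    Run over a batch of 403 lines, `triage` separates hits where the only "encoding" is a literal `%` in a user's password from ones where the decoded value really still contains `%XX` sequences.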
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. Metro2

    Metro2 Well-Known Member

    Thanks for letting me know cPanelMichael. Though it seems more than a coincidence that this issue just started at the same time as the issue posted by users in that other thread. Haven't seen anything quite like this in years.

    I don't have a /cwaf/ folder as mentioned in the second link you provided, so I'm unsure where the rules cache file is, or I'd delete it.
     
  4. Metro2

    Metro2 Well-Known Member

    RELATED:

    Starting at 3:30am EST (right after upcp / updates) this also started and has been non-stop in the apache error log:

    [:error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "113"] [id "217220"] [rev "1"] [msg "COMODO WAF: Request Missing a Host Header|||F|4"] [data "REQUEST_HEADERS=0"] [severity "WARNING"] [hostname "server.example.net"] [uri "/whm-server-status"]
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Since the issue stems from a rules update in the Comodo WAF plugin, it's likely that different rules resulted in separate issues. The issue reported on the other thread is something cPanel can offer some help with, however the rule in this thread relates to WordPress so it's something you'd want to report to the vendor that added the rules.

    This particular hit is related to the issue reported on the other thread:

    217220 COMODO WAF: Request Missing a Host Header

    Thank you.
     
  6. Metro2

    Metro2 Well-Known Member

    Thank you.

    The 217250 rule issue is affecting other scripts too, not just WordPress.

    What is really troubling is that disabling 217250 globally in ConfigServer Modsec Control doesn't work (but disabling it per user account works, so manually going through user accounts now). I did send a note to ConfigServer this morning but it looks like I might not hear back until Monday.
     