Starting at 3:30am EST (right after upcp / updates), a bunch of my customers can't log in to their PHP CMSs (WordPress and others).
So I checked the error logs and saw a lot of this for each user who was getting 403'd at their admin areas:
[:error] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:pwd. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "122"] [id "217250"] [rev "2"] [msg "COMODO WAF: Multiple URL Encoding Detected||example.com|F|4"] [data "ARGS:pwd=W04KsIGrA*6olA%u6Ku"] [severity "WARNING"] [hostname "example.com"] [uri "/wp-login.php"]
Then I thought "Well, at least I can use ConfigServer CMC to globally disable / whitelist rule ID 217250"
But... NOPE!
The ONLY thing that works is going into ConfigServer CMC and then going to each individual user's account ModSec whitelist, and disabling 217250 for each account one by one.
ALSO starting at 3:30am EST right after upcp / updates, this started and has been non-stop:
[:error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "113"] [id "217220"] [rev "1"] [msg "COMODO WAF: Request Missing a Host Header|||F|4"] [data "REQUEST_HEADERS=0"] [severity "WARNING"] [hostname "server.example.net"] [uri "/whm-server-status"]
Also tried stopping this by disabling / whitelisting rule ID 217220 in ConfigServer Modsec Control globally, but no luck.
Hoping to find a common factor with others that leads to a fix.
CloudLinux 6.8 / Apache 2.4.25 / EA3 / cPanel 11.62.0.20
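The following is an added example, not code from the post or from the Comodo rule set. It parses the bracketed fields of a ModSecurity error-log line like the 403 above, pulls the offending argument out of the `[data "..."]` field, and applies the pattern quoted in the log for rule 217250 (with the log's doubled backslashes collapsed back to PCRE form) to show which branch of the alternation fired. One assumption is made: the pattern is applied to the value exactly as the log prints it in `[data]`; ModSecurity runs the rule's own transformations first, and those are not visible in the line. The sample line is a copy of the post's 403 line embedded inline so the script runs offline.

```python
import re

# Pattern from the logged rule 217250, with the log's doubled backslashes
# collapsed back to PCRE form (in PCRE "\%" is just a literal '%').
# Branches, in order: a '%' followed by a word character (the empty branch
# with a negative lookahead), a %XX hex pair, or a %uXXXX escape.
MULTIPLE_URL_ENCODING = re.compile(r"%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# Bracketed fields of a ModSecurity 2.x error line: [key "value"]
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Sample input: the 403 line from the post, embedded here so the example
# runs without a server.
SAMPLE_LINE = (
    '[:error] ModSecurity: Access denied with code 403 (phase 2). '
    r'Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:pwd. '
    '[file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] '
    '[line "122"] [id "217250"] [rev "2"] '
    '[msg "COMODO WAF: Multiple URL Encoding Detected||example.com|F|4"] '
    '[data "ARGS:pwd=W04KsIGrA*6olA%u6Ku"] [severity "WARNING"] '
    '[hostname "example.com"] [uri "/wp-login.php"]'
)


def parse_modsec_fields(line):
    """Collect the [key "value"] fields of one ModSecurity log line into a dict."""
    return {key: value for key, value in _FIELD.findall(line)}


def explain_match(value):
    """Return (matched, reason) for a value tested against rule 217250's pattern.

    Which branch fires tells you whether the hit looks like real double
    encoding or just a literal '%' inside a password or other free text.
    """
    match = MULTIPLE_URL_ENCODING.search(value)
    if not match:
        return False, "no '%' followed by a word character, hex pair or %uXXXX"
    after = value[match.start() + 1:]
    if re.match(r"u[0-9a-fA-F]{4}", after):
        return True, "%uXXXX unicode-style escape"
    if re.match(r"[0-9a-fA-F]{2}", after):
        return True, "%XX hex escape (looks like a second layer of URL encoding)"
    return True, "bare '%' followed by a word character (likely a literal '%' in the value)"


def triage(line):
    """Parse a log line and, for rule 217250 hits, explain what the pattern saw.

    Returns None for lines raised by other rule ids.
    """
    fields = parse_modsec_fields(line)
    if fields.get("id") != "217250":
        return None
    # [data] holds "<VARIABLE>=<value>", e.g. "ARGS:pwd=W04KsIGrA*6olA%u6Ku"
    arg_name, _, arg_value = fields.get("data", "").partition("=")
    matched, reason = explain_match(arg_value)
    return {
        "arg": arg_name,
        "uri": fields.get("uri"),
        "matched": matched,
        "reason": reason,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LINE))
    # Constructed sample passwords showing which inputs trip the rule.
    for pwd in ("W04KsIGrA*6olA%u6Ku", "100%", "50%off", "a%2Fb", "%u0041", "correct-horse"):
        print(repr(pwd), explain_match(pwd))
```

The point the output makes: the password in the log is caught by the first branch (a `%` followed by the letter `u`, with no valid hex after it), not by an actual `%uXXXX` or `%XX` escape, so anyone whose password contains a `%` followed by a letter or digit will be blocked by this rule on a login form. Running `triage` over a batch of error-log lines separates those false positives from hits where a real second encoding layer is present.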