WAF Comodo 3 and ModSecurity: Warning `userdata_wl_content_type'

[Deleted member 225812]

with activated WAF by COMODO 3.0 i have this warnings

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `userdata_wl_content_type' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/usr/local/lsws/conf/modsec/comodo/09_HTTP_HTTP.conf"] [line "16"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mysite.com|F|2"] [data "REQUEST_METHOD=POST"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.mysite.com"] [uri "/threads/\myurlhere/draft"] [unique_id "160526124213.806973"] [ref "v0,4o0,33o0,33v306,48"]

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `userdata_wl_content_type' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/usr/local/lsws/conf/modsec/comodo/09_HTTP_HTTP.conf"] [line "16"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mysite.com|F|2"] [data "REQUEST_METHOD=POST"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.mysite.com"] [uri "/threads/\myurlhere/draft"] [unique_id "160526124213.806973"] [ref "v0,4o0,33o0,33v306,48"]

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `userdata_wl_content_type' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/usr/local/lsws/conf/modsec/comodo/09_HTTP_HTTP.conf"] [line "16"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mysite.com|F|2"] [data "REQUEST_METHOD=POST"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "HTTP"] [hostname "www.mysite.com"] [uri "/threads/\myurlhere/draft"] [unique_id "160526124213.806973"] [ref "v0,4o0,33o0,33v306,48"]

should i ignore their or how I can fix it? (ubuntu 20+openlitespeed+php 7.4.11) XF2.2

I found that when this rule (WAF by comodo) is activated, I have error on forum : oopps something wrong... when users trying insert some smiles

 

[Mike]

All rules like this are heuristic based and thus you have to be prepared for false positives. This means you may need to disable specific URLs in different scenarios.

Alternatively, rules may need configuration. This is implied by the error message shown:

Request content type is not allowed by policy. Please update file userdata_wl_content_type.

Doing a bit of Googling does show a couple other references to this that weren't resolved and I think it led to people submitting tickets to Litespeed.

 

[Deleted member 225812]

All rules like this are heuristic based and thus you have to be prepared for false positives. This means you may need to disable specific URLs in different scenarios.

Alternatively, rules may need configuration. This is implied by the error message shown:

Doing a bit of Googling does show a couple other references to this that weren't resolved and I think it led to people submitting tickets to Litespeed.

thank you for your attention, I sent request to LiteSpeed server support.

I found more warnings, just want to know if I also should send this to LiteSpeed support?

ModSecurity: Warning. Matched "Operator Rx' with parameter (asfunction|data|javascript|livescript|mocha|vbscript):' against variable ARGS:message_html' (Value: <p>\post-name-here (969 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/comodo/06_XSS_XSS.conf"] [line "358"] [id "212770"] [rev "5"] [msg "COMODO WAF: XSS Attack Detected||www.misite.here|F|2"] [data "Matched Data: myiphere found within REQUEST_FILENAME: /threads/\url-here/draft"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.misite.here"] [uri "/threads/\url-here/draft"] [unique_id "16052727245.325337"] [ref "v5,166o82,5o82,4v1304,451t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Rx' with parameter (asfunction|data|javascript|livescript|mocha|vbscript):' against variable ARGS:message_html' (Value: <p>\post-name-here (969 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/comodo/06_XSS_XSS.conf"] [line "358"] [id "212770"] [rev "5"] [msg "COMODO WAF: XSS Attack Detected||www.mysite.here |F|2"] [data "Matched Data: myip-here found within REQUEST_FILENAME: /threads/\url-here/draft"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "XSS"] [hostname "www.mysite.here"] [uri "/threads/\url-here/draft"] [unique_id "16052727245.325337"] [ref "v5,166o82,5o82,4v1304,451t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace"]

this warning also appears when trying insert some smiles (no addons or any custom smiles) and with error to end user : oops we have error and no ability to public post, only after smile removed.

 

[Mike]

No, these are what I was referring to as being heuristic-based and thus you may get false positives. The editor submits HTML to the server which we then parse and convert to BB code. These rules are picking that up (incorrectly given that they are expected inputs).

 

[Deleted member 225812]

No, these are what I was referring to as being heuristic-based and thus you may get false positives. The editor submits HTML to the server which we then parse and convert to BB code. These rules are picking that up (incorrectly given that they are expected inputs).

Should I just disable this rule (comodo/06_XSS_XSS.conf) for xenforo? or is it better to disable the ability to use smilies due to secure reasons?

 

[Mike]

Yes, you would need to disable this rule or adjust it so it didn't hit a false positive. There is nothing insecure about what is being sent to XF.

Rulesets like these don't know anything about the underlying application, so they will have a tendency to catch all sorts of things incorrectly, so you may find that you need to tune this over time.

 

[Deleted member 225812]

adjust it so it didn't hit a false positive

Would be very happy if someone could help me with this

I assume that I need to configure the comodo files, but what exactly...