WAF Comodo 3 and ModSecurity: Warning `userdata_wl_content_type'

  • Thread starter Thread starter Deleted member 225812
  • Start date Start date
D

Deleted member 225812

Guest
with activated WAF by COMODO 3.0 i have this warnings

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `userdata_wl_content_type' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/usr/local/lsws/conf/modsec/comodo/09_HTTP_HTTP.conf"] [line "16"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mysite.com|F|2"] [data "REQUEST_METHOD=POST"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.mysite.com"] [uri "/threads/\myurlhere/draft"] [unique_id "160526124213.806973"] [ref "v0,4o0,33o0,33v306,48"]

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `userdata_wl_content_type' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/usr/local/lsws/conf/modsec/comodo/09_HTTP_HTTP.conf"] [line "16"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mysite.com|F|2"] [data "REQUEST_METHOD=POST"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.mysite.com"] [uri "/threads/\myurlhere/draft"] [unique_id "160526124213.806973"] [ref "v0,4o0,33o0,33v306,48"]

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `userdata_wl_content_type' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/usr/local/lsws/conf/modsec/comodo/09_HTTP_HTTP.conf"] [line "16"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mysite.com|F|2"] [data "REQUEST_METHOD=POST"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "HTTP"] [hostname "www.mysite.com"] [uri "/threads/\myurlhere/draft"] [unique_id "160526124213.806973"] [ref "v0,4o0,33o0,33v306,48"]

should i ignore their or how I can fix it? (ubuntu 20+openlitespeed+php 7.4.11) XF2.2

I found that when this rule (WAF by comodo) is activated, I have error on forum : oopps something wrong... when users trying insert some smiles
 
All rules like this are heuristic based and thus you have to be prepared for false positives. This means you may need to disable specific URLs in different scenarios.

Alternatively, rules may need configuration. This is implied by the error message shown:
Request content type is not allowed by policy. Please update file userdata_wl_content_type.
Doing a bit of Googling does show a couple other references to this that weren't resolved and I think it led to people submitting tickets to Litespeed.
 
All rules like this are heuristic based and thus you have to be prepared for false positives. This means you may need to disable specific URLs in different scenarios.

Alternatively, rules may need configuration. This is implied by the error message shown:

Doing a bit of Googling does show a couple other references to this that weren't resolved and I think it led to people submitting tickets to Litespeed.
thank you for your attention, I sent request to LiteSpeed server support.

I found more warnings, just want to know if I also should send this to LiteSpeed support?

ModSecurity: Warning. Matched "Operator Rx' with parameter (asfunction|data|javascript|livescript|mocha|vbscript):' against variable ARGS:message_html' (Value: <p>\post-name-here (969 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/comodo/06_XSS_XSS.conf"] [line "358"] [id "212770"] [rev "5"] [msg "COMODO WAF: XSS Attack Detected||www.misite.here|F|2"] [data "Matched Data: myiphere found within REQUEST_FILENAME: /threads/\url-here/draft"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.misite.here"] [uri "/threads/\url-here/draft"] [unique_id "16052727245.325337"] [ref "v5,166o82,5o82,4v1304,451t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Rx' with parameter (asfunction|data|javascript|livescript|mocha|vbscript):' against variable ARGS:message_html' (Value: <p>\post-name-here (969 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/comodo/06_XSS_XSS.conf"] [line "358"] [id "212770"] [rev "5"] [msg "COMODO WAF: XSS Attack Detected||www.mysite.here |F|2"] [data "Matched Data: myip-here found within REQUEST_FILENAME: /threads/\url-here/draft"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "XSS"] [hostname "www.mysite.here"] [uri "/threads/\url-here/draft"] [unique_id "16052727245.325337"] [ref "v5,166o82,5o82,4v1304,451t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace"]

this warning also appears when trying insert some smiles (no addons or any custom smiles) and with error to end user : oops we have error and no ability to public post, only after smile removed.
 
No, these are what I was referring to as being heuristic-based and thus you may get false positives. The editor submits HTML to the server which we then parse and convert to BB code. These rules are picking that up (incorrectly given that they are expected inputs).
 
No, these are what I was referring to as being heuristic-based and thus you may get false positives. The editor submits HTML to the server which we then parse and convert to BB code. These rules are picking that up (incorrectly given that they are expected inputs).
Should I just disable this rule (comodo/06_XSS_XSS.conf) for xenforo? or is it better to disable the ability to use smilies due to secure reasons?
 
Yes, you would need to disable this rule or adjust it so it didn't hit a false positive. There is nothing insecure about what is being sent to XF.

Rulesets like these don't know anything about the underlying application, so they will have a tendency to catch all sorts of things incorrectly, so you may find that you need to tune this over time.
 
Top Bottom