-
AuthorPosts
-
January 27, 2021 at 11:55 am #33276RichardGuest
We seem to have issues with our website getting blocked by a vulnerability in the post-and-page-builder. Can you please help me figure out what the issue might be, we are running PHP version 7.4.14?
Message: Access denied with code 403 (phase 1). Matched phrase “-C” at MATCHED_VAR. [file “/etc/httpd/conf/modsecurity.d/rules/comodo_free/21_PHP_PHPGen.conf”] [line “19”] [id “220030”] [rev “9”] [msg “COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)||www.example.com|F|2”] [severity “CRITICAL”] [tag “CWAF”] [tag “PHPGen”]
Apache-Error: [file “apache2_util.c”] [line 271] [level 3] [client 24.111.23.98] ModSecurity: Access denied with code 403 (phase 1). Matched phrase “-C” at MATCHED_VAR. [file “/etc/httpd/conf/modsecurity.d/rules/comodo_free/21_PHP_PHPGen.conf”] [line “19”] [id “220030”] [rev “9”] [msg “COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)||www.example.com|F|2”] [severity “CRITICAL”] [tag “CWAF”] [tag “PHPGen”] [hostname “www.example.com”] [uri “/wp-content/plugins/post-and-page-builder/vendor/boldgrid/library/src/assets/fonts/boldgrid.woff”] [unique_id “YBF1r8G9gL4idFT9WymsuwAAAMI”]
Action: Intercepted (phase 1)
Stopwatch: 1611756975175547 886 (- – -)
Stopwatch2: 1611756975175547 886; combined=436, p1=374, p2=0, p3=0, p4=0, p5=62, sr=162, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: “ENABLED”January 27, 2021 at 12:11 pm #33281Jesse OwensKeymasterHi Richard-
Thanks for reaching out, I’m sorry to hear about Comodo’s ModSec WAF rule affecting your site.
The first thing about this error log that jumps out to me is that it matched “-C” with a font (.woff) file. I checked your website’s file against the current version of that font asset and I can confirm that they’re identical, so your plugin files haven’t been modified or compromised.
Since you noted that your website is running PHP 7.4, and the vulnerability that this rule is checking only applies to PHP 5.4.2 and lower versions, my first instinct would be to disable this rule for your site.
You can do this by adding the following line to your .htaccess file:
SecRuleRemoveById 220030
Your web host might also be able to help disable that rule, since most modern web hosts don’t include PHP 5.4 in their shared hosting platforms.
January 27, 2021 at 12:25 pm #33283Jesse OwensKeymasterHi Richard-
I wanted to update you with a little more context on this error. I found the actual text of the rule on Comodo’s website, and it includes this caveat:
SecRule REQUEST_FILENAME "!@rx (?:\/themes\/default\/fonts|\/fonts\/themify\.ttf)" \
This seems to indicate that the author of the rule knew that it shouldn’t be applied to font files, but they neglected to omit .woff fonts along with .ttf fonts. We’ve reported the false positive to Comodo so they can update the rule, but that may take some time, and even then your web host would need to update their ModSec rules with the update.
That being said, since this rule only applies to very old versions of PHP, my recommendation would still be to disable that rule for your website.
- This reply was modified 3 years, 10 months ago by Jesse Owens. Reason: Noted that we reported false positive to Comodo
-
AuthorPosts
- The topic ‘Issues with comodo WAF ModSec rule 220030’ is closed to new replies.