WAF Comodo 3 and ModSecurity: Warning `userdata_wl_content_type'

Z

zonzon

Guest
#1
with activated WAF by COMODO 3.0 i have these warnings (activated via cyberpanel not in openLS directly)

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `userdata_wl_content_type' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/usr/local/lsws/conf/modsec/comodo/09_HTTP_HTTP.conf"] [line "16"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mysite.com|F|2"] [data "REQUEST_METHOD=POST"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/threads/\myurlhere/draft"] [unique_id "160526124213.806973"] [ref "v0,4o0,33o0,33v306,48"]



how i can fix it?

Thanks!
 

gilles

Active Member
#5
That's odd because the rule is not supposed to trigger for POST requests and the report says: REQUEST_METHOD=POST

Here is the rule:
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
"id:210710,chain,msg:'COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||%{tx.domain}|%{tx.mode}|2',phase:1,pass,logdata:'%{matched_var_name}=%{matched_var}',t:none,rev:5,severity:2,tag:'CWAF',tag:'HTTP'"
 

gilles

Active Member
#7
That's odd because the rule is not supposed to trigger for POST requests and the report says: REQUEST_METHOD=POST

Here is the rule:
Oh I have it reversed. The POST request method is not allowed, that's why it triggered.
You may have to disable the rule for this website.
 
Last edited:

gilles

Active Member
#8
What the rule is telling you is, if you need it, add the format to this file: /usr/local/lsws/conf/modsec/comodo/userdata_wl_content_type

Mine looks like this:
# Put your Content-Type whitelist here
application/x-www-form-urlencoded
multipart/form-data
text/xml
application/xml
application/x-amf
application/json
application/octet-stream
multipart/mixed
As I have application/x-www-form-urlencoded listed, I don't think the rule would trigger in my case.
 
Top