cPanel Comodo WAF Rule 214540 (In Progress)
  • Priority - Critical
  • Affecting System - Entire Cluster
  • We discovered an issue affecting users who deployed Google Tag Manager with the following snippet, which loads the GTM noscript iframe over a protocol-relative URL (src="//www.googletagmanager.com/..."):

    > <!-- Google Tag Manager -->
    > <noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-XXXXXX"
    > height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    >
    > <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
    > new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
    > j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
    > '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
    > })(window,document,'script','dataLayer','GTM-XXXXXX');</script>
    > <!-- End Google Tag Manager -->


    This triggers Comodo WAF ModSecurity rule 214540, defined in

    /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/21_Outgoing_FilterInFrame.conf

    > SecRule RESPONSE_BODY "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\x22']{0,1}[^a-zA-Z0-9_]{0,}?\bdisplay\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\bnone\b" \
    >     "id:214540,chain,msg:'COMODO WAF: Possibly malicious iframe tag in output||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:replaceComments,rev:5,severity:3,tag:'CWAF',tag:'FilterInFrame'"
    > SecRule &REQUEST_COOKIES:sugar_user_theme "@eq 0" \
    >     "chain,t:none"
    > SecRule TX:0 "!@rx \ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url=" \
    >     "t:none,t:urlDecodeUni"

    The rule is a chain of three links, all of which must match before the response is blocked. The first link scans the response body (phase 4) for any iframe tag whose style attribute contains display:none and captures the matched tag as TX:0. The second link requires that the request carried no sugar_user_theme cookie. The third link blocks unless the captured tag's src is exactly src="https://www.googletagmanager.com/ns.html?id=GTM... or the SoundCloud player URL. Because that exception is written with a literal https:// inside a double-quoted attribute, the protocol-relative src="//www.googletagmanager.com/..." in the snippet above never matches it, and the page is served a 403.


    The blocked response then appears in the Apache error log as follows (client address and hostname masked):

    > [Wed May 09 10:19:29.618567 2018] [:error] [pid 536577:tid 139855023412992] [client 173.X.X.X:50282] [client 173.X.X.X] ModSecurity: Access denied with code 403 (phase 4). Match of "rx \\\\ssrc=\\\\x22https:\\\\/\\\\/www\\\\.googletagmanager\\\\.com\\\\/ns\\\\.html\\\\?id=GTM|\\\\ssrc=\\\\x22https:\\\\/\\\\/w\\\\.soundcloud\\\\.com\\\\/player\\\\/\\\\?url=" against "TX:0" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/21_Outgoing_FilterInFrame.conf"] [line "14"] [id "214540"] [rev "5"] [msg "COMODO WAF: Possibly malicious iframe tag in output||www.XX.com|F|3"] [data "Matched Data: <iframe src=\\x22//www.googletagmanager.com/ns.html?id=GTM-XXXXXX\\x22\\x0aheight=\\x220\\x22 width=\\x220\\x22 style=\\x22display:none found within TX:0: <iframe src=\\x22//www.googletagmanager.com/ns.html?id=GTM-XXXXXX\\x22\\x0aheight=\\x220\\x22 width=\\x220\\x22 style=\\x22display:none"] [severity "ERROR"] [tag "CWAF"] [tag "FilterInFrame"] [hostname "www.XX.com"] [uri "/en/fr/experts/clinic/403.shtml/"] [unique_id "WvMDcZoDJW7ZSWGe@Ei9hQAAAIE"], referer: http://www.google.ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0ahUKEwjg-qGO6fjaAhWOl-AKHXaIBcMQFghwMAI&url=http%3A%2F%2Fwww.XX.com%2Ffr%2Fexperts%2Fclinic%2Fst-bruno%2F&usg=AOvVaw2pNPWXqcIe4bE6SHIn9AlG


    Google's current snippet, by contrast, is written with an explicit https:// scheme:

    > <!-- Google Tag Manager (noscript) -->
    > <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXX"
    > height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    > <!-- End Google Tag Manager (noscript) -->

    As you can see, they specify https://, which is the only form the exception in the third link of rule 214540 accepts. Sites still carrying the older protocol-relative snippet are therefore blocked, while sites on the current snippet are not.
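    To show concretely why the protocol-relative snippet is blocked while the current https:// snippet passes, the following is an added example, not part of this status post and not Comodo's code, that re-implements the three links of rule 214540 in Python and runs them over constructed response bodies. The two regular expressions are copied from the rule as shown above; the ModSecurity transformations t:replaceComments and t:urlDecodeUni are approximated (noted in the comments), and every sample body, cookie value and host name is constructed for the demonstration.

```python
"""Added example: simulate the three chained links of Comodo WAF rule 214540.

The two regular expressions are copied from 21_Outgoing_FilterInFrame.conf;
the ModSecurity transformations are approximated (see comments) and every
sample response body below is constructed for this demonstration.
"""
import re
from urllib.parse import unquote

# Link 1 (phase 4, RESPONSE_BODY, capture): any <iframe ... style="display:none">.
IFRAME_DISPLAY_NONE = re.compile(
    r"<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?"
    r"[\x22']{0,1}[^a-zA-Z0-9_]{0,}?\bdisplay\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\bnone\b"
)

# Link 3 (negated, applied to TX:0): the only two sources the rule exempts.
# Note the literal https:// and the double quote (\x22) in front of the URL.
EXEMPT_SRC = re.compile(
    r"\ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM"
    r"|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url="
)


def replace_comments(text):
    """Approximation of t:replaceComments: each C-style comment becomes one space."""
    return re.sub(r"/\*.*?\*/", " ", text, flags=re.S)


def evaluate_214540(response_body, request_cookies=None):
    """Return (blocked, tx0) for one response.

    blocked is True only when all three links match: a hidden iframe is found,
    no sugar_user_theme cookie was sent, and the captured tag's src is not one
    of the two exempted URLs.
    """
    request_cookies = request_cookies or {}

    # Link 1: @rx with capture. Like ModSecurity, only the first match is kept.
    match = IFRAME_DISPLAY_NONE.search(replace_comments(response_body))
    if not match:
        return False, None
    tx0 = match.group(0)

    # Link 2: &REQUEST_COOKIES:sugar_user_theme "@eq 0" -> the cookie must be absent.
    if "sugar_user_theme" in request_cookies:
        return False, tx0

    # Link 3: !@rx EXEMPT_SRC on TX:0 after t:urlDecodeUni (approximated by unquote).
    if EXEMPT_SRC.search(unquote(tx0)):
        return False, tx0
    return True, tx0


# Constructed sample response bodies (not captured from a real site).
OLD_GTM_SNIPPET = (
    '<noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-XXXXXX"\n'
    'height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>'
)
CURRENT_GTM_SNIPPET = (
    '<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXX"\n'
    'height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>'
)
# A hidden iframe to an arbitrary (hypothetical) host: what the rule is meant to catch.
HIDDEN_IFRAME = '<iframe src="http://example.invalid/x.html" style="display:none"></iframe>'
# A visible iframe never reaches link 3, because link 1 does not match it.
VISIBLE_IFRAME = '<iframe src="//www.googletagmanager.com/ns.html?id=GTM-XXXXXX" width="300"></iframe>'


def run_samples():
    """Evaluate every constructed sample and return {name: blocked}."""
    samples = {
        "old protocol-relative GTM snippet": OLD_GTM_SNIPPET,
        "current https GTM snippet": CURRENT_GTM_SNIPPET,
        "hidden iframe to arbitrary host": HIDDEN_IFRAME,
        "visible iframe": VISIBLE_IFRAME,
    }
    return {name: evaluate_214540(body)[0] for name, body in samples.items()}


if __name__ == "__main__":
    for name, blocked in run_samples().items():
        print(f"{'BLOCK' if blocked else 'pass '}  {name}")
```

    Running it shows the old snippet and the arbitrary hidden iframe blocked, the current https snippet and the visible iframe passed, and the captured TX:0 for the old snippet identical to the "Matched Data" in the log line above. Two further points follow from the rule text: a request carrying a sugar_user_theme cookie is never blocked by this rule at all, and because TX:0 holds a single capture, the chain judges only the first hidden iframe in the response body.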

    We will escalate this case to Comodo and Google and continue to monitor the situation internally.

  • Date - 09/05/2018 03:00 - 09/05/2018 14:20
  • Last Updated - 09/05/2018 14:40
Placeholder (Reported)
  • Priority - Low
  • Affecting Server - Caspar - WEBCA
  • This is a placeholder. Please ignore. If nothing above this post is displayed, then no issues are currently reported.

  • Date - 23/02/2016 01:41
  • Last Updated - 01/12/2016 10:03