Question
A 403 message from ModSecurity such as the one below appears in the logs. What does it mean?
[client 203.0.113.2] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_COOKIES_NAMES. [file "/etc/apache2/modsecurity.d/rules/comodo_free/26_Apps_WordPress.conf"] [line "155"] [id "225170"] [rev "3"] [msg "COMODO WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487)"] [severity "CRITICAL"] [tag "CWAF"] [tag "WordPress"] [hostname "] [uri "/wp-json/wp/v2/users/1"] [unique_id "YR6l04Z@9OqHIdEQWcNAqwAAAEE"]
Answer
Whenever the Web Application Firewall (WAF) detects an insecure access request that matches one of the rules from the ruleset, it blocks the access and records this message in the logs.
This message is usually benign: it means the WAF is behaving as expected and blocking unwanted requests. In some cases, however, legitimate requests are blocked. When such false positives occur, the WAF blocks requests for content (images, pages, menus) that should be available and returns a 403 error. The rule responsible is identified by the id field of the message (id "225170" in the example above), and the uri and client fields show which request was blocked. In those cases it may be necessary to disable the triggering rule, as described in the article How to disable specific ModSecurity rules in Plesk.
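An added example (not part of the Plesk article) that parses the bracketed fields of a ModSecurity denial line and counts 403 hits per rule id and URI, which is the information needed to judge whether a rule is producing false positives. The sample line is constructed from the one in the question; the hostname value "example.com" is a placeholder, since the original has none.

```python
import re

# Constructed sample, modelled on the 403 line in the question (hostname is a placeholder).
SAMPLE = ('[client 203.0.113.2] ModSecurity: Access denied with code 403 (phase 2). '
          'Operator EQ matched 0 at REQUEST_COOKIES_NAMES. '
          '[file "/etc/apache2/modsecurity.d/rules/comodo_free/26_Apps_WordPress.conf"] '
          '[line "155"] [id "225170"] [rev "3"] '
          '[msg "COMODO WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487)"] '
          '[severity "CRITICAL"] [tag "CWAF"] [tag "WordPress"] [hostname "example.com"] '
          '[uri "/wp-json/wp/v2/users/1"] [unique_id "YR6l04Z@9OqHIdEQWcNAqwAAAEE"]')

# [key "value"] pairs; the value may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
DENIED_RE = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)')


def parse_modsec_line(line):
    """Return the fields of one ModSecurity log line as a dict.

    Repeated keys (tag) are collected into a list under 'tags';
    the HTTP code and phase are returned as integers.
    """
    info = {}
    m = CLIENT_RE.search(line)
    if m:
        info['client'] = m.group(1)
    m = DENIED_RE.search(line)
    if m:
        info['code'] = int(m.group(1))
        info['phase'] = int(m.group(2))
    for key, value in FIELD_RE.findall(line):
        if key == 'tag':
            info.setdefault('tags', []).append(value)
        else:
            info[key] = value
    return info


def denials_by_rule(lines):
    """Count 403 denials per (rule id, uri) over a batch of log lines.

    Repeated hits from one rule on a URI that should be reachable are the
    signature of a false positive worth reviewing before disabling the rule.
    """
    counts = {}
    for line in lines:
        info = parse_modsec_line(line)
        if info.get('code') != 403:
            continue  # not a denial, or an unrelated line
        key = (info.get('id'), info.get('uri'))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Feed the function the lines of the ModSecurity error log (on Plesk, the Apache error log of the affected domain) to see which rule ids block which URIs most often.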