Author Topic: Caution: CWP Default ModSecurity Holes  (Read 4311 times)

0 Members and 1 Guest are viewing this topic.

Caution: CWP Default ModSecurity Holes
« on: February 10, 2020, 11:34:06 AM »
I've been setting up a new server and needed to add a few modsec exceptions for an oscommerce derivative..
I've only just discovered that CWP, in their wisdom have decided to disable quite a few modsec rules by default.
Code: [Select]
########################################
## Removed Rules for Joomla, WordPress and Drupal CMSs ##
########################################
## Joomla ##
SecRuleRemoveById 960024
SecRuleRemoveById 950120
SecRuleRemoveById 981173
SecRuleRemoveById 950901
SecRuleRemoveById 981257
SecRuleRemoveById 981245
SecRuleRemoveById 973338
SecRuleRemoveById 973300
SecRuleRemoveById 973304
SecRuleRemoveById 973333
SecRuleRemoveById 973333
## Wordpress ##
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 959073
SecRuleRemoveById 958030
## Drupal ##
SecRuleRemoveById 981231
## Removed rules for the webftp_simple ##
SecRuleRemoveById 950922
SecRuleRemoveById 981000
SecRuleRemoveById 950109

These should NOT be disabled by default, as not everyone installs all these applications.  :o You are defeating the principle purpose of modsec!
If you must, then why not include a couple of /scripts to install these exceptions, should the need arise?

Offline
**
Re: Caution: CWP Default ModSecurity Holes
« Reply #1 on: February 10, 2020, 12:50:47 PM »
I've been setting up a new server ...

Hi "ejsolutions",

You use OSWAP or CWAF as roles ?

Can you show me where to find these disabled roles ?

Thanks in advance for the support.


« Stay hungry, stay foolish. »

Re: Caution: CWP Default ModSecurity Holes
« Reply #2 on: February 10, 2020, 01:33:33 PM »
This is primarily for those using freebie CWP, with the free OWASP (old) rules. CWP Pro users will likely use one of the two alternatives.
In Security, Mod Security Manager, bottom right for the button to disable rules.