Author Topic: test mod security..???  (Read 486 times)


test mod security..???
« on: March 27, 2024, 05:07:44 PM »
Hi,

When I click the test mod security button (https://prnt.sc/UtFDAi3VYELK), the result is this: https://prnt.sc/JgSZ1-UxDYNU


Where could the problem be?

Thanks in advance!

BR
Venty

Re: test mod security..???
« Reply #1 on: March 27, 2024, 06:16:51 PM »
Why does your URL show an appended SQL query?

Re: test mod security..???
« Reply #2 on: March 27, 2024, 06:19:16 PM »
What did the logs show?

You should receive a Forbidden if it blocks an attack like it should, and the log should reflect that.

Also Comodo released ruleset version 1.241 that fixes the WooCommerce bug.

Re: test mod security..???
« Reply #3 on: March 28, 2024, 09:28:42 AM »
What did the logs show?

You should receive a Forbidden if it blocks an attack like it should, and the log should reflect that.

Also Comodo released ruleset version 1.241 that fixes the WooCommerce bug.

Hi,

When I click the test mod security button, the access log shows:

91.238.255.4 - - [28/Mar/2024:11:07:05 +0200] "GET /index.php?SELECT%20*%20FROM%20mysql.users HTTP/1.0" 403 199


In the error log:

[Thu Mar 28 11:07:05.172107 2024] [:error] [pid 60252:tid 139766892787456] [client 91.238.255.4:54650] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgUzOSQ7YW9-nwQzwPEtQwAAANA"], referer: https://hosting.ven.com:2031/

Mail message:

Time: Thu Mar 28 11:15:49 2024 +0200
IP: 91.238.255.4 (BG/Bulgaria/4.bgports.bg)
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block [LF_MODSEC]

Log entries:

[Thu Mar 28 11:07:05.172107 2024] [:error] [pid 60252:tid 139766892787456] [client 91.238.255.4:54650] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgUzOSQ7YW9-nwQzwPEtQwAAANA"], referer: https://hosting.ven.com:2031/
[Thu Mar 28 11:15:38.619353 2024] [:error] [pid 59712:tid 139766859216640] [client 91.238.255.4:54738] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgU1OnV9zH5PZsJbMuf24AAAAJQ"], referer: https://hosting.ven.com:2031/
[Thu Mar 28 11:15:43.853579 2024] [:error] [pid 60252:tid 139767018678016] [client 91.238.255.4:54740] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgU1PyQ7YW9-nwQzwPEtYgAAAME"], referer: https://hosting.ven.com:2031/
[Thu Mar 28 11:15:45.091700 2024] [:error] [pid 59712:tid 139766850823936] [client 91.238.255.4:54742] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgU1QXV9zH5PZsJbMuf24QAAAJU"], referer: https://hosting.ven.com:2031/
[Thu Mar 28 11:15:45.868421 2024] [:error] [pid 59712:tid 139766842431232] [client 91.238.255.4:54744] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgU1QXV9zH5PZsJbMuf24gAAAJY"], referer: https://hosting.ven.com:2031/

What do I do?
Thanks in advance!

BR
Venty



Re: test mod security..???
« Reply #4 on: March 28, 2024, 09:32:14 AM »
Why does your URL show an appended SQL query?

Hi,

I don't know why there is such a request. I downloaded the logs; please see the answer below...

Thanks in advance!

BR
Venty

Re: test mod security..???
« Reply #5 on: March 28, 2024, 03:30:08 PM »
From those logs, CWAF is working correctly and blocking the request.

Re: test mod security..???
« Reply #6 on: March 28, 2024, 06:20:13 PM »
The mod_security test is simply a SQL query appended to your server URL, mimicking someone poking at your server with SQL injection attempts. It is blocking it, so it is working as designed & intended. Looks good!
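The check the replies describe (a 403 in the access log, a matching ModSecurity denial in the error log, and CSF's LF_MODSEC mail when the same client is denied five times) can be done against the log lines themselves. The script below is an added example, not code from the thread, from cPanel, from Comodo or from CSF: it parses the two log formats shown in Reply #3, pairs the 403 for the injected SELECT with the CWAF rule that fired (id 211540, tag SQLi), and replays a simplified LF_MODSEC count over the denials. The sample lines are constructed from the ones posted; the assumptions are that both logs are in server-local time (so the access-log UTC offset can be dropped for the same-second match) and that LF_MODSEC is "N denials from one IP inside the interval", which is what the mail reports but not a reproduction of CSF's code.

```python
"""Added example: parse the Apache access-log and ModSecurity error-log lines that a
CWAF denial produces, confirm the "test mod security" request got a 403, and replay
CSF's LF_MODSEC counting over the denials. Sample lines are constructed from the
ones posted in Reply #3; nothing is read from a live host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# --- constructed sample input (modelled on the thread) -------------------------
ACCESS_LOG = ('91.238.255.4 - - [28/Mar/2024:11:07:05 +0200] '
              '"GET /index.php?SELECT%20*%20FROM%20mysql.users HTTP/1.0" 403 199\n')
_ERR_TEMPLATE = (
    '[{ts}] [:error] [pid 60252:tid 139766892787456] [client {ip}:{port}] [client {ip}] '
    'ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" '
    'against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/'
    '22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL '
    'Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users '
    'found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] '
    '[severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] '
    '[uri "/index.php"] [unique_id "{uid}"], referer: https://hosting.ven.com:2031/')
_ERR_EVENTS = [  # timestamp, source port, unique_id of the five entries in the LF_MODSEC mail
    ("Thu Mar 28 11:07:05.172107 2024", 54650, "ZgUzOSQ7YW9-nwQzwPEtQwAAANA"),
    ("Thu Mar 28 11:15:38.619353 2024", 54738, "ZgU1OnV9zH5PZsJbMuf24AAAAJQ"),
    ("Thu Mar 28 11:15:43.853579 2024", 54740, "ZgU1PyQ7YW9-nwQzwPEtYgAAAME"),
    ("Thu Mar 28 11:15:45.091700 2024", 54742, "ZgU1QXV9zH5PZsJbMuf24QAAAJU"),
    ("Thu Mar 28 11:15:45.868421 2024", 54744, "ZgU1QXV9zH5PZsJbMuf24gAAAJY")]
ERROR_LOG = "".join(_ERR_TEMPLATE.format(ts=ts, ip="91.238.255.4", port=p, uid=u) + "\n"
                    for ts, p, u in _ERR_EVENTS)

# --- parsers --------------------------------------------------------------------
_ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                        r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)')
_ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[:error\] .*?\[client (?P<ip>[^:\]]+):\d+\] '
                       r'.*?ModSecurity: Access denied with code (?P<code>\d+)')
_FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # [id "211540"], [tag "SQLi"], [msg "..."] ...


def parse_access_log(text):
    """Combined-format lines -> dicts; the target is URL-decoded so the injected SQL reads
    as sent. Access-log timestamps carry a UTC offset, error-log ones do not."""
    out = []
    for m in filter(None, map(_ACCESS_RE.match, text.splitlines())):
        out.append({"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), "ip": m["ip"],
                    "method": m["method"], "target": unquote(m["target"]),
                    "status": int(m["status"])})
    return out


def parse_error_log(text):
    """ModSecurity 'Access denied' lines -> dicts with the bracketed fields (id, msg, data,
    severity, file, line, uri, ...) plus a list of tags. Other error-log lines are skipped."""
    out = []
    for m in filter(None, map(_ERROR_RE.match, text.splitlines())):
        ev = {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
              "ip": m["ip"], "code": int(m["code"]), "tags": []}
        for key, val in _FIELD_RE.findall(m.string):
            if key == "tag":
                ev["tags"].append(val)
            else:
                ev[key] = val
        out.append(ev)
    return out


def confirm_block(access, errors, payload="SELECT * FROM mysql.users"):
    """Pair the 403 for the payload in the access log with a ModSecurity denial from the
    same client in the same second. Both logs are in server-local time, so the access-log
    offset is dropped before comparing (assumption for this example)."""
    for a in access:
        if a["status"] != 403 or payload not in a["target"]:
            continue
        a_ts = a["ts"].replace(tzinfo=None)
        for e in errors:
            if e["ip"] == a["ip"] and abs((e["ts"] - a_ts).total_seconds()) < 1:
                return {"blocked": True, "rule_id": e.get("id"), "msg": e.get("msg"),
                        "severity": e.get("severity"), "tags": e["tags"]}
    return {"blocked": False}


def lf_modsec_candidates(errors, failures=5, interval=3600):
    """Simplified replay of CSF's LF_MODSEC (assumption: `failures` denials from one IP within
    `interval` seconds trigger a block). Returns {ip: time of the triggering denial}. In the
    thread the IP that trips it is the one that clicked the test button five times."""
    by_ip, hits, window = defaultdict(list), {}, timedelta(seconds=interval)
    for e in errors:
        if e["code"] == 403:
            by_ip[e["ip"]].append(e["ts"])
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):          # sliding window over sorted denials
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= failures:
                hits[ip] = t
                break
    return hits


if __name__ == "__main__":
    acc, errs = parse_access_log(ACCESS_LOG), parse_error_log(ERROR_LOG)
    print(confirm_block(acc, errs))
    print(lf_modsec_candidates(errs))
```

Run as-is it reports the test request as blocked by rule 211540 and lists 91.238.255.4 as having reached five denials inside the hour, which is exactly the sequence the LF_MODSEC mail in Reply #3 describes: clicking the test button repeatedly from the admin's own address is itself enough to get that address blocked by CSF, so run the test once (or whitelist the workstation in csf.allow first) and then read the logs rather than re-clicking until something looks different.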