• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Issue Need Help Whitelisting GTM Noscript in Comodo WAF Rule 214540 on Plesk

S

SquanchIt

New Pleskian
Server operating system version
Ubuntu 22.04.5 LTS
Plesk version and microupdate number
Plesk Obsidian v18.0.68_build1800250311.08
Hello everyone,


I'm experiencing an issue with my website. A Comodo WAF rule (ID 214540) is blocking my homepage by flagging a standard, legitimate Google Tag Manager (GTM) noscript iframe, which is causing a 403 error.

[client [client IP]] ModSecurity: Access denied with code 403 (phase 4). Match of "rx \\ssrc=\\x22https:\\\\/\\\\/www\\\\.googletagmanager\\\\.com\\\\/ns\\\\.html\\\\?id=GTM|\\ssrc=\\x22https:\\\\/\\\\/w\\\\.soundcloud\\\\.com\\\\/player\\\\/\\?url=" against "TX:0" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/19_Outgoing_FilterInFrame.conf"] [line "14"] [id "214540"] [msg "COMODO WAF: Possibly malicious iframe tag in output||[your-domain.com]|F|3"] [data "Matched Data: <iframe style='display:none found within TX:0: <iframe style='display:none"] [unique_id "[unique id]"]
Click to expand...


The offending GTM code on the page is standard and looks like this:


<noscript>
<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXXXXX" height="0" width="0" style="display:none;visibility:hidden" aria-hidden="true"></iframe>
</noscript>
Click to expand...


I've tried several custom ModSecurity exception rules in the HTTPS Apache directives:

Code: 
SecRule RESPONSE_BODY "@contains googletagmanager.com/ns.html?id=GTM" "phase:4,pass,nolog,ctl:ruleRemoveById=214540,id:1000001"

Code: 
SecRule RESPONSE_BODY "@rx <iframe\s+[^>]*src=[\"']https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM" "phase:4,pass,nolog,ctl:ruleRemoveById=214540,id:1000001,t:none"

Despite adding these rules under HTTPS, the GTM noscript iframe still triggers rule 214540, and I continue to see 403 errors. The error log indicates that the match is on a generic fragment (<iframe style='display:none), suggesting that the offending rule might be triggering before the full GTM URL is captured—or my custom exception isn’t loaded in the proper order.


Has anyone experienced similar issues or have suggestions on how to effectively whitelist the legitimate GTM noscript iframe without disabling the entire rule? I'm particularly interested in ensuring that my custom exception is loaded after the Comodo rules in the HTTPS configuration.


Thank you in advance for your help!
 
I have no clue about ModSec syntax, sorry for being useless there. I just wanted to suggest changing the ruleset to something else. Comodo is very inactive, and they haven't updated their ruleset in a while. It's possible this won't be a problem with a more actively developed ruleset like Atomic.
 
You must log in or register to reply here.

Similar threads

R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
2K
Linulex
Linulex
U
Issue Error message ID 19494#0, 5467#0 and ModSecurity
Replies
3
Views
4K
Peter Debik
P
edesalto
Issue Domains and Subdomains are redirecting to plesk login
Replies
4
Views
3K
Peter Debik
P
Azurel
Issue Extension ModSecurity issues with matomo?
Replies
3
Views
4K
Azurel
Azurel
E
Apache: Graceful kill fail, sending SIGKILL
Replies
2
Views
6K
ehrenwert
E
Back
Top