
Issue Problem with web application firewall - file extension is restricted by policy

Ras Alghul

New Pleskian
Server operating system version
Plesk Obsidian v18.0.58_build1800240123.15 os_Ubuntu 22.04
Plesk version and microupdate number
Plesk Obsidian v18.0.58_build1800240123.15 os_Ubuntu 22.04
Hi,

We are experiencing an issue with one of our customers, unique to their case.

They encounter difficulties accessing our Nextcloud installation when the Web Application Firewall is enabled. This user, who operates on both Mac and iPhone, faces constant rejections. This issue persists whether they use the Nextcloud app or the desktop application, and even attempts to connect via an HTTPS browser result in rejection.

Upon reviewing the log files, this problem's cause remains unclear. It's particularly puzzling as other Apple Mac users do not encounter these issues.

Could you help us understand why this is happening and why it's isolated to this specific user?

Code:
--f7d4e022-H--
Message: Access denied with code 403 (phase 2). Match of "pmFromFile userdata_wl_extensions" against "TX:extension" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "27"] [id "210730"] [rev "5"] [msg "COMODO WAF: URL file extension is restricted by policy||customer.domain.com|F|2"] [data ".com"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 80.187.80.166] ModSecurity: Access denied with code 403 (phase 2). Match of "pmFromFile userdata_wl_extensions" against "TX:extension" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "27"] [id "210730"] [rev "5"] [msg "COMODO WAF: URL file extension is restricted by policy||customer.domain.com|F|2"] [data ".com"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "customer.domain.com"] [uri "/remote.php/dav/files/user@domain.com"] [unique_id "ZcCchXhdkYMpOqMcyyQ3eQAAAI4"]
Action: Intercepted (phase 2)
Apache-Handler: proxy:unix:/var/www/vhosts/system/customer.domain.com/php-fpm.sock|fcgi://127.0.0.1:9000
Stopwatch: 1707121797791133 788374 (- - -)
Stopwatch2: 1707121797791133 788374; combined=1391, p1=556, p2=705, p3=0, p4=0, p5=129, sr=142, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

I'm struggling to understand the issue related to the file extension.

Interestingly, when the Application Firewall is disabled, this particular user does not experience any problems. This further complicates our understanding of the issue.


 
The request offends rule no. 210730. You can add rule no. 210730 to the lists of exceptions in the "Web Application Firewall" icon of the domain. Store the new configuration, then try again.
 
Wow, thank you very much. I added the exception and am now waiting to hear what experience my customer has after this.
I researched that rule, but even with ChatGPT-4 I didn't understand it well. But let's not go too deep into the rabbit hole :)
 
uri "/remote.php/dav/files/user@domain.com"

This is the problem. WAF thinks you are trying to access a file with a .com extension.

.com is an old executable extension, but it is still used; on Windows 10 there are still a few .com files in c:\windows\system32: format.com, tree.com, chcp.com, etc.


regards
Jan
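
A triage sketch for hits like the one in this thread, added here as an example and not code from Plesk, Comodo or any poster: it parses the bracketed fields of the error-log line and re-derives the "extension" from the URI, flagging hits where that suffix comes from an e-mail-style path segment rather than a real file name. The extraction in `naive_extension` is an assumed approximation of rule 210730, whose actual pattern is not shown in the thread; the sample line is a shortened copy of the log entry quoted in the first post.

```python
import re

# Shortened copy of the Apache-Error line quoted in the thread (constructed sample).
SAMPLE = ('ModSecurity: Access denied with code 403 (phase 2). '
          'Match of "pmFromFile userdata_wl_extensions" against "TX:extension" required. '
          '[id "210730"] [msg "COMODO WAF: URL file extension is restricted by policy'
          '||customer.domain.com|F|2"] [data ".com"] [severity "CRITICAL"] '
          '[hostname "customer.domain.com"] [uri "/remote.php/dav/files/user@domain.com"]')

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')  # matches [key "value"] pairs


def parse_fields(line):
    """Return the [key "value"] pairs of a ModSecurity error-log line as a dict."""
    return dict(FIELD.findall(line))


def last_segment(uri):
    """Final path segment of the URI, query string and trailing slash removed."""
    return uri.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]


def naive_extension(uri):
    """Assumed approximation of the rule: text after the last dot of the last segment."""
    seg = last_segment(uri)
    return "." + seg.rsplit(".", 1)[1].lower() if "." in seg else ""


def classify(line):
    """Summarise a rule 210730 hit; return None for any other log line."""
    f = parse_fields(line)
    if f.get("id") != "210730" or "uri" not in f:
        return None
    derived = naive_extension(f["uri"])
    return {
        "uri": f["uri"],
        "logged": f.get("data"),      # what the WAF reported as the extension
        "derived": derived,           # what the approximation extracts
        # The suffix belongs to an address-like segment, not to a file name.
        "identifier_like": "@" in last_segment(f["uri"]) and derived == f.get("data"),
    }


if __name__ == "__main__":
    print(classify(SAMPLE))
```

Hits reported with `identifier_like` set are candidates for a per-domain exception such as the one suggested above; hits where the suffix belongs to a real file name deserve a closer look before the rule is switched off.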
 