Download
2021-01-20, 01:31:06
Hi,
Please find below the feedback of the Hosting party:
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
I checked the logging for your website and retrieved the following error message in our Comodo Web Application Firewall. The issue is the following: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355). Because this might be a false positive I want to advise you to create a case at Comodo Support via the following URL, so they can modify it:
- https://support.comodo.com/
Below is the log:
11087:{"transaction":{"time":"18/Jan/2021:22:06:26 +0100","transaction_id":"YAX4UiEc4VqWzf9MEidzsAAAAHM","remote_address":"2001:984:310d:1:801e:3fbd:d0b4:de56","remote_port":55048,"local_address":"2001:678:76c:3401::146","local_port":80},"request":{"request_line":"POST /admin/changedata.php HTTP/1.1","headers":{"Host":"ja21flevoland.nl","Connection":"keep-alive","Content-Length":"874","Cache-Control":"max-age=0","Upgrade-Insecure-Requests":"1","Origin":"http://ja21flevoland.nl","Content-Type":"application/x-www-form-urlencoded","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Referer":"http://ja21flevoland.nl/admin/edit.php?id=nieuws","Accept-Encoding":"gzip, deflate","Accept-Language":"nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6","Cookie":"GS_ADMIN_USERNAME=3yx51g; 319d8cb82dfa64e821a8dbbdb4adee80de1992cc=2d2258b9521180ff0f54e1cd047054c3ee2a8e11; __atuvc=39%7C2%2C49%7C3; __atuvs=6005f41f861aa273002"},"body":["nonce=e6309a704039f3fc95bd11dad3b6b356286fbe1a&post-author=3yx51g&post-title=Nieuws&post-private=&post-parent=&post-template=template.php&post-menu-enable=on&post-menu=Nieuws&post-menu-order=2&post-id=nieuws&post-metak=&post-metad=&post-content=%3Cp%3EJA21+Flevoland+op+Social+Media%3C%2Fp%3E%0D%0A%0D%0A%3Cul%3E%0D%0A%09%3Cli%3ELike+en+deel+onze+Twitter+pagina+op%26nbsp%3Bhttps%3A%2F%2Ftwitter.com%2FJA21Flevoland%3C%2Fli%3E%0D%0A%09%3Cli%3Een+onze+Facebook+pagina+op%26nbsp%3Bhttps%3A%2F%2Fwww.facebook.com%2FJA21Flevoland%3C%2Fli%3E%0D%0A%3C%2Ful%3E%0D%0A%0D%0A%3Cp%3E%3Cimg+alt%3D%22%22+src%3D%22https%3A%2F%2Fja21flevoland.nl%2Fdata%2Fuploads%2Fja21-logo.png%22+style%3D%22width%3A+150px%3B+height%3A+150px%3B%22+%2F%3E%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3E%26nbsp%3B%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3E%26nbsp%3B%3C%2Fp%3E%0D%0A&existing-url=nieuws&redirectto=&submitted=Save+Updates"]},"response":{"protocol":"HTTP/1.1","status":403,"headers":{"Content-Length":"199","Keep-Alive":"timeout=2, max=100","Connection":"Keep-Alive","Content-Type":"text/html; charset=iso-8859-1"},"body":""},"audit_data":{"messages":["Access denied with code 403 (phase 2). Pattern match \"\\\\x22\" at ARGS_POST:post-content. [file \"/usr/local/cwaf/rules/30_Apps_OtherApps.conf\"] [line \"635\"] [id \"240710\"] [rev \"1\"] [msg \"COMODO WAF: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355)||ja21flevoland.nl|F|2\"] [severity \"CRITICAL\"] [tag \"CWAF\"] [tag \"OtherApps\"]"],"action":{"intercepted":true,"phase":2,"message":"Pattern match \"\\\\x22\" at ARGS_POST:post-content."},"handler":"application/x-httpd-lsphp","stopwatch":{"p1":323,"p2":2461,"p3":0,"p4":0,"p5":4,"sr":0,"sw":0,"l":0,"gc":0},"response_body_dechunked":true,"producer":["ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)","CWAF_Apache"],"server":"Apache/2","engine_mode":"ENABLED"}}
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Does this help ?
Regards, Eric
Please find below the feedback of the Hosting party:
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
I checked the logging for your website and retrieved the following error message in our Comodo Web Application Firewall. The issue is the following: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355). Because this might be a false positive I want to advise you to create a case at Comodo Support via the following URL, so they can modify it:
- https://support.comodo.com/
Below is the log:
11087:{"transaction":{"time":"18/Jan/2021:22:06:26 +0100","transaction_id":"YAX4UiEc4VqWzf9MEidzsAAAAHM","remote_address":"2001:984:310d:1:801e:3fbd:d0b4:de56","remote_port":55048,"local_address":"2001:678:76c:3401::146","local_port":80},"request":{"request_line":"POST /admin/changedata.php HTTP/1.1","headers":{"Host":"ja21flevoland.nl","Connection":"keep-alive","Content-Length":"874","Cache-Control":"max-age=0","Upgrade-Insecure-Requests":"1","Origin":"http://ja21flevoland.nl","Content-Type":"application/x-www-form-urlencoded","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Referer":"http://ja21flevoland.nl/admin/edit.php?id=nieuws","Accept-Encoding":"gzip, deflate","Accept-Language":"nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6","Cookie":"GS_ADMIN_USERNAME=3yx51g; 319d8cb82dfa64e821a8dbbdb4adee80de1992cc=2d2258b9521180ff0f54e1cd047054c3ee2a8e11; __atuvc=39%7C2%2C49%7C3; __atuvs=6005f41f861aa273002"},"body":["nonce=e6309a704039f3fc95bd11dad3b6b356286fbe1a&post-author=3yx51g&post-title=Nieuws&post-private=&post-parent=&post-template=template.php&post-menu-enable=on&post-menu=Nieuws&post-menu-order=2&post-id=nieuws&post-metak=&post-metad=&post-content=%3Cp%3EJA21+Flevoland+op+Social+Media%3C%2Fp%3E%0D%0A%0D%0A%3Cul%3E%0D%0A%09%3Cli%3ELike+en+deel+onze+Twitter+pagina+op%26nbsp%3Bhttps%3A%2F%2Ftwitter.com%2FJA21Flevoland%3C%2Fli%3E%0D%0A%09%3Cli%3Een+onze+Facebook+pagina+op%26nbsp%3Bhttps%3A%2F%2Fwww.facebook.com%2FJA21Flevoland%3C%2Fli%3E%0D%0A%3C%2Ful%3E%0D%0A%0D%0A%3Cp%3E%3Cimg+alt%3D%22%22+src%3D%22https%3A%2F%2Fja21flevoland.nl%2Fdata%2Fuploads%2Fja21-logo.png%22+style%3D%22width%3A+150px%3B+height%3A+150px%3B%22+%2F%3E%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3E%26nbsp%3B%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3E%26nbsp%3B%3C%2Fp%3E%0D%0A&existing-url=nieuws&redirectto=&submitted=Save+Updates"]},"response":{"protocol":"HTTP/1.1","status":403,"headers":{"Content-Length":"199","Keep-Alive":"timeout=2, max=100","Connection":"Keep-Alive","Content-Type":"text/html; charset=iso-8859-1"},"body":""},"audit_data":{"messages":["Access denied with code 403 (phase 2). Pattern match \"\\\\x22\" at ARGS_POST:post-content. [file \"/usr/local/cwaf/rules/30_Apps_OtherApps.conf\"] [line \"635\"] [id \"240710\"] [rev \"1\"] [msg \"COMODO WAF: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355)||ja21flevoland.nl|F|2\"] [severity \"CRITICAL\"] [tag \"CWAF\"] [tag \"OtherApps\"]"],"action":{"intercepted":true,"phase":2,"message":"Pattern match \"\\\\x22\" at ARGS_POST:post-content."},"handler":"application/x-httpd-lsphp","stopwatch":{"p1":323,"p2":2461,"p3":0,"p4":0,"p5":4,"sr":0,"sw":0,"l":0,"gc":0},"response_body_dechunked":true,"producer":["ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)","CWAF_Apache"],"server":"Apache/2","engine_mode":"ENABLED"}}
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Does this help ?
Regards, Eric
