I have the same problem described in the following issue.
Here is the error log:
[Tue May 16 18:19:38.745674 2023] [:error] [pid 1796577:tid 140122351191808] [remote CLIENT.IP.ADDRESS:55326] [client CLIENT.IP.ADDRESS] ModSecurity: Access denied with code 403 (phase 4). Match of "rx \\\\ssrc=\\\\x22https:\\\\/\\\\/www\\\\.googletagmanager\\\\.com\\\\/ns\\\\.html\\\\?id=GTM|\\\\ssrc=\\\\x22https:\\\\/\\\\/w\\\\.soundcloud\\\\.com\\\\/player\\\\/\\\\?url=" against "TX:0" required. [file "/etc/modsecurity/comodo/19_Outgoing_FilterInFrame.conf"] [line "14"] [id "214540"] [rev "5"] [msg "COMODO WAF: Possibly malicious iframe tag in output||web.site|F|3"] [data "Matched Data: <iframe \\x0a\\x09\\x09height=\\x220\\x22 width=\\x220\\x22 style=\\x22display:none found within TX:0: <iframe \\x0a\\x09\\x09height=\\x220\\x22 width=\\x220\\x22 style=\\x22display:none"] [severity "ERROR"] [tag "CWAF"] [tag "FilterInFrame"] [hostname "web.site"] [uri "/index.php"] [unique_id "ZGOtGn8OVNnjiBWdgt2VdgADRxI"]
[Tue May 16 18:19:38.865218 2023] [:error] [pid 1796577:tid 140122167179008] [client CLIENT.IP.ADDRESS:55326] [client CLIENT.IP.ADDRESS] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/modsecurity/comodo/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|web.site|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "web.site"] [uri "/index.php"] [unique_id "ZGOtGn8OVNnjiBWdgt2VdgADRxI"]
Here is the content of the config file /etc/modsecurity/comodo/19_Outgoing_FilterInFrame.conf:
SecRule RESPONSE_BODY "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\x22']{0,1}[^a-zA-Z0-9_]{0,}?\bdisplay\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\bnone\b" \
"id:214540,chain,msg:'COMODO WAF: Possibly malicious iframe tag in output||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:replaceComments,rev:5,severity:3,tag:'CWAF',tag:'FilterInFrame'"
SecRule &REQUEST_COOKIES:sugar_user_theme "@eq 0" \
"chain,t:none"
SecRule TX:0 "!@rx \ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url=" \
"t:none,t:urlDecodeUni"
SecRule RESPONSE_BODY "(?i:<[\t\n\r ]{0,}IFRAME[\t\n\r ]{0,}?[^>]{0,}?src=\x22javascript:)" \
"id:214550,msg:'COMODO WAF: Malicious iframe+javascript tag in output||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:1,severity:3,tag:'CWAF',tag:'FilterInFrame'"
SecMarker SECMARKER_214400
As you can see, there is a "whitelist" for googletagmanager and soundcloud, but it seems it is not working. The mentioned iframe on the website should be the following:
<!-- Google Tag Manager (noscript) -->
<noscript><iframe height="0" width="0" style="display:none;visibility:hidden" data-src="https://www.googletagmanager.com/ns.html?id=GTM-XXXZZZ" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->
I don't understand why the following "whitelist rule" doesn't work, can you help me out?
SecRule TX:0 "!@rx \ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url=" \
"t:none,t:urlDecodeUni"
Thank you for your time
I tried editing the regexp. I expected that the "whitelist" rule would work.
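The following is an added example, not code from the question, the answer, or the Comodo rule set: a small Python emulation of the three-link chain of rule 214540 that shows what the third link actually sees. It reuses the two regexes from the posted 19_Outgoing_FilterInFrame.conf verbatim. The response bodies are constructed: one reproduces the lazyload iframe from the question (with the newline and tabs after `<iframe` that the logged "Matched Data" shows), the other is a hypothetical variant with `src` placed before `style`. Cookie handling and `t:urlDecodeUni` are approximated.

```python
import re
import urllib.parse

# Regex of the first link of Comodo rule 214540 (copied from the posted
# 19_Outgoing_FilterInFrame.conf) and the allow-list regex of its third link.
RULE_214540_RX = re.compile(
    r"<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?"
    r"[\x22']{0,1}[^a-zA-Z0-9_]{0,}?\bdisplay\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\bnone\b"
)
ALLOWED_SRC_RX = re.compile(
    r"\ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM"
    r"|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url="
)

# Constructed response bodies (not captured from the site in the question).
# LAZYLOAD_BODY reproduces the iframe from the question, with the newline and
# tabs after "<iframe" that the logged "Matched Data" shows (\x0a\x09\x09).
# STOCK_BODY is a hypothetical variant with src placed before style.
LAZYLOAD_BODY = (
    '<!-- Google Tag Manager (noscript) -->\n'
    '<noscript><iframe \n\t\theight="0" width="0" style="display:none;visibility:hidden" '
    'data-src="https://www.googletagmanager.com/ns.html?id=GTM-XXXZZZ" class="lazyload" '
    'src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></iframe></noscript>\n'
    '<!-- End Google Tag Manager (noscript) -->\n'
)
STOCK_BODY = (
    '<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXZZZ" '
    'height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>\n'
)


def evaluate_rule_214540(response_body, cookies):
    """Emulate the three-link chain of rule 214540 on one response.

    cookies is a dict of request cookie names to values. The result records
    what each link saw:
      tx0           - the full match of link 1, i.e. what `capture` put in TX:0
      allow_in_tx0  - whether the allow-list regex matches TX:0 (what link 3 tests)
      allow_in_body - whether the same regex matches the whole response body
      blocked       - True when all three links match, so `block` fires (403)
    """
    # t:replaceComments strips C-style /* */ comments; HTML comments are untouched.
    body = re.sub(r"/\*.*?\*/", " ", response_body, flags=re.S)
    m = RULE_214540_RX.search(body)
    result = {
        "tx0": None,
        "allow_in_tx0": False,
        "allow_in_body": ALLOWED_SRC_RX.search(body) is not None,
        "blocked": False,
    }
    if m is None:
        return result  # link 1 did not match: the chain stops, nothing is captured
    tx0 = m.group(0)
    # Link 2: &REQUEST_COOKIES:sugar_user_theme @eq 0, i.e. the cookie is absent.
    link2 = "sugar_user_theme" not in cookies
    # Link 3: TX:0 "!@rx <allow-list>" with t:urlDecodeUni (approximated here by
    # percent-decoding, a no-op on this HTML). Because of the "!", the link
    # matches, and the chain blocks, when TX:0 does NOT contain an allowed src.
    decoded = urllib.parse.unquote(tx0)
    allow_in_tx0 = ALLOWED_SRC_RX.search(decoded) is not None
    link3 = not allow_in_tx0
    result.update(tx0=tx0, allow_in_tx0=allow_in_tx0, blocked=link2 and link3)
    return result


if __name__ == "__main__":
    for name, body in (("lazyload", LAZYLOAD_BODY), ("src-before-style", STOCK_BODY)):
        r = evaluate_rule_214540(body, cookies={})
        print(f"{name}: TX:0={r['tx0']!r}")
        print(f"  allow-list matches TX:0={r['allow_in_tx0']} "
              f"body={r['allow_in_body']} blocked={r['blocked']}")
```

Running it shows two separate reasons the "whitelist" link cannot pass on the page in the question. First, `capture` stores only the text matched by link 1, which ends at `display:none`, so for the lazyload iframe TX:0 is `<iframe \n\t\theight="0" width="0" style="display:none` (exactly the logged "Matched Data") and contains no `src` attribute at all. Second, even the full response body would not match: the lazyload plugin has moved the real URL into `data-src=` (no whitespace before `src`, so `\ssrc=` fails) and the actual `src=` holds a `data:image/gif` URI. The variant with `src` before `style` passes only because the src attribute happens to fall inside the captured span.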
First of all, you can't match against TX:0 like this, it will never work as you expect. Look at the first SecRule in the chain of rule 214540 - that is what you need to match, i.e. RESPONSE_BODY. I suggest this exclusion rule, but note that it will completely disable rule 214540 on all pages which contain your Google iframe: