Blocked in WordPress when saving settings via AJAX and uploading images

Hi,

We are developing a platform for an entity that uses Cloudflare. It’s a public entity by the way.

We have tested everything in our development and staging environment and everything is working perfectly. We too use Cloudflare for our servers, but since they are our servers, we obviously can manage our rules.

Now with this public entity, they seemed to have implemented this solution recently and problems seem to arise, not only with this platform we developed but also with many others as well.

Here is a list of errors, where we were basically saving theme settings which are saved using AJAX:

| Rule | Ruleset | Score |
|---|---|---|
| 920230: Multiple URL Encoding Detected | Cloudflare OWASP Core Ruleset | Score (+3) |
| 920272: Invalid character in request (outside of printable chars below ascii 127) | Cloudflare OWASP Core Ruleset | Score (+5) |
| 932200: RCE Bypass Technique | Cloudflare OWASP Core Ruleset | Score (+5) |
| 941150: XSS Filter - Category 5: Disallowed HTML Attributes | Cloudflare OWASP Core Ruleset | Score (+5) |
| 941330: IE XSS Filters - Attack Detected | Cloudflare OWASP Core Ruleset | Score (+5) |
| 941340: IE XSS Filters - Attack Detected | Cloudflare OWASP Core Ruleset | Score (+5) |
| 942180: Detects basic SQL authentication bypass attempts 1/3 | Cloudflare OWASP Core Ruleset | Score (+5) |
| 942300: Detects MySQL comments, conditions and ch(a)r injections | Cloudflare OWASP Core Ruleset | Score (+5) |
| 942330: Detects classic SQL injection probings 1/3 | Cloudflare OWASP Core Ruleset | Score (+5) |
| 942370: Detects classic SQL injection probings 2/3 | Cloudflare OWASP Core Ruleset | Score (+5) |
| 942490: Detects classic SQL injection probings 3/3 | Cloudflare OWASP Core Ruleset | Score (+5) |

I don’t have right now the list of errors for when we simply tried to upload one image, but it also happened.

As far as we could search, this is something potentially only solved by applying rules in Cloudflare. But let’s assume that’s impossible.

Is there any other way to have images being uploaded to the platform (WordPress) without these errors?

Saving settings is something we may be able to solve somehow, using other methods. But uploading images and files is really crucial for the system to work properly and the platform to be useful at all.

If someone can help, I will very much appreciate that.

Best regards,
Pedro Lima

These are the errors when we try to upload one image in WordPress:

| Rule | Ruleset | Score |
|---|---|---|
| 920270: Invalid character in request (null character) | Cloudflare OWASP Core Ruleset | Score (+5) |
| 920271: Invalid character in request (non printable characters) | Cloudflare OWASP Core Ruleset | Score (+5) |
| 920460: Abnormal character escapes in request | Cloudflare OWASP Core Ruleset | Score (+5) |
| 932130: Remote Command Execution: Unix Shell Expression Found | Cloudflare OWASP Core Ruleset | Score (+5) |
| 933180: PHP Injection Attack: Variable Function Call Found | Cloudflare OWASP Core Ruleset | Score (+5) |
| 941310: US-ASCII Malformed Encoding XSS Filter - Attack Detected | Cloudflare OWASP Core Ruleset | Score (+5) |
| 941320: Possible XSS Attack Detected - HTML Tag Handler | Cloudflare OWASP Core Ruleset | Score (+5) |
| 942120: SQL Injection Attack: SQL Operator Detected | Cloudflare OWASP Core Ruleset | Score (+5) |
| 942310: Detects chained SQL injection attempts 2/2 | Cloudflare OWASP Core Ruleset | Score (+5) |
| 942440: SQL Comment Sequence Detected | Cloudflare OWASP Core Ruleset | Score (+5) |

Can anyone help here with this question, please?

Thank you for your reply. So this means there is definitely no other way to set up the platform (whether it is WordPress or any other platform) in order to have it working without being blocked, correct?

I mean, we have seen other posts where these false positives had only one solution: creating a specific rule for this due to the fact that they are false positives, but we just wanted to be 100% sure that’s the case.