Image uploads prevented by Cloudflare OWASP Core Ruleset

I’m having a similar issue to these requests, which didn’t have satisfactory responses. It is on a Cloudflare Pro plan with the Managed Rules WAF enabled:

I’m unable to upload images to a WordPress installation because it is triggering the OWASP Core Ruleset, specifically the rule “949110: Inbound Anomaly Score Exceeded”.

Here is the breakdown of rules triggered (which seems excessive for an image upload in WordPress):

941130: XSS Filter - Category 3: Attribute Vector
941140: XSS Filter - Category 4: Javascript URI Vector
941160: NoScript XSS InjectionChecker: HTML Injection
941180: Node-Validator blocklist Keywords
941150: XSS Filter - Category 5: Disallowed HTML Attributes
941320: Possible XSS Attack Detected - HTML Tag Handler
942370: Detects classic SQL injection probings 2/3
942430: Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440: SQL Comment Sequence Detected

I’m going to do a workaround by allowlisting /wp-admin/async-upload.php from the WAF but I’m wondering if there is something like the old ‘My site uses WordPress’ ruleset that was present in the old WAF rules?

You will have to exclude rule by rule manually until you stop hitting falses (use path and other delimitators, dont globally exclude the rules).

This process would be okay if the ux wasn’t as bad as it is now, but that’s how it is unfortunately, you will have to spend some time building exclusions that fit your setup.

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.