Problems since migrating WAF managed rules as directed by Cloudflare

sevans1 · September 28, 2023, 7:42pm

Hello,

About 4 weeks ago, I attempted to follow Cloudflare’s instructions to migrate the WAF manage rules. This is a wordpress site, using the WP Cloudflare plugin, which I thought was supposed to make it relatively painless for non-developer to make use of Cloudflare PRO. We had not implemented any special rules or conditions prior to migrating the managed rules, nor did we add any AFTER the migration.

Since the migration, we’ve experienced several problems:

Export Orders plugin will not export or preview without triggering a Cloudflare security check, and when it does, it loads overlaid on the page contents, and stalls or fails, preventing the export.
Uploading a new plugin was blocked. In Events, it mentioned Adobe ColdFusion. The plugin is WP All Export (pro).

Please, send any laymen tips for Cloudflare WAF setup that works for your Wordpress/Woocommerce site.

I’m starting to regret buying a yearly license for Cloudflare Pro.

Thanks.

cbrandt · September 28, 2023, 8:01pm

Hi, and welcome to the community.

Please visit your website with Developer Tools open (F12 on Windows/Chrome) and perform the action that is not going through. After a minute or so, visit your Cloudflare Dashboard > Security > Events, and find the event that was just blocked. It should have a field Service, with information regarding the feature or product that is blocking your request. And follow the pertinent suggestions from the actions listed here:

I hope you change your mind soon.

sevans1 · September 28, 2023, 10:34pm

@cbrandt – thanks for the input and encouragement!

I performed the action as suggested. The event service is Managed Rules, with additional detail as follows.

Ruleset: Cloudflare OWASP Core Ruleset
Rule: 949110: Inbound Anomaly Score Exceeded
OWASP score: 61

Then the additional logs of this event listed further below. Earlier today, I created a rule to allow the office IP to bypass the managed rules, and that allowed me to get the plugin uploaded, and to export orders. So I disabled it for this test. But an IP rule isn’t a practical solution. The WP Cloudflare plugin settings seem to be irrelevant now, but at least the WAF seems to be working, albeit to agressively.

932100: Remote Command Execution: Unix Command Injection
Cloudflare OWASP Core Ruleset Score (+5)

932200: RCE Bypass Technique
Cloudflare OWASP Core Ruleset Score (+5)

933151: PHP Injection Attack: Medium-Risk PHP Function Name Found
Cloudflare OWASP Core Ruleset Score (+5)

942110: SQL Injection Attack: Common Injection Testing Detected
Cloudflare OWASP Core Ruleset Score (+3)

942200: Detects MySQL comment-/space-obfuscated injections and backtick termination
Cloudflare OWASP Core Ruleset Score (+5)

942260: Detects basic SQL authentication bypass attempts 2/3
Cloudflare OWASP Core Ruleset Score (+5)

942300: Detects MySQL comments, conditions and ch(a)r injections
Cloudflare OWASP Core Ruleset Score (+5)

942330: Detects classic SQL injection probings 1/3
Cloudflare OWASP Core Ruleset Score (+5)

942340: Detects basic SQL authentication bypass attempts 3/3
Cloudflare OWASP Core Ruleset Score (+5)

942370: Detects classic SQL injection probings 2/3
Cloudflare OWASP Core Ruleset Score (+5)

942380: SQL Injection Attack
Cloudflare OWASP Core Ruleset Score (+5)

942430: Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
Cloudflare OWASP Core Ruleset Score (+3)

942440: SQL Comment Sequence Detected
Cloudflare OWASP Core Ruleset Score (+5)