• Resolved worpressy

    (@worpressy)


    Hello,

    We recently discovered that the plugin LiteSpeed Cache is triggering a false positive WAF rule in Cloudflare. This would be Rule ID: 100139B (PHP – XSS, Code Injection – Data URI)

    This is affecting Bing search engine.

    The problem is that, for example, when Bing processes a regular URL it should look like this:

    https://mysite.com/crazy-cat/

    But instead, the URL that Bing is trying to process looks like this:

    https://mysite.com/crazy-cat/data:text/javascript;base64,kgfkc2j5z29vz2xlpxdpbmrvdy5hzhniewdvb2dszxx8w10plnb1c2goe30p

    So Cloudflare blocks Bing, thinking it is a hacking attempt.

    We tried a few things on our end and the only thing that worked was disabling the plugin LiteSpeed Cache.

    This has created a huge problem for us, as our home page has been delisted from Yahoo, AOL, DuckDuckGo and of course Bing, as they all use the Bing engine to index sites.

    Report number: ZUKVMWBD

    If you could help us with this it would be great.

    Best regards

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support qtwrk

    (@qtwrk)

    Hi,

    The code in HTML is like <script src="data:text/javascript;base64,IWZ1bmN0aW9uKGEpeyJ1, which is correct. For whatever reason Bing processes it that way; we can't really do anything about that part.

    I can only suggest disabling JS defer; this data URI text/javascript is coming from that feature.

    Best regards,

    Thread Starter worpressy

    (@worpressy)

    Hi @qtwrk,

    We went ahead and disabled JS defer, cleared all caches and database, executed a full cache purge on Cloudflare and executed a new crawl by Bing.

    The /data:text/javascript;base64 is still getting appended to the URL, triggering a WAF rule and blocking Bing from crawling.

    This is the actual info getting appended to the URL:

    /data:text/javascript;base64,kgfkc2j5z29vz2xlpxdpbmrvdy5hzhniewdvb2dszxx8w10plnb1c2goe30p

    What is really strange is that we are not seeing this /data:text/javascript;base64 on the page source HTML.

    We also monitored the blocking live to make sure we were not seeing a cached version of the site.

    Report number: DDDVDCGP

    Best regards,

    Plugin Support qtwrk

    (@qtwrk)

    Hi,

    My guess is Bing still has some cache and it needs to be expired/updated?

    Best regards,

    Thread Starter worpressy

    (@worpressy)

    Hi @qtwrk,

    That is what we originally thought was taking place, and after 2 days it was still the same. Even when creating new content.

    The only thing that works is disabling the plugin LiteSpeed Cache.

    Best regards

    Plugin Support qtwrk

    (@qtwrk)

    Hi,

    What if you reset it to the default settings?

    Best regards,

  • The topic ‘LiteSpeed Cache Triggering WAF Rule in Cloudflare’ is closed to new replies.
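
A diagnostic for the situation discussed in this thread, as an added example that is not part of the original posts or of the plugin's code: it takes a request URL that the WAF blocked and the HTML that was served, and reports which element carries the data: URI that ended up appended to the path. The function names, the example.com URL and the sample HTML are constructed assumptions.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Path ending in a data: URI glued on after a slash, as in the blocked requests.
APPENDED = re.compile(r"/(data:text/javascript;base64,[A-Za-z0-9+/=]+)$", re.I)

class DataUriCollector(HTMLParser):
    """Collect every data: URI found in src/href attributes of a page."""
    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, attribute, uri)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and value.lower().startswith("data:"):
                self.found.append((tag, name, value))

def appended_data_uri(url):
    """Return the data: URI appended to the request path, or None."""
    m = APPENDED.search(urlsplit(url).path)
    return m.group(1) if m else None

def match_blocked_request(url, html):
    """Return (tag, attribute) of the element whose data: URI matches the
    suffix of the blocked URL, or None. The comparison ignores case because
    the blocked URL quoted in the thread shows the base64 text in lower case."""
    suffix = appended_data_uri(url)
    if suffix is None:
        return None
    collector = DataUriCollector()
    collector.feed(html)
    for tag, attr, uri in collector.found:
        if uri.lower() == suffix.lower():
            return tag, attr
    return None

# Constructed sample data (not taken from the thread).
PAYLOAD = base64.b64encode(b"console.log('constructed sample');").decode()
SAMPLE_HTML = (
    '<html><body><img src="/cat.png">'
    f'<script src="data:text/javascript;base64,{PAYLOAD}" defer></script>'
    "</body></html>"
)
BLOCKED_URL = "https://example.com/crazy-cat/data:text/javascript;base64," + PAYLOAD.lower()

if __name__ == "__main__":
    print(match_blocked_request(BLOCKED_URL, SAMPLE_HTML))
```

Run it against the HTML as the crawler receives it (same user agent, cache bypassed), since the page source seen in a browser can differ from what an optimization plugin serves to other clients.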