Description
Contact Information
No response
1Panel Version
2.0.16
Problem Description
After updating the Certmate component to version 0.4.13, the WAF (Web Application Firewall) module has begun falsely identifying and blocking legitimate requests as Cross-Site Scripting (XSS) attacks. This is a regression in behavior, as these requests were not blocked prior to the update. The only current workaround is to add each affected URL or request manually to the WAF's whitelist to restore normal access, which is neither a scalable nor a secure way of handling false positives.
Core Problem: The WAF's XSS detection rules or their sensitivity appear to have been inadvertently altered in Certmate 0.4.13, leading to excessive blocking of normal web traffic.
Steps to Reproduce
Precondition: Ensure your 1Panel environment has been updated to include Certmate version 0.4.13.
Action: Perform normal, legitimate user interactions on a website protected by 1Panel's WAF. This could include:
Submitting a form containing certain special characters or parameters.
Accessing a URL with query strings that include common symbols (e.g., <, >, &).
Using web application features that involve dynamic content loading.
Observed Result: The WAF intercepts the request and returns a block page or error (typically a 403 Forbidden or similar), logging the event as an XSS attack attempt in the WAF logs, even though the request is benign.
Workaround Verification: The request is only allowed to proceed if the specific URL pattern or parameter is manually added to the WAF's URL Whitelist or rule exclusion list. This confirms the blocking is a false positive specific to the new version.
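To show why a character-level XSS rule produces exactly the false positives described in the steps above, here is an added example (not 1Panel or Certmate code, and not their actual rule set) that compares a hypothetical over-broad rule against a hypothetical narrower one on constructed benign and malicious query strings. The URLs, rule patterns and sample set are all assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical over-broad rule: any angle bracket or ampersand in a decoded
# parameter value is treated as XSS. A rule like this flags "Tom & Jerry"
# or "a<b" as an attack, which is the behaviour the report describes.
BROAD_XSS = re.compile(r"[<>&]")

# Hypothetical narrower rule: require an actual HTML tag or an inline event
# handler in the decoded value rather than a lone special character.
NARROW_XSS = re.compile(
    r"<\s*/?\s*[a-z][\w-]*[^>]*>"   # a tag such as <script> or <img ...>
    r"|\bon[a-z]+\s*=",             # an inline handler such as onerror=
    re.IGNORECASE,
)


def query_values(url):
    """Return the URL-decoded values of every query-string parameter."""
    return [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def broad_rule(url):
    return any(BROAD_XSS.search(v) for v in query_values(url))


def narrow_rule(url):
    return any(NARROW_XSS.search(v) for v in query_values(url))


def evaluate(rule, samples):
    """Return (false positives, false negatives) of a rule over labelled samples."""
    false_positives = sum(1 for url, bad in samples if rule(url) and not bad)
    false_negatives = sum(1 for url, bad in samples if bad and not rule(url))
    return false_positives, false_negatives


# Constructed samples: (url, is_malicious). The benign ones mirror the kinds
# of requests the report says are blocked; the last two are textbook probes.
SAMPLES = [
    ("https://example.test/search?q=a<b&sort=asc", False),
    ("https://example.test/calc?expr=x%3E5+%26%26+y%3C2", False),
    ("https://example.test/page?title=Tom+%26+Jerry", False),
    ("https://example.test/item?id=42", False),
    ("https://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E", True),
    ("https://example.test/img?alt=x%22+onerror%3Dalert(1)", True),
]

if __name__ == "__main__":
    for name, rule in (("broad", broad_rule), ("narrow", narrow_rule)):
        fp, fn = evaluate(rule, SAMPLES)
        print(f"{name}: {fp} false positives, {fn} misses")
```

The broad rule blocks three of the four benign requests and still misses the event-handler probe, while the narrower rule gets all six right; per-URL whitelisting treats the symptom, whereas re-tuning the rule addresses the cause.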
The expected correct result
No response
Related log output
Additional Information
No response