Symptoms
- A WordPress website is not accessible, with one of the errors below shown in a browser:
    Forbidden
    You don't have permission to access this resource.
    Apache Server at example.com Port 443
    404 Not found
- The CentOS test page may be shown instead of the website content, or part of the content may not be displayed correctly.
- The WooCommerce plugin is enabled for the affected instance and it was recently updated to version 8.5.
- The Comodo ruleset is enabled in Tools & Settings > Web Application Firewall (ModSecurity).
Cause
The Comodo rule with ID 218500 is triggered when WooCommerce 8.5 or above is in use.
WooCommerce is working to avoid this rule being triggered.
The lines below can be found in Domains > example.com > Logs:
ModSecurity: Warning. Pattern match "[\\[\\]\\x22',()\\.]{10}$|\\b(?:union\\sall\\sselect\\s(?:(?:null|\\d+),?)+|order\\sby\\s\\d{1,4}|(?:and|or)\\s\\d{4}=\\d{4}|waitfor\\sdelay\\s'\\d+:\\d+:\\d+'|(?:select|and|or)\\s(?:(?:pg_)?sleep\\(\\d+\\)|\\d+\\s?=\\s?(?:dbms_pipe\\.receive_message\\ ..." at REQUEST_COOKIES:sbjs_first. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||example.com|F|2"] [data "Matched Data: |||id=(none) found within REQUEST_COOKIES:sbjs_first: typ=organic|||src=google|||mdm=organic|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "example.com"]
The false positive has been reported to Comodo (email: Rule "218500" false-positive triggering after Woocommerce plugin update to 8.5).
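To check, before disabling the rule, that its hits on a server are the cookie false positive described here rather than hits on other request data, the log entries can be grouped by host and matched variable. The following Python is an added example, not Plesk or Comodo code; the sample lines are constructed (the first abridged from the entry quoted above) and the `sbjs_` prefix filter is an assumption generalized from the `sbjs_first` cookie.

```python
import re
from collections import Counter

# Constructed sample: line 1 is abridged from the log entry quoted above
# (pattern shortened); line 2 is a made-up hit on a request argument.
SAMPLE_LOG = r'''
ModSecurity: Warning. Pattern match "[\\[\\]\\x22',()\\.]{10}$|\\b(?:union\\sall ..." at REQUEST_COOKIES:sbjs_first. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||example.com|F|2"] [data "Matched Data: |||id=(none) found within REQUEST_COOKIES:sbjs_first: typ=organic|||src=google|||mdm=organic|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "example.com"]
ModSecurity: Warning. Pattern match "[\\[\\]\\x22',()\\.]{10}$|\\b(?:union\\sall ..." at ARGS:q. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||shop.example.net|F|2"] [data "Matched Data: or 1234=1234 found within ARGS:q: x or 1234=1234"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "shop.example.net"]
'''

# [key "value"] metadata fields that ModSecurity appends to each message
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the pattern matched, e.g. REQUEST_COOKIES:sbjs_first
TARGET = re.compile(r'" at ([A-Z_]+(?::\S+?)?)\. \[')

def parse(line):
    """Return the bracketed fields plus the matched variable, or None."""
    if "ModSecurity:" not in line:
        return None
    rec = {"tags": []}
    for key, val in FIELD.findall(line):
        if key == "tag":
            rec["tags"].append(val)   # 'tag' repeats, keep every value
        else:
            rec[key] = val
    m = TARGET.search(line)
    rec["target"] = m.group(1) if m else None
    return rec

def triage(log_text, rule_id="218500", prefix="REQUEST_COOKIES:sbjs_"):
    """Count rule hits per (hostname, variable); split cookie hits from the rest."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec.get("id") == rule_id:
            hits[(rec.get("hostname"), rec["target"])] += 1
    cookie = {k: n for k, n in hits.items() if (k[1] or "").startswith(prefix)}
    other = {k: n for k, n in hits.items() if k not in cookie}
    return cookie, other

if __name__ == "__main__":
    cookie_hits, other_hits = triage(SAMPLE_LOG)
    print("matches the false positive described here:", cookie_hits)
    print("review before disabling the rule:", other_hits)
```

Hits in the second group land on variables other than the cookie named in this article and should be reviewed on their own before rule 218500 is switched off for that domain.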
Resolution
As a workaround until the change is made on the WooCommerce plugin side:
- Log into Plesk.
- Disable rule with ID 218500 for the affected domains as per the following article.
Comments
6 comments
Yes, I had this problem too, thx for sharing
The solution works for me too. Thanks.
hello,
Can the WAF be updated by CLI? Logging into over 100 Plesk instances to bypass this rule is a non-runner.
Rgds
D.
I also had to disable these rulesets to get rid of all the Apache errors.
210831
214940
Thank you, took me a few days trying to get rid of the crashes. The 218500 sorted the problem :-) Thanks.