Symptoms
-
A WordPress website is not accessible with one of the below errors in a browser:
Forbidden
You don't have permission to access this resource.
Apache Server at example.com Port 443
404 Not found
-
Centos Test page may be shown instead of website content or part of the content may not be displayed correctly.
-
The WooCommerce plugin is enabled for the affected instance and it was recently updated to version 8.5.
-
Comodo ruleset is enabled in Tools & Settings > Web Application Firewall (ModSecurity).
Cause
Comodo rule with ID 218500 is triggered when Woocommerce 8.5 is in use.
Woocommerce is working to avoid this rule being triggered.
The lines below can be found in Domains > example.com > Logs:
ModSecurity: Warning. Pattern match "[[]x22',().]{10}$|b(?:unionsallsselects(?:(?:null|d+),?)+|ordersbysd{1,4}|(?:and|or)sd{4}=d{4}|waitforsdelays'd+:d+:d+'|(?:select|and|or)s(?:(?:pg_)?sleep(d+)|d+s?=s?(?:dbms_pipe.receive_message ..." at REQUEST_COOKIES:sbjs_first. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||example.com|F|2"] [data "Matched Data: |||id=(none) found within REQUEST_COOKIES:sbjs_first: typ=organic|||src=google|||mdm=organic|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "example.com"]
Resolution
As a workaround before changes on WooCommerce plugin side:
- Log into Plesk.
- Disable rule with ID
218500for the affected domains as per the following article.