• Resolved donlee101

    (@donlee101)


    My website was one of a few that received the faulty update.

    Then I noticed users were getting "you are not allowed to view this page" when browsing through a website… Upon checking logs, it was due to ModSecurity being triggered. Specifically this rule: 218500 COMODO WAF: SQLmap attack detected

    Hopefully you can do something about it. For now I whitelisted the rule.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Same to me.
    Reason: WAF Comodo rule with ID 218500 is false-positively triggered when WooCommerce 8.5 is in use.

    ModSecurity: Warning. Pattern match "[\\[\\]\\x22',()\\.]{10}$|\\b(?:union\\sall\\sselect\\s(?:(?:null|\\d+),?)+|order\\sby\\s\\d{1,4}|(?:and|or)\\s\\d{4}=\\d{4}|waitfor\\sdelay\\s'\\d+:\\d+:\\d+'|(?:select|and|or)\\s(?:(?:pg_)?sleep\\(\\d+\\)|\\d+\\s?=\\s?(?:dbms_pipe\\.receive_message\\ ..." at REQUEST_COOKIES:sbjs_first. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||example.com|F|2"] [data "Matched Data: |||id=(none) found within REQUEST_COOKIES:sbjs_first: typ=organic|||src=google|||mdm=organic|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "example.com"]
    
    

    The problem you are seeing is that WooCommerce 8.5.0 added new tracking cookies with names starting with sbjs_ whose contents run afoul of a security rule many hosts use.
    What I discovered is that if you turn off this new feature in 8.5.0, the sbjs cookies are not created:
    WooCommerce -> Settings -> Advanced -> Features: Order Attribution. [] Enable this feature to track and credit channels and campaigns that contribute to orders on your site
    8.5.0 turns that on by default. Turn it off and the offending cookies will not be created.
    It won’t immediately get rid of customers whose browsers already have those cookies. They will need to delete those cookies or wait for them to expire. But new users will not get those problematic cookies.

    Hey there! Thank you for bringing this issue to our attention.

    There was an issue with the 8.5 release, so we reverted the stable tag to 8.4. We expect to have a fix in place by Monday, January 15th, and release 8.5.1. More info can be found in the release notes for 8.5.

    For now, please roll back to 8.4 until 8.5.1 is released.

    You can find older versions to download here.

    If you prefer, you can also use a plugin such as WP Rollback to help you with this process. You can find the plugin here.

    Please let us know if you have any questions or if we can assist with anything else.

    Have a wonderful day!

    Hi,

    I have updated WooCommerce to 8.5.1 because I was having the same issue. This issue still persists in 8.5.1; we are getting the Comodo 218500 ModSecurity.

    To resolve it I had to roll back to 8.4.0

    Plugin Support Shameem R. a11n

    (@shameemreza)

    Hi @tygoo,

    In WC 8.5.1, some Web Application Firewalls (such as the common ModSecurity) result in 403 errors. Could you please check the solution shared here and see whether it is resolved?

    Looking forward to hearing from you!

  • The topic ‘tracking cookies in 8.5.0 triggering modescurity’ is closed to new replies.
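
A triage sketch for the false positive discussed in this thread, added here as an example and not posted by any participant or taken from WooCommerce or Comodo: it parses ModSecurity warning lines, separates hits on `sbjs_` cookies from other hits on the same rule, and builds a ModSecurity 2.x `SecRuleUpdateTargetById` exclusion scoped to those cookies instead of disabling rule 218500 outright. The function names and the second log line are constructed; the first line is abridged from the warning quoted above, and the directive assumes it is loaded after the rule file.

```python
import re
from collections import Counter

# First line: abridged from the warning quoted in this thread (pattern elided).
# Second line: constructed for contrast, not taken from the thread.
SAMPLE_LOG = [
    'ModSecurity: Warning. Pattern match "..." at REQUEST_COOKIES:sbjs_first. '
    '[file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] '
    '[line "66"] [id "218500"] [rev "18"] '
    '[msg "COMODO WAF: SQLmap attack detected||example.com|F|2"] '
    '[severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "example.com"]',
    'ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "218500"] '
    '[msg "COMODO WAF: SQLmap attack detected||example.com|F|2"] '
    '[severity "CRITICAL"] [hostname "example.com"]',
]

TARGET_RE = re.compile(r' at ([A-Z_]+)(?::([\w.-]+?))?\. \[')
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_hit(line):
    """Return (rule_id, collection, key) for one warning line, or None."""
    target = TARGET_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if target is None or "id" not in fields:
        return None
    return fields["id"], target.group(1), target.group(2) or ""

def triage(lines, cookie_prefix="sbjs_"):
    """Count hits per (rule id, target), split by whether the target is a
    cookie whose name starts with cookie_prefix."""
    on_cookie, elsewhere = Counter(), Counter()
    for hit in filter(None, map(parse_hit, lines)):
        rule_id, collection, key = hit
        is_cookie = collection == "REQUEST_COOKIES" and key.startswith(cookie_prefix)
        bucket = on_cookie if is_cookie else elsewhere
        bucket[(rule_id, f"{collection}:{key}" if key else collection)] += 1
    return on_cookie, elsewhere

def scoped_exclusions(on_cookie, cookie_prefix="sbjs_"):
    """One ModSecurity 2.x target exclusion per affected rule id, so the rule
    keeps inspecting every other variable instead of being disabled."""
    rule_ids = sorted({rule_id for rule_id, _ in on_cookie})
    return [f'SecRuleUpdateTargetById {rid} "!REQUEST_COOKIES:/^{cookie_prefix}/"'
            for rid in rule_ids]

if __name__ == "__main__":
    on_cookie, elsewhere = triage(SAMPLE_LOG)
    print("sbjs_ cookie hits:", dict(on_cookie))
    print("other hits (review before excluding anything):", dict(elsewhere))
    print("\n".join(scoped_exclusions(on_cookie)))
```

Hits that land in the second counter are on request data other than the `sbjs_` cookies and are not covered by the generated exclusion.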