[Resolved] Search results: Access denied 403 code
Tagged: 403, comodo, comodo_free, modsecurity, search
This topic has 13 replies, 3 voices, and was last updated 1 year, 6 months ago by Alex.
November 17, 2021 at 4:52 pm #32164
patsa
Participant
Hi there,
We have a problem with the search bar: when we try to search for something with a few letters, e.g. ab, ex, etc., we get error 403. In our server’s log these messages are shown as CRITICAL:
ModSecurity: Access denied with code 403 (phase 4). Pattern match “(?i)(?:ORA-[0-9][0-9][0-9][0-9]|java\\\\.sql\\\\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)” at MATCHED_VAR. [file “/etc/httpd/conf/modsecurity.d/rules/comodo_free/17_Outgoing_FilterSQL.conf”] [line “22”] [id “218020”] [rev “1”] [msg “COMODO WAF: Oracle SQL Information Leakage||www.emmanouilidoutoys.gr|F|2”] [data “Matched Data: error found within MATCHED_VAR: <!DOCTYPE html>\\x0d\\x0a<html xmlns=\\x22http://www.w3.org/1999/xhtml\\x22 lang=\\x22el\\x22>\\x0d\\x0a\\x09<head>\\x0d\\x0a\\x09\\x09<!– Global site tag (gtag.js) – Google Analytics –>\\x0d\\x0a<script async src=\\x22https://www.googletagmanager.com/gtag/js?id=UA-148078308-53\\x22></script>\\x0d\\x0a<script>\\x0d\\x0a window.dataLayer = window.dataLayer || [];\\x0d\\x0a function gtag(){dataLayer.push(arguments);}\\x0d\\x0a gtag(‘js’, new Date());\\x0d\\x0a\\x0d\\x0a gtag(‘config’…”] [severity “CRITICAL”] [tag “CWAF”] [tag “FilterSQL”] [hostname “www.emmanouilidoutoys.gr”] [uri “/index.php”] [unique_id “YZUMXZcfJXv9msiIZKmTjwAAANg”], referer: https://www.emmanouilidoutoys.gr/
ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file “/etc/httpd/conf/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf”] [line “38”] [id “214940”] [rev “2”] [msg “COMODO WAF: Outbound Points Exceeded| Total Points: 5|www.emmanouilidoutoys.gr|F|2”] [severity “CRITICAL”] [tag “CWAF”] [tag “FiltersEnd”] [hostname “www.emmanouilidoutoys.gr”] [uri “/error_docs/forbidden.html”] [unique_id “YZUMXZcfJXv9msiIZKmTjwAAANg”], referer: https://www.emmanouilidoutoys.gr/
As you can see modsecurity is enabled in our server with comodo_free.
Please give us a solution. You may ask us for credentials for dashboard or FTP account if needed.
Thanks
November 17, 2021 at 4:57 pm #32168
Althemist
Keymaster
Hello patsa,
The PHP modsecurity should be disabled. This is not theme related, it’s one of the official WordPress and WooCommerce system requirements.
There are many ways to protect your WordPress website, but modsecurity is not one of them.
November 17, 2021 at 5:02 pm #32169
Althemist
Keymaster
BTW, we have checked your website and it’s extremely slow to the point where it’s almost unusable. We’d strongly suggest optimizing it and maybe even changing your hosting.
https://gtmetrix.com/reports/www.emmanouilidoutoys.gr/rLrvTcxd/
It’s even worse on mobiles and most probably at least 75% of your traffic is mobile, so you should definitely do something. Right now you are probably losing 90% of your potential customers because of that.
November 18, 2021 at 3:29 pm #32174
patsa
Participant
Hello Althemist,
Regarding your answer, I am not sure if it is theme related or not, as we have more WordPress sites with the WooCommerce system on the same server, and in our server logs we do not have any error regarding ModSecurity.
Please feel free to do a search on https://www.circo.gr, https://www.circo.gr/?s=ex&post_type=product this is a site with the same plugins enabled as in https://www.emmanouilidoutoys.gr/ but with another theme, and the search URL works as it should. WordPress and WooCommerce are updated to their latest versions.
Disabling ModSecurity is not an option.
Please consider the fact that this is one of 14 WordPress sites with WooCommerce search functionality which are hosted on the same server, and none of them produces the above report in the logs.
Awaiting your reply.
Thanks in advance.
November 18, 2021 at 4:14 pm #32175
Althemist
Keymaster
Could you please give us temporary admin access to your site, so we can check what could be wrong? Also, is there a reason to use an Oracle database? That’s highly unusual for a WordPress installation.
Anyways, keep in mind that 403 is a server permissions type error, so it really can’t be theme related. As you can see it works absolutely fine on our demo:
November 19, 2021 at 9:51 am #32180
patsa
Participant
This reply has been marked as private.
November 19, 2021 at 12:30 pm #32183
Alex
Keymaster
Hello patsa,
This is a really strange problem.
If we remove the post_type parameter, mod_security doesn’t complain… Could you please also send us an FTP account, so we can look at the logs? It will help if you tell us where we can find them.
Regards,
Alex
November 19, 2021 at 1:23 pm #32184
patsa
Participant
This reply has been marked as private.
November 19, 2021 at 5:23 pm #32189
Alex
Keymaster
Hello patsa,
Thank you.
Please keep in mind that it will take some time to investigate this, as it is quite an unusual issue.
Regards,
Alex
November 25, 2021 at 10:54 am #32238
patsa
Participant
Hi Alex,
Is there any update about this issue?
Thanks.
November 25, 2021 at 3:39 pm #32249
Alex
Keymaster
Hello patsa,
We are still investigating. We will give you an update later today.
Regards,
Alex
November 25, 2021 at 6:23 pm #32256
Alex
Keymaster
Hello patsa,
After researching the issue, we’ve found that ModSecurity quite often triggers false positive alerts.
Anyway, we double-checked our code for SQL injection vulnerabilities and we can assure you that all the parameters are properly escaped and there is no real threat.
The cause for the false positive trigger could be a specific combination of conditions provided by all the plugins and theme. We suggest that you modify the rules according to your current configuration. Unfortunately we are not specialists in this area and can’t help you with this.
If you find a concrete problem, please let us know and we will investigate and resolve it.
Regards,
Alex
November 29, 2021 at 12:26 pm #32269
patsa
Participant
This reply has been marked as private.
November 29, 2021 at 1:46 pm #32271
Alex
Keymaster
This reply has been marked as private.
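Added example, not part of the original thread and not COMODO's or the theme authors' code: rule 218020 in the log above runs in phase 4 against the response body, so this sketch tests each alternative of the logged pattern against a page body and reports which one fires and on what text. The sample HTML is constructed, the helper name explain_match is hypothetical, and the regex flags are an assumption noted in the comments.

```python
import re

# Alternatives of COMODO rule 218020, copied from the log line in the first
# post with the log's backslash escaping undone (assumption).
ALTERNATIVES = [
    r"ORA-[0-9][0-9][0-9][0-9]",
    r"java\.sql\.SQLException",
    r"Oracle error",
    r"Oracle.*Driver",
    r"Warning.*oci_.*",
    r"Warning.*ora_.*",
]
# Assumption: case-insensitive per the rule's (?i); dot also matches newlines,
# as ModSecurity 2.x compiles @rx patterns with PCRE_DOTALL.
RULE_FLAGS = re.IGNORECASE | re.DOTALL

# Constructed sample response body (not taken from the affected site).
SAMPLE_BODY = """<!DOCTYPE html>
<html><head>
<script>var i18n = {"notice": "Warning: cookies are disabled"};</script>
</head><body>
<ul class="products">
<li><a href="/product/dora_backpack/">Dora backpack</a></li>
</ul>
</body></html>
"""

def explain_match(body, flags=RULE_FLAGS, context=25):
    """List which alternatives of the rule fire on body, and on what text."""
    hits = []
    for alt in ALTERNATIVES:
        # Lazy quantifiers accept the same bodies but keep the reported span short.
        m = re.search(alt.replace(".*", ".*?"), body, flags)
        if m:
            hits.append({
                "alternative": alt,
                "offsets": (m.start(), m.end()),
                "head": body[m.start():m.start() + context],
                "tail": body[max(m.start(), m.end() - context):m.end()],
            })
    return hits

if __name__ == "__main__":
    for hit in explain_match(SAMPLE_BODY):
        print(hit)
```

On the constructed page, an unrelated "Warning" string in a script and a product slug containing "ora_" several lines later are enough to satisfy one alternative; knowing which alternative fired lets an exclusion be scoped to that rule and URI rather than switching ModSecurity off.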