Apostrophe – Single Quote Code Character 403 Error

[James]

Hi, For some reason I get this 403 error for most of my links, I thinks it’s due to the wired characters it has:

>>>>>>>>>>> 403 GET or Other Request Error Logged - June 16, 2013 - 12:50 am <<<<<<<<<<<
REMOTE_ADDR: 72.47.224.85
Host Name: agaacqmame.c03.gridserver.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: [removed]
REQUEST_URI: /download.php?authid=1515&id=3250&type=older_v2&movie=Greaser%27s+Palace
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

I have a few 1000 of these error throught my error log…
Can you please tell me what would I need to change in the .htaccess file to eliminate these 403 errors?

[AITpro Admin]

The Request URI Query string has a single quote code character/Apostrope in it and that is why it is generating a 403 error

Greaser%27s+Palace = Greaser's Palace

You can either remove the single quote character/Apostrophe from your website URL’s or you can copy the already modified BPS Query String Exploits htaccess code below to BPS Custom Code. Modifications made:  %27 is removed from these security filters below and the single quote coding character in the QUERY_STRING filter has been removed.

RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

IMPORTANT NOTE: This code below is for the root .htaccess file. If you want to allow/whitelist apostrophe’s|single quote code characters in your wp-admin backend area then use this wp-admin .htaccess file Query String Exploits code in this link:  http://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372

1. Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
Important Note: If you have existing htaccess code in this Custom Code text box then overwrite the existing htaccess code with this new htaccess code.
2. Click the Save Root Custom Code button.
3. Go to the BPS Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS

Impact to overall website security:  BPS has several overlapping security filters/rules. So by modifying these particular rules/filters your website is still protected against SQL Injection attacks. The SQL Injection security filter/rule below will still protect the site from all SQL Injection attacks. The single quote code character is used in most SQL Injection attacks.

RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

[James]

Thanks, it seems to be working great now.

One last thing I wanted to ask, can you please remove my domain from my original post?

[James]

Hmm.. After a few hours of letting this run, I still seem to be getting 403 errors..

BPS SECURITY / HTTP ERROR LOG
==============================
==============================
>>>>>>>>>>> 403 GET or Other Request Error Logged - June 16, 2013 - 3:53 am <<<<<<<<<<<
REMOTE_ADDR: 174.52.221.202
Host Name: c-174-52-221-202.hsd1.ut.comcast.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; Genieo/1.0 http: //www.genieo.com/webfilter.html)

>>>>>>>>>>> 403 GET or Other Request Error Logged - June 16, 2013 - 3:53 am <<<<<<<<<<<
REMOTE_ADDR: 65.55.215.100
Host Name: msnbot-65-55-215-100.search.msn.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/get-related-imdb-info/imdbimage.php?url=http://ia.media-imdb.com/images/M/MV5BMjE4MzE4MjcyMF5BMl5BanBnXkFtZTcwMjEzNDcyOQ@@._V1._SY0.jpg._V1_SX800_CR0,0.jpg
QUERY_STRING:
HTTP_USER_AGENT: msnbot-media/1.1 (+http: //search.msn.com/msnbot.htm)

[AITpro Admin]

These are totally different issues than the single quote issue.

1.  You DO want the Genio bot to be blocked so that is not an error, but is instead a blocked nuisance bot being logged.  If you do not want to see these security log entries in your security / http error log you can choose to ignore logging the Genio bot on the Security Log page.  Please read the Blue Read Me help button on the Security Log page for more information.

2.  The second error is being logged because the get related imdb info plugin is simulating an RFI hacking attempt against your website.  You will need to whitelist both the imdbimage.php file and the media-imdb.com external domain name as shown below.

1. You will need to copy this code to BPS Custom Code to the Timthumb Forbid RFI Custom Code Text box.
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
Note: Add your actual domain name below where you see “add-your-domain-name-here.com” below….

CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
# 
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (imdbimage\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^(.*add-your-domain-name-here.com.*|.*media-imdb.com.*)
RewriteRule . - [S=1]

[AITpro Admin]

FYI – the imdbimage.php file is a timthumb file/script that has been renamed to imdbimage.php.  Out of curiousity where did you get/buy this plugin?

[James]

Thanks, I just added the code above and now im waiting to see the log.

As for the plugin, I have a personal programmer who I pay to make custom plugins and websites.

[AITpro Admin]

Yep, there are lots of IMDB scrapers out there that are very similar.  Was curious because I found several that had very similar coding to your specific plugin when I scanned your site, but the naming conventions were different.  😉

[Deb]

I followed the instructions above. Added the custom code. A notice appeared at the top – but no matter how many times I click “Save Root Custom Code” button and steps on Security Mode – it never disappears now:

Notice: BPS Query String Exploits Code Changes
Older BPS Query String Exploits code was found in BPS Custom Code. Several Query String Exploits rules were changed/added/modified in the root .htaccess file in BPS Pro 7.9.
Copy the new Query String Exploits section of code from your root .htaccess file and paste it into this BPS Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS and click the Save Root Custom Code button.
This Notice will go away once you have copied the new Query String Exploits code to BPS Custom Code and clicked the Save Root Custom Code button.

Notice still there. Any thoughts? – mine are not working.

I checked the code in the File Editor tab to the left and it’s not there, so it’s not saving.
I’ll do it manually for the moment.

Back: the code in that portion of BPS was identical upon comparison, so the code was as you have above in the BPSQSE BPS QUERY STRING EXPLOITS code area.

[Deb]

Okay. I found newer BPS Query String Exploits code at
http://forum.ait-pro.com/forums/topic/backupbuddy-ping-waiting-for-server/  and pasted/saved etc. and now notice is gone.
🙂

 

[AITpro Admin]

I just updated the BPS Query String Exploits code above with the new code.  I thought I had found all posts with the old code, but must have missed this Topic.

[Author]

Posts