BulletProof Security BuddyPress Compose Message autocomplete


This topic contains 5 replies, has 2 voices, and was last updated by  Giorgos 1 year, 10 months ago.

    #557

    AITpro Admin
    Keymaster

    Email Question:

    Hey, just wanted to log what seems to be a bug — when I enable BPS on our BuddyPress site, it breaks username autocomplete from messages/compose (for me, anyway!)

    I had to disable BPS to prevent this error. And yes, I reviewed your relevant post: http://www.ait-pro.com/aitpro-blog/3429/misc-projects/wordpress-tips-tricks-fixes/bulletproof-security-403-forbidden-errors-troubleshooting/

    Unfortunately that didn’t help.

    Thanks for reading! Hope this is fixed in a future version.

    Answer:

    Are you sure BPS is causing the problem? Have you put BPS in Default Mode to make sure BPS is causing this? This may also be a Multisite specific issue. The BulletProof Security BuddyPress Forum is a standard WordPress installation and I am not familiar with using Compose Message autocomplete, but will see what this is and if this problem is occurring on the BulletProof Security BuddyPress Forum. Can you give me specific details about how to use the BuddyPress Compose Message autocomplete feature? Thanks.

    I found this BuddyPress Forum Topic by doing a Google search, but it is dated to a year ago.

    http://buddypress.org/support/topic/bp-messages-compose-message-autocomplete-issue/

    #589

    AITpro Admin
    Keymaster

    Email Reply:

    Hello,

    I believe BPS was the cause, because when I set it into ‘default mode’ the problem was fixed.

    In order to test, you’ll need a BuddyPress installation. Then, go to your profile page, messages, compose (easy to access from the BP bar on top of the screen). You’ll need another user to send to as well.

    When you start typing, there should be a menu that pops up below the text field with suggestions for autocomplete.

    If you look with Chrome web inspector (network section), you can see requests going to /wp-admin/admin-ajax.php returning with status 403.

    #590

    AITpro Admin
    Keymaster

    Yes you are correct I see that a 403 error is being logged (shown below) when admin-ajax.php is being called in this way.  I can successfully compose and send messages, but I never noticed that autocomplete was not functioning as it is supposed to function.

    This is actually not a bug since BPS is actively blocking wp-admin files from being exploited. This issue actually occurs with several other plugins and I have considered permanently adding admin-ajax.php to the wp-admin .htaccess file with a skip/bypass rule since this file is pretty much always safe to call. The press-this.php file is permanently added to the wp-admin .htaccess file in this way already as a safe file to call. The thing that always stops me from adding this file permanently as a file to allow is that the basic philosophy with BPS is that BPS starts with the maximum security settings and then if folks choose to decrease that security then that is a personal choice that they can decide on. I will look into this again and make a decision about permanently adding a skip/bypass rule for admin-ajax.php in the wp-admin .htaccess file. I am not choosing to create a skip/bypass rule for this BuddyPress Forum since I prefer not to allow admin-ajax.php to be called in this way, but if you would like to allow this then see the admin-ajax.php skip/bypass rule below.

    HTTP_REFERER: http://forum.ait-pro.com/members/f371905/messages/compose/
    REQUEST_URI: /wp-admin/admin-ajax.php?q=dfdfadf&limit=10&action=messages_autocomplete_results&cookie=wp-settings-1

    To add a skip/bypass rule for the admin-ajax.php file to your wp-admin htaccess file:

    Add this wp-admin .htaccess bypass / skip rule below to the wp-admin Custom Code box – CUSTOM CODE WPADMIN PLUGIN FIXES: and then activate BulletProof Mode for your wp-admin folder again.   The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1]. This bypass / skip rule is safe to use because the wp-admin area is protected with WP Authentication security.

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]

    #1586

    Giorgos
    Member

    Unfortunately autocomplete still doesn’t work for me. It works only when I use the default .htaccess file. I placed the suggested code in wp-admin .htaccess File Custom Code but it generated an error log as follows:

    >>>>>>>>>>> 403 Error Logged - January 31, 2013 - 3:47 pm <<<<<<<<<<<
    REMOTE_ADDR: Host Name: HTTP_CLIENT_IP:
    HTTP_FORWARDED: HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://members/gk/messages/compose/
    REQUEST_URI: /wp-admin/admin-ajax.php?q=giorg&limit=10&action=messages_autocomplete_results&cookie=__utma%253D1.1281569344.1359647057.1359647057.1359647057.1%253B%2520__utmb%253D1.4.10.1359647057%253B%2520__utmc%253D1%253B%2520__utmz%253D1.1359647057.1.1.utmcsr%253D(direct)%257Cutmccn%253D(direct)%257Cutmcmd%253D(none)%253B%2520bp-activity-oldestpage%253D1%253B%2520wordpress_test_cookie%253DWP%252BCookie%252Bcheck%253B%2520pt_ay_v1%253Dvisit%253A%253A1359647059.066%253B%2520PHPSESSID%253DyNh1AoWaiQKWnZOwF8nwk3
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17

    Any idea what is going wrong? Thanks in advance, Giorgos
    #1588

    AITpro Admin
    Keymaster

    The error is not being caused by adding the .htaccess code.  The error is telling you that you need to add the skip/bypass rule.  So something was not done correctly if you are seeing that error.

    Please try again to create the admin-ajax.php bypass/skip rule in your wp-admin .htaccess file. With BuddyPress you also want to create this skip/bypass rule for post.php, so you might as well do them together as shown below. Add this in Custom Code to the .

    # admin-ajax.php and post.php skip/bypass rules
    RewriteCond %{REQUEST_URI} (admin-ajax\.php|post\.php) [NC]
    RewriteRule . - [S=2]
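The two posts above turn on one mod_rewrite detail: an [S=n] flag skips the next n RewriteRule directives, and because BPS writes the custom code above its own existing [S=1] bypass, a custom skip of [S=1] would only jump over that bypass and still land on the blocking rule. The following is an added example, not code from the thread or from the BulletProof Security plugin: a small Python model of that skip behaviour that replays a blocked request (taken from a log entry in the format shown in the thread) against candidate .htaccess files. The wp-admin .htaccess it assembles is a constructed, simplified stand-in for the layout the thread describes (custom code first, then the existing press-this.php [S=1] rule, then a blocking rule); the real BPS file and its blocking rule are not reproduced. All names (`build_htaccess`, `evaluate`, `parse_rules`, `request_uri_from_log`, the sample constants) are mine. One caveat the thread does not spell out: admin-ajax.php also dispatches `wp_ajax_nopriv_*` actions for visitors who are not logged in, so a bypass for it re-exposes whatever unauthenticated AJAX handlers the installed plugins register; the WordPress login check is per action handler, not per file.

```python
import re

# Constructed stand-in for the lower part of a BPS-style wp-admin .htaccess.
# It is NOT the real BulletProof Security file: the press-this.php [S=1] rule
# mirrors what the thread says is already there, and the final [F] rule is a
# simplified substitute for the real block on direct wp-admin script requests.
BPS_LIKE_TAIL = r"""
# existing bypass for press-this.php (already treated as safe to call)
RewriteCond %{REQUEST_URI} (press-this\.php) [NC]
RewriteRule . - [S=1]

# stand-in for the rule that forbids direct calls to wp-admin scripts
RewriteCond %{REQUEST_URI} \.php [NC]
RewriteRule . - [F]
"""

# The skip rule from the thread, and the same rule with the wrong skip count.
PAGE_RULE_S2 = r"""
# admin-ajax.php and post.php skip/bypass rules
RewriteCond %{REQUEST_URI} (admin-ajax\.php|post\.php) [NC]
RewriteRule . - [S=2]
"""
WRONG_RULE_S1 = PAGE_RULE_S2.replace("[S=2]", "[S=1]")

# Constructed log entry in the format BPS writes (see the thread); values trimmed.
SAMPLE_403_LOG = """\
>>>>>>>>>>> 403 Error Logged - January 31, 2013 - 3:47 pm <<<<<<<<<<<
REQUEST_METHOD: GET
HTTP_REFERER: http://members/gk/messages/compose/
REQUEST_URI: /wp-admin/admin-ajax.php?q=giorg&limit=10&action=messages_autocomplete_results
QUERY_STRING:
"""


def build_htaccess(custom_code):
    """Assemble the file the way BPS lays it out: custom code sits ABOVE the
    existing rules, which is why its skip count must cover the [S=1] rule too."""
    return "RewriteEngine On\nRewriteBase /wp-admin/\n" + custom_code + BPS_LIKE_TAIL


def parse_rules(text):
    """Return one (conds, pattern, flags) tuple per RewriteRule. Each
    RewriteCond attaches to the next RewriteRule, as in mod_rewrite.
    Only %{REQUEST_URI} conditions are modelled; that is all this page uses."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        flags = set()
        if parts[-1].startswith("[") and parts[-1].endswith("]"):
            flags = set(parts[-1][1:-1].split(","))
            parts = parts[:-1]
        if parts[0] == "RewriteCond" and parts[1] == "%{REQUEST_URI}":
            pending.append((parts[2], flags))
        elif parts[0] == "RewriteRule":
            rules.append((pending, parts[1], flags))
            pending = []
    return rules


def _cond_matches(regex, flags, path):
    return re.search(regex, path, re.IGNORECASE if "NC" in flags else 0) is not None


def evaluate(request_uri, htaccess_text):
    """Walk the rules in order and return the status a request would get: 403
    if an [F] rule fires, 200 if the request falls off the end of the ruleset.
    [S=n] skips the next n RewriteRule directives together with the
    RewriteConds that belong to them; that is what the 'must be [S=2]' advice
    in the thread relies on."""
    path = request_uri.split("?", 1)[0]  # Apache's %{REQUEST_URI} has no query string
    rules = parse_rules(htaccess_text)
    i = 0
    while i < len(rules):
        conds, pattern, flags = rules[i]
        i += 1
        if not re.search(pattern, path):
            continue
        if not all(_cond_matches(regex, cflags, path) for regex, cflags in conds):
            continue
        if "F" in flags:
            return 403
        i += next((int(f[2:]) for f in flags if f.startswith("S=")), 0)
    return 200


def request_uri_from_log(entry):
    """Pull REQUEST_URI out of a BPS 403 log entry so the blocked request can
    be replayed against a candidate .htaccess before the live site is touched."""
    m = re.search(r"^REQUEST_URI:\s*(\S+)", entry, re.MULTILINE)
    return m.group(1) if m else None


def demo():
    """Outcome of the autocomplete request under each candidate file."""
    uri = request_uri_from_log(SAMPLE_403_LOG)
    return {
        "no custom code": evaluate(uri, build_htaccess("")),
        "[S=1] (too short)": evaluate(uri, build_htaccess(WRONG_RULE_S1)),
        "[S=2] (from thread)": evaluate(uri, build_htaccess(PAGE_RULE_S2)),
        "other wp-admin script": evaluate("/wp-admin/options.php",
                                          build_htaccess(PAGE_RULE_S2)),
    }


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label:24} -> {status}")
```

Running it shows the autocomplete request getting 403 with no custom code and with an [S=1] custom rule, 200 with the [S=2] rule from the thread, while an unrelated wp-admin script is still blocked. The same `evaluate` call is a cheap way to confirm a bypass is scoped to the one script you meant before re-activating BulletProof Mode.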

     

    #1589

    Giorgos
    Member

    Fantastic!! Thanks for your fast response and resolution on this.
    I had placed the bypass rule in wp-admin .htaccess File Custom Code instead of the CUSTOM CODE WPADMIN PLUGIN FIXES: Add ONLY WPADMIN personal plugin fixes code here text box.
    Also I didn’t de-activate / re-activate the wp-admin mode the first time. Works fine now.
