BulletProof Security BuddyPress Compose Message autocomplete


  • #557
    AITpro Admin
    Keymaster

    Email Question:
    Hey, just wanted to log what seems to be a bug — when I enable BPS on our BuddyPress site, it breaks username autocomplete from messages/compose (for me, anyway!). I had to disable BPS to prevent this error. And yes, I reviewed your relevant post: http://www.ait-pro.com/aitpro-blog/3429/misc-projects/wordpress-tips-tricks-fixes/bulletproof-security-403-forbidden-errors-troubleshooting/ Unfortunately that didn’t help. Thanks for reading! Hope this is fixed in a future version.

    Answer:
    Are you sure BPS is causing the problem?  Have you deactivated Root Folder BulletProof Mode to make sure BPS is causing this?  This may also be a Multisite specific issue.  The BulletProof Security BuddyPress Forum is a standard WordPress installation and I am not familiar with using Compose Message autocomplete, but will see what this is and if this problem is occurring on the BulletProof Security BuddyPress Forum.  Can you give me specific details about how to use the BuddyPress Compose Message autocomplete feature?  Thanks.

    I found this BuddyPress Forum Topic by doing a Google search, but it is dated to a year ago.
    http://buddypress.org/support/topic/bp-messages-compose-message-autocomplete-issue/

    #589
    AITpro Admin
    Keymaster

    Email Reply:
    Hello,

    I believe BPS was the cause, because when I deactivated Root Folder BulletProof Mode the problem was fixed. In order to test, you’ll need a BuddyPress installation. Then, go to your profile page, messages, compose (easy to access from the BP bar on top of the screen). You’ll need another user to send to as well. When you start typing, there should be a menu that pops up below the text field with suggestions for autocomplete. If you look with Chrome web inspector (network section), you can see requests going to /wp-admin/admin-ajax.php returning with status 403.

    #590
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    Yes you are correct I see that a 403 error is being logged (shown below) when admin-ajax.php is being called in this way.  I can successfully compose and send messages, but I never noticed that autocomplete was not functioning as it is supposed to function.

    This is actually not a bug since BPS is actively blocking wp-admin files from being exploited.  This issue actually occurs with several other plugins and I have considered permanently adding admin-ajax.php to the wp-admin .htaccess file with a skip/bypass rule since this file is pretty much always safe to call.  The press-this.php file is permanently added to the wp-admin .htaccess file in this way already as a safe file to call.  The thing that always stops me from adding this file permanently as a file to allow is that the basic philosophy with BPS is that BPS starts with the maximum security settings and then if folks choose to decrease that security then that is a personal choice that they can decide on.  I will look into this again and make a decision about permanently adding a skip/bypass rule for admin-ajax.php in the wp-admin .htaccess file.  I am not choosing to create a skip/bypass rule for this BuddyPress Forum since I prefer not to allow admin-ajax.php to be called in this way, but if you would like to allow this then see the admin-ajax.php skip/bypass rule below.

    HTTP_REFERER: http://forum.ait-pro.com/members/f371905/messages/compose/
    REQUEST_URI: /wp-admin/admin-ajax.php?q=dfdfadf&limit=10&action=messages_autocomplete_results&cookie=wp-settings-1

    To add a skip/bypass rule for the admin-ajax.php file to your wp-admin htaccess file:
    1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]
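The skip-count arithmetic in the note above, as an added example that is not part of this thread or of BulletProof Security: a small Python model of how Apache mod_rewrite handles the [S=n] (skip) and [F] (forbidden) flags, run against a constructed stand-in for a wp-admin .htaccess file. The rule sets below, the trailing [F] rule that stands in for whatever BPS rule produced the 403, and the plugin-a/plugin-b names are all assumptions; only RewriteCond on %{REQUEST_URI}, the "." rule pattern and the S/F flags are modelled, which is all the skip/bypass rule in this thread uses.

```python
"""Model of Apache mod_rewrite [S=n] (skip) and [F] (forbidden) handling.

Added example, not part of BulletProof Security or this thread.  It models
only what the skip/bypass rules above use: RewriteCond on %{REQUEST_URI},
the "." RewriteRule pattern (matches any non-empty path) and the S/F flags.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    conds: list           # compiled patterns tested against REQUEST_URI
    skip: int = 0         # [S=n]: skip the next n RewriteRules on match
    forbid: bool = False  # [F]: answer 403 on match


def parse_htaccess(text):
    """Parse RewriteCond/RewriteRule lines into Rule objects, order kept."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("RewriteCond"):
            _, var, pattern, *flags = line.split()
            assert var == "%{REQUEST_URI}", "only REQUEST_URI conditions are modelled"
            nocase = any("NC" in f for f in flags)
            pending.append(re.compile(pattern, re.I if nocase else 0))
        elif line.startswith("RewriteRule"):
            parts = line.split()
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            skip = next((int(f[2:]) for f in flags if f.startswith("S=")), 0)
            rules.append(Rule(pending, skip, "F" in flags))
            pending = []
    return rules


def evaluate(rules, request_uri):
    """Walk the rules the way mod_rewrite does and return 403 or 200.

    A rule matches when all of its RewriteConds match REQUEST_URI (the "."
    pattern always matches a non-empty path).  A matching [F] rule stops with
    403; a matching [S=n] rule jumps over the next n rules.
    """
    i = 0
    while i < len(rules):
        rule = rules[i]
        if all(c.search(request_uri) for c in rule.conds):
            if rule.forbid:
                return 403
            i += rule.skip
        i += 1
    return 200


# Constructed stand-in for an existing BPS wp-admin .htaccess: one skip rule
# (press-this.php, [S=1]) above one blocking rule.  The [F] rule is an
# assumption standing in for whatever BPS rule produced the 403 in the thread.
EXISTING_RULES = r"""
RewriteCond %{REQUEST_URI} (press-this\.php) [NC]
RewriteRule . - [S=1]
RewriteCond %{REQUEST_URI} (/wp-admin/) [NC]
RewriteRule . - [F]
"""

# Same file with two more skip rules already present (the "skip #'s 2 and 3"
# case from the note).  The plugin names are made up.
EXISTING_RULES_MORE_SKIPS = r"""
RewriteCond %{REQUEST_URI} (plugin-a\.php) [NC]
RewriteRule . - [S=3]
RewriteCond %{REQUEST_URI} (plugin-b\.php) [NC]
RewriteRule . - [S=2]
""" + EXISTING_RULES


def with_bypass(skip_n, existing=EXISTING_RULES,
                files=(r"admin-ajax\.php", r"post\.php")):
    """Prepend the thread's skip/bypass rule with a chosen [S=n] to a file."""
    bypass = ("RewriteCond %{REQUEST_URI} (" + "|".join(files) + ") [NC]\n"
              "RewriteRule . - [S=" + str(skip_n) + "]\n")
    return parse_htaccess(bypass + existing)


def required_skip(existing):
    """Skip count a rule placed at the top needs: it must jump over every
    RewriteRule down to and including the last [F] rule."""
    rules = parse_htaccess(existing)
    last_forbid = max(i for i, r in enumerate(rules) if r.forbid)
    return last_forbid + 1


if __name__ == "__main__":
    uri = "/wp-admin/admin-ajax.php"
    print("no bypass rule:", evaluate(parse_htaccess(EXISTING_RULES), uri))
    for n in (1, 2):
        print(f"bypass with [S={n}]:", evaluate(with_bypass(n), uri))
    print("skip needed above two extra skip rules:",
          required_skip(EXISTING_RULES_MORE_SKIPS))
```

With the bypass rule written as [S=1] the request only jumps over the press-this.php rule and still lands on the blocking rule (403); with [S=2] it clears both (200). The same walk shows why a file that already holds skip rules 2 and 3 needs [S=4] for a new rule on top. On a live site the equivalent check is to request the blocked URI again after activating wp-admin Folder BulletProof Mode: a 403 that persists with the rule in place usually means the skip count is smaller than the number of RewriteRules now sitting between it and the blocking rule.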

    #1586
    Giorgos
    Member

    Unfortunately autocomplete still doesn’t work for me. It works only when I use the default .htaccess file. I placed the suggested code in wp-admin .htaccess File Custom Code but it generated an error log as follows:

    >>>>>>>>>>> 403 Error Logged - January 31, 2013 - 3:47 pm <<<<<<<<<<<
    REMOTE_ADDR: Host Name: HTTP_CLIENT_IP: 
    HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://members/gk/messages/compose/
    REQUEST_URI: /wp-admin/admin-ajax.php?q=giorg&limit=10&action=messages_autocomplete_results&cookie=__utma%253D1.1281569344.1359647057.1359647057.1359647057.1%253B%2520__utmb%253D1.4.10.1359647057%253B%2520__utmc%253D1%253B%2520__utmz%253D1.1359647057.1.1.utmcsr%253D(direct)%257Cutmccn%253D(direct)%257Cutmcmd%253D(none)%253B%2520bp-activity-oldestpage%253D1%253B%2520wordpress_test_cookie%253DWP%252BCookie%252Bcheck%253B%2520pt_ay_v1%253Dvisit%253A%253A1359647059.066%253B%2520PHPSESSID%253DyNh1AoWaiQKWnZOwF8nwk3
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17

    Any idea what is going wrong? Thanks in advance, Giorgos
    #1588
    AITpro Admin
    Keymaster

    The error is not being caused by adding the .htaccess code.  The error is telling you that you need to add the skip/bypass rule.  So something was not done correctly if you are seeing that error. Please try again to create the admin-ajax.php bypass skip rule in your wp-admin .htaccess file.  Also, with BuddyPress you want to create this skip/bypass rule for post.php as well, so you might as well do them together as shown below.

    1. Add the admin-ajax.php & post.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # admin-ajax.php & post.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php|post\.php) [NC]
    RewriteRule . - [S=2]
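Reading a BPS 403 log the way the answer above does, as an added example that is not part of this thread or of BPS: the script parses entries in the banner format Giorgos posted, groups the blocked wp-admin requests by script and `action` parameter so you can see exactly what a skip/bypass rule would open before adding it, and prints the combined rule in the form used in this thread. The log text is constructed sample data (the first entry is reduced from the posted one with a placeholder cookie value, the rest are made up); the banner regex and the field names are assumed to match the posted layout.

```python
"""Triage a BulletProof Security 403 error log for blocked wp-admin requests.

Added example, not part of BPS.  The banner and field layout follow the
entry posted in this thread; the log below is constructed sample data.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the first entry is reduced from the posted one with a
# placeholder cookie value; the others are made up to show the grouping.
SAMPLE_LOG = """\
>>>>>>>>>>> 403 Error Logged - January 31, 2013 - 3:47 pm <<<<<<<<<<<
REMOTE_ADDR: 192.0.2.10 Host Name: HTTP_CLIENT_IP:
HTTP_FORWARDED: HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://members/gk/messages/compose/
REQUEST_URI: /wp-admin/admin-ajax.php?q=giorg&limit=10&action=messages_autocomplete_results&cookie=PHPSESSID%253Dplaceholder
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.17

>>>>>>>>>>> 403 Error Logged - January 31, 2013 - 3:48 pm <<<<<<<<<<<
REQUEST_METHOD: GET
HTTP_REFERER: http://members/gk/messages/compose/
REQUEST_URI: /wp-admin/admin-ajax.php?q=giorgo&limit=10&action=messages_autocomplete_results

>>>>>>>>>>> 403 Error Logged - January 31, 2013 - 3:52 pm <<<<<<<<<<<
REQUEST_METHOD: POST
HTTP_REFERER: http://members/gk/activity/
REQUEST_URI: /wp-admin/post.php?post=42&action=edit

>>>>>>>>>>> 403 Error Logged - January 31, 2013 - 4:01 pm <<<<<<<<<<<
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php
"""

BANNER = re.compile(r"^>{5,}\s*403 Error Logged - (.+?) <{5,}", re.M)
FIELD = re.compile(r"^(REQUEST_METHOD|HTTP_REFERER|REQUEST_URI): ?(.*)$", re.M)


def parse_entries(log_text):
    """Split on the banner lines and keep the fields the triage needs."""
    pieces = BANNER.split(log_text)   # [preamble, time1, body1, time2, body2, ...]
    entries = []
    for stamp, body in zip(pieces[1::2], pieces[2::2]):
        entry = {"time": stamp.strip()}
        entry.update(FIELD.findall(body))
        entries.append(entry)
    return entries


def classify(entry):
    """(script, action) for a blocked wp-admin request, else None."""
    parts = urlsplit(entry.get("REQUEST_URI", ""))
    if not parts.path.startswith("/wp-admin/"):
        return None
    action = parse_qs(parts.query).get("action", ["-"])[0]
    return parts.path.rsplit("/", 1)[-1], action


def blocked_admin_scripts(log_text):
    """Count blocked (script, action) pairs: this is what a skip rule for the
    script would let through, so review it before adding the rule."""
    counts = Counter()
    for entry in parse_entries(log_text):
        key = classify(entry)
        if key:
            counts[key] += 1
    return counts


def redact_cookie(uri):
    """The posted entry carries cookie contents in the query string
    (cookie=...); drop that value before sharing a log excerpt."""
    return re.sub(r"(cookie=)[^&]*", r"\g<1>[redacted]", uri)


def skip_rule_for(counts, skip_n):
    """Skip/bypass rule in the thread's form covering every blocked script."""
    scripts = sorted({script for script, _ in counts})
    alternation = "|".join(s.replace(".", r"\.") for s in scripts)
    return ("RewriteCond %{REQUEST_URI} (" + alternation + ") [NC]\n"
            "RewriteRule . - [S=" + str(skip_n) + "]")


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE_LOG):
        print(entry["time"], entry.get("REQUEST_METHOD", "?"),
              redact_cookie(entry.get("REQUEST_URI", "")))
    counts = blocked_admin_scripts(SAMPLE_LOG)
    for (script, action), n in counts.most_common():
        print(f"{n:3d}  {script}  action={action}")
    print(skip_rule_for(counts, 2))
```

The grouping is the decision point: a skip rule on admin-ajax.php bypasses the wp-admin rules for every `action`, not only `messages_autocomplete_results`, which is the trade-off the answer above describes. The skip number printed here is the one for a file whose only other skip rule is [S=1]; adjust it as the note says if more skip rules are present.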

    #1589
    Giorgos
    Member

    Fantastic!! Thanks for your fast response and resolution on this.
    I had placed the bypass rule in the wp-admin .htaccess File Custom Code text box instead of the CUSTOM CODE WPADMIN PLUGIN FIXES: Add ONLY WPADMIN personal plugin fixes code here text box.
    Also, I didn’t deactivate/reactivate the wp-admin mode the first time. Works fine now.
