Discourse forum – 403 error

  • #19249
    Steven
    Participant

    I have a VPS host on Digital Ocean with WordPress 4.0 and a Discourse forum in a Docker instance.  So basically two separate sites on the same server.  My Discourse forum uses WordPress for SSO (single sign-on).  I am having an issue configuring the root .htaccess file to allow the Discourse site to call a page on my WordPress site, which has some PHP scripting and passes back session info.

    I tried following this guide here http://forum.ait-pro.com/forums/topic/custom-applications-outside-of-wordpress-3rd-party-apps/#post-13664
    But I am not sure if I am setting it up right or if this is the correct way to go. I get the following when I click on the login button on my Discourse site.

    Not Found
    The requested URL /sso/ was not found on this server.
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    Thanks

    #19251
    AITpro Admin
    Keymaster

    Post the 403 error from your Security Log so I can see what is being blocked.

    #19252
    Steven
    Participant

    There is nothing in the log.  Logging is turned on. and it says the file is writable.

    #19254
    AITpro Admin
    Keymaster

    Ok then you will need to explain everything in specific technical detail and provide actual URL’s so that I can see the exact scenario/issue/problem.  If you do not want to post things publicly in this forum you can send all of that information to info [at] ait-pro [dot] com.

    #19256
    Steven
    Participant

    Ok here we go.
    Site details:
    WordPress Site: http://104.131.65.236
    Discourse Site: forums.grimreapergamers.com
    When you go to the forum site and try to login it will produce the error.  If I use the default .htaccess file it works as it should.
    Here is what is happening in the background.

    1. When you click login the forum looks for a WordPress page called “sso”.
    2. This page has a special template file assigned to it which calls another PHP helper class.
      1. Both the template file and helper class are located in the top level of the active WordPress theme folder.
      2. These files will check whether the user is logged in or not.
        1. If not, redirect to the WordPress login page; once logged in, pass the user info to the Discourse forum.
        2. If already logged in on the WordPress site, just pass the user info over.

    Let me know if there are any other questions and thanks for the quick responses.

    #19260
    AITpro Admin
    Keymaster

    I believe what is being blocked is that you are using a Line Feed %0A in the Query String and BPS explicitly blocks Line Feeds in Query Strings because that is a very bad practice and also is a common hacking method used by hackers. %0A should never be used in Query Strings.  Also %3D is the URL Encoded equal sign (=) and that should not be URL encoded.

    http://104.131.65.236/sso/?sso=bm9uY2U9YzNjYTEyMjEyYTc5MTFjMjQ3OWI1MjY4NTlkZWYyYTA%3D%0A&sig=40e17305406a247bfbed1ecd35aab17cd249f64948c32f3fd5aa80a9f14415ad

    To confirm that is what is being blocked you can comment out the BPS security rule in your root htaccess file shown below:

    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

    You may also need to comment out these additional security rules:

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

    Once you have confirmed this is what is being blocked you can either allow it by copying your modified BPS Query String Exploits code from your root htaccess file to BPS Custom Code and doing ALL of the Custom Code steps (not recommended) or you can change your Query String to not use %0A in the Query String (recommended).
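
The trailing %0A on the sso value in the URL above is what a line-feed-terminated base64 encoder produces. The following is an added example (not code from this thread, BPS, or Discourse) that builds the query string both ways, checks it against the BPS rule quoted above, and validates it on the receiving side; the shared secret is a constructed placeholder and the HMAC-SHA256-over-base64 signature format is an assumption about Discourse SSO.

```python
import base64
import hashlib
import hmac
import re
import urllib.parse
from typing import Optional

# BPS Query String Exploits pattern quoted in the thread, applied to the
# query string; [NC] in the .htaccess rule means case-insensitive.
BPS_QUERY_STRING_RULE = re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", re.IGNORECASE)

# Constructed sample secret (assumption): the real SSO secret is not on the page.
SSO_SECRET = b"example-shared-secret"
# Nonce decoded from the sso value shown in the thread's URL.
NONCE = "c3ca12212a7911c2479b526859def2a0"


def sign(payload_b64: bytes) -> str:
    """Hex HMAC-SHA256 over the base64 text (assumed Discourse-style signature)."""
    return hmac.new(SSO_SECRET, payload_b64, hashlib.sha256).hexdigest()


def build_query(nonce: str, wrapped: bool) -> str:
    """Build sso=...&sig=... for a nonce.

    wrapped=True mimics an encoder that appends a line feed after the base64
    text (the %0A seen in the thread); wrapped=False is strict base64.
    """
    raw = f"nonce={nonce}".encode()
    payload = base64.encodebytes(raw) if wrapped else base64.b64encode(raw)
    return urllib.parse.urlencode({"sso": payload, "sig": sign(payload)})


def blocked_by_bps(query: str) -> bool:
    """True if the BPS rule would match, i.e. the request would be rejected."""
    return BPS_QUERY_STRING_RULE.search(query) is not None


def verify(query: str) -> Optional[str]:
    """Receiving side: return the nonce if the signature checks out, else None."""
    params = urllib.parse.parse_qs(query)
    sso = params.get("sso", [""])[0].encode()
    sig = params.get("sig", [""])[0]
    if not hmac.compare_digest(sign(sso), sig):
        return None
    # b64decode drops a stray trailing newline, so both encodings decode alike.
    fields = urllib.parse.parse_qs(base64.b64decode(sso).decode())
    return fields.get("nonce", [None])[0]
```

The strict encoding still carries %3D for the padding "=", which the rule does not match; only the line feed trips it.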

    #19265
    Steven
    Participant

    Yes, commenting out all of the lines you suggested allowed it to work.  I did not write the code so I will need to go back to the developer to see what can be done with it.

    Thanks for your help.

    #19268
    AITpro Admin
    Keymaster

    What you may want to point out to the Discourse folks (gently, so as not to ruffle feathers and cause a defensive reaction) is that instead of doing whatever the intended purpose of using the Line Feed in the Query String does, it would be safer/better to do whatever that is AFTER the Query String is sent to wherever it is sent.  i.e. take the data passed in the Query String and process it on the receiving end/code.  i.e. got the Query String, now do the Line Feed/break.  Typically %0A is used in SQL Injection hacking methods and some Email Injection hacking methods.

    And the most important thing/benefit to them is that a hacker does not exploit this and hack someone’s website.  Better to fix things like this now as opposed to later when folks’ websites are getting hacked because of this. ;)

    #19272
    Steven
    Participant

    Thanks for the explanation.
