Google Analytics utm_source – 403 error


    #15078
    DoubleSpeed
    Participant

    I have an issue where Google Analytics referral URL strings are being blocked ?utm_source=blah…. these give the:
    403 Forbidden Error Page
    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
    How do I fix/allow these strings?

    #15081
    AITpro Admin
    Keymaster

    I assume this is a feedburner issue/problem where something in the URL is being blocked – parenthesis, apostrophe or some other dangerous code character in the URL.  Post the log entry from your BPS Security Log for one of these 403 errors.  Please verify that you are using feedburner or if not then post the name of the plugin.

    http://forum.ait-pro.com/forums/topic/feedburner-error/

    http://forum.ait-pro.com/forums/topic/allowing-parentheses-in-query-strings/#post-10589

    #16518
    DoubleSpeed
    Participant

    Hi,

    It’s not feedburner. Here is an example of the kind of link that is generating the 403 page. I’ve tried the modification to the .htaccess for feedburning of changing to this…

    RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
    
    http://www.eu-cookie-law.com/?utm_source=cookietab&utm_medium=infobox&utm_campaign=http://www.e-termsandconditions.com&browserName=&majorVersion=

    However this has not helped
    Please advise?

    #16528
    AITpro Admin
    Keymaster

    The URL/Query String is simulating an RFI hacking attempt against your website.

    [code removed – see working solution below]

    #16551
    DoubleSpeed
    Participant

    I’ve added it; however, unfortunately it doesn’t work. Can I disable just the RFI hacking function altogether? There will be more than just the e-terms site that links to the eu cookie site using this same method.

    #16553
    AITpro Admin
    Keymaster

    I was able to duplicate and solve the problem on a test site.  The Google Analytics UTM string/link is being blocked by a combination of 3 security filters.

    The 3 security filters that are causing the block/403 error.

    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]

    1. Copy the modified (3 security filters have been commented out with pound signs) BPS Query String Exploits code below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    #16563
    DoubleSpeed
    Participant

    Yes thank you it works!

    #21728
    RaceMan
    Participant

    Hello Admin

    I’m having a similar 403 error problem that I cannot seem to resolve with the provided code above.

    My email manager / auto-responder (ActiveCampaign) provides the ability to both track the click of links in my email and also pass UTM Data in the URL so Google Analytics can see the  incoming traffic as Campaign and track the traffic in Google Analytics.

    FYI: I am using Google Analytics by Yoast to handle my connection to Google Analytics

    Whenever I have Google Analytics tracking and Bulletproof enabled together I am presented with a 403 Forbidden error when visiting the following link: (Do not attempt to follow this link, the site is restricted to my home IP for development purposes.)

    http://howtogetcreative.com/top-10-sewing-room-secrets/?utm_source=ActiveCampaign&utm_medium=email&utm_content=Welcome+to+HowToGetCreative+-+Here%27s+your+Video%21&utm_campaign=AutoResponderWelcomeEmailReminderToWatch

    This is the exact error I’m getting even though I am logged in to WordPress as admin.
    Forbidden
    You don’t have permission to access /top-10-sewing-room-secrets/ on this server.

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
    This is an absolutely legitimate URL (without the UTM tracking code attached)

    [403 GET / HEAD Request: March 30, 2015 - 1:02 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 38.104.242.98
    Host Name: 38.104.242.98
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 38.104.242.98
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /top-10-sewing-room-secrets/?utm_source=ActiveCampaign&utm_medium=email&utm_content=Welcome+to+HowToGetCreative+-+Here%27s+your+Video%21&utm_campaign=AutoResponderWelcomeEmailReminderToWatch
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36

    What do you recommend I do to resolve this error?
    RaceMan

    #21739
    AITpro Admin
    Keymaster

    The 403 error is being caused by the url encoded apostrophe/single quote code character – %27.  The Custom Code solution is here: http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    So you do not need to use the Custom Code solution in this forum topic since the error is similar, but is not the exact same issue/problem.
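
Added example, not part of the original posts and not BPS code: a small checker that parses `RewriteCond %{QUERY_STRING}` lines and reports which ones match a link's raw query string, run here on the two links posted in this thread (the `utm_campaign=http://` link and the `%27` link). The five conditions are copied from the BPSQSE block above; the function and variable names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# A few QUERY_STRING filters copied from the BPSQSE block on this page.
HTACCESS = r"""
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
"""

COND = re.compile(
    r"^RewriteCond\s+%\{QUERY_STRING\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")

def load_filters(text):
    """Parse active (uncommented) QUERY_STRING conditions into (source, regex)."""
    filters = []
    for line in text.splitlines():
        m = COND.match(line.strip())
        if not m:
            continue  # blank lines, '#' comments and other directives
        pattern, flags = m.group(1), (m.group(2) or "").upper().split(",")
        # [NC] means case-insensitive matching; without it the match is exact-case.
        filters.append((pattern, re.compile(pattern, re.I if "NC" in flags else 0)))
    return filters

def blocking_filters(url, filters):
    """Return the patterns that match the raw query string of url.

    mod_rewrite tests %{QUERY_STRING} without percent-decoding it, so the
    query is taken from the URL as-is (%27 stays %27).
    """
    query = urlsplit(url).query
    return [src for src, rx in filters if rx.search(query)]

# The two links posted in this thread.
UTM_WITH_URL = ("http://www.eu-cookie-law.com/?utm_source=cookietab"
                "&utm_medium=infobox&utm_campaign=http://www.e-termsandconditions.com"
                "&browserName=&majorVersion=")
UTM_WITH_QUOTE = ("http://howtogetcreative.com/top-10-sewing-room-secrets/"
                  "?utm_source=ActiveCampaign&utm_medium=email"
                  "&utm_content=Welcome+to+HowToGetCreative+-+Here%27s+your+Video%21"
                  "&utm_campaign=AutoResponderWelcomeEmailReminderToWatch")

if __name__ == "__main__":
    active = load_filters(HTACCESS)
    for link in (UTM_WITH_URL, UTM_WITH_QUOTE):
        print(urlsplit(link).query)
        for src in blocking_filters(link, active):
            print("  matched:", src)
```

Running it before editing Custom Code shows the smallest set of conditions that has to be relaxed for a given link, so the remaining filters can stay active.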

    #21743
    RaceMan
    Participant

    Success! The updated code at the link you provided has allowed BPS to accommodate the %27 character in the ActiveCampaign Google Analytic tracking links.

    Thanks for the help!

    #21744
    AITpro Admin
    Keymaster

    Great!  Thanks for confirming that did the trick.

    #21906
    RaceMan
    Participant

    Hello Admin

    Have you had a moment to test the Woocommerce redirection issue?

    I really need to secure a solution so that I can fully process payments on my with without BPS blocking the paypal return path.

    Your assistance is greatly appreciated.

    Richard

    #21944
    AITpro Admin
    Keymaster

    The WooCommerce Checkout issue/problem was previously split into this new Topic here:  http://forum.ait-pro.com/forums/topic/woocommerce-checkout-403-error/#post-21805

    Please do the things/steps in that Forum Topic and let me know if they work.  Please also respond in the new forum Topic.  Thanks.
