MailChimp tracking code causing 403

Home Forums BulletProof Security Free MailChimp tracking code causing 403

This topic contains 6 replies, has 2 voices, and was last updated by  AITpro Admin 9 months, 1 week ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #329 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Robert
    Participant

    We are using MailChimp for email marketing and the campaigns have links to our WordPress posts. Links from the email are getting 403 Forbidden. When I switch to default mode in BPS the link works. The links have tracking parameters attached.

    Here is a typical link:

    http://mysite.com/some-post/?utm_source=My+Blog+%27Our+Newsletter%27&utm_campaign=5cbc1db70f-11_16_2012&utm_medium=email&mc_cid=5cbc1db70f&mc_eid=9374262861

    How can I fix this?

    • This topic was modified 3 months, 4 weeks ago by  AITpro Admin.
    • This topic was modified 3 months, 4 weeks ago by  AITpro Admin.
    • This topic was modified 2 months, 2 weeks ago by  AITpro Admin.
    #330 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    The %27 URL encoded character in the URL is the single quote coding character, which is probably the most dangerous coding character there is if used maliciously or if hijacked.

    BPS blocks the single quote in several filters in your Root .htaccess file.

    You will need to edit these security filters in your root .htaccess below to allow %27′ queries / requests against your website by removing %27 from these 3 security filters and also the single quote in the Query String filter.

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

    And you might also have to modify this security filter since MailChimp also uses cURL. Only modify this security filter if modifying the 3 security filters above does not work. You would remove the single quote, the url encoded %27 and also curl from this security filter below.

    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR] 

    And possibly this security filter as well by removing cURL

    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR] 
    #337 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Hmm i just thought of something obvious.  Is your Post literally named with single quotes?  If so, then you should remove the single quotes in the Post Title.

    …’Our Newsletter’…
    …Our Newsletter… – without single quotes

    • This reply was modified 2 months, 2 weeks ago by  AITpro Admin.
    #381 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Robert
    Participant

    Removing the single quotes in the newsletter is the obvious first choice. Totally missed that issue. Thanks so much for your help. I will test to see if this fixes the issue.

    #1640 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Also MailChimp makes a HEAD Request.

    1. Copy this .htaccess code below to this BPS Root Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED: Whitelist User Agents or remove HEAD here
    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and 
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    • This reply was modified 3 months, 4 weeks ago by  AITpro Admin.
    • This reply was modified 3 weeks, 1 day ago by  AITpro Admin.
    #1644 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Or if you want to go for something more advanced you could add a Whitelist condition for MailChimp.  Check your Security Log for the MailChimp 403 error and add whatever User Agent / Bot that MailChimp uses to the nuisance filter as shown below.  Replace “add-the-user-agent-for-mailchimp-here” with whatever the actual User Agent / Bot is for MailChimp.

    1. Copy this .htaccess code below to this BPS Root Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED: Whitelist User Agents or remove HEAD here
    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and 
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(add-the-user-agent-for-mailchimp-here) [NC]
    RewriteRule ^(.*)$ - [F]
    • This reply was modified 3 weeks, 1 day ago by  AITpro Admin.
    #13778 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    MailChimp or general parenthesis round brackets ( and ) in URL’s BPS Query String Exploits code modification.  Allows round brackets/parenthesis in URL’s so that they are not blocked by BPS.

    1.  Copy the modified code below (round bracket code characters/parenthesis have been removed) to this BPS Root Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # END BPSQSE BPS QUERY STRING EXPLOITS
Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.