MailChimp tracking code causing 403


This topic contains 6 replies, has 2 voices, and was last updated by AITpro Admin 8 months, 2 weeks ago.

Viewing 7 posts - 1 through 7 (of 7 total)
    #329

    Robert
    Participant

    We are using MailChimp for email marketing and the campaigns have links to our WordPress posts. Links from the email are getting 403 Forbidden. When I switch to default mode in BPS the link works. The links have tracking parameters attached.

    Here is a typical link:

    http://mysite.com/some-post/?utm_source=My+Blog+%27Our+Newsletter%27&utm_campaign=5cbc1db70f-11_16_2012&utm_medium=email&mc_cid=5cbc1db70f&mc_eid=9374262861

    How can I fix this?

    #330

    AITpro Admin
    Keymaster

    The %27 URL encoded character in the URL is the single quote coding character, which is probably the most dangerous coding character there is if used maliciously or if hijacked.

    BPS blocks the single quote in several filters in your Root .htaccess file.

    You will need to edit these security filters in your root .htaccess below to allow %27 queries / requests against your website by removing %27 from these 3 security filters and also the single quote in the Query String filter.

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

    And you might also have to modify this security filter since MailChimp also uses cURL. Only modify this security filter if modifying the 3 security filters above does not work. You would remove the single quote, the url encoded %27 and also curl from this security filter below.

    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR] 

    And possibly this security filter as well by removing cURL

    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR] 

    #337

    AITpro Admin
    Keymaster

    Hmm, I just thought of something obvious. Is your Post literally named with single quotes? If so, then you should remove the single quotes in the Post Title.

    …’Our Newsletter’…
    …Our Newsletter… – without single quotes

    • This reply was modified 1 month, 2 weeks ago by AITpro Admin.
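To see which of the three filters quoted above the MailChimp link actually trips, and what each of the two fixes discussed in the last two replies changes (removing %27 and the single quote from the filters, or dropping the quotes from the newsletter name so the link no longer carries %27), here is an added Python re-implementation of those RewriteCond patterns. This is not code from the thread or from BPS: the link is the one Robert posted, the User-Agent and Referer values are constructed, and the [NC] flag is mapped to re.IGNORECASE.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the MailChimp campaign link from the thread. mod_rewrite
# matches QUERY_STRING in its raw, still URL-encoded form, so %27 is tested
# literally rather than as a decoded single quote.
MAILCHIMP_LINK = ("http://mysite.com/some-post/?utm_source=My+Blog+%27Our+Newsletter%27"
                  "&utm_campaign=5cbc1db70f-11_16_2012&utm_medium=email"
                  "&mc_cid=5cbc1db70f&mc_eid=9374262861")

# The three BPS filters quoted in the reply, keyed by the server variable
# each one inspects. Patterns are copied verbatim; [NC] == re.IGNORECASE.
ORIGINAL_FILTERS = {
    "HTTP_USER_AGENT": r"(%0A|%0D|%27|%3C|%3E|%00)",
    "HTTP_REFERER":    r"(%0A|%0D|%27|%3C|%3E|%00)",
    "QUERY_STRING":    r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)",
}

# The same filters with %27 removed from all three and the literal single
# quote removed from the Query String filter, as the reply instructs.
RELAXED_FILTERS = {
    "HTTP_USER_AGENT": r"(%0A|%0D|%3C|%3E|%00)",
    "HTTP_REFERER":    r"(%0A|%0D|%3C|%3E|%00)",
    "QUERY_STRING":    r"(<|>|%0A|%0D|%3C|%3E|%00)",
}


def matching_filters(filters, request):
    """Return the names of the filters that fire for this request.

    `request` maps server-variable names to their raw values. The three
    conditions are chained with [OR] in the .htaccess file, so a single hit
    is enough for the RewriteRule to answer 403.
    """
    hits = []
    for var, pattern in filters.items():
        if re.search(pattern, request.get(var, ""), re.IGNORECASE):
            hits.append(var)
    return hits


def request_from_link(url, user_agent="Mozilla/5.0", referer=""):
    """Server variables for a browser following an email link (constructed
    User-Agent and Referer; mail clients usually send no Referer)."""
    return {"QUERY_STRING": urlsplit(url).query,
            "HTTP_USER_AGENT": user_agent,
            "HTTP_REFERER": referer}


def strip_quotes_from_title(url):
    """The fix from the follow-up reply: send the campaign without the quoted
    newsletter name, so utm_source no longer contains %27."""
    return url.replace("%27", "")


if __name__ == "__main__":
    req = request_from_link(MAILCHIMP_LINK)
    print("original filters, MailChimp link:", matching_filters(ORIGINAL_FILTERS, req))
    print("relaxed filters, MailChimp link: ", matching_filters(RELAXED_FILTERS, req))
    fixed = request_from_link(strip_quotes_from_title(MAILCHIMP_LINK))
    print("original filters, quotes removed:", matching_filters(ORIGINAL_FILTERS, fixed))
    # The relaxed filters still reject encoded angle brackets in the query string.
    xss_req = request_from_link("http://mysite.com/?q=%3Cscript%3E")
    print("relaxed filters, %3Cscript%3E:   ", matching_filters(RELAXED_FILTERS, xss_req))
```

Only the Query String filter fires on the original link, which is why removing %27 from the User-Agent and Referer filters alone would not have helped. The last check shows what relaxing the filter costs: %27 and the bare single quote are no longer inspected anywhere, but %3C, %3E and the other encoded control characters still are, so the narrower change of fixing the campaign title is the one that leaves the filters untouched.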
    #381

    Robert
    Participant

    Removing the single quotes in the newsletter is the obvious first choice. Totally missed that issue. Thanks so much for your help. I will test to see if this fixes the issue.

    #1640

    AITpro Admin
    Keymaster

    Also MailChimp makes a HEAD Request.

    The new Custom Code features/options in BPS and BPS Pro allow you to now add this to BPS Custom Code.

    1. Copy this entire section of .htaccess code below to this Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED: Whitelist User Agents or remove HEAD here.

    # REQUEST METHODS FILTERED
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD requests from bots that you want to allow in certain cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]

    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes page and click the Create secure.htaccess File AutoMagic button.
    4. Activate Root Folder BulletProof Mode.

    #1644

    AITpro Admin
    Keymaster

    Or if you want to go for something more advanced you could add a Whitelist condition for MailChimp. Check your Security Log for the MailChimp 403 error and add whatever User Agent / Bot that MailChimp uses to the nuisance filter as shown below. Replace “add-the-user-agent-for-mailchimp-here” with whatever the actual User Agent / Bot is for MailChimp.

    # REQUEST METHODS FILTERED
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD requests from bots that you want to allow in certain cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(add-the-user-agent-for-mailchimp-here) [NC]
    RewriteRule ^(.*)$ - [F,L]
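The two REQUEST METHODS FILTERED variants in the last two replies differ only in whether HEAD is listed and whether a User-Agent exemption follows it. The added Python below (not code from the thread or from BPS) evaluates the whitelist variant the way mod_rewrite does: RewriteCond lines without [OR] are ANDed, `!` negates a condition, and [NC] makes the match case-insensitive. The User-Agent value `mailchimp-ua-placeholder` is a constructed stand-in for whatever the Security Log shows, not MailChimp's real User-Agent. A second function is an added suggestion that keeps the exemption scoped to HEAD only.

```python
import re

# Constructed placeholder for the value the reply says to read from the BPS
# Security Log. The leading ^ is kept from the posted RewriteCond, so the
# logged value must be the START of the User-Agent string.
WHITELISTED_UA_PATTERN = r"^(mailchimp-ua-placeholder)"

# Method patterns from the two posted snippets.
METHOD_FILTER_WITH_HEAD = r"^(HEAD|TRACE|DELETE|TRACK|DEBUG)"
ALWAYS_DENIED_METHODS = r"^(TRACE|DELETE|TRACK|DEBUG)"


def _nc_match(pattern, value):
    """RewriteCond match with the [NC] flag."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def blocked_by_whitelist_rule(method, user_agent, whitelist=WHITELISTED_UA_PATTERN):
    """The posted two-condition rule: forbidden only when the method matches
    AND the User-Agent does NOT match the whitelist (both conditions must
    hold because there is no [OR] between them)."""
    return _nc_match(METHOD_FILTER_WITH_HEAD, method) and not _nc_match(whitelist, user_agent)


def blocked_by_split_rules(method, user_agent, whitelist=WHITELISTED_UA_PATTERN):
    """Added variant, not from the thread: an unconditional rule for
    TRACE/DELETE/TRACK/DEBUG (as in the earlier snippet) followed by a
    separate HEAD rule that carries the User-Agent exemption. A whitelisted
    agent is then allowed HEAD but nothing else."""
    if _nc_match(ALWAYS_DENIED_METHODS, method):
        return True
    return _nc_match(r"^(HEAD)", method) and not _nc_match(whitelist, user_agent)


if __name__ == "__main__":
    cases = [
        ("HEAD", "Mozilla/5.0"),
        ("head", "curl/7.0"),
        ("HEAD", "mailchimp-ua-placeholder/1.0"),
        ("GET", "mailchimp-ua-placeholder/1.0"),
        ("TRACE", "mailchimp-ua-placeholder/1.0"),
    ]
    for method, ua in cases:
        print(f"{method:5} {ua:32} posted rule blocks: {blocked_by_whitelist_rule(method, ua)!s:5} "
              f"split rules block: {blocked_by_split_rules(method, ua)}")
```

Running it shows the one interaction worth knowing before pasting the whitelist version: because the User-Agent condition negates the whole method list, a request that starts with the whitelisted string is exempted from TRACE, DELETE, TRACK and DEBUG as well as HEAD, even though the comment block says those four should never be allowed. Splitting the rule keeps the exemption on HEAD only. Either way, the User-Agent header is chosen by the client, which is why the thread itself files the HEAD rule under nuisance filtering rather than security.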

    #13778

    AITpro Admin
    Keymaster

    BPS Query String Exploits code modification for MailChimp or general parentheses / round brackets ( and ) in URLs. Allows round brackets / parentheses in URLs so that they are not blocked by BPS.

    1. Copy the modified code below (round bracket code characters / parentheses have been removed) to this BPS Root Custom Code text box:

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    2. Click the Save Root Custom Code button.

    3. Go to the BPS Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode.

    • This reply was modified 4 months, 1 week ago by AITpro Admin.