Mibew Messenger – Live Chat 403 error

  • #14424
    AITpro Admin
    Keymaster

    Email Question:

    Hello!

    I’m not sure what my Server API is. However, my live chat option is being blocked by BPS.

    When you visit here: [domain name removed for privacy] and click on the “Live Chat” link at the top it opens the BPS “403 Forbidden Error Page”. The same thing happens when you visit here: secure.[domain name removed for privacy] and click “Live Chat” and when you visit here: secure.[domain name removed for privacy]/client-portal/clientarea.php and click “Live Chat”.

    How can I modify BPS so that it doesn’t block my site’s chat feature?

    Thank you!

    #14425
    AITpro Admin
    Keymaster

    The Mibew Messenger pop-up window link is being blocked because it simulates an RFI hacking attempt against your website. The BPS Security Log will have a log entry that logs exactly what is being blocked so that you can create a whitelist rule based on what is being blocked. The BPS Security Log is the primary troubleshooting tool in BPS. http://forum.ait-pro.com/forums/topic/plugin-conflicts-actively-blocked-plugins-plugin-compatibility/

    secure.[domain name removed for privacy].com/click-to-chat/client.php?locale=en&style=silver&url=http%3A//[domain name removed for privacy].com/&referrer=

    [post information was deleted as it was not relevant to the actual cause of the problem]

    #14436
    HCE
    Participant

    Hello!

    Thank you for that quick reply!  I really appreciate it.

    I did just as you have instructed above, however, the chat is still not working.  It is still generating a 403 error.  I replaced: *example.com* with *secure.mydomain.com* in the custom code.

    I have to offer a slight correction to my initial post.  I indicated that the chat feature was generating a 403 error when clicked from all domains (mydomain.com, secure.mydomain.com, and secure.mydomain.com/custom).  The 403 was only generating on mydomain.com and secure.mydomain.com.  It was always working on secure.mydomain.com/custom.  It is still working on the custom domain, but is not working on the secure or the root domain.  Please note that the root domain and the secure domain are both separate WordPress installations that both have BPS on them.  The custom domain is not a WordPress site; it is a commercial billing software.

    What other options do I have to prevent the 403 error from generating on the chat when clicked from the root and secure domains?

    Thanks!

    #14462
    AITpro Admin
    Keymaster

    Based on the Security Log entries you need to create a whitelist rule on the secure.eldllc.com site.  The 3rd party app RewriteRule above should work.

    [403 GET / HEAD Request: April 2, 2014 - 2:21 PM]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: [removed]
    Host Name: [removed]
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://[removed]/
    REQUEST_URI: /click-to-chat/client.php?locale=en&url=https%3A//[removed]/&referrer=
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
    
    [403 GET / HEAD Request: April 2, 2014 - 2:21 PM]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: [removed]
    Host Name: [removed]
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://[removed]/
    REQUEST_URI: /click-to-chat/client.php?locale=en&style=silver&url=http%3A//[removed]/&referrer=
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0

    #14479
    HCE
    Participant

    I was able to resolve the issue, but I’m not sure this is an appropriate resolution.

    I reviewed the link you posted (http://forum.ait-pro.com/forums/topic/custom-applications-outside-of-wordpress-3rd-party-apps/) about 3rd party apps outside of WordPress, and I applied the “Alternative Method” at the bottom. I added “RewriteEngine Off” to the .htaccess file that was already in my chat app’s root folder. So now that .htaccess file looks like this:

    RewriteEngine Off
    
    # Set default handler for incoming requests
    DirectoryIndex index.php
    
    # Disable directory listing
    Options -Indexes
    
    # Follow symbolic links in the directory
    Options +FollowSymLinks
    
    # Disable mod_security for Apache 1.x
    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>
    
    # Explicitly set right settings for mod_php 5 for Apache 1.x and 2.x
    <IfModule mod_php5.c>
    php_flag magic_quotes_gpc off
    php_flag magic_quotes_sybase off
    php_flag register_globals off
    php_flag mbstring.encoding_translation off
    php_value mbstring.http_input pass
    php_value mbstring.http_output pass
    php_flag session.auto_start off
    </IfModule>

    I also still have the 3rd party app RewriteRule in my secure site’s .htaccess file.  A few questions:

    1. Do I need to keep the Custom Application RewriteRule code in my secure site’s BPS and my secure site’s .htaccess?
    2. What does “RewriteEngine Off” actually do?
    3. Will putting “RewriteEngine Off” in my chat app’s .htaccess file affect anything else already in that file or any of the functionality of the chat app itself?
    4. Is there any loss of security in using RewriteEngine Off?

    Thank you for your time and attention!

    #14523
    AITpro Admin
    Keymaster

    Mibew Messenger Testing results
    Mibew Messenger has been installed and tested and there are no conflicts or issues between BPS and Mibew Messenger.


    #14555
    HCE
    Participant

    It has been confirmed that my button code was and is valid and has been added correctly.

    I have followed your instructions above for rewriting all URLs to SSL. That did not correct the issue.

    After my further investigation, it was discovered that this line in my .htaccess is what was causing the BPS 403 error:

    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]

    I have commented out that line by placing a # in front of it, and now the live chat link works perfectly, as expected.

    What does that line in the .htaccess do, and why was it causing the 403 with my chat link?

    #14556
    AITpro Admin
    Keymaster

    That line of code is not standard BPS .htaccess code in current versions of BPS.  It did exist in a version of BPS that is 2.5 years old. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
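    The thread never spells out why the old RewriteCond line matched the chat URL. The script below is an added example (not BPS code and not anything posted by the participants): it parses two Security Log entries in the format shown above, extracts the query string from each REQUEST_URI, and then runs the quoted RewriteCond pattern against it to report which alternative fired. The log sample, hostnames and addresses are constructed placeholders, not the original poster's values. Run against the constructed entries, the alternative that matches is `=$`: the chat link ends with an empty `referrer=` parameter, so the query string ends in `=`, which that old rule treats as a sign of a malformed or hostile request.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the old RewriteCond line quoted in the thread
# (the part between %{QUERY_STRING} and the [NC,OR] flags). [NC] means
# case-insensitive, so re.IGNORECASE is used to mirror it.
OLD_BPS_PATTERN = r'^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).*'
OLD_BPS_RE = re.compile(OLD_BPS_PATTERN, re.IGNORECASE)

# The same alternatives, split out so the report can name the one that fired.
ALTERNATIVES = [r'\[', r'\]', r'\(', r'\)', '<', '>', 'ê', '"', ';', r'\?', r'\*', '=$']

# Constructed sample in the BPS Security Log layout shown in the thread
# (placeholder addresses and hostnames; abbreviated header set).
SAMPLE_LOG = """\
[403 GET / HEAD Request: April 2, 2014 - 2:21 PM]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 203.0.113.10
Host Name: client.example.net
REQUEST_METHOD: GET
HTTP_REFERER: https://secure.example.com/
REQUEST_URI: /click-to-chat/client.php?locale=en&url=https%3A//secure.example.com/&referrer=
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0

[403 GET / HEAD Request: April 2, 2014 - 2:21 PM]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 203.0.113.10
Host Name: client.example.net
REQUEST_METHOD: GET
HTTP_REFERER: http://www.example.com/
REQUEST_URI: /click-to-chat/client.php?locale=en&style=silver&url=http%3A//www.example.com/&referrer=
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
"""


def parse_bps_log(text):
    """Split BPS Security Log text into one dict per entry.

    An entry starts at a bracketed header line; every following
    'Key: value' line is stored under its key (empty values allowed).
    """
    entries = []
    current = None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            current = {'header': line[1:-1]}
            entries.append(current)
        elif current is not None and ':' in line:
            key, _, value = line.partition(':')
            current[key.strip()] = value.strip()
    return entries


def query_string_of(request_uri):
    """Return the query part of a logged REQUEST_URI (the part after '?')."""
    return urlsplit(request_uri).query


def matching_alternative(query_string):
    """Name the first alternative of the old rule that matches, or None.

    mod_rewrite tests the pattern against the whole query string; if the
    combined pattern matches, at least one alternative must, so we search
    them in order to report the culprit.
    """
    if not OLD_BPS_RE.match(query_string):
        return None
    for alt in ALTERNATIVES:
        if re.search(alt, query_string, re.IGNORECASE):
            return alt
    return None


def blocked_by_old_rule(log_text):
    """Map each logged REQUEST_URI to the alternative that would block it."""
    report = {}
    for entry in parse_bps_log(log_text):
        uri = entry.get('REQUEST_URI', '')
        report[uri] = matching_alternative(query_string_of(uri))
    return report


if __name__ == '__main__':
    for uri, alt in blocked_by_old_rule(SAMPLE_LOG).items():
        print(f'{uri}\n    matched alternative: {alt}')
```

For the two constructed entries the report names `=$` for both, which is the trailing `referrer=` and not the encoded `url=http%3A//...` parameter; a query string such as `locale=en&referrer=none` is not matched by that old rule at all. That is the kind of check worth running before commenting out a security rule wholesale: knowing which alternative fired lets you write a whitelist rule scoped to the one application path (the "3rd party app RewriteRule" the admin refers to) instead of disabling the whole condition.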
