Open Web Analytics – 403 error

[Bea]

Hi am getting logs for a plugin that records site activity
Event Code: WPADMIN-SBR
Really appreciate your advice:

HTTP_REFERER: http://Siting.com/wp-admin/index.php?page=owa&owa_siteId=cacc5b68e1fabdc7f92ac7d34efd9053&owa_period=last_seven_days&owa_startDate=20160717&owa_endDate=20160724&owa_do=base.reportDomstreams
REQUEST_URI: /wp-admin/index.php?page=owa&owa_do=base.overlayLauncher&owa_document_id=3873866798&owa_overlay_params=siteId%3D%3Ecacc5b68e1fabdc7f92ac7d34efd9053%7C%7C%7Cperiod%3D%3Elast_seven_days%7C%7C%7CstartDate%3D%3E20160717%7C%7C%7CendDate%3D%3E20160724%7C%7C%7Caction%3D%3EloadPlayer%7C%7C%7Capi_url%3D%3Ehttp%3A%2F%2Fconstructtesting.co.nz%2Findex.php%3Fowa_apiAction%7C%7C%7Cdomstream_guid%3D%3E1469423172155985145

[AITpro Admin]

UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

There is an url encoded angle bracket code character: %3E is > in the Query String that is being blocked by the BPS wp-admin htaccess file security filters.  The angle bracket code character looks like a coding mistake to me, but if you think it is supposed to be there in the Query String then to allow/whitelist the > angle bracket code character in Query Strings do the steps below.

1. Copy the modified wp-admin htaccess file Query String Exploits code below to this BPS wp-admin Custom Code text box: CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
2. Click the Save wp-admin Custom Code button.
3. Go to the Security Modes page and click the wp-admin Folder BulletProof Mode Activate button.

# BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
# WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
# Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
#RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
#RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
#RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

[Bea]

Thank you so much again. Will do and let the plugin dev know (possible typo )
Appreciate your help again

[Bea]

Can I please follow up since placing this code the admins of the site are being redirected to a 403
Am unsure if it relates because if I test and turn off root RBM they can access
using site access – http://site/wp-admin results in this link http://site/wp-login.php?redirect_to=http%3A%2F%2Fsite%2Fwp-admin%2F&reauth=1

with BPS 403 message|
403 Forbidden
site 403 Forbidden Error Page

If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you. and IP Have attempted a work around by adding allow their IP to custom code Brute force but they remain 403

[AITpro Admin]

This sounds like a new/different problem.  Maybe the BPS Query String Exploits code was not copied correctly or this is just a completely different problem.  Go to the B-Core > htaccess File Editor tab page > click the secure.htaccess tab > copy the entire file contents and post it in your reply.  Go to the BPS Security Log page and post any Security Log entries that relate to your Login page and this problem.

 

[Author]

Posts