Request exceeded the limit of 10 internal redirects


  • #1418
    Daniel H
    Participant

    Hi,
    since the last update of BulletProof (.47.8) I get the following error every 5 minutes:

    [Sat Jan 26 13:15:00 2013] [error] [client 127.0.0.1] Request exceeded the limit of 10 internal redirects due to probable configuration error. 
    Use 'LimitInternalRecursion' to increase the limit if necessary. 
    Use 'LogLevel debug' to get a backtrace.

    I have no custom code, and the error is gone when I switch to default wordpress htaccess. The error happens only since the newest version…
    My wordpress version is 3.5 german…
    Does anybody have a solution or a workaround for this problem?
    Thanks for an answer!
    – daniel

    #1420
    AITpro Admin
    Keymaster

    Typically this means that there is a coding mistake in your Root .htaccess file.  Are you testing BPS on a local installation of WordPress on your computer like XAMPP or WAMP?  Your IP address in the error you posted is 127.0.0.1, which indicates a local installation of WordPress on your computer.

    Activate BulletProof Modes again.  If the error is still occurring then check your root .htaccess file to ensure that you do not see 127.0.0.1 anywhere in that file.  If you do see 127.0.0.1 and you are not using XAMPP or some other local server app on your computer then post the code here.

     

    #1423
    Daniel H
    Participant

    Hi, no, my installation is public on a Linux root server. The confusing thing is that the error happens exactly every 5 mins, so my guess is maybe it's cron.php from WordPress. This would explain the 127.0.0.1… I generated a new secure htaccess several times but the error is still there; with the standard WordPress htaccess file everything is alright. The secure htaccess from the BulletProof version before works perfectly…. I searched my htaccess for 127.0.0.1 and localhost and this is the only line that contains such a string:

    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]

    Thanks for your help! – daniel
    edit: here’s the complete htaccess of root dir:

    # BULLETPROOF .47.8 >>>>>>> SECURE .HTACCESS
    
    # If you edit the BULLETPROOF .47.8 >>>>>>> SECURE .HTACCESS text above
    # you will see error messages on the BPS Security Status page
    # BPS is reading the version number in the htaccess file to validate checks
    # If you would like to change what is displayed above you
    # will need to edit the BPS /includes/functions.php file to match your changes
    # If you update your WordPress Permalinks the code between BEGIN WordPress and
    # END WordPress is replaced by WP htaccess code.
    # This removes all of the BPS security code and replaces it with just the default WP htaccess code
    # To restore this file use BPS Restore or activate BulletProof Mode for your Root folder again.
    
    # BEGIN WordPress
    # IMPORTANT!!! DO NOT DELETE!!! - B E G I N WordPress above or E N D WordPress - text in this file
    # They are reference points for WP, BPS and other plugins to write to this htaccess file.
    # IMPORTANT!!! DO NOT DELETE!!! - BPSQSE BPS QUERY STRING EXPLOITS - text
    # BPS needs to find the - BPSQSE - text string in this file to validate that your security filters exist
    
    # TURN OFF YOUR SERVER SIGNATURE
    ServerSignature Off
    
    # ADD A PHP HANDLER
    # If you are using a PHP Handler add your web hosts PHP Handler below
    
    # DO NOT SHOW DIRECTORY LISTING
    # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
    # by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file
    # index.html will be ignored will not load.
    DirectoryIndex index.php index.html /index.php
    
    # BPS ERROR LOGGING AND TRACKING
    # BPS has premade 403 Forbidden, 400 Bad Request and 404 Not Found files that are used
    # to track and log 403, 400 and 404 errors that occur on your website. When a hacker attempts to
    # hack your website the hackers IP address, Host name, Request Method, Referering link, the file name or
    # requested resource, the user agent of the hacker and the query string used in the hack attempt are logged.
    # All BPS log files are htaccess protected so that only you can view them.
    # The 400.php, 403.php and 404.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400 and 403 Error logging files are already set up and will automatically start logging errors
    # after you install BPS and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.
    # You can open the BPS 404.php file using the WP Plugins Editor.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php template file.
    
    ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    
    # DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
    RedirectMatch 403 /\..*$
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # REQUEST METHODS FILTERED
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]
    
    # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
    # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
    # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
    
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    
    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*danielh.de.*
    RewriteRule . - [S=1]
    
    # BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)||%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    
    # DENY BROWSER ACCESS TO THESE FILES
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # Replace Allow from 88.77.66.55 with your current IP address and remove the
    # pound sign # from in front of the Allow from line of code below to access these
    # files directly from your browser.
    
    Order allow,deny
    Deny from all
    #Allow from 88.77.66.55
    
    # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
    # END WordPress
    
    # BLOCK HOTLINKING TO IMAGES
    # To Test that your Hotlinking protection is working visit http://altlab.com/htaccess_tutorial.html
    #RewriteEngine On
    #RewriteCond %{HTTP_REFERER} !^https?://(www\.)?add-your-domain-here\.com [NC]
    #RewriteCond %{HTTP_REFERER} !^$
    #RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
    
    # FORBID COMMENT SPAMMERS ACCESS TO YOUR wp-comments-post.php FILE
    # This is a better approach to blocking Comment Spammers so that you do not
    # accidentally block good traffic to your website. You can add additional
    # Comment Spammer IP addresses on a case by case basis below.
    # Searchable Database of known Comment Spammers http://www.stopforumspam.com/
    
    Order Allow,Deny
    Deny from 46.119.35.
    Deny from 46.119.45.
    Deny from 91.236.74.
    Deny from 93.182.147.
    Deny from 93.182.187.
    Deny from 94.27.72.
    Deny from 94.27.75.
    Deny from 94.27.76.
    Deny from 193.105.210.
    Deny from 195.43.128.
    Deny from 198.144.105.
    Deny from 199.15.234.
    Allow from all
    
    # BLOCK MORE BAD BOTS RIPPERS AND OFFLINE BROWSERS
    # If you would like to block more bad bots you can get a blacklist from
    # http://perishablepress.com/press/2007/06/28/ultimate-htaccess-blacklist/
    # You should monitor your site very closely for at least a week if you add a bad bots list
    # to see if any website traffic problems or other problems occur.
    # Copy and paste your bad bots user agent code list directly below.

    #1425
    AITpro Admin
    Keymaster

    Ok, your Root .htaccess file looks fine and the problem I suspected is not what is occurring, so the problem is going to be in one of the plugins you have installed that does a check every 5 minutes for something.  And that plugin will probably be doing something with SESSION.  You can use this code below to solve the problem, but it acts more like an override than actually fixing the true source of the problem.  Basically what this code does is stop looping from happening, but like I said it does not fix the true source of the problem.

    Fix for Infinite Loops in either your .htaccess files or coding – this is a general fix for Infinite Loops and does not pertain specifically to BPS

    The error message related to Infinite Loops is this – Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace or you may see Request exceeded the limit, probable configuration error, Use ‘LogLevel debug’ to get a backtrace or Use ‘LimitInternalRecursion’ to increase the limit if necessary.  The symptoms are that some php coding is looping infinitely, which causes extreme lag times or your website comes to a complete halt when trying to process a php script.  You can add this to either the Top or Bottom Root Custom Code text area boxes on the Custom Code page. Please read the Blue Read Me help button on the BPS Custom Code page to find out how Custom Code works.

    # .htaccess Fix for Infinite Loops
    RewriteEngine On
    RewriteCond %{ENV:REDIRECT_STATUS} 200
    RewriteRule .* - [L]

    #1429
    Daniel H
    Participant

    Unfortunately this fix doesn't help, same errors as before…
    I checked my logs again, and the error appears directly after upgrading to the newest version of BulletProof. Maybe you are right and a plugin is guilty, but I updated only BulletProof the last days, the version before was not vulnerable, so how can I insert the code from the version before or downgrade to this version? Would you suggest to take the htaccess file from my week old backup and insert this line at the beginning?
    # BULLETPROOF .47.8 >>>>>>> SECURE .HTACCESS

    #1430
    AITpro Admin
    Keymaster

    UPDATE:  newer versions of BPS now have a Turn Off Error Logging option
    [obsolete-removed]
    If the problem is not solved then do these 2 things next:

    Go to the BPS Security Log tab page and click the Turn Off Error Logging button.

    1. Copy this code below to this BPS Root Custom Code text box: CUSTOM CODE DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    # RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$

    If doing the 2 things above worked that means that your server or something else installed on your server is already handling error logging and/or does not allow RedirectMatch to be used to handle errors.

    If the problem is still occurring then you actually have bad redirect code somewhere that you will need find, you have some sort of Permalink problem or something else is interfering with URL rewriting – ie another plugin, DNS settings in your Host control panel, using various cPanel Tools that are broken/do not work correctly.

    OLDER INFO

    Try commenting out the ErrorDocument htaccess code in your Root .htaccess file.  What is probably happening is you have another plugin installed or maybe your Theme itself that is conflicting with the new BPS ErrorDocument .htaccess code.  Comment out this code by adding a pound sign in front of it.  This of course removes your capability to log / track errors on your website, but it will give you clues to figuring out what might be happening so that you can start eliminating plugins and your Theme from causing this problem by doing the standard WordPress troubleshooting steps – deactivate all plugins and activate them one by one until you find the problem plugin and switch your Theme, etc.

    #ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    #ErrorDocument 401 default
    #ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    #ErrorDocument 404 /404.php

    #1432
    AITpro Admin
    Keymaster

    Also list/post your plugins that you have installed and the name of your Theme and I can probably tell you which plugin is most likely causing the problem.

    #1436
    Daniel H
    Participant

    Commenting out the error docs was the solution! Maybe it conflicts with my yootheme theme…
    That's great and thanks for your help!

    – daniel

    #1437
    AITpro Admin
    Keymaster

    Yep, if you open and look at the top of the /bulletproof-security/403.php file you will see this code.  What I suspect is happening is that either another plugin or your Theme is doing something with SESSION.  What you can do next is this.  Comment out all of this code at the top of the 403.php file and then uncomment the ErrorDocument .htaccess code in your Root .htaccess file and see if the problem still occurs.  This way you still have error logging capability if you want it.  The Security Log is also a general HTTP error log so it is a nice feature that makes it simple to check for any HTTP errors that are occurring on your website and makes troubleshooting very very simple.  😉

    <?php ob_start(); ?>
    <?php session_cache_limiter('nocache'); ?>
    <?php session_start(); ?>
    <?php error_reporting(0); ?>
    <?php session_destroy(); ?>

    #1438
    AITpro Admin
    Keymaster

    Oh, and the reason the infinite loop .htaccess code did not work is because the Redirect Status is not 200 OK and is going to be a 403 Forbidden HTTP Status response.  😉

    And doing something like this would NOT work because the ErrorDocument directive already has a Redirect Status 403 and what is probably happening is something like this – you have another plugin that is trying to handle 403 redirects or maybe your Host is trying to handle these and this creates an infinite loop for handling 403 Errors.  So in a case like this you would have to choose which 403 Error handling you wanted to use – one or the other.

    # .htaccess Fix for 403 Error Infinite Loops
    RewriteEngine On
    RewriteCond %{ENV:REDIRECT_STATUS} 403
    RewriteRule .* - [L]

    Example: If errors are being handled by something else then you end with BPS trying to handle this and something else at the same time so this creates an infinite redirect problem.  You can turn Off BPS Security logging on the Security Log page if error logging is being handled/checked/logged elsewhere. Check with your Host and see if they are already handling error logging at the Server with something like mod_security, etc.

    #11903
    Vilmondes
    Participant

    Hi,

    I’m trying to monitor Apache using http://exchange.nagios.org/directory/Plugins/Web-Servers/Apache/check_apachestatus/details.

    When I run it, I get the below error in the apache error.log:

    AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

    I’ve tried the following, but it didn’t work:

    http://wordpress.org/support/topic/request-exceeded-the-limit-of-10-internal-redirects?replies=23

    I found another suggestion, but I’d like to ask you for a suggestion before I try it:

    http://wordpress.org/support/topic/request-exceeded-the-limit-of-10-internal-redirects?replies=23

    My .htaccess was generated by clicking on the “magic link” first. I deleted the .htaccess and I didn’t get that error and the script worked perfectly, so I’m wondering what can be causing that.

    Thank you.

    #11907
    AITpro Admin
    Keymaster

    @ Vilmondes – your post has been merged into this relevant topic

    Click the link below to go to a post above within this Topic.

    http://forum.ait-pro.com/forums/topic/request-exceeded-the-limit-of-10-internal-redirects/#post-1430

    The .htaccess ErrorDocument directive in the BPS root .htaccess file is a redirect so if you are choosing to use something else to handle error logging then you would turn Off BPS Pro error logging otherwise this will create an infinite redirect loop since you cannot have 2 things doing the exact same thing.  This is the same principle as using only 1 Login Security plugin or Login Security plugin feature.  You would choose to use one or the other and cannot use both at the same time.

    #11915
    Vilmondes
    Participant

    Thanks for the quick response. When I turn off the logs, I no longer get that error, however, the script that I run still won’t work. There’s something in the .htaccess file preventing it from working. The script returns a 403 error regardless of whether the error logging is on or off, but my website is working perfectly. I tried commenting out the ErrorDocument lines, but no luck =/

    Thanks!

    #11916
    AITpro Admin
    Keymaster

    The ironic thing is that by turning Off BPS Pro Security Logging / Error Logging you can no longer check for the error that is occurring.  😉  You will need to check whatever else you are using for error logging instead.

    You will need to go through the root .htaccess file and manually comment out lines of code until you find which root .htaccess code is blocking this.  Or you can comment out all Query String Exploits security filters with # signs and then work backwards by uncommenting them.  I assume it is a Query String Exploits security filter that is blocking this so comment out each Query String security filter and test. DO NOT comment out this security filter: RewriteCond %{QUERY_STRING} (sp_executesql) [NC]

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    #RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    #RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    #RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    ...
    ...
    ...
    #RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    #11918
    Vilmondes
    Participant

    I have resolved the problem by adding to my script “Mozilla Firefox” as the User-Agent instead of commenting out the lines to find out which one is the culprit. There’s probably a line in .htaccess blocking that.

    Thanks for your help.
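
A quicker way to find the blocking filter than commenting lines out one at a time, as an added example that is not part of the original thread or of BPS: the script below evaluates each active `RewriteCond` against a request's variables and lists the ones that match. The rules are copied from the posts above; the request values (`/server-status?auto`, `libwww-perl/6.05`) are constructed, Python's `re` stands in for Apache's PCRE, and each condition is tested on its own rather than as a full mod_rewrite chain.

```python
import re

# Constructed sample: a few of the BPSQSE conditions quoted in this thread,
# with one line commented out to show that disabled filters are skipped.
HTACCESS = r"""
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
#RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
"""

# RewriteCond %{VAR} pattern [flags]; the pattern may contain escaped spaces.
COND_RE = re.compile(
    r"^RewriteCond\s+%\{(?P<var>\w+)\}\s+(?P<pat>.+?)"
    r"(?:\s+\[(?P<flags>[A-Za-z,]+)\])?$"
)


def request_vars(method, uri, user_agent, referer=""):
    """Build the server variables the filters test, for one request."""
    path, _, query = uri.partition("?")
    return {
        "REQUEST_METHOD": method,
        "REQUEST_URI": path,
        "QUERY_STRING": query,
        "THE_REQUEST": f"{method} {uri} HTTP/1.1",
        "HTTP_USER_AGENT": user_agent,
        "HTTP_REFERER": referer,
    }


def matching_conditions(htaccess, env):
    """Return (line number, variable, pattern) for every active RewriteCond
    whose pattern matches the request. Commented-out lines are ignored."""
    hits = []
    for lineno, raw in enumerate(htaccess.splitlines(), 1):
        m = COND_RE.match(raw.strip())
        if not m or m["var"] not in env:
            continue
        flags = (m["flags"] or "").upper().split(",")
        pattern = m["pat"]
        negate = pattern.startswith("!")      # "!pattern" inverts the test
        if negate:
            pattern = pattern[1:]
        found = re.search(pattern, env[m["var"]],
                          re.I if "NC" in flags else 0) is not None
        if found != negate:
            hits.append((lineno, m["var"], pattern))
    return hits


if __name__ == "__main__":
    # Constructed request: a monitoring script with a library default User-Agent.
    env = request_vars("GET", "/server-status?auto", "libwww-perl/6.05")
    for lineno, var, pattern in matching_conditions(HTACCESS, env):
        print(f"line {lineno}: %{{{var}}} matches {pattern}")
```

Line numbers refer to the text passed in, so feeding it the real root .htaccess file points straight at the rule to review or to adjust through BPS Custom Code.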
