Search String Apostrophe / Single Quote 403 error

Home Forums BulletProof Security Free Search String Apostrophe / Single Quote 403 error

This topic contains 14 replies, has 3 voices, and was last updated by  AITpro Admin 5 months ago.

Viewing 15 posts - 1 through 15 (of 15 total)
  • Author
    Posts
  • #1400 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    justawebbie
    Member

    When anyone searches the site using an ” ‘ ” in the name it directs them to a 403 error.  I was told by our server company it was coming from the plugin.  How can I fix this so it does not happen anymore?

    #1402 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    If you want to allow the apostrophe or single quote code character in searches or in URL’s or Feeds then you would need to modify several security filters in your root .htaccess file.  I do not recommend doing this of course because the single quote coding character is one of the top 3 most dangerous coding characters.  Please see this Forum Topic for the security rules/filters you would need to modify >>> http://forum.ait-pro.com/forums/topic/feedburner-feed-header-causing-403-error/

    #14372 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Searching in the WordPress backend area in any of the Search Windows using a single quote code character/apostrophe will result in a 403 error.

    Options:

    1.  Do not use the single quote code character/apostrophe when searching in the WordPress backend Dashboard/wp-admin area.

    2.  Whitelist/allow the single quote code character/apostrophe in search strings in the WordPress backend Dashboard/wp-admin area.

    Copy this modified (single quote code character filters are removed) wp-admin .htaccess BPS Query String Exploits code below to this BPS wp-admin Custom Code text box:  CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS:
    Modify Query String Exploit code here

    EDIT/UPDATE: The new security filter has been added in this code below.
    IMPORTANT NOTE:  This is the wp-admin .htaccess file code and not the Root .htaccess file code.  There are slight differences between the root .htaccess file and wp-admin .htaccess file Query String Exploits code.

    This Forum Topic link below shows the Root .htaccess file Query String Exploits code with apostrophe/single quote modifications made to the Root .htaccess file BPS Query String Exploits code.
    http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR] 
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

    Click the Save wp-admin Custom Code button.
    Go to the BPS Security Modes page and activate wp-admin BulletProof Mode.

    • This reply was modified 4 months, 2 weeks ago by  AITpro Admin.
    #15606 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Jeff Rivett
    Participant

    I’m seeing the same behaviour on a couple of my WordPress sites. On one, attempting to search for a string with a single quote gives an immediate 403. On the other, searching for something with a single quote shows me the search results page, but clicking anything on that page (not just search results, but ANY link on the page, including the site logo, which links to the site root) gives me a 403 error.

    I understand that this is the default behaviour of BPS (blocking URLs with quotes), but isn’t there a more elegant way of handling it? I understand that BPS works at the URL level, and quotes in URLs are dangerous, and BPS can’t differentiate between URLs generated by WordPress and all others, so maybe there’s no (safe) way to modify what BPS is doing. So now I’m thinking about stripping out quote characters from search terms. At least that will prevent the 403 errors.

    Has anyone else found a good solution to this?

    #15607 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    There are other security rules that protect against sql injection so making this modification is actually irrelevant in the big picture.  ie your website is still protected against sql injection if you decide to make the modification above.  This is the primary sql injection security filter below and it is defined in a way that it would only block an actual sql injection attempt.  The other security filters are just general security filters.  The general idea is BPS starts out with the maximum security protection and allows folks to decrease that security protection on a personal basis/choice/preference.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    #15903 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Jeff Rivett
    Participant

    Thanks for the additional info. I used the BPSQSE code from this thread on the affected sites and they are now working as expected.

    However, I’ve run into another problem: when the official BPSQSE rules change between BPS versions, I’m faced with a choice between keeping my new custom rules (that allow quotes), which are apparently based on a much earlier BPS version, or use the latest default rules, thereby reintroducing the unwanted quote filtering behaviour. Although I suppose my other option is to compare the new rules with the old rules and try to figure out which ones to keep, I’m a bit wary of fiddling with them.

    Maybe BPS needs a new interface for selecting specific protections. A list of rules (translated into English) with checkboxes could be presented to the site admin, allowing them to decide which rules to use. BPS would use these choices when generating the secure htaccess file.

    #15905 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    The new BPS security filters are listed on the Whats New page in BPS Pro and the Whats New tab page in BPS free and here:  http://www.ait-pro.com/aitpro-blog/5009/bulletproof-security-pro/whats-new-in-bulletproof-security-pro-9-0/

    Yep, we need to go through all topics in the forum site today and replace all instances of these 2 old security filters with the new security filters.

    EDIT/Update for BPS .50.3/.50.4:

    Old security filters

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \?+(%20{1,}|[^\s])+HTTP+(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} \/+(\*|%2a)+(%20|\s){1,}+HTTP+(:/|/) [NC,OR]

    New security filter .50.3 – has some issues/problems

    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)HTTP(:/|/) [NC,OR]

    New security filter .50.4 – no known issues/problems

    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]

    So what you need to do is just replace the 2 old security filters with the 2 new security filters in Custom Code.

    Maybe BPS needs a new interface for selecting specific protections. A list of rules (translated into English) with checkboxes could be presented to the site admin, allowing them to decide which rules to use. BPS would use these choices when generating the secure htaccess file.

    That method of breaking up .htaccess code into multiple (excessive) separate options is done in several other security plugins and we have found that using a one-click method is much better.

    BulletProof Security One-Click Method vs Multiple Separate Option Settings
    BulletProof Security uses a one-click setup method vs breaking up options and settings into multiple separate different options and settings. One-click is used figuratively and not literally. One-click is the concept where several tasks are performed with one-click of a button. BPS BulletProof Modes setup actually takes 4 clicks, but with those 4 clicks BPS BulletProof Modes are setup and the website has maximum security enabled with all BPS security features and code enabled instead of having to choose multiple separate options and settings. Customization, whitelisting, adding BPS Bonus Custom Code or adding other personal custom .htaccess code is done with the BPS Custom Code feature.

    • This reply was modified 4 months, 2 weeks ago by  AITpro Admin.
    #15937 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Jeff Rivett
    Participant

    I would argue that it make sense to have an ‘advanced’ interface for people who want to customize the rules beyond what the ‘one click’ interface provides, but I see your point.

    Also, I think it would also help if you updated this thread with a version of the BPSQSE rules that has all the latest stuff MINUS the quote-blocking stuff. The rules posted earlier in this thread are from an earlier version of BPS that I can’t identify, making it difficult to identify exactly what rules were changed to remove quote checking.

    I *think* the rules I need to change are:

    [1]
    FROM: RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    TO: RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
    [2]
    FROM: RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    TO: RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    [3]
    FROM: RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    TO: RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    
    #15940 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Custom Code is an advanced interface that allows someone to customize their custom code and it is simple to use / user friendly too.

    I guess I should have mentioned that we tried that method first of having multiple options/settings and it was a huge failure.  I see the same problems and failures occurring in other security plugins that are still using that method.  The primary problem is this:  If someone does not understand exactly what the option/setting and code does for that option/setting then what occurs is massive confusion and excessive additional problems – we have been there and done that.

    What makes the Custom Code method far superior is people can visually see what is occurring in the code itself whether or not they understand the code.  It basically becomes a “paint by numbers” copy and paste instead of requiring any thought or knowledge by the end user.  For advanced users they can customize that custom code directly and save it permanently.

    We are currently in the process of updating all threads in this Forum that have the older security rules.  This thread has already been updated.

    #15958 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Jeff Rivett
    Participant

    Thanks, but the updated version of the BPSQSE section in this thread is still very different from the latest from version .50.2. It might make more sense to post the version .50.2 code with the quote blocking stuff removed. It would certainly be more useful to me.

    As for the changes I think I need (that I posted above): are they anywhere near being correct?

    #15959 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    The BPS Query String Exploits code is current in this forum thread.  The BPS Query String Exploits code is also current in this thread:  http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939 which shows which security filters/rules have been modified.

    Post your BPS Query String Exploits code so that I can see your code.

    #15961 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Oops you are right.  This is the wp-admin .htaccess file code and I thought it was root .htaccess file code. I will add a Note so that I do not miss that in the future.

    #15963 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Ok this is the wp-admin .htaccess file’s Query String Exploits code so I added a Note so that I would see this as well.  ;)

    IMPORTANT NOTE:  This is the wp-admin .htaccess file code and not the Root .htaccess file code.  There are slight differences between the root .htaccess file and wp-admin .htaccess file Query String Exploits code.

    This Forum Topic shows the Root .htaccess file Query String Exploits code.

    http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    #15968 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Jeff Rivett
    Participant

    Well, that certainly explains a lot! :)

    From that other thread, I can see that the changes I made to the .50.2 root code were correct. At this point, everything looks fine.

    Sorry for messing up this thread.

    #15969 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Actually you pointed out something very important that will be corrected today throughout the forum so thanks for that. :)  All threads that have Query String Exploits code in them need to have a Note added to them to make it crystal clear which .htaccess file Query String Exploits code is in that particular forum topic.  I completely missed that until you said your Query String Exploits code was different DOH.

Viewing 15 posts - 1 through 15 (of 15 total)

You must be logged in to reply to this topic.