Search String Apostrophe / Single Quote 403 error


Viewing 15 posts - 1 through 15 (of 20 total)
  • #1400
    justawebbie
    Member

    When anyone searches the site using a ' (single quote) in the name it directs them to a 403 error. I was told by our server company it was coming from the plugin. How can I fix this so it does not happen anymore?

    #1402
    AITpro Admin
    Keymaster

    If you want to allow the apostrophe or single quote code character in searches or in URLs or Feeds then you would need to modify several security filters in your root .htaccess file. I do not recommend doing this of course because the single quote coding character is one of the top 3 most dangerous coding characters. Please see this Forum Topic for the security rules/filters you would need to modify >>> http://forum.ait-pro.com/forums/topic/feedburner-feed-header-causing-403-error/

    #14372
    AITpro Admin
    Keymaster

    Searching in the WordPress backend area in any of the Search Windows using a single quote code character/apostrophe will result in a 403 error.

    Options:
    1.  Do not use the single quote code character/apostrophe when searching in the WordPress backend Dashboard/wp-admin area.
    2.  Whitelist/allow the single quote code character/apostrophe in search strings in the WordPress backend Dashboard/wp-admin area.

    1. Copy this modified (single quote code character filters are removed) wp-admin .htaccess BPS Query String Exploits code below to this BPS wp-admin Custom Code text box:  CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS:
    Modify Query String Exploit code here

    2. Click the Save wp-admin Custom Code button.
    3. Go to the BPS Security Modes page and activate wp-admin BulletProof Mode.

    IMPORTANT NOTE:  This is the wp-admin .htaccess file code and not the Root .htaccess file code.  There are slight differences between the root .htaccess file and wp-admin .htaccess file Query String Exploits code.

    Additional Note: This Forum Topic link below shows the Root .htaccess file Query String Exploits code with apostrophe/single quote modifications made to the Root .htaccess file BPS Query String Exploits code.
    http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

    Additional Notes:  These are the 3 Query String Exploits security filters/lines of code that have been changed/modified in the code above:
    Before:

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

    After:

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]

    #15606
    Jeff Rivett
    Participant

    I’m seeing the same behaviour on a couple of my WordPress sites. On one, attempting to search for a string with a single quote gives an immediate 403. On the other, searching for something with a single quote shows me the search results page, but clicking anything on that page (not just search results, but ANY link on the page, including the site logo, which links to the site root) gives me a 403 error.

    I understand that this is the default behaviour of BPS (blocking URLs with quotes), but isn’t there a more elegant way of handling it? I understand that BPS works at the URL level, and quotes in URLs are dangerous, and BPS can’t differentiate between URLs generated by WordPress and all others, so maybe there’s no (safe) way to modify what BPS is doing. So now I’m thinking about stripping out quote characters from search terms. At least that will prevent the 403 errors.

    Has anyone else found a good solution to this?

    #15607
    AITpro Admin
    Keymaster

    There are other security rules that protect against SQL injection so making this modification is actually irrelevant in the big picture. i.e. your website is still protected against SQL injection if you decide to make the modification above. This is the primary SQL injection security filter below and it is defined in a way that it would only block an actual SQL injection attempt. The other security filters are just general security filters. The general idea is BPS starts out with the maximum security protection and allows folks to decrease that security protection on a personal basis/choice/preference.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

    #15903
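
    To see what the reply above means in practice, here is an added Python check (not code from BulletProof Security or from anyone in this thread) that runs the three filters quoted in this thread against constructed WordPress search query strings, with Apache's [NC] rendered as re.IGNORECASE and the query string tested URL-encoded, as mod_rewrite sees it. It also shows the caveat that the primary filter fires on any quote followed by one of its keywords, so "char" inside "character" is enough, not only injection syntax.

```python
import re
from typing import Optional
from urllib.parse import quote_plus

# The three BPS filters quoted in this thread, as Python regexes.
# Apache's [NC] flag is re.IGNORECASE; mod_rewrite tests %{QUERY_STRING} as
# sent on the wire (still URL-encoded), which is why each rule lists both the
# literal character and its %XX form.
GENERIC_BEFORE = re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", re.IGNORECASE)
GENERIC_AFTER = re.compile(r"(<|>|%0A|%0D|%3C|%3E|%00)", re.IGNORECASE)
SQLI_PRIMARY = re.compile(
    r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
    r"(/\*|union|select|insert|drop|delete|update|cast|create|char|convert"
    r"|alter|declare|order|script|set|md5|benchmark|encode)",
    re.IGNORECASE,
)


def wp_search_query(term: str) -> str:
    """Constructed stand-in for the query string a WordPress search form sends (?s=...)."""
    return "s=" + quote_plus(term)


def blocked_by(query_string: str, allow_single_quote: bool) -> Optional[str]:
    """Name the first filter that would answer 403, or None if the request passes.

    allow_single_quote=False is the stock rule set; True is the thread's
    modified set with ' and %27 removed from the generic character filter.
    """
    generic = GENERIC_AFTER if allow_single_quote else GENERIC_BEFORE
    if generic.search(query_string):
        return "generic character filter"
    if SQLI_PRIMARY.search(query_string):
        return "primary SQL injection filter"
    return None


if __name__ == "__main__":
    # Constructed sample searches, not captured from any site.
    for term in ("O'Reilly", "' UNION SELECT 1", "Bob's character sheet"):
        qs = wp_search_query(term)
        print(f"{qs!r:32} stock={blocked_by(qs, False)!s:30} modified={blocked_by(qs, True)}")
```
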
    Jeff Rivett
    Participant

    Thanks for the additional info. I used the BPSQSE code from this thread on the affected sites and they are now working as expected.

    However, I’ve run into another problem: when the official BPSQSE rules change between BPS versions, I’m faced with a choice between keeping my new custom rules (that allow quotes), which are apparently based on a much earlier BPS version, or use the latest default rules, thereby reintroducing the unwanted quote filtering behaviour. Although I suppose my other option is to compare the new rules with the old rules and try to figure out which ones to keep, I’m a bit wary of fiddling with them.

    Maybe BPS needs a new interface for selecting specific protections. A list of rules (translated into English) with checkboxes could be presented to the site admin, allowing them to decide which rules to use. BPS would use these choices when generating the secure htaccess file.

    #15905
    AITpro Admin
    Keymaster

    The new BPS security filters are listed on the What's New page in BPS Pro and the What's New tab page in BPS free and here: http://www.ait-pro.com/aitpro-blog/5009/bulletproof-security-pro/whats-new-in-bulletproof-security-pro-9-0/

    Yep, we need to go through all topics in the forum site today and replace all instances of these 2 old security filters with the new security filters.

    EDIT/Update for BPS .50.3/.50.4:

    Old security filters

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \?+(%20{1,}|[^\s])+HTTP+(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} \/+(\*|%2a)+(%20|\s){1,}+HTTP+(:/|/) [NC,OR]

    New security filter .50.3 – has some issues/problems

    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)HTTP(:/|/) [NC,OR]

    New security filter .50.4 – no known issues/problems

    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]

    So what you need to do is just replace the 2 old security filters with the 2 new security filters in Custom Code.

    Maybe BPS needs a new interface for selecting specific protections. A list of rules (translated into English) with checkboxes could be presented to the site admin, allowing them to decide which rules to use. BPS would use these choices when generating the secure htaccess file.

    That method of breaking up .htaccess code into multiple (excessive) separate options is done in several other security plugins and we have found that using a one-click method is much better.

    BulletProof Security One-Click Method vs Multiple Separate Option Settings
    BulletProof Security uses a one-click setup method vs breaking up options and settings into multiple separate different options and settings. One-click is used figuratively and not literally. One-click is the concept where several tasks are performed with one click of a button. BPS BulletProof Modes setup actually takes 4 clicks, but with those 4 clicks BPS BulletProof Modes are set up and the website has maximum security enabled with all BPS security features and code enabled instead of having to choose multiple separate options and settings. Customization, whitelisting, adding BPS Bonus Custom Code or adding other personal custom .htaccess code is done with the BPS Custom Code feature.

    #15937
    Jeff Rivett
    Participant

    I would argue that it makes sense to have an ‘advanced’ interface for people who want to customize the rules beyond what the ‘one click’ interface provides, but I see your point.

    Also, I think it would help if you updated this thread with a version of the BPSQSE rules that has all the latest stuff MINUS the quote-blocking stuff. The rules posted earlier in this thread are from an earlier version of BPS that I can’t identify, making it difficult to identify exactly what rules were changed to remove quote checking.

    I *think* the rules I need to change are:

    [1]
    FROM: RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    TO: RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
    [2]
    FROM: RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    TO: RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    [3]
    FROM: RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    TO: RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    
    #15940
    AITpro Admin
    Keymaster

    Custom Code is an advanced interface that allows someone to customize their custom code and it is simple to use / user friendly too.

    I guess I should have mentioned that we tried that method first of having multiple options/settings and it was a huge failure.  I see the same problems and failures occurring in other security plugins that are still using that method.  The primary problem is this:  If someone does not understand exactly what the option/setting and code does for that option/setting then what occurs is massive confusion and excessive additional problems – we have been there and done that.

    What makes the Custom Code method far superior is people can visually see what is occurring in the code itself whether or not they understand the code.  It basically becomes a “paint by numbers” copy and paste instead of requiring any thought or knowledge by the end user.  For advanced users they can customize that custom code directly and save it permanently.

    We are currently in the process of updating all threads in this Forum that have the older security rules.  This thread has already been updated.

    #15958
    Jeff Rivett
    Participant

    Thanks, but the updated version of the BPSQSE section in this thread is still very different from the latest from version .50.2. It might make more sense to post the version .50.2 code with the quote blocking stuff removed. It would certainly be more useful to me.

    As for the changes I think I need (that I posted above): are they anywhere near being correct?

    #15959
    AITpro Admin
    Keymaster

    The BPS Query String Exploits code is current in this forum thread.  The BPS Query String Exploits code is also current in this thread:  http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939 which shows which security filters/rules have been modified.

    Post your BPS Query String Exploits code so that I can see your code.

    #15961
    AITpro Admin
    Keymaster

    Oops, you are right. This is the wp-admin .htaccess file code and I thought it was root .htaccess file code. I will add a Note so that I do not miss that in the future.

    #15963
    AITpro Admin
    Keymaster

    Ok this is the wp-admin .htaccess file’s Query String Exploits code so I added a Note so that I would see this as well.  😉

    IMPORTANT NOTE:  This is the wp-admin .htaccess file code and not the Root .htaccess file code.  There are slight differences between the root .htaccess file and wp-admin .htaccess file Query String Exploits code.

    This Forum Topic shows the Root .htaccess file Query String Exploits code.

    http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    #15968
    Jeff Rivett
    Participant

    Well, that certainly explains a lot! 🙂

    From that other thread, I can see that the changes I made to the .50.2 root code were correct. At this point, everything looks fine.

    Sorry for messing up this thread.

    #15969
    AITpro Admin
    Keymaster

    Actually you pointed out something very important that will be corrected today throughout the forum so thanks for that. 🙂  All threads that have Query String Exploits code in them need to have a Note added to them to make it crystal clear which .htaccess file Query String Exploits code is in that particular forum topic.  I completely missed that until you said your Query String Exploits code was different DOH.
