Event Espresso – espresso_batch 403 error

[Rob B]

[Topic has been Split into a new Topic]
Ok I did have the WP Edit installed.  I deactivated it and am now getting a 403 error with no other information.

In BP security log I am getting.

[403 GET Request: March 22, 2017 1:58 pm]
BPS: .54.5
WP: 4.7.3
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: xx.xxx.xx.xx
Host Name: xx-xx-xxx-xx.isp.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://example.org/Dir/wp-admin/admin.php?page=espresso_registrations&action=default&event_id=1163&default_nonce=db653d011f
REQUEST_URI: /Dir/wp-admin/admin.php?page=espresso_batch&use_filters=1&filters=a%3A5%3A%7Bi%3A0%3Ba%3A2%3A%7Bs%3A6%3A%22EVT_ID%22%3Bi%3A1163%3Bs%3A6%3A%22STS_ID%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A2%3A%22%21%3D%22%3Bi%3A1%3Bs%3A3%3A%22RIC%22%3B%7D%7Ds%3A4%3A%22caps%22%3Bs%3A10%3A%22read_admin%22%3Bs%3A24%3A%22default_where_conditions%22%3Bs%3A15%3A%22this_model_only%22%3Bs%3A8%3A%22order_by%22%3Ba%3A1%3A%7Bs%3A8%3A%22REG_date%22%3Bs%3A4%3A%22DESC%22%3B%7Ds%3A5%3A%22limit%22%3Ba%3A2%3A%7Bi%3A0%3Bi%3A0%3Bi%3A1%3Bi%3A10%3B%7D%7D&return_url=%2F%2Fnaweoa.org%2FConf%2Fwp-admin%2Fadmin.php%3Fpage%3Despresso_registrations%26action%3Ddefault%26event_id%3D1163%26default_nonce%3Ddb653d011f&action=default&registrations_report_nonce=e06be76b8e&return=default&batch=file&job_handler=EventEspressoBatchRequest%5CJobHandlers%5CRegistrationsReport&default_nonce=db653d011f
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

I added this rule to 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES:

# Event Espresso Query String skip/bypass rule
RewriteCond %{QUERY_STRING} limit%5B%5D=(.*) [NC]
RewriteRule . - [S=13]

But no luck.

[AITpro Admin]

See final working solution for this problem here: https://forum.ait-pro.com/forums/topic/event-espresso-espresso_batch-403-error/#post-32875

@ Rob B – Try this whitelist rule instead and let me know if it works or not.

1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the Security Modes tab page and click the Root Folder BulletProof Mode Activate button.

# Event Espresso Query String skip/bypass rule
RewriteCond %{QUERY_STRING} page=espresso(.*) [NC]
RewriteRule . - [S=13]

Also if you already have other plugin skip/bypass rules then be sure to change the Skip numbers.

Skip rules MUST be in descending consecutive number order: 15, 14, 13… If you add one plugin skip/bypass rule in this text box it should be skip rule #13. For each additional plugin skip rule that you add the S= skip number is increased by one. Example: if you add 3 plugin skip rules in this text box they would be Skip rules #15, #14 and #13 – RewriteRule . – [S=15] and RewriteRule . – [S=14] and RewriteRule . – [S=13] in descending consecutive order

And most likely you can activate the WP Edit plugin again once you have added and tested that this whitelist rule for Event Espresso is working. The original problem/error that occurs with the WP Edit plugin and the BPS 403.php Security logging template has something to do with how output buffering is flushed in the BPS 403.php logging template and something else that WP Edit is doing with Object output buffering. The BPS 403.php logging template must do what is does with output buffering or else it would cause problems for other plugins.

[Rob B]

No sorry that did not do it.  I am still getting the same error and same entry in the security log

 

[AITpro Admin]

See final working solution for this problem here: https://forum.ait-pro.com/forums/topic/event-espresso-espresso_batch-403-error/#post-32875

@ Rob B – Ok then you will need to do these steps below. [code removed – see solution link above]

[Rob B]

That did the trick.  Thanks so much for being so responsive and thorough with your explanations.

[AITpro Admin]

@ Rob B – Great!  Thanks for confirming that worked.

[Rob B]

Now getting an error on a separate report

[403 GET Request: March 27, 2017 10:48 pm]
BPS: .54.5
WP: 4.7.3
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: xx.xx.xxx.xx
Host Name: xx-xx-xxx-xx.example.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://example.com/Conf/wp-admin/admin.php?s&_wpnonce=85ccd72aaf&_wp_http_referer=%2FConf%2Fwp-admin%2Fadmin.php%3Fpage%3Despresso_registrations&action=-1&month_range=March+2017&EVT_CAT=-1&_reg_status=0&page=espresso_registrations&route=default&perpage=10&approve_registration_nonce=ac4c3ea821&approve_and_notify_registration_nonce=2ce9db3c8c&decline_registration_nonce=516cb6a03b&pending_registration_nonce=b5dbab2e0e&pending_and_notify_registration_nonce=78a1d2a08b&no_approve_registration_nonce=17c8f01afa&cancel_registration_nonce=bea64a3740&cancel_and_notify_registration_nonce=d3a752f0a9&trash_registrations_nonce=99c2de1edc&paged=1&action2=-1&default_nonce=4f253b70e0
REQUEST_URI: /Conf/wp-admin/admin.php?page=espresso_batch&use_filters=1&filters=a%3A5%3A%7Bi%3A0%3Ba%3A2%3A%7Bs%3A6%3A%22STS_ID%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A2%3A%22%21%3D%22%3Bi%3A1%3Bs%3A3%3A%22RIC%22%3B%7Ds%3A8%3A%22REG_date%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22BETWEEN%22%3Bi%3A1%3Ba%3A2%3A%7Bi%3A0%3BO%3A49%3A%22EventEspresso%5Ccore%5Cdomain%5Centities%5CDbSafeDateTime%22%3A1%3A%7Bs%3A19%3A%22%00%2A%00_datetime_string%22%3Bs%3A40%3A%222017-03-01+00%3A00%3A00+%2B0000+Africa%2FAbidjan%22%3B%7Di%3A1%3BO%3A49%3A%22EventEspresso%5Ccore%5Cdomain%5Centities%5CDbSafeDateTime%22%3A1%3A%7Bs%3A19%3A%22%00%2A%00_datetime_string%22%3Bs%3A40%3A%222017-03-31+23%3A59%3A59+%2B0000+Africa%2FAbidjan%22%3B%7D%7D%7D%7Ds%3A4%3A%22caps%22%3Bs%3A10%3A%22read_admin%22%3Bs%3A24%3A%22default_where_conditions%22%3Bs%3A15%3A%22this_model_only%22%3Bs%3A8%3A%22order_by%22%3Ba%3A1%3A%7Bs%3A8%3A%22REG_date%22%3Bs%3A4%3A%22DESC%22%3B%7Ds%3A5%3A%22limit%22%3Ba%3A2%3A%7Bi%3A0%3Bi%3A0%3Bi%3A1%3Bi%3A10%3B%7D%7D&return_url=%2F%2Fexample.com%2FConf%2Fwp-admin%2Fadmin.php%3Fs%26_wpnonce%3D85ccd72aaf%26_wp_http_referer%3D%252FConf%252Fwp-admin%252Fadmin.php%253Fpage%253Despresso_registrations%26action%3D-1%26month_range%3DMarch%2B2017%26EVT_CAT%3D-1%26_reg_status%3D0%26page%3Despresso_registrations%26route%3Ddefault%26perpage%3D10%26approve_registration_nonce%3Dac4c3ea821%26approve_and_notify_registration_nonce%3D2ce9db3c8c%26decline_registration_nonce%3D516cb6a03b%26pending_registration_nonce%3Db5dbab2e0e%26pending_and_notify_registration_nonce%3D78a1d2a08b%26no_approve_registration_nonce%3D17c8f01afa%26cancel_registration_nonce%3Dbea64a3740%26cancel_and_notify_registration_nonce%3Dd3a752f0a9%26trash_registrations_nonce%3D99c2de1edc%26paged%3D1%26action2%3D-1%26default_nonce%3D4f253b70e0&action=default&registrations_report_nonce=21ca0732a7&return=-1&batch=file&job_handler=EventEspressoBatchRequest%5CJobHandlers%5CRegistrationsReport&default_nonce=4f253b70e0
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

[AITpro Admin]

See final working solution for this problem here: https://forum.ait-pro.com/forums/topic/event-espresso-espresso_batch-403-error/#post-32875

@ Rob B – Yeah I see at least 5 different things in the Event Espresso Query String that would appear be to an attack against your website.  Give me second and I will post the solution for this one.

[AITpro Admin]

See final working solution for this problem here: https://forum.ait-pro.com/forums/topic/event-espresso-espresso_batch-403-error/#post-32875

@ Rob B – Oops the Query String skip/bypass rule that I first had you try was for the Root htaccess file and not the wp-admin htaccess file.  This Query String skip/bypass rule below works for the second Security Log entry you posted and also for the first Security Log entry that you posted as well or in other words allows these Query Strings in Event Espresso to do whatever they are doing.  😉  Also since you are whitelisting/allowing ONLY the Event Espresso Query String match of:  espresso_batch then this is completely safe to do and would not alter your wp-admin file security protection for other attacks that use the same dangerous types of things in Query Strings to attack your website. 😉

1. Copy the wp-admin htaccess code below into this BPS wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
2. Click the save wp-admin Custom Code button.
3. Go to the Security Modes page and click the wp-admin folder BulletProof Mode Activate button.

# Event Espresso Query String skip/bypass rule
RewriteCond %{QUERY_STRING} espresso_batch(.*) [NC]
RewriteRule . - [S=2]

[Rob B]

Added this last code  and  the report started then got

Forbidden
An error occurred and the job has been stopped.

Also getting Forbidden
You don’t have permission to access /Conf/wp-admin/index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

for all other Dashboard requests.
No BPS Error Log entry.
Disabled the wp-admin folder security  Same result
Disabled the root folder security,  Then the report worked.

[AITpro Admin]

See final working solution for this problem here: https://forum.ait-pro.com/forums/topic/event-espresso-espresso_batch-403-error/#post-32875

@ Rob B – At this point send me a WordPress Administrator login to this site and an FTP login to this site so I can login to this site and figure out and fix whatever is going on. Send the login info to:  info at ait-pro dot com.

[Rob B]

Just checking to see if you got the credentials for FTP and login.  Let me know if you neeed anything else

[AITpro Admin]

@ Rob B – Nope, we have not received an email from you.

[AITpro Admin]

UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

UPDATED: 6-7-2017
@ Rob B – Ok got it working.
Note: The Event Espresso Report Request is bounced from the backend of a site to the frontend of a site (using both GET and POST Requests at various stages) and then back to the backend of a site with a return URL.

1. Copy the code below to this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
2. Click the Save Root Custom Code button.
3. Go to the Security Modes tab page and click the Root Folder BulletProof Mode Activate button.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
#RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS

1. Copy the wp-admin htaccess code below into this BPS wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES

Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

# admin.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin\.php) [NC]
RewriteRule . - [S=2]

2. Copy the modified wp-admin htaccess code below to this BPS wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
3. Click the Save wp-admin Custom Code button.
4. Go to the Security Modes page and click the wp-admin BulletProof Mode Activate button.

# BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
# WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
# Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
#RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
#RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

[Rob B]

Thanks for the solution, It works now, will have to deal with Event Espresso.  Great support.

[Author]

Posts