Anti Exploit Guard – Whitelist

Home Forums BulletProof Security Pro Anti Exploit Guard – Whitelist

This topic contains 6 replies, has 2 voices, and was last updated by  AITpro Admin 2 months, 2 weeks ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #35555

    Nik
    Participant

    Hello AIT,

    My slider images show up on the back end but, not the front end of the website.  Looks like a conflict with the js script.  See below.  Would great appreciate your suggestion on where I should Whitelist:

    /list/wp-content/uploads/dynamic_avia/avia-footer-scripts-c8fc904331f0321fbdba896cfedb73ae.js?ver=4.9.4

    [403 GET Request: April 1, 2018 - 2:34 pm]
    BPS Pro: 13.4.1
    WP: 4.9.4
    Event Code: UAEGWR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: 96.49.220.8
    Host Name: B000231.rc.netcable.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://joesgarden.org/list/
    REQUEST_URI: /list/wp-content/uploads/dynamic_avia/avia-footer-scripts-c8fc904331f0321fbdba896cfedb73ae.js?ver=4.9.4
    QUERY_STRING: ver=4.9.4
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0

    Thanks so much.

    Nik

    #35556

    Nik
    Participant

    Hellow AIT,

    Please disregard the website address: https://joesgarden.org/list/
    It’s only an example.

    Nik

    #35559

    AITpro Admin
    Keymaster

    Uploads Anti-Exploit Guard (UAEG) is blocking the .js script in the WordPress /uploads folder.  See the whitelisting options on the UAEG Guide forum topic > https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/.  You want to whitelist the /dynamic_avia/ folder using the “Apache UAEG htaccess Whitelisting Code using SetEnvIf for specific files or folders” example method if you have an Apache server or “LiteSpeed UAEG htaccess Whitelisting Code for specific files or folders” example method if you have a LiteSpeed server.

    #35573

    Nik
    Participant

    Hello AIT,

    Thanks for your suggestions.  I tried, but it didn’t work.  Also tried each of the  code (see below) individually and both together, but the issue persist.  The images and map are still not showing.

    SetEnvIf Request_URI "/wp-content/uploads/dynamic_avia/.*$" whitelist
    SetEnvIf Request_URI "/wp-content/uploads/dynamic_avia/avia-footer-scripts-c8fc904331f0321fbdba896cfedb73ae.js$" whitelist

    Dynamic_avia is a layout builder incorporated into Enfold Theme.

    Love your awesome security plugin,  but it’s can be a real challenge when it doesn’t work.  I have sent a test site admin login to

    Any other suggestions would be greatly appreciated.

    With much thanks,
    Nik

    #35574

    AITpro Admin
    Keymaster

    The correct UAEG htaccess file whitelist rule would be:

    SetEnvIf Request_URI "dynamic_avia/.*$" whitelist

    Important Note: Do not forget to remove/delete the pound signs (highlighted in yellow) from these lines of code in the UAEG htaccess file:

    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    <IfModule mod_authz_core.c>
    #Require env whitelist
    Require all denied
    </IfModule>
    
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    Order Allow,Deny
    #Allow from env=whitelist
    Deny from all
    </IfModule>
    </IfModule>
    </FilesMatch>

    Another method that you can use is to whitelist all .js files in the WordPress /uploads folder, which is very safe to do.

    Alternative Method: Whitelist all .js files by removing js from the FilesMatch line of code (|js has been deleted in the code below):

    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">

    Or you can just deactivate UAEG on the B-Core Security Modes page.

    #35577

    Nik
    Participant

    Thanks, AIT for your suggestions.

    Regretfully, taking all the suggested steps did not work, including deactivating UAEG on the B-Core Security Modes page. Note that this site is a subdirectory of the main site. The slider does not work, in the “Photo” Tab, there’s no “pop up” image in the lightbox and the map near the bottom of the right bar does not appear.

    I also deactivated UAEG on the main site, but the issue remains. Thanks so much for taking a look at it.

    Nik

    #35579

    AITpro Admin
    Keymaster

    Ok I’ll login to this site with the WordPress login information you sent to me.  I’ll post the solution back here once the problem is fixed.

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.