Apostrophe – Single Quote Code Character 403 Error


  • #6936
    James
    Participant

    Hi, For some reason I get this 403 error for most of my links, I think it’s due to the weird characters it has:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - June 16, 2013 - 12:50 am <<<<<<<<<<<
    REMOTE_ADDR: 72.47.224.85
    Host Name: agaacqmame.c03.gridserver.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: [removed]
    REQUEST_URI: /download.php?authid=1515&id=3250&type=older_v2&movie=Greaser%27s+Palace
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

    I have a few 1000 of these errors throughout my error log…
    Can you please tell me what would I need to change in the .htaccess file to eliminate these 403 errors?

    #6939
    AITpro Admin
    Keymaster

    The Request URI Query string has a single quote code character/Apostrophe in it and that is why it is generating a 403 error.

    Greaser%27s+Palace = Greaser's Palace

    You can either remove the single quote character/Apostrophe from your website URLs or you can copy the already modified BPS Query String Exploits htaccess code below to BPS Custom Code. Modifications made: %27 is removed from these security filters below and the single quote coding character in the QUERY_STRING filter has been removed.

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

    IMPORTANT NOTE: This code below is for the root .htaccess file. If you want to allow/whitelist apostrophes|single quote code characters in your wp-admin backend area then use this wp-admin .htaccess file Query String Exploits code in this link: http://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372

    1. Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    Important Note: If you have existing htaccess code in this Custom Code text box then overwrite the existing htaccess code with this new htaccess code.
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    Impact to overall website security:  BPS has several overlapping security filters/rules. So by modifying these particular rules/filters your website is still protected against SQL Injection attacks. The SQL Injection security filter/rule below will still protect the site from all SQL Injection attacks. The single quote code character is used in most SQL Injection attacks.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
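
Added example (not part of the original posts and not BPS code): a small Python harness that replays the three QUERY_STRING conditions quoted above against the logged request, showing what the modification changes and what the overlapping SQL Injection rule still blocks. Python's `re` stands in for Apache's regex engine, and every query string other than the logged one is constructed for illustration.

```python
import re

# Raw (still percent-encoded) query string from the logged 403 above.
# mod_rewrite matches %{QUERY_STRING} without URL-decoding, so "%27" is literal text.
LOGGED_QS = "authid=1515&id=3250&type=older_v2&movie=Greaser%27s+Palace"

SQL_WORDS = ("/\\*|union|select|insert|drop|delete|update|cast|create|char|convert|"
             "alter|declare|order|script|set|md5|benchmark|encode")

# Three QUERY_STRING conditions copied from the thread; all carry [NC].
RULES = {
    "generic_original": r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)",
    "generic_modified": r"(<|>|%0A|%0D|%3C|%3E|%00)",
    "sqli_overlap": r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(" + SQL_WORDS + ")",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}


def blocked_by(query_string, rule_names):
    """Return the names of the given rules that match the raw query string."""
    return [n for n in rule_names if COMPILED[n].search(query_string)]


def verdict(query_string, modified=True):
    """Evaluate the OR-chained pair: generic filter (old or new) plus the SQLi rule."""
    generic = "generic_modified" if modified else "generic_original"
    hits = blocked_by(query_string, [generic, "sqli_overlap"])
    return ("403", hits) if hits else ("pass", hits)


# Constructed sample inputs (not from the thread) for the edge cases.
SAMPLES = {
    "logged request": LOGGED_QS,
    "quote then SQL keyword": "id=1%27+UNION+SELECT+1",
    "quote then ordinary word containing 'cast'": "movie=Howl%27s+Moving+Castle",
}

if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(f"{label}: before={verdict(qs, modified=False)} after={verdict(qs)}")
```

The third sample is the case to check in your own URLs: the overlapping rule matches any listed keyword as a substring after the quote, so a title such as the constructed "Howl's Moving Castle" (contains "cast") still returns 403 after the change.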

    #6946
    James
    Participant

    Thanks, it seems to be working great now.

    One last thing I wanted to ask, can you please remove my domain from my original post?

    #6949
    James
    Participant

    Hmm.. After a few hours of letting this run, I still seem to be getting 403 errors..

    BPS SECURITY / HTTP ERROR LOG
    ==============================
    ==============================
    >>>>>>>>>>> 403 GET or Other Request Error Logged - June 16, 2013 - 3:53 am <<<<<<<<<<<
    REMOTE_ADDR: 174.52.221.202
    Host Name: c-174-52-221-202.hsd1.ut.comcast.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Genieo/1.0 http: //www.genieo.com/webfilter.html)
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - June 16, 2013 - 3:53 am <<<<<<<<<<<
    REMOTE_ADDR: 65.55.215.100
    Host Name: msnbot-65-55-215-100.search.msn.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/get-related-imdb-info/imdbimage.php?url=http://ia.media-imdb.com/images/M/MV5BMjE4MzE4MjcyMF5BMl5BanBnXkFtZTcwMjEzNDcyOQ@@._V1._SY0.jpg._V1_SX800_CR0,0.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: msnbot-media/1.1 (+http: //search.msn.com/msnbot.htm)

    #6960
    AITpro Admin
    Keymaster

    These are totally different issues than the single quote issue.

    1.  You DO want the Genieo bot to be blocked so that is not an error, but is instead a blocked nuisance bot being logged.  If you do not want to see these security log entries in your security / http error log you can choose to ignore logging the Genieo bot on the Security Log page.  Please read the Blue Read Me help button on the Security Log page for more information.

    2.  The second error is being logged because the get related imdb info plugin is simulating an RFI hacking attempt against your website.  You will need to whitelist both the imdbimage.php file and the media-imdb.com external domain name as shown below.

    1. You will need to copy this code to BPS Custom Code to the Timthumb Forbid RFI Custom Code Text box.
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
    Note: Add your actual domain name below where you see “add-your-domain-name-here.com” below….

    CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    #
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (imdbimage\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^(.*add-your-domain-name-here.com.*|.*media-imdb.com.*)
    RewriteRule . - [S=1]

    #6999
    AITpro Admin
    Keymaster

    FYI – the imdbimage.php file is a timthumb file/script that has been renamed to imdbimage.php.  Out of curiosity where did you get/buy this plugin?

    #7017
    James
    Participant

    Thanks, I just added the code above and now I’m waiting to see the log.

    As for the plugin, I have a personal programmer who I pay to make custom plugins and websites.

    #7018
    AITpro Admin
    Keymaster

    Yep, there are lots of IMDB scrapers out there that are very similar.  Was curious because I found several that had very similar coding to your specific plugin when I scanned your site, but the naming conventions were different.  😉

    #12009
    Deb
    Participant

    I followed the instructions above. Added the custom code. A notice appeared at the top – but no matter how many times I click “Save Root Custom Code” button and steps on Security Mode – it never disappears now:

    Notice: BPS Query String Exploits Code Changes
    Older BPS Query String Exploits code was found in BPS Custom Code. Several Query String Exploits rules were changed/added/modified in the root .htaccess file in BPS Pro 7.9.
    Copy the new Query String Exploits section of code from your root .htaccess file and paste it into this BPS Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS and click the Save Root Custom Code button.
    This Notice will go away once you have copied the new Query String Exploits code to BPS Custom Code and clicked the Save Root Custom Code button.

    Notice still there. Any thoughts? – mine are not working.

    I checked the code in the File Editor tab to the left and it’s not there, so it’s not saving.
    I’ll do it manually for the moment.

    Back: the code in that portion of BPS was identical upon comparison, so the code was as you have above in the BPSQSE BPS QUERY STRING EXPLOITS code area.

    #12012
    Deb
    Participant

    Okay. I found newer BPS Query String Exploits code at
    http://forum.ait-pro.com/forums/topic/backupbuddy-ping-waiting-for-server/  and pasted/saved etc. and now notice is gone.
    🙂

     

    #12014
    AITpro Admin
    Keymaster

    I just updated the BPS Query String Exploits code above with the new code.  I thought I had found all posts with the old code, but must have missed this Topic.
