Covert Messenger Pro – 403 error


  • #19066
    guy te watson
    Participant

    BPS is preventing some audio files for a plugin from playing in a popup window that the plugin generates. Why are audio files blocked as a security risk? I need these files to play. How do I stop BPS from blocking these certain audio files from running? Some security logs are below that show for some reason it is saying the files are a security issue, Why? Please Help! Thanks!

    In Christ
    guy te

    [403 GET / HEAD Request: November 11, 2014 8:57 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REQUEST_URI: /wp-content/plugins/XXXXXXXXXXXXXXX/assets/JFPlayIt.swf?repeat=y&url=http://demos.webyellowpages.tv/wp-content/plugins/xxxxxxxxxxxxxxxxxxxxx/assets/scall_hangup.mp3
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
    
    [403 GET / HEAD Request: November 11, 2014 9:02 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REQUEST_URI: /wp-content/plugins/XXXXXXXXXXXXXX/assets/JFPlayIt.swf?repeat=y&url=http://demos.webyellowpages.tv/wp-content/plugins/XXXXXXXXXXXXXXXXXXXX/assets/scall_ringin.mp3
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
    #19069
    AITpro Admin
    Keymaster

    The Request URL/URI is simulating a typical RFI hacking attempt.

    1.  Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box:  CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    2.  Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    IMPORTANT!!!:  Edit the code below after copying it to the BPS Custom Code text box and replace “example.com” with your actual website domain name.
    IMPORTANT!!!:  If the Referer website domain name in the URL is different than your website domain name then add the additional Referer domain name. Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (JFPlayIt\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]
    #19070
    guy te watson
    Participant

    Your directions are leaving me confused.  I see places where there is the word example. Do I leave the word example or replace that with something? Also you said “If the Referer website domain name in the URL is different…”  In what URL? Please explain.

    Thanks!
    In Christ
    guy te

    #19072
    AITpro Admin
    Keymaster

    Post an entire Security Log entry and I can give you the exact code.  Or if you do not want to post a Security Log entry publicly in the Forum you can email it to me. info at ait-pro dot com.

    #19081
    guy te watson
    Participant

    I emailed the Security Logs.  Thanks for doing up the exact code for me as offered above.

    #19083
    AITpro Admin
    Keymaster

    Yep sent you the exact specific code and also posted it below.  Just a reminder.  Even though you are allowing something very dangerous on your website the way the whitelist rule works is that it limits allowing something this dangerous on your website to only your Referer domain name and that file.  In other words, your website will not get hacked by using this very specific whitelisting rule/code below.

    Also just an FYI – this has nothing to do with mp3 files.  An RFI hacking pattern/attack is this:  http://example.com/somefile.php?hack-this-website=http://hackers-website.com/hacker-file.php that will hack your website using an RFI attack string.  The RFI Security rule protects against all RFI hacking attacks on your website.  The plugin you are using is using the same hacking attack method and pattern that a hacker would use to hack your website.  The attack pattern is what is being blocked and not the mp3 files.  By whitelisting the file used in the simulated hacking attack on your website and by whitelisting your domain as the Referer you are only allowing that file to be executed on your website instead of Remotely (Remote File Inclusion Attack).

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    #
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (JFPlayIt\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.* demos.webyellowpages.tv.*
    RewriteRule . - [S=1]
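
An added example (not part of the original posts and not BPS code): a Python model of the two whitelist conditions that precede `RewriteRule . - [S=1]`, for checking which requests a Referer pattern accepts before saving it. It uses the `example.com` placeholder pattern from the template rule and assumes Python's `re` behaves like Apache's regex engine for these simple patterns; the stricter pattern, the `PLUGIN` folder name and all sample requests are constructed.

```python
import re

# CondPatterns from the rule posted in this thread, using its placeholder domain.
FILE_COND = re.compile(
    r"(JFPlayIt\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", re.I)  # [NC]
REFERER_POSTED = re.compile(r"^.*example.com.*")  # no [NC], dots unescaped

# Assumption (not from the thread): a tighter form with escaped dots and the
# host anchored to the start of the Referer value.
REFERER_STRICT = re.compile(r"^https?://(www\.)?example\.com(/|$)")


def skip_applies(request_uri, referer, referer_cond):
    """Model the two stacked RewriteCond lines: both must match (implicit AND)
    before 'RewriteRule . - [S=1]' skips the next rule."""
    if not FILE_COND.search(request_uri):
        return False
    return bool(referer_cond.search(referer or ""))


# Constructed requests: label -> (REQUEST_URI path, Referer header or None).
# PLUGIN is a placeholder folder name.
SWF = "/wp-content/plugins/PLUGIN/assets/JFPlayIt.swf"
SAMPLES = {
    "own page, whitelisted file": (SWF, "http://example.com/contact/"),
    "own page, other file": ("/wp-content/plugins/PLUGIN/other.php", "http://example.com/"),
    "no Referer sent": (SWF, None),
    "domain only in a query string": (SWF, "http://other.test/?from=example.com"),
    "dot matched by another character": (SWF, "http://example-com.other.test/"),
}


def compare():
    """Return {label: (posted_result, strict_result)} for every sample."""
    return {
        label: (skip_applies(uri, ref, REFERER_POSTED),
                skip_applies(uri, ref, REFERER_STRICT))
        for label, (uri, ref) in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (posted, strict) in compare().items():
        print(f"{label:35} posted={posted!s:5} strict={strict}")
```

The Referer header is supplied by the client, so this condition narrows which requests skip the next rule; it does not authenticate them.
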
    #19106
    guy te watson
    Participant

    The code is not working to solve the issue. I know it is BPS that is blocking the audio files from running because when I deactivated Root Folder BulletProof Mode and the audio ran perfectly. Also when I first put in the code there was a space in front of the “demos” in * demos.webyellowpages.tv* and after saving it would revert back to *example.com.*  But when I got rid of the space it stayed *demos.webyellowpages.tv.*

    In the commented out examples there are parentheses around the domain names so I even tried putting parentheses around my domain name and still not working. Something in the code is not right or something else needs to be done in addition to the code.

    Please Help!

    Also for a little while there I was getting the below error/warning and could not get back into my wordpress back office/control area. How do I whitelist my IP address so that I am not blocked from logging in by BPS when I am having troubles like that and have to log in and out a lot, etc….?

    Whoops! Here is the error message below
    Not Acceptable!
    An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security

    #19112
    AITpro Admin
    Keymaster

    Sigh you completely misunderstood my explanation.  BPS Pro is blocking something dangerous because it is dangerous.  BPS Pro is not blocking the mp3 files specifically – BPS Pro is blocking horrible/dangerous code that is being used to call the mp3.  You can whitelist that horrible/dangerous code safely by whitelisting that horrible/dangerous code to allow the dangerous thing that plugin is doing without risking your website being hacked.  Create a temporary Administrator login to this website and send it to info at ait-pro dot com.

    mod_security is something totally different that is installed on your Server.  BPS Pro does not have anything to do with mod_security.  If mod_security is blocking something then you will need to contact your host support to fix that mod_security problem on their server.

    #19117
    guy te watson
    Participant

    I sent you the temp admin user.  When you get this working please further explain what you did so maybe I can do it myself next time and not have to do a ticket to get something unblocked.

    That Mod_Security error is over.

    Thanks!

    #19122
    AITpro Admin
    Keymaster

    Logged in.  You just forgot to do Custom Code Step 3: Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.  Did Step 3 and everything is working.  Logged out.

    #19123
    guy te watson
    Participant

    Oh.  Are you talking about the Read Me file step 3.   I did not know there were steps to go through besides what was described here but after you said that I looked into the Read Me button under Custom Code and saw the steps below. Is this what you are talking about?

    Root htaccess File Custom Code Setup Steps
    1. Enter your custom code in the appropriate Root Custom Code text box.
    2. Click the Save Root Custom Code button to save your Root custom code.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    Yep it is working now, except on the Internet Explorer browser on my computers. Guess the plugin creator did not get it properly working for IE. That would not be an issue with BPS just blocking it working on IE right?

    #19127
    AITpro Admin
    Keymaster

    Those are the standard Custom Code steps, but I was referring to Step 3 in this forum topic above:  http://forum.ait-pro.com/forums/topic/audio-mp3-files-are-being-blocked-as-security-risk/?view=all#post-19069

    Nope BPS Pro does not do anything based on Browsers so that is just a bug with IE.

    #19128
    guy te watson
    Participant

    Ok Got it Thanks!
