bbPress bulk user edit 403 error – user-edit.php 403 error


Viewing 11 posts - 1 through 11 (of 11 total)
  • #26091
    Bill Justesen
    Participant

    I’m getting the same error regarding the WPADMIN-SBR.

    [403 GET|HEAD Request: November 9, 2015 - 6:24 pm]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 24.32.[my.IP]
    Host Name: 24-32-[my.IP]
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 24.32.[my.IP]
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: http://www.sitename.com/wp-admin/user-edit.php?user_id=625&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fs%3Dmelanie%26action%3D-1%26new_role%26bbp-new-role%26bbp-bulk-users-nonce%3Ddf340c5aca%26paged%3D1%26action2%3D-1
    REQUEST_URI: /wp-admin/user-edit.php
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36

    And I’ve already made an .htaccess exception and verified that it is in the wp-admin folder, although I have the feeling this wasn’t the correct action. (And I also whitelisted/allowed apostrophes / single-quote code characters from the post above.)

    # BPS-style whitelist: when the request is for user-edit.php,
    # skip the next two rewrite rules (the security filters) with [S=2]
    RewriteCond %{REQUEST_URI} (user-edit\.php) [NC]
    RewriteRule . - [S=2]

    #26093
    AITpro Admin
    Keymaster

    The error is in the same ballpark generally, but is not the exact same error.  I do not see anything in the Query String that would be blocked.  Did whitelisting the user-edit\.php file work?  Are you using the POST Request Attack Protection Bonus Custom Code?  If so see this forum topic:  http://forum.ait-pro.com/forums/topic/wpadmin-sbr-forbidden-403-accessing-admin/

    #26095
    Bill Justesen
    Participant

    Whitelisting didn’t work, and I wasn’t using the POST Request Attack Protection Bonus Custom Code. I did, however, add the bonus code, but it didn’t help. I noticed a NONCE in there, and I also found that it occurs on the front end as well, with a BFHS event code instead.

    I’m guessing it is an issue with the s2member plugin. I’ve disabled every other plugin except that one, as it is needed for the user edit. I’ll have to take it up with them unless you have any other ideas.

    #26096
    AITpro Admin
    Keymaster

    Have you done all the BPS or BPS Pro troubleshooting steps to confirm, eliminate or isolate what is causing the problem?

    BPS Pro troubleshooting steps
    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    BPS free troubleshooting steps
    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    #26138
    Bill Justesen
    Participant

    What’s weird is now I see this WPADMIN-SBR problem on another site, hosted on a different server (but same company), when I try to save a menu item. I’ve even disabled ALL plugins and reset the .htaccess file to the WordPress default. I don’t think this is a BPS issue anymore.

    #26139
    AITpro Admin
    Keymaster

    Not trying to point fingers, but ask your host support if they recently installed mod_security or added any new mod_security SecRules or SecFilters.  Your host may have added some additional security measure on the server that is blocking this.  BPS logs all 403 errors whether or not BPS is blocking something.

    #26140
    Bill Justesen
    Participant

    From your comment, I was able to turn off the SecRuleEngine in the VPS for the one site, but still had the issue. Other sites that I host on the same VPS don’t have an issue with the menu. So there’s something there in that particular WordPress install.

    #26141
    AITpro Admin
    Keymaster

    Assuming you already did all of the BPS troubleshooting steps and have confirmed that BPS is not causing the problem, reinstall WordPress on the Dashboard > Updates page > Re-Install Now.

    #26179
    AITpro Admin
    Keymaster

    Logged into this website:
    I found several problems in Custom Code and fixed them, but your server itself is blocking this Query string below and causing the problem with bulk user edits. I believe BPS needed a whitelist rule created which I created, but your LiteSpeed server is also blocking the same thing since it looks dangerous to your server as well.

    After whitelisting “order” in the BPS root and wp-admin htaccess files the problem was still occurring.  When I deactivate Root and wp-admin BulletProof Mode I see a LiteSpeed server 403 error displayed.  That means your LiteSpeed server is probably also blocking this Query String below and most likely because “order” and “orderby” are being used in the Query String which is a very common hacking pattern/string/simulated SQL Injection hacking attempt.  You will need to contact your host support and send them all of this information so that they know exactly what to look for to fix this issue.  They will probably have to create a whitelist rule on the LiteSpeed server itself. Have your support folks look at the LiteSpeed server logs.

    http://www.example.com/wp-admin/user-edit.php?user_id=625&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fs%3DMelanie%2BMason%26action%3D-1%26new_role%26bbp-new-role%26bbp-bulk-users-nonce%3D0de8573cc5%26action2%3D-1%26orderby%3Dlogin%26order%3Dasc
    [403 GET|HEAD Request: November 11, 2015 - 11:22 am] 
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: [removed]
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: xxx.xxx.xxx.xxx
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://www.example.com/wp-admin/user-edit.php?user_id=625&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fs%3DMelanie%2BMason%26action%3D-1%26new_role%26bbp-new-role%26bbp-bulk-users-nonce%3D0de8573cc5%26action2%3D-1%26orderby%3Dlogin%26order%3Dasc
    REQUEST_URI: /wp-admin/user-edit.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36

    #26194
    Bill Justesen
    Participant

    You were spot on about mod_security. Even though I had disabled it through the VPS, the site was somehow still running it until I added this to the .htaccess file:

    <IfModule mod_security.c>
    # mod_security 1.x-style directives (SecFilter*); ModSecurity 2.x
    # uses SecRuleEngine / SecRequestBodyAccess instead
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

    Thanks!

    #26195
    AITpro Admin
    Keymaster

    Yeah, mod_security is pretty awesome, but just like BPS htaccess code there is always the possibility that something legitimate is going to get blocked somewhere.  Since mod_security and BPS htaccess code match typical hacker patterns/strings, in order to allow a simulated hacker pattern/string in something you have to create a whitelist rule for that special case.  mod_security uses SecRules and SecFilters, which are the same concept as BPS htaccess security filters, so if you wanted to continue to use mod_security then you would have to modify or remove the SecRule/SecFilter that is blocking SQL Injection attack patterns/strings.
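The blocking mechanism described in #26179 and the whitelist advice in #26195, as an added example that is not BPS, mod_security or LiteSpeed code: a small Python script parses the log record posted above, URL-decodes the wp_http_referer value to show that the orderby=login&order=asc string is nested inside a referer parameter rather than in QUERY_STRING (which the log shows empty), runs a stand-in SQL-injection pattern over each surface a WAF might inspect, and scopes an exception to /wp-admin/user-edit.php the way the [S=2] skip rule does. The POST body, the regex and the whitelist set are constructed assumptions; the host's actual rule is not known from the thread. Because the hit only appears after decoding the Referer header or the POST body, whitelisting "order" in a query-string filter alone cannot clear it, which fits with SecFilterScanPOST Off being what finally worked.

```python
"""Why an admin bulk-edit POST trips a SQLi pattern filter, and how a
whitelist exception is scoped.  Added example, not BPS/mod_security code.
The log record is the one posted in the thread (IPs already masked); the
POST body, the pattern and the whitelist are constructed assumptions."""
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Constructed from the thread: the relevant lines of the BPS log record.
LOG_RECORD = """[403 GET|HEAD Request: November 11, 2015 - 11:22 am]
Event Code: WPADMIN-SBR
REMOTE_ADDR: xxx.xxx.xxx.xxx
REQUEST_METHOD: POST
HTTP_REFERER: http://www.example.com/wp-admin/user-edit.php?user_id=625&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fs%3DMelanie%2BMason%26action%3D-1%26new_role%26bbp-new-role%26bbp-bulk-users-nonce%3D0de8573cc5%26action2%3D-1%26orderby%3Dlogin%26order%3Dasc
REQUEST_URI: /wp-admin/user-edit.php
QUERY_STRING:
"""

# Constructed (BPS does not log bodies): what the user-edit.php form POSTs.
# WordPress echoes the originating users.php URL in a hidden wp_http_referer field.
POST_BODY = ("user_id=625&action=update&display_name=melanie&role=subscriber"
             "&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fs%3DMelanie%2BMason"
             "%26action%3D-1%26bbp-bulk-users-nonce%3D0de8573cc5"
             "%26orderby%3Dlogin%26order%3Dasc")

# Assumed stand-in for the host's SQL-injection rule: a parameter named
# order/orderby, a bare "order by", or "union select" anywhere in the input.
SQLI_PATTERN = re.compile(
    r"(?i)(?:(?:^|[?&])(?:order|orderby)=|\border\s+by\b|\bunion\s+select\b)")

# Assumed whitelist: the admin script the thread whitelisted (the .htaccess
# RewriteRule ... [S=2] skip is the rewrite-level equivalent).
WHITELISTED_URIS = {"/wp-admin/user-edit.php"}


def parse_log_record(text):
    """Turn the 'KEY: value' lines of a BPS log entry into a dict.
    Lines like 'QUERY_STRING:' with nothing after the colon yield ''."""
    rec = {}
    for line in text.splitlines():
        if ": " in line or line.endswith(":"):
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
    return rec


def bulk_edit_params(rec):
    """Unwrap the users.php parameters nested inside wp_http_referer so the
    'dangerous' string can be seen for what it is: a sort order."""
    outer = parse_qs(urlsplit(rec["HTTP_REFERER"]).query)
    inner = urlsplit(outer["wp_http_referer"][0])
    return {k: v[0] for k, v in parse_qs(inner.query, keep_blank_values=True).items()}


def find_hits(rec, body):
    """For each surface a WAF might inspect, report whether SQLI_PATTERN
    matches the raw bytes and whether it matches after one URL-decode."""
    surfaces = {"QUERY_STRING": rec.get("QUERY_STRING", ""),
                "HTTP_REFERER": rec.get("HTTP_REFERER", ""),
                "POST_BODY": body}
    return {name: {"raw": bool(SQLI_PATTERN.search(raw)),
                   "decoded": bool(SQLI_PATTERN.search(unquote(raw)))}
            for name, raw in surfaces.items()}


def decide(rec, body, whitelist=WHITELISTED_URIS):
    """'allow' or 'block 403': decode-then-match, with a path-scoped exception.
    The exception is keyed on REQUEST_URI only, so it does not disable the
    pattern for the rest of the site."""
    if rec.get("REQUEST_URI", "") in whitelist:
        return "allow"
    if any(h["decoded"] for h in find_hits(rec, body).values()):
        return "block 403"
    return "allow"


if __name__ == "__main__":
    rec = parse_log_record(LOG_RECORD)
    print("nested users.php params:", bulk_edit_params(rec))
    for name, h in find_hits(rec, POST_BODY).items():
        print(f"{name:13s} raw={h['raw']!s:5} decoded={h['decoded']}")
    print("decision with whitelist:   ", decide(rec, POST_BODY))
    print("decision without whitelist:", decide(rec, POST_BODY, whitelist=set()))
```

Run it and note that QUERY_STRING never matches, and HTTP_REFERER and POST_BODY match only after decoding: a rule that does not decode, or a whitelist applied only to the query-string filter, leaves the 403 in place. When keeping mod_security, the equivalent of the path-scoped exception is removing or narrowing the one rule that fires for this script rather than turning the engine off site-wide.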
