bbPress bulk user edit 403 error – user-edit.php 403 error
Tagged: Event Codes, Security Log
- This topic has 10 replies, 2 voices, and was last updated 9 years ago by AITpro Admin.
Bill Justesen (Participant)
I’m getting the same error regarding the WPADMIN-SBR.
[403 GET|HEAD Request: November 9, 2015 - 6:24 pm]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 24.32.[my.IP]
Host Name: 24-32-[my.IP]
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 24.32.[my.IP]
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://www.sitename.com/wp-admin/user-edit.php?user_id=625&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fs%3Dmelanie%26action%3D-1%26new_role%26bbp-new-role%26bbp-bulk-users-nonce%3Ddf340c5aca%26paged%3D1%26action2%3D-1
REQUEST_URI: /wp-admin/user-edit.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
And I’ve already made an .htaccess exception and verified that it is in the wp-admin folder, although I have the feeling this wasn’t the correct action. (And I also whitelisted/allowed apostrophes / single quote code characters from the post above.)
RewriteCond %{REQUEST_URI} (user-edit\.php) [NC]
RewriteRule . - [S=2]
AITpro Admin (Keymaster)
The error is in the same ballpark generally, but is not the exact same error. I do not see anything in the Query String that would be blocked. Did whitelisting the user-edit\.php file work? Are you using the POST Request Attack Protection Bonus Custom Code? If so see this forum topic: http://forum.ait-pro.com/forums/topic/wpadmin-sbr-forbidden-403-accessing-admin/
Bill Justesen (Participant)
Whitelisting didn’t work, and I wasn’t using the POST Request Attack Protection Bonus Custom Code. I did, however, add the bonus code, but it didn’t help. I noticed a NONCE in there, and I also found that occurs on the front end as well with a BFHS event code instead.
I’m guessing it is an issue with the s2member plugin. I’ve disabled every other plugin except that one, as it is needed for the user edit. I’ll have to take it up with them unless you have any other ideas.
AITpro Admin (Keymaster)
Have you done all the BPS or BPS Pro troubleshooting steps to confirm, eliminate or isolate what is causing the problem?
BPS Pro troubleshooting steps
http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
BPS free troubleshooting steps
http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting
Bill Justesen (Participant)
What’s weird is now I see this WPADMIN-SBR problem on another site, hosted on a different server (but same company), when I try to save a menu item. I’ve even disabled ALL plugins and reset the .htaccess file to the WordPress default. I don’t think this is a BPS issue anymore.
AITpro Admin (Keymaster)
Not trying to point fingers, but ask your host support if they recently installed mod_security or added any new mod_security SecRules or SecFilters. Your host may have added some additional security measure on the server that is blocking this. BPS logs all 403 errors whether or not BPS is blocking something.
Bill Justesen (Participant)
From your comment, I was able to turn off the SecRuleEngine in the VPS for the one site, but still had the issue. Other sites that I host on the same VPS don’t have an issue with the menu. So there’s something there in that particular WordPress install.
AITpro Admin (Keymaster)
Assuming you already did all of the BPS troubleshooting steps and have confirmed that BPS is not causing the problem. Reinstall WordPress on the Dashboard > Updates page > Re-Install Now.
AITpro Admin (Keymaster)
Logged into this website:
I found several problems in Custom Code and fixed them, but your server itself is blocking this Query string below and causing the problem with bulk user edits. I believe BPS needed a whitelist rule created which I created, but your LiteSpeed server is also blocking the same thing since it looks dangerous to your server as well.
After whitelisting “order” in the BPS root and wp-admin htaccess files the problem was still occurring. When I deactivate Root and wp-admin BulletProof Mode I see a LiteSpeed server 403 error displayed. That means your LiteSpeed server is probably also blocking this Query String below and most likely because “order” and “orderby” are being used in the Query String which is a very common hacking pattern/string/simulated SQL Injection hacking attempt. You will need to contact your host support and send them all of this information so that they know exactly what to look for to fix this issue. They will probably have to create a whitelist rule on the LiteSpeed server itself. Have your support folks look at the LiteSpeed server logs.
http://www.example.com/wp-admin/user-edit.php?user_id=625&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fs%3DMelanie%2BMason%26action%3D-1%26new_role%26bbp-new-role%26bbp-bulk-users-nonce%3D0de8573cc5%26action2%3D-1%26orderby%3Dlogin%26order%3Dasc
[403 GET|HEAD Request: November 11, 2015 - 11:22 am]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: xxx.xxx.xxx.xxx
Host Name: [removed]
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: xxx.xxx.xxx.xxx
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://www.example.com/wp-admin/user-edit.php?user_id=625&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fs%3DMelanie%2BMason%26action%3D-1%26new_role%26bbp-new-role%26bbp-bulk-users-nonce%3D0de8573cc5%26action2%3D-1%26orderby%3Dlogin%26order%3Dasc
REQUEST_URI: /wp-admin/user-edit.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
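Added example (not part of either poster's reply, and not BPS or LiteSpeed code): a small triage script for log entries like the two quoted in this thread. QUERY_STRING is empty in both, so the script unwraps the URL-encoded wp_http_referer nested inside HTTP_REFERER and lists the parameters that contain a keyword. The keyword list and all function names are assumptions made for illustration; they are not the actual filter rules.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Field labels as they appear in the log entries quoted in this thread.
FIELDS = ["Event Code", "Solution", "REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL",
          "HTTP_CLIENT_IP", "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR",
          "HTTP_X_CLUSTER_CLIENT_IP", "REQUEST_METHOD", "HTTP_REFERER",
          "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT"]
FIELD_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, FIELDS)) + r"):")

# Assumed keyword list, for illustration only: NOT the real BPS or LiteSpeed rules.
KEYWORDS = re.compile(r"\b(order|orderby|union|select)\b", re.I)

def parse_entry(entry):
    """Split one log entry (single- or multi-line) into {label: value}."""
    parts = FIELD_RE.split(entry)  # [header, label1, value1, label2, value2, ...]
    return {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}

def leaf_params(url, depth=0, max_depth=3):
    """Yield (depth, name, value), descending into values that are URLs
    with their own query string (e.g. wp_http_referer)."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if "?" in value and depth < max_depth:
            yield from leaf_params(value, depth + 1, max_depth)
        else:
            yield depth, name, value

def keyword_hits(entry):
    """Names of referer parameters whose name or value contains a keyword."""
    referer = parse_entry(entry).get("HTTP_REFERER", "")
    return [name for _, name, value in leaf_params(referer)
            if KEYWORDS.search(name) or KEYWORDS.search(value)]

# Abridged copy of the second log entry quoted in the thread.
SAMPLE = (
    "[403 GET|HEAD Request: November 11, 2015 - 11:22 am] Event Code: WPADMIN-SBR "
    "REQUEST_METHOD: POST HTTP_REFERER: http://www.example.com/wp-admin/user-edit.php"
    "?user_id=625&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fs%3DMelanie%2BMason"
    "%26action%3D-1%26new_role%26bbp-new-role%26bbp-bulk-users-nonce%3D0de8573cc5"
    "%26action2%3D-1%26orderby%3Dlogin%26order%3Dasc "
    "REQUEST_URI: /wp-admin/user-edit.php QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0"
)

if __name__ == "__main__":
    print(parse_entry(SAMPLE)["Event Code"], keyword_hits(SAMPLE))
```

Run against the first entry in the thread, the same function returns an empty list, since that referer carries no orderby or order parameter.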
Bill Justesen (Participant)
You were spot on about mod_security. Even though I had disabled it through the VPS, the site was somehow still running it until I added this to the .htaccess file:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Thanks!
AITpro Admin (Keymaster)
Yeah mod_security is pretty awesome, but just like BPS htaccess code there is always the possibility that something legitimate is going to get blocked somewhere. Since mod_security and BPS htaccess code match typical hacker patterns/strings then in order to allow a simulated hacker pattern/string in something, you have to create a whitelist rule for that special case. mod_security uses SecRules and SecFilters, which are the same concept as BPS htaccess security filters so if you wanted to continue to use mod_security then you would have to modify or remove the SecRule/SecFilter that is blocking SQL Injection attack patterns/strings.