font-face 500 Internal Server Errors


    #16211
    o6asan
    Participant

    I noticed several 500 Internal Server Error errors about eot font files in my server log. I finally found that BPS always gave me the errors when URIs have ‘?’ at their end. For example, accessing example.com/ gives no error, but accessing example.com/? gives a 500 Internal Server Error.

    When it gives the 500 Error, it also gives the message “Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace.” So, I used ‘LogLevel debug’ and tried to get backtraces.

    Then I understood. When the 500 Error occurs, a 403 error loop always happens, reaches the redirect limit, and the 500 error shows up. Why did the eot font file bring a 500 error? I also found out the reason. One of the latest CSS hacks has code like the below.

    @font-face {
        font-family: 'Example';
        src: url("fonts/example.eot");
        src: url("fonts/example.eot?#iefix") format("embedded-opentype"),
             url("fonts/example.ttf") format("truetype"),
             url("fonts/example.woff") format("woff"),
             url("fonts/example.svg#example") format("svg");
        font-weight: normal;
        font-style: normal;
    }

    This “fonts/example.eot?#iefix” makes a 500 error. So, if someone, whether a malicious user or not, accesses my sites with MS IE, he leaves 500 errors in my server log. How can I fix them?

    Thanks in advance.

    #16213
    AITpro Admin
    Keymaster

    First there was a problem with these old .htaccess security filters and they were changed in the last version of BPS and are going to be changed one last time.  So if you see any of these old security filters in either your root .htaccess file or wp-admin .htaccess file then replace them with the new security filter that is going to be released in .50.4 very soon.

    Old security filters/rules
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]

    Changed to this in .50.2 - had problems
    RewriteCond %{THE_REQUEST} \?+(%20{1,}|[^\s])+HTTP+(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} \/+(\*|%2a)+(%20|\s){1,}+HTTP+(:/|/) [NC,OR]

    Changed to this in .50.3 - has some problems
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)HTTP(:/|/) [NC,OR]

    Will be changed to this in .50.4
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]

    In general, ?# is not a good thing and is technically a malformed Query, but it is not really that dangerous to use.

    There is a similar Forum Topic in the link below where another person discovered that the font-face declaration itself needed to be fixed and was causing errors due to the construct itself.  This was also occurring in only IE.

    http://forum.ait-pro.com/forums/topic/security-log-file-size-exceeds-500kb-every-day/#post-3318
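    As an added example (not code from the BPS plugin or from either poster), the small harness below replays the THE_REQUEST filters quoted above against constructed request lines, so you can see which benign requests each pattern fires on before deploying it. Only the PCRE pattern text is modelled; Apache's own .htaccess unescaping (of `\ ` and `\\`) is not, so the .50.4 double-backslash variant is left out rather than guessed at.

```python
import re

# Patterns as quoted in the thread, with the .htaccess escaped space ('\ ')
# written as a plain space for Python's re module.  Assumption: these are
# the only filters of interest; the .50.4 variant is omitted because its
# '\\s' depends on how Apache unescapes the .htaccess line.
FILTERS = {
    "old":    r"\? HTTP/",
    "0.50.2": r"\?+(%20{1,}|[^\s])+HTTP+(:/|/)",
    "0.50.3": r"(\?|\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)HTTP(:/|/)",
}

# Constructed request lines in THE_REQUEST form ("METHOD URI PROTOCOL").
# 'iefix' is what IE sends for src: url("fonts/example.eot?#iefix"): the
# fragment is never transmitted, so the URI ends in a bare '?'.
REQUESTS = {
    "iefix":  "GET /fonts/example.eot? HTTP/1.1",
    "plain":  "GET /fonts/example.eot HTTP/1.1",
    "query":  "GET /?p=10 HTTP/1.0",
    "bare_q": "GET /? HTTP/1.1",
}


def matches(filter_name, request_line):
    """True if the named filter would fire; IGNORECASE mirrors the [NC] flag."""
    return re.search(FILTERS[filter_name], request_line, re.IGNORECASE) is not None


def report():
    """Map each filter to the sorted names of the sample requests it blocks."""
    return {
        name: sorted(label for label, line in REQUESTS.items() if matches(name, line))
        for name in FILTERS
    }


if __name__ == "__main__":
    for name, blocked in report().items():
        print(f"{name:7s} blocks: {blocked or 'nothing'}")
```

Both the old rule and the .50.3 rule catch the trailing-`?` font request, which is exactly the false positive the thread describes; the .50.2 rule catches none of these lines.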

    #16227
    o6asan
    Participant

    @AITpro Admin

    Thanks for your quick reply. Your new filter works very well. As I used version .50.3, I replaced

    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)HTTP(:/|/) [NC,OR]
    with
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]

    After that, 500 Errors have gone. Though I didn’t fix the font-face declaration itself, the errors by it have gone, too.

    I read http://forum.ait-pro.com/forums/topic/security-log-file-size-exceeds-500kb-every-day/#post-3318. On the topic, he said the errors were given by IE8. In my case, they were by IE9, IE10 and IE11.

    In general, ?# is not a good thing and is technically a malformed Query, but it is not really that dangerous to use.

    Oh, really? I thought the behavior of your old filters was for blocking mal-QUERY_STRING. I don’t know about rewrite rules very well, so I was afraid of changing codes by myself. Then I came here.

    I really appreciate your great plugin.

    #16228
    AITpro Admin
    Keymaster

    Great!  Thanks for confirming what the problem and solution are.

    The old filters were for blocking certain types of Remote File Inclusion (RFI) attacks, but accidentally blocked a lot of “good” things since the filters were not defined well enough (too general).  The new filter does block another specific type of RFI attack and the filter is very well defined so that it will only block those specific RFI attacks and not block anything “good”.  There are also other RFI security filters in BPS.

    ?# is not dangerous and hackers would not use that in Query strings because it is very limiting.  It is basically “code slang” and not so much malformed.  😉

    #16229
    o6asan
    Participant

    The new filter does block another specific type of RFI attack and the filter is very well defined so that it will only block those specific RFI attacks and not block anything “good”.

    I don’t know about RFI attacks very well. But, if you think about the new filter as above, I guess the following is maybe good news for you.

    Before replacing, I had a 500 error probably because of the 403 loop happening.

    xxx.xxx.xxx.xxx - - [14/Jul/2014:12:17:01 +0900] "GET / HTTP/1.0" 500 - "http://example.com/?p=10+[PLM=0]+GET+http://example.com/?p=10+[0,54893,64357]+-%3E+[N]+POST+http://example.com/wp-comments-post.php+[R=302][0,0,456]+-%3E+[N]+GET+http://example.com/?p=10+[0,0,64357]+-%3E+[N]+GET+http://example.com/?p=10+[0,0,64357]" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

    And now I have a 403 Forbidden like this.

    xxx.xxx.xxx.xxx - - [14/Jul/2014:20:15:41 +0900] "GET / HTTP/1.0" 403 - "http://example.com/?p=10+[PLM=0]+GET+http://example.com/?p=10+[0,54893,64357]+-%3E+[N]+POST+http://example.com/wp-comments-post.php+[R=302][0,0,456]+-%3E+[N]+GET+http://example.com/?p=10+[0,0,64357]+-%3E+[N]+GET+http://example.com/?p=10+[0,0,64357]" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

    Thanks again for your great plugin!!
