BPS is blocking referrer with 403 Error


This topic contains 8 replies, has 2 voices, and was last updated by  AITpro Admin 1 month ago.

  • #37651

    Jake
    Participant

    Hi.  BPS (Free) recently started blocking an external referrer with a 403 error.

    This referrer transfers physical files to my server (the server keeps them in the root directory temporarily before doing stuff with them).

    The error I’m getting is:

    [403 POST Request: July 17, 2019 - 10:57]
    BPS Pro: 14
    WP: 5.2.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 46.243.xx.xx
    Host Name: 46.243.xx.xx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: https://referrer.com/stuff/morestuff.html
    REQUEST_URI: /creator
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    REQUEST BODY: gpx=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cgpx+version%3D%221.1%22+%3D%22+with+%22+xsi%3AschemaLocation%3D%22http%3A%2F%2Fwww..com%2FGPX%2F1%2F1+http%3A%2F%2Fwww..com%2FGPX%2F1%2F1%2Fgpx.xsd%22+xmlns%3D%22http%3A%2F

    I decided to switch off BPS Root Folder mode (RBM) and things started working again – not sure if this has been caused by a recent update.

    Anyway, I then decided to purchase BP Pro so I could whitelist this specific referrer/string within the request body.

    Turns out I have to craft some custom code using regex syntax I’m not familiar with.

    How can I let a specific referrer/originator POST to my site (root folders) while still having RBM activated?

    Thanks.

    #37655

    AITpro Admin
    Keymaster

    Based on the Security Log entry it looks like you are using the BPS POST Attack Protection Bonus Custom Code.  Try these steps below as a temporary test to isolate the cause of the problem.  Let me know if the POST Request is still being blocked or if it is no longer being blocked.

    1. Go to BPS Root Custom Code.
    2. Cut (not copy) the BPS POST Attack Protection Bonus Custom Code out of whichever BPS Custom Code text box it is saved in and save your BPS POST Attack Protection Bonus Custom Code to a Notepad or Notepad++ text file (do not use Word or Wordpad).
    3. Click the Save Root Custom Code button.
    4. Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.

    #37689

    Jake
    Participant

    Hi, I checked my custom code sections and I didn’t have anything relating to POST attack / BPS POST Attack Protection Bonus Custom Code.

    I hadn’t set up any custom code myself, and as far as I’m aware, the configuration was pretty much default.  Section 14 of the custom code tab was empty.

    I’ve since created a custom entry to try and whitelist these blocked POSTs:

    # Custom Code - Referrer Post Whitelist
    # These are RewriteCond lines only: Apache attaches them to the next
    # RewriteRule in the file, so on their own they do not whitelist anything.
    # A trailing "*" only repeats the last character (gpx* = "gp" + any number
    # of "x"), so the patterns are written as plain substrings; [NC] already
    # makes the match case-insensitive, so a separate GPX line is not needed.
    RewriteCond %{REQUEST_URI} !/creator\.php [NC]
    RewriteCond %{REQUEST_URI} !/gpx [NC]
    RewriteCond %{HTTP_REFERER} !referrer [NC]

    And again, this is blocking with a 403 when RBM is activated.

    #37690

    AITpro Admin
    Keymaster

    Ok let me do some testing on a test site.  I’ll post a solution once I figure out the issue.

    I have a question about this – “This referrer transfers physical files to my server (the server keeps them in the root directory temporarily before doing stuff with them).”  When you say root directory, do you literally mean your hosting account root folder (/public_html/ or /htdocs/, etc.) or a folder in your hosting account root folder (/public_html/example-folder/, or /htdocs/example-folder/, etc.)?  The reason I am asking is that BPS Pro AutoRestore|Quarantine will probably see the files as hacker files and quarantine them, unless temporarily means only seconds before the files are moved somewhere else or whatever else is done with them.  If the files are being transferred to a folder such as /public_html/example-folder/, or /htdocs/example-folder/, etc., then the /example-folder/ can be excluded from being checked by AutoRestore|Quarantine.

    #37691

    Jake
    Participant

    The referrer posts a file to a folder under docroot (or at least I have a PHP function which handles this).  Docroot would be, for example, /var/www/html and the folder would be /var/www/html/gpx.

    It’s strange as I’ve been using it with no problems for nearly 2 years!  I don’t know if a recent update (whether that’s WP itself or BPS) has tightened up security.

    #37692

    AITpro Admin
    Keymaster

    Since deactivating Root BulletProof Mode allowed the file transfer to work, something in the root htaccess file is causing the block. I assume something changed about how the file transfer is being done, and that change is what is now being blocked.  So give me about 15 minutes to test this and post a solution for you.  The POST Request must also be seen as a GET Request by your server, or the POST Request does additional things that include a GET Request after/during the POST Request.

    Great on the files being transferred to a folder instead of just the literal hosting account root folder.  If you run into a problem with AutoRestore|Quarantine quarantining files that are transferred to your /gpx folder then you can create an AutoRestore|Quarantine exclude rule to not check the /gpx folder.  You don’t need to do anything now if files are not being quarantined by AutoRestore|Quarantine.

    #37693

    AITpro Admin
    Keymaster

    Test Results:
    On my test site the BPS POST Attack Protection Bonus Custom Code blocks the POST Request. When I removed the POST Attack Protection code from the test site and forced a GET Request instead of a POST Request there are 2 BPS Query String Exploits security rules that block the GET Request. So what I think will work is the modified BPS Query String Exploits code below.

    1. Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
    Note: You may see a Setup Wizard message that says the Setup Wizard needs to be run again. If so, then run the Setup Wizard again.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    #RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    #RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    [403 POST Request: July 18, 2019 - 8:59 am]
    BPS Pro: 14
    WP: 5.2.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 127.0.0.1
    Host Name: DESKTOP-8TQEKNH
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://demo5.local/post-form.php
    REQUEST_URI: /buddypress-code-mods/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
    REQUEST BODY: blah4=gpx%3D%253C%253Fxml%2Bversion%253D%25221.0%2522%2Bencoding%253D%2522UTF-8%2522%253F%253E%253Cgpx%2Bversion%253D%25221.1%2522%2B%253D%2522%2Bwith%2B%2522%2Bxsi%253AschemaLocation%253D%2522http%253A%252F%252Fwww..com%252FGPX%252F1%252F1%2Bhttp%253A%252F%252Fwww..com%252FGPX%252F1%252F1%252Fgpx.xsd%2522%2Bxmlns%253D%2522http%253A%252F&Submit-test4=Submit4
    
    [403 GET Request: July 18, 2019 - 9:03 am]
    BPS Pro: 14
    WP: 5.2.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 127.0.0.1
    Host Name: DESKTOP-8TQEKNH
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /?gpx=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cgpx+version%3D%221.1%22+%3D%22+with+%22+xsi%3AschemaLocation%3D%22http%3A%2F%2Fwww..com%2FGPX%2F1%2F1+http%3A%2F%2Fwww..com%2FGPX%2F1%2F1%2Fgpx.xsd%22+xmlns%3D%22http%3A%2F
    QUERY_STRING: gpx=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cgpx+version%3D%221.1%22+%3D%22+with+%22+xsi%3AschemaLocation%3D%22http%3A%2F%2Fwww..com%2FGPX%2F1%2F1+http%3A%2F%2Fwww..com%2FGPX%2F1%2F1%2Fgpx.xsd%22+xmlns%3D%22http%3A%2F
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
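    As an added example (mine, not BPS code): a Python harness that replays a shortened, constructed copy of the logged GPX query string against a subset of the BPSQSE patterns above, reporting which rules fire with the stock ruleset and with the two commented-out rules removed, and what a script-tag probe still trips afterwards. Rule labels and the probe string are my own.

```python
import re
from urllib.parse import parse_qs

# Added example, not BPS code. A subset of the BPSQSE RewriteCond patterns from
# the thread, as (label, pattern, nocase, disabled). Labels are my own; the two
# rules marked disabled are the ones commented out ("#RewriteCond") in the
# modified code. mod_rewrite tests %{QUERY_STRING} against the raw, still
# percent-encoded string, so the patterns are applied to the raw string here too.
BPSQSE_RULES = [
    ("generic-brackets", r"^.*(\(|\)|<|>|%3c|%3e).*", True, True),
    ("generic-quotes", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True, True),
    ("script-tag", r"(\<|%3C).*script.*(\>|%3E)", True, False),
    ("script-split", r"(<|%3C)([^s]*s)+cript.*(>|%3E)", True, False),
    ("iframe-tag", r"(\<|%3C).*iframe.*(\>|%3E)", True, False),
    ("base64", r"base64_(en|de)code[^(]*\([^)]*\)", True, False),
    ("traversal", r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", True, False),
    ("sqli-keywords", r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
                      r"(/\*|union|select|insert|drop|delete|update|cast|create|char|"
                      r"convert|alter|declare|order|script|set|md5|benchmark|encode)", True, False),
    ("globals", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False, False),
]

# Constructed, shortened form of the GPX query string from the 403 GET log entry.
GPX_QUERY_STRING = ("gpx=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E"
                    "%3Cgpx+version%3D%221.1%22%3E")
# Constructed script-tag probe, used to check what the remaining rules still catch.
SCRIPT_PROBE = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def matching_rules(query_string, include_disabled=True):
    """Labels of rules whose pattern matches the raw query string, in file order.

    With include_disabled=False the two commented-out rules are skipped, which
    mirrors the modified BPSQSE code posted in the thread.
    """
    hits = []
    for label, pattern, nocase, disabled in BPSQSE_RULES:
        if disabled and not include_disabled:
            continue
        if re.search(pattern, query_string, re.IGNORECASE if nocase else 0):
            hits.append(label)
    return hits


def decoded_param(query_string, name):
    """URL-decode one parameter the way the application (not mod_rewrite) sees it."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


if __name__ == "__main__":
    print("decoded gpx:", decoded_param(GPX_QUERY_STRING, "gpx"))
    print("GPX, stock rules:", matching_rules(GPX_QUERY_STRING))
    print("GPX, modified rules:", matching_rules(GPX_QUERY_STRING, False))
    print("probe, modified rules:", matching_rules(SCRIPT_PROBE, False))
```

The legitimate XML upload trips only the two generic bracket/quote rules, while a script-tag probe is still caught by the tag-specific rules once those two are disabled.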
    #37695

    Jake
    Participant

    Thank you, this seems to have worked!

    The only thing is now that I’ve added that custom code and executed the pre-installation and setup wizards, I keep getting the BPS setup AutoFix wizard notification:

    BPS Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Notice
    One or more of your plugins or your theme requires a BPS Custom Code whitelist rule to be automatically created by the Setup Wizard.
    Click this Setup Wizard link and click the Pre-Installation Wizard and Setup Wizard buttons to automatically create BPS Custom Code whitelist rules.
    This BPS AutoFix check can be turned Off on the Setup Wizard Options page if you do not want BPS to check for any plugin or theme whitelist rules.

    Here’s an extract from my security log – a customer was making a purchase at the time – it all appeared to have been processed successfully and I’ve not been contacted by them to say there was anything wrong with the transaction.  However, a lot of 403 errors appear to be getting generated.

    [403 GET Request: July 19, 2019 - 09:20]
    BPS Pro: 14
    WP: 5.2.2
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 103.21.23.106
    Host Name: mail.lewis.com.au
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
    REQUEST_URI: /wp-content/plugins/mailchimp-for-woocommerce/public/js/mailchimp-woocommerce-public.min.js?ver=2.1.17
    QUERY_STRING: ver=2.1.17
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    
    [403 GET Request: July 19, 2019 - 09:20]
    BPS Pro: 14
    WP: 5.2.2
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 103.21.23.106
    Host Name: mail.lewis.com.au
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
    REQUEST_URI: /wp-content/plugins/woocommerce/assets/js/jquery-tiptip/jquery.tipTip.min.js?ver=3.6.5
    QUERY_STRING: ver=3.6.5
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    
    [403 GET Request: July 19, 2019 - 09:20]
    BPS Pro: 14
    WP: 5.2.2
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 103.21.23.106
    Host Name: mail.lewis.com.au
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
    REQUEST_URI: /wp-content/plugins/woocommerce/assets/js/selectWoo/selectWoo.full.min.js?ver=1.0.6
    QUERY_STRING: ver=1.0.6
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    
    [403 GET Request: July 19, 2019 - 09:20]
    BPS Pro: 14
    WP: 5.2.2
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 103.21.23.106
    Host Name: mail.lewis.com.au
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
    REQUEST_URI: /wp-content/plugins/wp-gdpr-compliance/assets/js/front.js?ver=1559644983
    QUERY_STRING: ver=1559644983
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    
    [403 GET Request: July 19, 2019 - 09:20]
    BPS Pro: 14
    WP: 5.2.2
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 103.21.23.106
    Host Name: mail.lewis.com.au
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
    REQUEST_URI: /wp-content/plugins/woocommerce/assets/js/frontend/password-strength-meter.min.js?ver=3.6.5
    QUERY_STRING: ver=3.6.5
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

    #37696

    AITpro Admin
    Keymaster

    While checking your site to test these Security Log errors I came across what I am pretty sure is a security vulnerability in your GPX Creator.  At bare minimum what I found allows me to bypass the Protected: GPX Creator password protected page and upload .gpx and .xml files to your website.  The GPX upload form did not allow me to upload a test hacker file (not an actual real hacker file and just a simulated non-dangerous test hacker file for testing).  So the security vulnerability is a technicality vulnerability and not a serious threat to your website security.  I don’t want to post any information publicly regarding this issue.  Contact me directly via email:  info at ait-pro dot com so that I can fill you in on exactly what I found.

    Regarding the BPS Setup Wizard AutoFix issue and the original problem:  What must be happening is the modified BPS Query String Exploits code that I posted above is probably confusing the BPS Setup Wizard AutoFix feature.  Do these steps below.

    1. Go to BPS Custom Code and delete the BPS Query String Exploits code from the 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS text box.
    2. Click the Save Root Custom Code button.
    3. Run the BPS Pro Pre-Installation Wizard and Setup Wizard again.
    4. Go to BPS Custom Code and copy the new BPS Query String Exploits code that you should see in Custom Code text box:  12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS (see steps #5 and #6 below).
    5. If you do NOT see any new BPS Query String Exploits code in the Custom Code text box:  12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS then stop here and let me know that.
    6. If you DO see new BPS Query String Exploits code in the Custom Code text box:  12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS then copy the new BPS Query String Exploits code and post that code in your forum reply so that I can see what the issue is and modify the code you post to include the new fix for the original gpx file transfer problem.
