BuddyPress Query String Network/Multisite groups 403 error


This topic contains 24 replies, has 3 voices, and was last updated by  AITpro Admin 5 years, 11 months ago.

Viewing 10 posts - 16 through 25 (of 25 total)
  • #720

    Patrick
    Participant

    Well, thanks. But I have to remember that the forums failure only occurs by activating the Website Root Folder htaccess Security Mode and the Website wp-admin Folder htaccess Security Mode. When disabled, the bug does not occur.

    #721

    AITpro Admin
    Keymaster

    Are you saying that the problem only occurs when you activate the wp-admin Folder BulletProof Mode?

    #722

    Patrick
    Participant

    I have now disabled and the fault does not appear. Try it: http://susurros.info/grupos/de-prueba/forum/topic/probando-el-for-del-grupo-de-prueba/

    #723

    AITpro Admin
    Keymaster

    OK, I think you are missing the point.

    Here is the point.  This query string is wrong and is very dangerous –  ?#post-22 and should look like this – /?topic_page=2&num=15#post-22 or this /#post-22.  This is a coding mistake in BuddyPress.  BPS is blocking this coding mistake because it is a very, very, very dangerous thing to allow.  If you want to allow this dangerous thing on your website you can by doing this below.

    Comment out this BPS Security filter in your Root .htaccess file by putting a # sign in front of it as shown below and save your changes.

    #RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

    What I am trying to do is fix this coding mistake in BuddyPress so that the Query string is not this – ?#post-22 and is a safe Query string like /#post-22 or /?topic_page=2&num=15#post-22.

    Of course BPS is blocking this – it is very, very, very dangerous to allow.  I am not saying that your post reply itself is dangerous or even that ?#post-22 is dangerous by itself.  What I am saying is there is a known PHP exploit that uses these coding parameters that is very dangerous to your website.

    https://bugs.php.net/bug.php?id=61910

    This BPS security filter below protects against that vulnerability so it is now safe to comment out the security rule above.

    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
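
The two conditions quoted in the post above, evaluated against constructed request lines (an added example, not part of the original post or of BPS). It shows that the `#post-22` fragment never reaches the server, so `?#post-22` arrives as a bare trailing `?`, which is what the `THE_REQUEST` condition matches. The function names and sample URLs are assumptions for illustration, and Python's `re` stands in for mod_rewrite's regex matching.

```python
import re

# The two BPS conditions from the post; the [NC] flag maps to re.IGNORECASE.
EMPTY_QUERY = re.compile(r"\?\ HTTP/", re.I)   # tested against %{THE_REQUEST}
PHP_CGI_ARGS = re.compile(
    r"\-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode"
    r"|disable_functions|auto_prepend_file)", re.I)   # tested against %{QUERY_STRING}

def request_parts(url, method="GET"):
    """Return (THE_REQUEST, QUERY_STRING) as the server would see them.

    The client drops everything from '#' onward before sending, so the
    fragment is never part of the request line or the query string.
    """
    target = url.split("#", 1)[0]
    query = target.split("?", 1)[1] if "?" in target else ""
    return f"{method} {target} HTTP/1.1", query

def verdict(url, empty_query_rule_enabled=True):
    """Apply the two conditions in order and name the one that blocks."""
    the_request, query = request_parts(url)
    if empty_query_rule_enabled and EMPTY_QUERY.search(the_request):
        return "403 empty-query rule"
    if PHP_CGI_ARGS.search(query):
        return "403 php-cgi argument rule"
    return "allowed"

# Constructed sample URLs (hypothetical topic path, not taken from a real log).
TOPIC = "/grupos/de-prueba/forum/topic/example/"
SAMPLES = [
    TOPIC + "?#post-22",                       # the malformed BuddyPress link
    TOPIC + "#post-22",                        # well-formed, fragment only
    TOPIC + "?topic_page=2&num=15#post-22",    # well-formed, real query string
    "/index.php?-d+allow_url_include=on",      # constructed probe for the second filter
]

if __name__ == "__main__":
    for enabled in (True, False):
        print(f"empty-query rule enabled: {enabled}")
        for url in SAMPLES:
            print(f"  {verdict(url, enabled):28} {request_parts(url)[0]}")
```

With the empty-query rule commented out, only the first sample changes from blocked to allowed; the constructed probe is still rejected by the `QUERY_STRING` condition.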

     

    #724

    Patrick
    Participant

    Ok, thanks, re-enable the security mode and put out the forums waiting for the bug fix

    #726

    AITpro Admin
    Keymaster

    Comment out the security filter that I said to comment out and you will not have a problem and yes when I have time I will write new code for BuddyPress.  Since this is not my software that I am fixing and I have other important things to work on on my software then I will get to this when I have a chance so just comment out the security filter for now until I can get to this.

    #835

    AITpro Admin
    Keymaster

    I have thought of another way of handling the BuddyPress Query String reply coding issue/problem that would not require changing any coding in BuddyPress.  This idea has not been tested yet, but will be tested soon.

    The Problem: BuddyPress is generating a malformed/broken Query String in replies ONLY in the Group forum area.  Additionally this appears to ONLY be happening on WordPress Network/Multisite installations with BuddyPress.

    /?#post-22 – is a malformed / broken Query String.

    Possible Solution:  Logically something like this below would work because .htaccess files are processed first before PHP code.  This has NOT been tested yet and is ONLY a general idea at this point.  It is NOT recommended that you try this code until we have thoroughly tested it and if it works we will perfect it if necessary.

    RewriteCond %{REQUEST_URI} ^/grupos(.*)\?#$ [NC]
    RewriteRule ^/grupos(.*)\?#(.*)$ /grupos(.*)#(.*) [R=301]

    #1590

    Giorgos
    Member

    The “possible solution” didn’t work for me. I do experience the same issues with the /?#post-22 string, although I also have the latest versions installed.   But this one worked fine  #RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    So currently I have commented the above rule.

    #1591

    AITpro Admin
    Keymaster

    Yep for whatever reason that I somewhat understand this problem only occurs on a very low percentage of BuddyPress sites, but not on the majority of BuddyPress sites.  This problem does not occur on the BulletProof Security BuddyPress Forum.  I have not had time yet to look at modifying the BuddyPress plugin code.  Hopefully I can find some time to revisit this again in March.

    #10282

    AITpro Admin
    Keymaster

    Update: 6-4-2017:  This is a very old issue that no longer exists in BuddyPress and the old BPS Query String security rule no longer exists in the Root htaccess file Query String Exploits code.  In other words, a fix is no longer needed.

    Adding this fix/code to BPS Custom Code to save it permanently.

    1. Copy the code below (see Note) to this BPS Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
    Note: For good measure clear your Browser cache and if you are using a caching plugin clear your caching plugin cache.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS