BuddyPress Query String Network/Multisite groups 403 error

[Patrick]

well, thanksBut I have to remember that, the forums failure only occurs  by activating the Website Root Folder htaccess Security Mode and the Website wp-admin Folder htaccess Security Mode, When disabled the bug does not occur

[AITpro Admin]

Are you saying that the problem only occurs when you activate the wp-admin Folder BulletProof Mode?

[Patrick]

I have now disabled and the fault does not appear. Try it http: //susurros.info/grupos/de-prueba/forum/topic/probando-el-for-del-grupo-de-prueba/

[AITpro Admin]

Ok i think you are missing the point.

here is the point.  This query string is wrong and is very dangerous –  ?#post-22 and should look like this – /?topic_page=2&num=15#post-22 or this /#post-22.  This is a coding mistake in BuddyPress.  BPS is blocking this coding mistake because it is a very, very, very dangerous thing to allow.  If you want to allow this dangerous thing on your website you can by doing this below.

Comment out this BPS Security filter in your Root .htaccess file by putting a # sign in front of it as shown below and save your changes.

#RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

What i am trying to do is fix this coding mistake in BuddyPress so that the Query string is not this – ?#post-22 and is a safe Query string like /#post-22 or /?topic_page=2&num=15#post-22.

of course BPS is blocking this – it is very, very, very dangerous to allow.  I am not saying that your post reply itself is dangerous or even that ?#post-22 is dangerous by itself.  What i am saying is there is a known PHP exploit that uses these coding parameters that is very dangerous to your website.

https://bugs.php.net/bug.php?id=61910

This BPS security filter below protects against that vulnerability so it is now safe to comment out the security rule above

RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]

 

[Patrick]

Ok, thanks, re-enable the security mode and put out the forums waiting for the bug fix

[AITpro Admin]

Comment out the security filter that i said to comment out and you will not have a problem and yes when i have time i will write new code for BuddyPress.  Since this is not my software that i am fixing and i have other important things to work on on my software then i will get to this when i have a chance so just comment out the security filter for now until i can get to this.

[AITpro Admin]

I have thought of another way of handling the BuddyPress Query String reply coding issue/problem that would not require changing any coding in BuddyPress.  This idea has not been tested yet, but will be tested soon.

The Problem: BuddyPress is generating a malformed/broken Query String in replies ONLY in the Group forum area.  Additionally this appears to ONLY be happening on WordPress Network/Multisite installations with BuddyPress.

/?#post-22 – is a malformed / broken Query String.

Possible Solution:  Logically something like this below would work because .htaccess files are processed first before PHP code.  This has NOT been tested yet and is ONLY a general idea at this point.  It is NOT recommended that you try this code until we have thoroughly tested it and if it works we will perfect it if necessary.

RewriteCond %{REQUEST_URI} ^/grupos(.*)\?#$ [NC]
RewriteRule ^/grupos(.*)\?#(.*)$ /grupos(.*)#(.*) [R=301]

[Giorgos]

The “possible solution” didn’t work for me. I do experience the same issues with the /?#post-22 string, although I also have the latest versions installed.   But this one worked fine  #RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
So currently I have commented the above rule.

[AITpro Admin]

Yep for whatever reason that I somewhat understand this problem only occurs on a very low percentage of BuddyPress sites, but not on the majority of BuddyPress sites.  This problem does not occur on the BulletProof Security BuddyPress Forum.  I have not had time yet to look at modifying the BuddyPress plugin code.  Hopefully I can find some time to revisit this again in March.

[AITpro Admin]

Update: 6-4-2017:  This is very old issue that no longer exists in BuddyPress and the old BPS Query String security rule no longer exists in the Root htaccess file Query String Exploits code.  In other words, a fix is no longer needed.

Adding this fix/code to BPS Custom Code to save it permanently.

1. Copy the code below (see Note) to this BPS Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
Note: For good measure clear your Browser cache and if you are using a caching plugin clear your caching plugin cache.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS

[Author]

Posts