Digital Access Pass DAP 403 error

Viewing 15 posts - 1 through 15 (of 19 total)

    #6819
    darkspeed.com
    Participant

    I use Digital Access Pass and on installing BulletProof Security I was no longer able to use the membership signup form as it returned a 403 error. I was able to track down the problem if anyone else is having the same issue. Just wanted you to know that if you have any members who use the http://wordpress.org/plugins/bulletproof-security/ plugin, it places a line in secure.htaccess by default that breaks DAP’s ability to sign up users and returns a 403. The lines of htaccess code are:

    RewriteCond %{QUERY_STRING} http: [NC,OR]
    RewriteCond %{QUERY_STRING} https: [NC,OR]

    I had to comment them out with a # and now everything works well.
    Thanks
    Todd

    #6821
    AITpro Admin
    Keymaster

    Not sure why your post was spammed.  I unspammed it.  Many years ago someone asked about DAP and I vaguely remember something had to do with how the DAP iFrame loads within the WordPress Dashboard.  I will look around and see if there is any old info about DAP somewhere.

    #6896
    darkspeed.com
    Participant

    I am back to having problems. I get this when someone tries to fill out a subscribe on my site. The subscribe goes through but rather than the success page I get a 403 error. Any ideas?

    >>>>>>>>>>> 403 GET or Other Request Error Logged - June 14, 2013 - 2:24 pm <<<<<<<<<<<
    REMOTE_ADDR: 108.9.107.210
    Host Name: pool-108-9-107-210.tampfl.fios.verizon.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://darkspeed.com/free-trial-join-now/
    REQUEST_URI: /dap/authenticate.php?email=bobo1%40darkspeed.com&password=KW3JS&submitted=Y&request=http://darkspeed.com/member-login/?msg=SUCCESS_CREATION&daplistbuildercredits=
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0

    #6904
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    Edit|Update:  Create a skip/bypass for the authenticate.php and signup_submit.php files as shown below.

    1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    IMPORTANT!!!: Edit the code below after copying it to BPS Custom Code and replace “example.com” with your actual website domain name.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (authenticate\.php|signup_submit\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]

    Additional solution for 403 error instead of being redirected to a Thank You page or other page
    1. Copy the modified BPS Query String Exploits below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
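As an added example (not code from this thread, from BPS or from DAP): a small Python model of how mod_rewrite evaluates a RewriteCond chain and the [F] and [S=n] RewriteRule flags, run against a constructed DAP signup request shaped like the log entries above and against a few constructed attack requests. It shows why the stock `http:` / `https:` query-string conditions return a 403 for DAP's `request=http://...` parameter, how the admin's skip rule exempts only authenticate.php and signup_submit.php when the referer is the site itself, and that commenting the two conditions out (the first poster's fix) also lets any other `?x=http://...` query string through. The domain example.com, the shortened RFI host list and the trimmed BPSQSE chain are assumptions; the regexes themselves are copied from the post above. Note that in mod_rewrite %{REQUEST_URI} is the path only; the query string is in %{QUERY_STRING} and the full request line in %{THE_REQUEST}, so the whitelist only has to match the path.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Minimal model of mod_rewrite: a RewriteCond is (server variable, regex, flags);
# a RewriteRule is (its conds, URL pattern, action) with action "F" (403) or "S=n".
Cond = namedtuple("Cond", "var pattern flags")
Rule = namedtuple("Rule", "conds pattern action")


def make_env(method, uri, referer="", ua="Mozilla/5.0 (constructed)"):
    """Build the subset of Apache variables the BPS rules inspect (constructed)."""
    parts = urlsplit(uri)
    return {
        "REQUEST_URI": parts.path,                 # path only, no query string
        "QUERY_STRING": parts.query,
        "THE_REQUEST": f"{method} {uri} HTTP/1.1",  # full request line
        "HTTP_REFERER": referer,
        "HTTP_USER_AGENT": ua,
        "PATH": parts.path.lstrip("/"),            # what a per-directory RewriteRule sees
    }


def conds_match(conds, env):
    """Apache semantics: a cond with OR is ORed with the cond after it; each group
    closed by a cond without OR is ANDed into the overall result."""
    result, group = True, False
    for c in conds:
        flags = re.IGNORECASE if "NC" in c.flags else 0
        group = group or re.search(c.pattern, env.get(c.var, ""), flags) is not None
        if "OR" not in c.flags:
            result, group = result and group, False
    return result


def evaluate(rules, env):
    """Walk the rules in order: [F] returns 403 at once, [S=n] skips the next n
    RewriteRules, and falling off the end means the request is served (200)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if re.search(r.pattern, env["PATH"]) and conds_match(r.conds, env):
            if r.action == "F":
                return 403
            if r.action.startswith("S="):
                i += int(r.action[2:])
        i += 1
    return 200


# Remote-file-inclusion rule from the post (host list shortened here).
RFI_RE = r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|photobucket|imgur).*$"
RFI = Rule([Cond("QUERY_STRING", RFI_RE, "NC,OR"), Cond("THE_REQUEST", RFI_RE, "NC")], r".*", "F")

# Skip/bypass rule from the post: DAP's two endpoints, same-site referer, skip one rule.
SKIP = Rule([Cond("REQUEST_URI", r"(authenticate\.php|signup_submit\.php)", "NC"),
             Cond("HTTP_REFERER", r"^.*example\.com.*", "")], r".", "S=1")


def qse_rule(block_http_in_query):
    """Trimmed BPSQSE chain; the http:/https: conds are the ones that broke DAP."""
    conds = []
    if block_http_in_query:
        conds += [Cond("QUERY_STRING", r"http:", "NC,OR"), Cond("QUERY_STRING", r"https:", "NC,OR")]
    conds += [Cond("THE_REQUEST", r"etc/passwd", "NC,OR"),
              Cond("QUERY_STRING", r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)", "NC,OR"),
              Cond("QUERY_STRING", r"union([^s]*s)+elect", "NC,OR"),
              Cond("QUERY_STRING", r"(sp_executesql)", "NC")]
    return Rule(conds, r"^(.*)$", "F")


DEFAULT = [RFI, qse_rule(True)]            # stock BPS
WHITELISTED = [RFI, SKIP, qse_rule(True)]  # admin's fix: skip the QSE rule for DAP only
COMMENTED_OUT = [RFI, qse_rule(False)]     # first poster's fix: drop the http: conds

# Constructed requests (fictional values) modelled on the log entries in this thread.
DAP_SIGNUP = make_env("GET", "/dap/authenticate.php?email=user%40example.com&password=abc12&submitted=Y"
                      "&request=http://example.com/member-login/?msg=SUCCESS_CREATION&daplistbuildercredits=",
                      referer="http://example.com/free-trial-join-now/")
RFI_PROBE = make_env("GET", "/index.php?page=http://blogger.com/x.txt", referer="http://example.com/")
TRAVERSAL = make_env("GET", "/index.php?f=../../etc/passwd")
OTHER_HTTP = make_env("GET", "/index.php?u=http://example.net/", referer="http://example.com/")


def matrix():
    """HTTP status each configuration returns for each constructed request."""
    configs = {"default": DEFAULT, "whitelisted": WHITELISTED, "commented_out": COMMENTED_OUT}
    reqs = {"dap_signup": DAP_SIGNUP, "rfi_probe": RFI_PROBE, "traversal": TRAVERSAL, "other_http": OTHER_HTTP}
    return {c: {r: evaluate(rules, env) for r, env in reqs.items()} for c, rules in configs.items()}


if __name__ == "__main__":
    for config, results in matrix().items():
        print(f"{config:14s}", "  ".join(f"{k}={v}" for k, v in results.items()))
```

Running the block prints one line per configuration. The DAP signup is 403 only under the stock rules; the RFI probe and the traversal are 403 in all three; and `/index.php?u=http://example.net/` shows the difference between the two fixes: the skip rule still returns 403 for it because the path is not one of DAP's endpoints, while commenting the conditions out serves it. The same skip rule also returns 403 for a DAP signup whose referer is not the site itself.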

    #6905
    darkspeed.com
    Participant

    Thank you! That solved my problem!

    #17108
    JimmyD
    Participant

    [Topic has been merged into this relevant Topic]

    BPS was causing my DAP member site plugin to not process new members so I had it uninstalled. Unfortunately, the tech did not uninstall properly. Now I have the custom BPS .htaccess remaining on my server in root as well as in wp-admin. Therefore, my DAP member site plugin problems remain. How do I get rid of these .htaccess files without breaking my site? I do not have a backup of the .htaccess file that was there before BPS was installed.

    #17119
    AITpro Admin
    Keymaster

    @ JimmyD – you can either use the whitelisting method in this Forum Topic to whitelist what is being blocked in DAP or if you want to uninstall BPS you would use the uninstall steps here:  http://forum.ait-pro.com/forums/topic/read-me-first-free/

    #17120
    JimmyD
    Participant

    OK. When BPS was installed, was a backup of my original .htaccess file created? If so, where can I find that on my server?

    #17121
    AITpro Admin
    Keymaster

    If you backed up your .htaccess files using BPS Backup & Restore then you can restore your old .htaccess file using the Restore feature.  Or if you did not make a backup of your .htaccess file then you can restore it using your web host control panel file manager and restore an older root .htaccess file.

    By default I do not believe that DAP comes with any .htaccess code.  If DAP does come with .htaccess code then you should be able to deactivate and activate DAP and it should add any .htaccess code that it uses (if it does use .htaccess code) to your root .htaccess file.

    Or you would go to DAP settings and resave your DAP .htaccess settings if DAP comes with any .htaccess code, which I do not believe that DAP has by default.

    #17140
    JimmyD
    Participant

    Thanks, deactivating and reactivating DAP Livelinks did the trick by adding the required code to .htaccess!

    #21710
    coen
    Participant

    I also use Digital Access Pass on my websites and so far it worked fine without problems. But now on installing BulletProof Security at cocreatie013.nl I was no longer able to use the membership signup form as it returned a 403 error. I cannot find out why it works on my other websites and doesn’t on this one. What can I do to solve this problem?

    #21711
    AITpro Admin
    Keymaster

    Starting at zero.  Are you saying that the problem that is occurring is similar to the problem and solution in this forum topic or are you saying that something has changed with DAP and either none of the issues in this forum topic are relevant or this could be some new issue due to something new that DAP is doing? A BPS security log entry will tell me if something is being blocked by BPS and what is being blocked.  Please post a BPS Security Log entry.

    #21714
    coen
    Participant

    BPS Security Log entry:

    [403 GET / HEAD Request: 30 March 2015 - 17:19]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 84.24.184.204
    Host Name: 5418B8CC.cm-5-1c.dynamic.ziggo.nl
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 84.24.184.204
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://cocreatie013.nl/wat/aanmelden-test/
    REQUEST_URI: /dap/authenticate.php?email=info%40webcoach.nl&password=8HCZN&submitted=Y&request=http://cocreatie013.nl/members/aanmelden/dap/?msg=SUCCESS_CREATION&daplistbuildercredits=
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0

    #21715
    coen
    Participant

    [modified content as it exposed private information that should probably not be posted publicly]

    #21724
    AITpro Admin
    Keymaster

    I modified/deleted your post content since it exposed some things publicly that should probably not be exposed.  Please send me an email so that we can do this directly: edward at ait-pro dot com.  Thanks.
