Discourse forum – 403 error (BulletProof Security Free forum)
Tagged: 403 error, Discourse forum
- This topic has 8 replies, 2 voices, and was last updated 9 years, 5 months ago by Steven.
Steven (Participant):
I have a VPS host on Digital Ocean with WordPress 4.0 and a Discourse forum in a Docker instance. So basically two separate sites on the same server. My Discourse forum uses WordPress for SSO (single sign-on). I am having an issue configuring the root .htaccess file to allow the Discourse site to call a page on my WordPress site, which has some PHP scripting and passes back session info.
I tried following this guide here: http://forum.ait-pro.com/forums/topic/custom-applications-outside-of-wordpress-3rd-party-apps/#post-13664
But I am not sure if I am setting it up right or if this is the correct way to go. I get the following when I click on the login button on my Discourse site:
Not Found
The requested URL /sso/ was not found on this server.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Thanks
AITpro Admin (Keymaster):
Post the 403 error from your Security Log so I can see what is being blocked.
Steven (Participant):
There is nothing in the log. Logging is turned on, and it says the file is writable.
AITpro Admin (Keymaster):
Ok, then you will need to explain everything in specific technical detail and provide actual URLs so that I can see the exact scenario/issue/problem. If you do not want to post things publicly in this forum you can send all of that information to info [at] ait-pro [dot] com.
Steven (Participant):
Ok, here we go.
Site details:
WordPress site: http://104.131.65.236
Discourse site: forums.grimreapergamers.com
When you go to the forum site and try to log in it will produce the error. If I use the default .htaccess file it works as it should.
Here is what is happening in the background:
- When you click login, the forum looks for a WordPress page called “sso”.
- This page has a special template file assigned to it which calls another PHP helper class.
- Both the template file and helper class are located in the top level of the active WordPress theme folder.
- These files will check whether the user is logged in or not.
- If not, redirect to the WordPress login page; once logged in, pass the user info to the Discourse forum.
- If already logged in on the WordPress site, just pass the user info over.
Let me know if there are any other questions, and thanks for the quick responses.
AITpro Admin (Keymaster):
I believe what is being blocked is that you are using a Line Feed (%0A) in the Query String, and BPS explicitly blocks Line Feeds in Query Strings because that is a very bad practice and also is a common hacking method used by hackers. %0A should never be used in Query Strings. Also, %3D is the URL-encoded equal sign (=) and that should not be URL encoded.
http://104.131.65.236/sso/?sso=bm9uY2U9YzNjYTEyMjEyYTc5MTFjMjQ3OWI1MjY4NTlkZWYyYTA%3D%0A&sig=40e17305406a247bfbed1ecd35aab17cd249f64948c32f3fd5aa80a9f14415ad
To confirm that is what is being blocked you can comment out the BPS security rule in your root .htaccess file shown below:
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
You may also need to comment out these additional security rules:
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
Once you have confirmed this is what is being blocked you can either allow it by copying your modified BPS Query String Exploits code from your root .htaccess file to BPS Custom Code and doing ALL of the Custom Code steps (not recommended), or you can change your Query String to not use %0A in the Query String (recommended).
Steven (Participant):
Yes, commenting out all of the lines you suggested allowed it to work. I did not write the code, so I will need to go back to the developer to see what can be done with it.
Thanks for your help.
AITpro Admin (Keymaster):
What you may want to point out to the Discourse folks (gently, so as not to ruffle feathers and cause a defensive reaction) is that instead of doing whatever the intended purpose of using the Line Feed in the Query String does, it would be safer/better to do whatever that is AFTER the Query String is sent to wherever it is sent, i.e. take the data passed in the Query String and process it on the receiving end/code; i.e. got the Query String, now do the Line Feed/break. Typically %0A is used in SQL Injection hacking methods and some Email Injection hacking methods.
And the most important thing/benefit to them is that a hacker does not exploit this and hack someone’s website. Better to fix things like this now as opposed to later when folks' websites are getting hacked because of this.
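As an added illustration (my own code, not from the thread, BPS or Discourse), the Python below re-implements the BPS Query String Exploits RewriteCond quoted earlier, runs it against the sso/sig query string from the thread, and applies the sending-side fix the admin recommends: remove the line break from the parameter value before it is URL-encoded, so the request no longer carries %0A. The regex mirrors the `[NC]` (case-insensitive) rule; the function names and the check that the `sig` value survives the rewrite untouched are my own additions.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Python equivalent of the BPS rule quoted in the thread:
#   RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
# [NC] makes the match case-insensitive, so %0a is caught just like %0A.
QUERY_STRING_EXPLOITS = re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", re.IGNORECASE)

# Query string from the URL posted in the thread. The trailing %0A in the
# sso value is the URL-encoded line feed that the rule above rejects.
SAMPLE_QUERY = (
    "sso=bm9uY2U9YzNjYTEyMjEyYTc5MTFjMjQ3OWI1MjY4NTlkZWYyYTA%3D%0A"
    "&sig=40e17305406a247bfbed1ecd35aab17cd249f64948c32f3fd5aa80a9f14415ad"
)


def blocked_tokens(query_string: str) -> list[str]:
    """Return every token in the raw (still percent-encoded) query string that
    the BPS rule would match. An empty list means this RewriteCond passes."""
    return QUERY_STRING_EXPLOITS.findall(query_string)


def decoded_values(query_string: str) -> dict[str, str]:
    """Decode the query string into a parameter -> value mapping."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def strip_line_breaks(query_string: str) -> str:
    """Sending-side fix: decode each parameter, drop CR/LF characters from the
    value, and re-encode. urlencode still percent-encodes '=' inside values
    (as %3D), which the BPS rule does not match, so only the line feed goes."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    cleaned = [(k, v.replace("\r", "").replace("\n", "")) for k, v in pairs]
    return urlencode(cleaned)


if __name__ == "__main__":
    print("blocked tokens in original :", blocked_tokens(SAMPLE_QUERY))
    fixed = strip_line_breaks(SAMPLE_QUERY)
    print("rewritten query string      :", fixed)
    print("blocked tokens after rewrite:", blocked_tokens(fixed))
```

Running the script shows the original query string tripping the rule on `%0A` only, and the rewritten string passing it while the decoded `sso` and `sig` values are unchanged apart from the dropped newline. The same `blocked_tokens` check can be pointed at any query string captured from a 403 in the Security Log to see which token a BPS rule objected to.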
Steven (Participant):
Thanks for the explanation.