FV WordPress Flowplayer – Foliovision 403 error


This topic contains 11 replies, has 4 voices, and was last updated by  AITpro Admin 5 years, 12 months ago.

  • #6919

    darkspeed.com
    Participant

    I have one more problem with displaying videos on my site

    Analysis of darkspeed.com/video/day-trading-software.mp4 (local):
    Error: Server does not support HTTP range requests!
    Error: Access to video forbidden (HTTP 403)!

    Format: mp4
    Meta Data (moov) position: 28
    Seek points: 60 (stts)
    Audio: 1 stream, mp4 (ISO/IEC 14496-3 AAC) 48000Hz, 2 channels, 16bit, stereo
    Video: avc1 (H.264 Encoder) codec, mp42 (MS-MPEG4 v2 Decoder) file type

    >>>>>>>>>>> 403 GET or Other Request Error Logged - June 15, 2013 - 6:25 pm <<<<<<<<<<<
    REMOTE_ADDR: 209.59.173.243
    Host Name: darkspeed.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /video/day-trading-software.mp4
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/3.5.1; http: //darkspeed.com

    #6920

    Anonymous

    Your comment was spammed again of course.  Testing posting with a user account using .com

    #6921

    AITpro Admin
    Keymaster

    Hmm ok the .com in your user account is not the issue.  Will check the DB to see if BuddyPress or bbPress add some kind of usermeta.

    #6924

    AITpro Admin
    Keymaster

    Where is SERVER_PROTOCOL: HTTP/1.0 coming from?  Are you using an outdated Proxy?  Squid Proxy?  HTTP/1.0 is used by spammers, scrapers and hackers.  All legitimate apps, etc. use the new Server Protocol HTTP/1.1 as of 1997.

    Try creating either a skip/bypass rule for the file: day-trading-software.mp4 by adding it to the Misc file skip/bypass rule above or you can try one of the 3rd Party App options in the link below.

    http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress

    #6926

    AITpro Admin
    Keymaster

    I checked your website and your HTTP Headers and Server Protocol are good so that is really odd that HTTP/1.0 is shown in the error.  Unless of course this is someone who is scraping your site.  Scrapers will show your host name and IP address during the mirror of your site.

    GET / HTTP/1.1
    Host: darkspeed.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 AlexaToolbar/alxf-2.18
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive

    #6929

    darkspeed.com
    Participant

    The 1.0 call was triggered when using foliovision.com WordPress Plugin Flowplayer to embed a video

    #6930

    AITpro Admin
    Keymaster

    Ah I see where it is coming from now on your website.  How ironic that this uses a Server Protocol that is known to be used by spammers, scrapers and hackers and it has to do with security.  Too funny.

    OCSP (Online Certificate Status Protocol) is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as Certificate Revocation List

    Host: ocsp.verisign.com
    
    HTTP/1.0 200 Ok
    Last-Modified: Fri, 14 Jun 2013 19:19:06 GMT
    Expires: Fri, 21 Jun 2013 19:19:06 GMT
    Content-Type: application/ocsp-response
    content-transfer-encoding: binary
    Content-Length: 1856
    Cache-Control: max-age=512190, public, no-transform, must-revalidate
    Date: Sat, 15 Jun 2013 21:02:36 GMT
    nncoection: close
    Connection: Keep-Alive

    #6932

    AITpro Admin
    Keymaster

    And just for the heck of it I checked to see if this is interfering with your mp4 and it is not so the OCSP thing is not a real big deal.

    GET /video/day-trading-software.mp4 HTTP/1.1
    Host: darkspeed.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 AlexaToolbar/alxf-2.18
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Cookie: PHPSESSID=31ec343d938d16dda8ca2d394a91d5f4; __atuvc=3%7C24
    Connection: keep-alive
    Range: bytes=2626182-
    If-Range: "9d0e9-9d87d3-4de9b44b74040"
    
    HTTP/1.1 200 OK
    Date: Sat, 15 Jun 2013 21:27:18 GMT
    Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    Last-Modified: Sat, 08 Jun 2013 02:26:01 GMT
    Etag: "9d0e9-9d87d3-4de9b44b74040"
    Accept-Ranges: bytes
    Content-Length: 10323923
    Content-Type: video/mp4

    #6934

    darkspeed.com
    Participant

    Thank you for all of the help!

    #7694

    AITpro Admin
    Keymaster

    Someone else had a similar problem with FV WordPress Flowplayer – Foliovision 403 error.  I installed and tested the FV WordPress Flowplayer plugin and the Server Protocol HTTP/1.0 is coming from this plugin.  Everything works fine, but an Admin error is shown to administrators of the website and a 403 error is generated in the BPS Security Log.  The 403 error is happening because a HEAD Request is being made and does NOT have to do with the Server Protocol issue.  The Server Protocol issue is just a minor knick-knack that I assume would just need to have a Host Header field added either in the JavaScript or the PHP coding of this plugin to fix the Server Protocol HTTP/1.0 issue.

    To stop the 403 error from occurring and being logged in the BPS Security log you would add this code to BPS Custom Code.

    1. Copy this REQUEST METHODS FILTERED .htaccess code to this BPS Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED: 
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    BPS Pro 11.6+ & BPS free .53.2+
    You may see this code or the 11.5+/.53.1+ code in your root htaccess file.  The code does the same exact thing and is whitelisted in the same exact way.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    BPS Pro 11.5+ & BPS free .53.1+

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ - [R=405,L]

    BPS Pro 11.4|BPS free .53 and lower versions

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and 
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
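
    Before whitelisting HEAD in Custom Code it helps to confirm that the logged 403s really are the site's own plugin probes and not outside traffic. The script below is an added example, not BPS or AITpro code: it parses the BPS Security Log layout quoted in the first post (the `>>> 403 ... Logged - date <<<` header followed by `KEY: value` lines) and labels each entry. The sample entries, IP addresses and hostnames are constructed, and treating a `WordPress/x.y.z` user agent plus a HEAD method as a plugin loopback request is an assumption based on the explanation above, not something the quoted log shows directly.

```python
# Added example (not BPS/AITpro code): parse the BPS Security Log format quoted
# in this thread and separate the site's own plugin HEAD checks from other hits.
import re
from collections import Counter

# Constructed sample entries in the BPS log layout; not from a real site.
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - June 15, 2013 - 6:25 pm <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.10
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: HEAD
HTTP_REFERER:
REQUEST_URI: /video/sample.mp4
HTTP_USER_AGENT: WordPress/3.5.1; http://example.test
>>>>>>>>>>> 403 GET or Other Request Error Logged - June 15, 2013 - 6:40 pm <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.7
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: TRACE
REQUEST_URI: /
HTTP_USER_AGENT: curl/7.30.0
"""

# Entry header: ">>> 403 ... Logged - <date> <<<"; the field lines are "KEY: value".
HEADER = re.compile(r"^>{3,} (?P<status>\d{3}) .*? Logged - (?P<when>.+?) <{3,}$")

def parse_bps_log(text):
    """Return one dict per logged request, keyed by the log's own field names."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = {"status": m["status"], "when": m["when"]}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only, so URLs survive
            current[key.strip()] = value.strip()
    return entries

def classify(entry):
    """Label an entry: the site's own WordPress HEAD probe, an always-filtered method, or other."""
    ua = entry.get("HTTP_USER_AGENT", "")
    method = entry.get("REQUEST_METHOD", "")
    if method == "HEAD" and ua.startswith("WordPress/"):
        return "plugin-head-request"   # the case the HEAD whitelist Custom Code is meant for
    if method in {"TRACE", "DELETE", "TRACK", "DEBUG"}:
        return "filtered-method"       # the BPS rule blocks these unconditionally
    return "other"

def triage(text):
    """Count entries per label, e.g. {'plugin-head-request': 1, 'filtered-method': 1}."""
    return Counter(classify(e) for e in parse_bps_log(text))
```

    Run `triage()` over the real log text; only if the 403s fall in the plugin-head-request bucket does enabling the HEAD allowance above apply.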

    #10399

    Foliovision
    Participant

    Hello darkspeed.com,

    thank you for reporting the issue, although we have our own support forums: http://foliovision.com/support

    We are using a standard WordPress function wp_remote_head() to perform the request when checking the video file. However I see that we can just skip this check of video file response headers, as the video gets downloaded for further analysis anyway.

    So this will be fixed in a new release – coming out today or tomorrow.

    Thanks,
    Martin

    #10661

    AITpro Admin
    Keymaster

    @ Foliovision – your reply was spammed and has been unspammed.  We did not see the reply until today.  Thanks.
