FV WordPress Flowplayer – Foliovision 403 error
darkspeed.com
Participant

I have one more problem with displaying videos on my site

    Analysis of darkspeed.com/video/day-trading-software.mp4 (local):
    Error: Server does not support HTTP range requests!
    Error: Access to video forbidden (HTTP 403)!
    Format: mp4
    Meta Data (moov) position: 28
    Seek points: 60 (stts)
    Audio: 1 stream, mp4 (ISO/IEC 14496-3 AAC) 48000Hz, 2 channels, 16bit, stereo
    Video: avc1 (H.264 Encoder) codec, mp42 (MS-MPEG4 v2 Decoder) file type

    >>>>>>>>>>> 403 GET or Other Request Error Logged - June 15, 2013 - 6:25 pm <<<<<<<<<<<
    REMOTE_ADDR: 209.59.173.243
    Host Name: darkspeed.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /video/day-trading-software.mp4
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/3.5.1; http://darkspeed.com
Anonymous
Inactive

Your comment was spammed again of course. Testing posting with a user account using .com
AITpro Admin
Keymaster

Hmm ok the .com in your user account is not the issue. Will check the DB to see if BuddyPress or bbPress add some kind of usermeta.
AITpro Admin
Keymaster

Where is SERVER_PROTOCOL: HTTP/1.0 coming from? Are you using an outdated Proxy? Squid Proxy? HTTP/1.0 is used by spammers, scrapers and hackers. All legitimate apps, etc. use the new Server Protocol HTTP/1.1 as of 1997.

Try creating either a skip/bypass rule for the file: day-trading-software.mp4 by adding it to the Misc file skip/bypass rule above or you can try one of the 3rd Party App options in the link below.
AITpro Admin
Keymaster

I checked your website and your HTTP Headers and Server Protocol are good so that is really odd that HTTP/1.0 is shown in the error. Unless of course this is someone who is scraping your site. Scrapers will show your host name and IP address during the mirror of your site.

    GET / HTTP/1.1
    Host: darkspeed.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 AlexaToolbar/alxf-2.18
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
darkspeed.com
Participant

The 1.0 call was triggered when using foliovision.com WordPress Plugin Flowplayer to embed a video
AITpro Admin
Keymaster

Ah I see where it is coming from now on your website. How ironic that this uses a Server Protocol that is known to be used by spammers, scrapers and hackers and it has to do with security. Too funny.

OCSP (Online Certificate Status Protocol) is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as Certificate Revocation List

    Host: ocsp.verisign.com

    HTTP/1.0 200 Ok
    Last-Modified: Fri, 14 Jun 2013 19:19:06 GMT
    Expires: Fri, 21 Jun 2013 19:19:06 GMT
    Content-Type: application/ocsp-response
    content-transfer-encoding: binary
    Content-Length: 1856
    Cache-Control: max-age=512190, public, no-transform, must-revalidate
    Date: Sat, 15 Jun 2013 21:02:36 GMT
    nncoection: close
    Connection: Keep-Alive
AITpro Admin
Keymaster

And just for the heck of it I checked to see if this is interfering with your mp4 and it is not so the OCSP thing is not a real big deal.

    GET /video/day-trading-software.mp4 HTTP/1.1
    Host: darkspeed.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 AlexaToolbar/alxf-2.18
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Cookie: PHPSESSID=31ec343d938d16dda8ca2d394a91d5f4; __atuvc=3%7C24
    Connection: keep-alive
    Range: bytes=2626182-
    If-Range: "9d0e9-9d87d3-4de9b44b74040"

    HTTP/1.1 200 OK
    Date: Sat, 15 Jun 2013 21:27:18 GMT
    Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    Last-Modified: Sat, 08 Jun 2013 02:26:01 GMT
    Etag: "9d0e9-9d87d3-4de9b44b74040"
    Accept-Ranges: bytes
    Content-Length: 10323923
    Content-Type: video/mp4
darkspeed.com
Participant

Thank you for all of the help!
AITpro Admin
Keymaster

Someone else had a similar problem with FV WordPress Flowplayer – Foliovision 403 error. I installed and tested the FV WordPress Flowplayer plugin and the Server Protocol HTTP/1.0 is coming from this plugin. Everything works fine, but an Admin error is shown to administrators of the website and a 403 error is generated in the BPS Security Log. The 403 error is happening because a HEAD Request is being made and does NOT have to do with the Server Protocol issue. The Server Protocol issue is just a minor knick-knack that I assume would just need to have a Host Header field added either in JavaScript or the PHP coding of this plugin to fix the Server Protocol HTTP/1.0 issue.
To stop the 403 error from occurring and being logged in the BPS Security log you would add this code to BPS Custom Code.

1. Copy this REQUEST METHODS FILTERED .htaccess code to this BPS Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED:
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

BPS Pro 11.6+ & BPS free .53.2+

You may see this code or the 11.5+/.53.1+ code in your root htaccess file. The code does the same exact thing and is whitelisted in the same exact way.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

BPS Pro 11.5+ & BPS free .53.1+

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ - [R=405,L]

BPS Pro 11.4|BPS free .53 and lower versions

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
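An added example, not part of the original posts and not code from BPS or the FV plugin: a small triage script that parses security log entries in the layout quoted at the top of this thread and separates requests the site made to itself (a `WordPress/x.y; site-url` user agent arriving from the server's own address) from external HTTP/1.0 traffic. It assumes one field per line, that 209.59.173.243 is the site's own server address, and uses hypothetical function names; the second log entry is constructed for contrast.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the layout of the log entry quoted in this thread.
# The second entry is invented for contrast (documentation IP and host).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - June 15, 2013 - 6:25 pm <<<<<<<<<<<
REMOTE_ADDR: 209.59.173.243
Host Name: darkspeed.com
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /video/day-trading-software.mp4
HTTP_USER_AGENT: WordPress/3.5.1; http://darkspeed.com
>>>>>>>>>>> 403 GET or Other Request Error Logged - June 15, 2013 - 6:31 pm <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.50
Host Name: scanner.example.net
SERVER_PROTOCOL: HTTP/1.0
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: ExampleScraper/1.0
"""

ENTRY_HEADER = re.compile(r"^>{5,}\s*(.*?)\s*<{5,}$")
WP_AGENT = re.compile(r"^WordPress/[\d.]+; (https?://\S+)$")

def parse_entries(text):
    """Split the log into one dict per entry, keyed by field name."""
    entries = []
    for line in text.splitlines():
        header = ENTRY_HEADER.match(line.strip())
        if header:
            entries.append({"title": header.group(1)})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def classify(entry, site_host, server_ips):
    """Return 'self' only when user agent and source address both point at this server."""
    ua = WP_AGENT.match(entry.get("HTTP_USER_AGENT", ""))
    ua_is_ours = bool(ua) and urlparse(ua.group(1)).hostname == site_host
    if ua_is_ours and entry.get("REMOTE_ADDR") in server_ips:
        return "self"         # the site's own WordPress HTTP API requesting its own URL
    if ua_is_ours:
        return "ua-mismatch"  # claims to be this site but arrives from another address
    return "external"

def triage(text, site_host, server_ips):
    """List (REQUEST_URI, label) for every entry in the log text."""
    return [(e.get("REQUEST_URI"), classify(e, site_host, server_ips))
            for e in parse_entries(text)]
```

The user agent alone is client-controlled, which is why `classify` also requires the source address to be one of the server's own before treating an entry as benign.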
Foliovision
Participant

Hello darkspeed.com,

Thank you for reporting the issue, although we have our own support forums: http://foliovision.com/support

We are using a standard WordPress function wp_remote_head() to perform the request when checking the video file. However I see that we can just skip this check of video file response headers, as the video gets downloaded for further analysis anyway.

So this will be fixed in a new release – coming out today or tomorrow.

Thanks,
Martin

AITpro Admin
Keymaster

@ Foliovision – your reply was spammed and has been unspammed. We did not see the reply until today. Thanks.