HEAD request not disabled

[David Versteeg]

I have installed BPS Free a few months ago, and BPS Pro today. In the BulletProof Security Status screen everything was and is green, so I was under the impression BPS was active. I am using the out-of-the-box secure htaccess file, including the following entry:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]

However, when I perform HEAD requests on the System Info page, I did not get a 403 error, but the following:

HTTP/1.1 200 OK
Date: Sun, 01 Jun 2014 19:50:08 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.28-1~dotdeb.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1062
Content-Type: text/html
Set-Cookie: PHPSESSID=520d762c0221fdebf74bc2803b3fb595; path=/

The Security Log does record the request:

[403 GET / HEAD Request: 01/06/2014 - 20:50]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 188.93.144.177
Host Name: blade142.mijndomein.nl
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: BPS Headers Check

When I dug a bit deeper, using an online web vulnerability scan, it showed TRACK and TRACE were not disabled either. I have searched the forum for a clue about what’s going on, but could not find any – hence this post. By the looks of it, these requests are not filtered out (although they are noticed by BPS), so I am wondering whether BPS is protecting my site altogether? I hope someone can shed some light on this for me.

[AITpro Admin]

I have no idea how you could get a 200 OK and a 403 Forbidden HTTP Status Response at the same time.  The HTTP Status Response should only be 1 response.  What URL did you use?  Make sure that both your root .htaccess file AND wp-admin .htaccess file have the # REQUEST METHODS FILTERED code in them AND that all Request methods are being filtered.  Double check BPS Pro Custom Code to make sure that these filters have NOT been removed.  Click the activate root folder and wp-admin folder BulletProof Modes again and then test performing a HEAD Request again.

[AITpro Admin]

Also make sure that your Root .htaccess file is locked.  You can lock your Root .htaccess file on the htaccess File Editor page or in F-Lock.  This will prevent anything else (another plugin, theme, cPanel, etc) from modifying or deleting your root .htaccess security code (with the exception of the Better WP Security plugin – if you have that plugin installed then all bets are off – that plugin is not compatible with BPS or BPS Pro and will break both BPS and BPS Pro).

[David Versteeg]

I don’t get it either. I just upgraded to the Pro version and did a clean install, so all htaccess files are the BPS standards. The # Request methods filtered are present in both files, and have not been removed in the custom code (again, this was a clean install so no changes were made at all):

# CUSTOM CODE REQUEST METHODS FILTERED
# REQUEST METHODS FILTERED
# This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
# HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
.....
.....
.....
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]

I cannot lock the files, since my hosting provider uses DSO:

Server API: apache2handler – Your Host Server is using DSO

The URL is http://www.versteegmgt.com

[AITpro Admin]

I just made a HEAD Request to your website and got a 200 OK Response so if the # REQUEST METHODS FILTERED .htaccess code is in your root .htaccess file then something is overriding the Request Method filters.  But before looking at what that could possibly be I need for you to manually visually FTP to your website and look at the root .htaccess file to make sure the # REQUEST METHODS FILTERED .htaccess code really exists.

I did this test below on your website to see if your root .htaccess file security filters are working and they are working so the problem with whatever is overriding the Request Method filter is probably isolated to just Request Methods.  ie the only logical thing I can think of is something like a Cloud service or Proxy that is filtering Requests to your website.

http://www.versteegmgt.com/?sp_executesql

[David Versteeg]

I forgot to mention that – I already checked that, but just double-checked again – so straight from the root .htaccess through FTP:
It is a relief that the other filtering is active!
AITpro Admin Edit|Update – added newer REQUEST METHODS FILTERED htaccess code:

BPS Pro 11.6+ & BPS free .53.2+
You may see this code or the 11.5+/.53.1+ code in your root htaccess file.  The code does the same exact thing and is whitelisted in the same exact way.

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

BPS Pro 11.5+ & BPS free .53.1+

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ - [R=405,L]

BPS Pro 11.4|BPS free .53 and lower versions

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and 
# remove/delete HEAD| from the Request Method filter.
# Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
# The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]

[AITpro Admin]

Or maybe your web host is doing something in the Server’s httpd.conf file that is preventing this .htaccess directive from working?  Before going too deep at looking at things on your website you should ask your Host if they allow using this .htaccess directive in an .htaccess file on your website:

RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]

[David Versteeg]

OK – I asked them the question. No doubt it will take some time for them to respond, as soon as they do I will post their reply. Thank you for now.

[AITpro Admin]

Yep, sure.  I have never heard of a Host doing something like this before, but if they were doing something like this then they would be using the AllowOverride directive in the Server’s httpd.conf file to Limit which directives are allowed to be used in .htaccess files and/or maybe limiting by the type of Request – ie GET, POST, HEAD, etc. Logically since Brute Force attacks are a regular event these days then maybe this is some kind of Brute Force attack protection on the Server in the httpd.conf file.  Logical guess any way.  😉

http://httpd.apache.org/docs/current/mod/core.html#allowoverride

[David Versteeg]

You were right. It is caused by the hosting provider; they confirmed today that method filtering in the .htaccess file is ignored for their standard hosting accounts. For your information: this concerns mijndomein.nl, a Dutch provider. Thanks for your help.

[AITpro Admin]

Wow I am kind of surprised since this is the first Host I have ever heard of that is doing this, but logically it makes sense for them to do something like this.  My guess it is some kind of Brute Force attack protection thing at the server.  Thanks for confirming what is going on.

[Author]

Posts