Mime Sniffing, Data Sniffing, Content Sniffing, Drive-by Download Attack Protection

  • #32541
    AITpro Admin
    Keymaster

    @ Qtwix – Sounds like maybe you put the Bonus Custom Code in a wp-admin Custom Code text box and not a Root Custom Code text box.  Did you put this Bonus Custom Code in the correct Root Custom Code text box?  Another possibility is this code just does not work on your particular server or you have some kind of iframe in the backend of your site?  Also double check that the Bonus Custom Code that you copied is correct.

    #32544
    Qtwix
    Participant

    Thanks for your reply! I’m on a hosting account running a Multisite installation. I just went back to a previous backup, deactivated all other plugins except for BPS Pro, and the only theme I have installed is Twenty Seventeen. Like this, the only change in the root .htaccess was adding this “Mime Sniffing, Data Sniffing, Content Sniffing, Drive-by Download Attack Protection” code (just copy & paste) – of course at the right place. This causes the backend layout issue again. So I don’t see what could cause the issue. You write about the server. Are there any requirements about the server configuration which I have to forward to my provider?

    Thanks

    #32545
    AITpro Admin
    Keymaster

    @ Qtwix – Since this Bonus Custom code deals with Headers then it is not frontend/backend dependent and should work everywhere.  Try something simple like deleting your Browser Cache.  Which Browser are you using?  Maybe this has to do with a specific Browser or Browser add-on/extension?  Try using a different Browser and see if the same problem occurs.

    #32546
    Qtwix
    Participant

    I’m on a Mac and generally using Firefox and Chrome. As I’m using several browser plugins, I deactivated them all and cleared the cache and cookies. It’s still the same. However, I also tried it with Safari where, interestingly, the issue is not present and the backend looks all fine. Can you confirm that the issue is not present in other users’ Firefox and/or Chrome, or could it depend on specific browser settings?

    #32547
    AITpro Admin
    Keymaster

    @ Qtwix – This Bonus Custom code should work fine in all Browsers.  Since the backend was Ok when you used the Safari Browser then that indicates that whatever is causing the problem has to do with some Local Browser or computer setting, add-on/extension or something else on your computer (firewall, security software, etc) or maybe a Proxy/VPN?  Are you using a Proxy/VPN when you are logged into the backend of your website?  If so, you should never use a Proxy/VPN when you are logged into your website.  Are you using anything that caches the wp-admin backend area?  I believe Cloudflare has that option, which will break the wp-admin backend area if you allow Cloudflare to cache the wp-admin backend area.

    #32550
    Qtwix
    Participant

    Thanks for your suggestions. I do not use a firewall or other security tools except for the virus scanner Sophos (private version), which I uninstalled now, and the built-in OSX firewall, which I turned off. Also, I’m not using a proxy or VPN. Other ideas are of course very welcome 🙂 . Otherwise I will uninstall all apps one by one and, if needed, I’ll set up my Mac from scratch and install all the apps again one by one, checking if the issue appears again…

    Thanks!

    #32551
    AITpro Admin
    Keymaster

    @ Qtwix – I don’t believe anything else on your computer that is not related to a Browser needs to be messed around with.  Try these things:  temporarily switch your Theme to one of the WordPress default themes, reinstall WordPress > Dashboard > Updates > Re-install Now button.  If neither of these things fix the problem then you should switch your PHP server version next.  There could be something wrong with your PHP server build/compile/installation.  Check your web host’s help pages for the specific/unique steps and requirements to switch your PHP server/version on your particular web host.

    #32581
    Qtwix
    Participant

    To summarize:

    Issue:
    The issue of extracting the content of the BPS Pro “Read Me” boxes into a huge backend page
    (see screenshots:
    https://www.dropbox.com/s/rofkqo1vfryyhx4/Screen%20Shot%202.png?dl=0
    https://www.dropbox.com/s/rw4hpn4c76ddnlt/Screen%20Shot%203.png?dl=0
    https://www.dropbox.com/s/xot25eu5cn3wpxx/Screen%20Shot%204.png?dl=0
    )
    …appears in most (but not all) networks/computers/browsers if I use the code:

    “Header set X-Content-Type-Options nosniff”

    (see screenshot: https://www.dropbox.com/s/2p4tugwaxiv5jd1/Screen%20Shot%201.png?dl=0)
    Any other backend and frontend pages except for the BPS Pro backend page look correct. If I comment it out, the issue disappears.

    Network/computer/browser:
    Meanwhile I checked the issue on several computers (Mac and Windows) with different browsers (Firefox, Google Chrome and IE) within several networks. Unfortunately, I cannot make out a clear pattern. The issue is present in all kinds of combinations. Hence, it seems not to be dependent on the OS, browser or network (no VPN was used).
    Also, I completely deactivated all the browser plugins, cleared the cache and even completely un- and reinstalled Firefox which did not solve the issue.

    .htaccess:
    It’s not dependent on other htaccess code either, as the issue is present even if this piece is the only custom code.

    Firewall:
    The issue seems not to be dependent on a firewall. However, most networks use a router containing a kind of basic gateway firewall, which I’m not able to completely turn off, except for the direct use of my mobile using internet tethering, where the issue was present too. The software firewall on the computer was excluded as the cause by turning it off.

    WordPress, plugins and themes:
    I used a clean WPMU Network installation with the WordPress standard theme “Twenty Seventeen” and deactivated all other plugins. The only plugin is BPS Pro. This did not solve the issue either.

    Switching the PHP installation to an older version using another PHP handler does not solve it either. Currently I’m using PHP 7.

    Is it possible that my provider has some specific server configuration which causes this layout issue and if yes what could it be?

    #32583
    AITpro Admin
    Keymaster

    @ Qtwix – Excellent troubleshooting work and information.  The next most logical thing that should happen is that I need to login to this site or your test site to see if this problem is also occurring for me/my Browser, etc.  That will eliminate and confirm things.  ie server config issue or local issue.  Create a temporary WordPress Administrator user account and send it to me at:  info at ait-pro dot com.

    #32593
    AITpro Admin
    Keymaster

    @ Qtwix – When I logged into your site I saw the same problem.

    The Root cause of the problem is this:
    The MIME Type is not configured correctly on your Server for javascript. So to fix this you need to change your server configuration so it outputs the right MIME type for javascript. You need to edit your Server’s httpd.conf file, if you have access to it (i.e. you have a Dedicated or VPS host server). If you do not have access to your server’s httpd.conf file then you will need to contact your web host and ask them to fix this server configuration mistake.

    Correct Mime Type for javascript: Content-Type:application/javascript
    Incorrect Mime Type for javascript: Content-Type:text/x-js

    When I use the Google Chrome Developer Tools > Console to view the Source Code of BPS Pro plugin pages I see these errors:

    Refused to execute script from 'https://xxx.org/wp-content/plugins/wordfence/js/admin.ajaxWatcher.js?ver=6.3.2' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.
    /wp-admin/admin.php?page=bulletproof-security/admin/core/core.php:1
    Refused to execute script from 'https://xxx.org/wp-content/plugins/wordfence/js/wfdashboard.js?ver=6.3.2' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.
    /wp-admin/admin.php?page=bulletproof-security/admin/core/core.php:1
    Refused to execute script from 'https://xxx.org/wp-content/plugins/wordfence/js/wfpopover.js?ver=6.3.2' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.
    admin.php:1
    Refused to execute script from 'https://xxx.org/wp-includes/js/wp-emoji-release.min.js?ver=4df9498a4ae93ec6ff8a75dd5cb9b275' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.
    admin.php:1
    Refused to execute script from 'https://xxx.org/wp-content/plugins/bulletproof-security/admin/js/bps-arq-ajax.js?ver=12.7' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.
    admin.php:1
    Refused to execute script from 'https://xxx.org/wp-content/plugins/bulletproof-security/admin/js/bps-ui-tabs.js?ver=12.7' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.
    admin.php:1
    Refused to execute script from 'https://xxx.org/wp-content/plugins/bulletproof-security/admin/js/bps-ui-dialog.js?ver=12.7' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.
    admin.php:1
    Refused to execute script from 'https://xxx.org/wp-content/plugins/bulletproof-security/admin/js/bps-ui-accordion.js?ver=12.7' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.
    admin.php:1
    Refused to execute script from 'https://xxx.org/wp-content/plugins/wp-security-audit-log/js/common.js?ver=1487834826' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.

    Response Headers for the bps-ui-dialog.js jQuery UI Read Me help buttons on your site:

    Accept-Ranges:bytes
    Cache-Control:max-age=172800, public
    Content-Encoding:gzip
    Content-Length:1292
    Content-Type:text/x-js
    Date:Tue, 07 Mar 2017 19:27:59 GMT
    Expires:Thu, 09 Mar 2017 19:27:59 GMT
    Last-Modified:Thu, 23 Feb 2017 15:51:43 GMT
    Server:Apache
    Vary:Accept-Encoding,User-Agent
    X-Content-Type-Options:nosniff
    X-Frame-Options:SAMEORIGIN
    X-XSS-Protection:1; mode=block

    Response Headers for the bps-ui-dialog.js jQuery UI Read Me help buttons on my sites:

    Accept-Ranges:bytes
    Cache-Control:max-age=4838400, public, public
    Content-Encoding:gzip
    Content-Length:1292
    Content-Type:application/javascript
    Date:Mon, 20 Feb 2017 17:50:12 GMT
    Expires:Mon, 17 Apr 2017 17:50:12 GMT
    Last-Modified:Thu, 16 Feb 2017 12:17:58 GMT
    Server:Apache
    Vary:Accept-Encoding,User-Agent
    X-Content-Type-Options:nosniff
    X-Frame-Options:SAMEORIGIN, SAMEORIGIN
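    The two header captures above show the whole mechanism: with X-Content-Type-Options: nosniff set, the browser stops guessing and executes a script only if its Content-Type is a JavaScript MIME type, so a server that labels .js files text/x-js gets every script blocked. The following Python script is an added example, not code from this thread or from the BulletProof Security plugin. It parses header blocks in the Name:value form copied from DevTools and reports, for each script URL, whether the browser would execute it, block it (the "Refused to execute script" case), or execute it only because nosniff is absent and the wrong type is tolerated. The header blocks are constructed from the captures posted above; the MIME type list is the set of JavaScript MIME types from the WHATWG MIME Sniffing standard.

```python
"""Triage captured response headers for the nosniff / MIME type mismatch
described in this thread.  Added example; the header captures below are
constructed from the two posted above, not fetched live."""

# JavaScript MIME type essences that browsers will execute when strict MIME
# checking (X-Content-Type-Options: nosniff) is on, per the WHATWG MIME
# Sniffing standard.  Note that text/x-js is NOT in this set.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# Constructed from the capture posted for the broken site (text/x-js + nosniff).
BROKEN_SITE = """
Content-Encoding:gzip
Content-Type:text/x-js
Server:Apache
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
"""

# Constructed from the capture posted for the working site.
FIXED_SITE = """
Content-Encoding:gzip
Content-Type:application/javascript
Server:Apache
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
"""

# Constructed: the same misconfigured server with the nosniff line commented
# out of .htaccess, which is how the symptom first "went away" in the thread.
NO_NOSNIFF = """
Content-Encoding:gzip
Content-Type:text/x-js
Server:Apache
"""


def parse_headers(raw: str) -> dict[str, str]:
    """Parse 'Name:value' lines as copied from DevTools into a dict keyed by
    lowercase header name.  Only the first ':' separates name from value."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def mime_essence(content_type: str) -> str:
    """Strip parameters and normalise case: 'Text/JavaScript; charset=UTF-8'
    becomes 'text/javascript'."""
    return content_type.split(";", 1)[0].strip().lower()


def script_verdict(raw_headers: str) -> str:
    """Decide what a browser does with a <script src=...> response.

    'executed' : Content-Type is a JavaScript MIME type.
    'blocked'  : nosniff is set and the type is wrong (Chrome's "Refused to
                 execute script ... strict MIME type checking is enabled").
    'sniffed'  : the type is wrong but nosniff is absent, so the browser runs
                 the script anyway and the misconfiguration stays hidden.
    """
    headers = parse_headers(raw_headers)
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    if mime_essence(headers.get("content-type", "")) in JS_MIME_TYPES:
        return "executed"
    return "blocked" if nosniff else "sniffed"


def triage(captures: dict[str, str]) -> dict[str, str]:
    """Map each captured script URL to its verdict so misconfigured responses
    stand out in one pass over a DevTools export."""
    return {url: script_verdict(raw) for url, raw in captures.items()}


if __name__ == "__main__":
    # Hypothetical URLs; the placeholder host mirrors the thread's 'xxx.org'.
    sample = {
        "https://xxx.org/wp-content/plugins/bulletproof-security/admin/js/bps-ui-dialog.js": BROKEN_SITE,
        "https://example-fixed.org/wp-content/plugins/bulletproof-security/admin/js/bps-ui-dialog.js": FIXED_SITE,
        "https://xxx.org/wp-includes/js/wp-emoji-release.min.js": NO_NOSNIFF,
    }
    for url, verdict in triage(sample).items():
        print(f"{verdict:9s} {url}")
```

    The "sniffed" outcome is the point worth keeping in mind: commenting the nosniff header out of .htaccess only removes the browser's complaint, while the server keeps serving scripts with a non-JavaScript Content-Type. The durable fix is the one the next post arrives at, correcting the server's MIME mapping for .js files, after which the header can stay on.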
    #32633
    Qtwix
    Participant

    To anyone who followed the topic: the issue got solved by adding

    AddType application/javascript .js

    to the root .htaccess file, which forces the correct MIME type in the header for .js files.
