NextGen Gallery Pro – POST request blocked

  • #35611

    Hello,

    I have NextGEN Gallery Pro and the ecommerce section is conflicting with BPS security.  The NextGEN support staff have indicated the POST option is being blocked.  Their response is listed below.  Will you please help me whitelist the link?

    My guess is that it could be because of BulletProof Security and it may require you to whitelist that link.
    Please contact the “BulletProof Security” support and ask them to help you whitelist the following page to allow sending POST requests to it: http://currentfocus.com/wordpress/wp-admin/admin.php?page=ngg_ecommerce_options

    Regards,

    Claudia

    #35618
    AITpro Admin
    Keymaster

    Are you using the BPS POST Attack Protection Bonus Custom Code? Go to your BPS Security Log and copy and paste the Security Log entry that shows what is being blocked in NextGen Pro.

    #35619

    These are the security modes active:
    htaccess File Security Modes ~ RBM, WBM, HPF, MBM & BBM BulletProof Modes
    I’m getting a 404 error when I try to save the ecommerce options in NextGEN.  The log says malformed code:

    Event Code: The request could not be understood by the server due to malformed syntax.
    Solution: N/A - Malformed Request - Not an Attack
    REMOTE_ADDR: 188.237.255.241
    Host Name: host-static-188-237-255-241.moldtelecom.md
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://currentfocus.com/wordpress/wp-admin/admin.php?page=ngg_ecommerce_options
    REQUEST_URI: /wordpress/wp-admin/admin.php?page=ngg_ecommerce_options
    QUERY_STRING: page=ngg_ecommerce_options
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
    
    [400 GET Bad Request: April 9, 2018 10:24 am]
    BPS:
    WP: 4.9.5
    Event Code: The request could not be understood by the server due to malformed syntax.
    Solution: N/A - Malformed Request - Not an Attack
    REMOTE_ADDR: 188.237.255.241
    Host Name: host-static-188-237-255-241.moldtelecom.md
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://currentfocus.com/wordpress/wp-admin/admin.php?page=ngg_ecommerce_options
    REQUEST_URI: /wordpress/wp-admin/admin.php?page=ngg_ecommerce_options
    QUERY_STRING: page=ngg_ecommerce_options
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

    #35620
    AITpro Admin
    Keymaster

    Ok do these BPS troubleshooting steps and let me know if the error and problem are still occurring.  At this point we are trying to isolate and find the root cause of the problem.

    https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button.
    After doing step #1, test NextGen functionality to see if the problem is still occurring.  If the problem is still occurring do step #2 below.  If the problem is not occurring, stop here.
    2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.

    #35621
    AITpro Admin
    Keymaster

    Oops I misread the Security Log entry.  It clearly shows that the wp-admin htaccess file is causing the problem.  Do these steps below and let me know if the problem is fixed.

    1. Copy the wp-admin htaccess code below into this BPS wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the save wp-admin Custom Code button.
    3. Go to the Security Modes page and click the wp-admin folder BulletProof Mode Activate button.

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=3]
    
    # NextGEN Gallery Pro Query String skip/bypass rule
    RewriteCond %{QUERY_STRING} page=ngg_ecommerce_options(.*) [NC]
    RewriteRule . - [S=2]

    #35622

    When I attempt to save the code (step 2)  I get the error below.

    currentfocus.com 400 Bad Request Error Page
    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.

    There is already custom code listed in that box.  I have pasted yours after that.  Should your code come before this or does it make no difference?

    The code that is there already is this:

    # NextGen Gallery Query String skip/bypass rule
    RewriteCond %{QUERY_STRING} page=nggallery-manage-gallery(.*) [NC]
    RewriteRule . - [S=2]

    #35623
    AITpro Admin
    Keymaster

    Ok well it sounds like you may have Mod Security enabled on your hosting account.  You can check if Mod Security is enabled on the BPS System Info page under the “Website|Server|Opcode Cache|Accelerators|IP Info|Apache Modules|Directives” table.  Or there is another problem with your server that is causing both the NextGEN and BPS Custom Code problems.  For now you can use FTP or your web host control panel file manager and manually edit the BPS root htaccess file and add this new custom htaccess code.

    The custom code I posted should go above the existing NextGen Gallery custom code.  So use this code below (I have updated the S numbers to 3 and 4).

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=4]
    
    # NextGEN Gallery Pro Query String skip/bypass rule
    RewriteCond %{QUERY_STRING} page=ngg_ecommerce_options(.*) [NC]
    RewriteRule . - [S=3]
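
An added sketch (not part of the original posts, and not BPS code) of why the S numbers were raised to 3 and 4: it counts RewriteRule lines the way mod_rewrite's S=n flag does and reports where each skip rule lands. The function names, and the check that all stacked skip rules should land on the same rule, are assumptions inferred from the renumbering in the thread.

```python
import re

# Matches a RewriteRule line and captures its optional [flags] list.
RULE_RE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+\S+(?:\s+\[(?P<flags>[^\]]*)\])?", re.I)
# Matches the skip flag (S=n or skip=n) inside a flags list.
SKIP_RE = re.compile(r"(?:^|,)\s*(?:S|skip)=(\d+)\s*(?:,|$)", re.I)
# Constructed samples built from the rules quoted in this thread.
EXISTING = r"""# NextGen Gallery Query String skip/bypass rule
RewriteCond %{QUERY_STRING} page=nggallery-manage-gallery(.*) [NC]
RewriteRule . - [S=2]
"""
# First version (S=3, S=2) pasted after the existing rule.
PASTED_AFTER = EXISTING + r"""# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=3]
# NextGEN Gallery Pro Query String skip/bypass rule
RewriteCond %{QUERY_STRING} page=ngg_ecommerce_options(.*) [NC]
RewriteRule . - [S=2]
"""
# Renumbered version (S=4, S=3) placed above the existing rule.
RENUMBERED = r"""# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=4]
# NextGEN Gallery Pro Query String skip/bypass rule
RewriteCond %{QUERY_STRING} page=ngg_ecommerce_options(.*) [NC]
RewriteRule . - [S=3]
""" + EXISTING

def skip_landings(text):
    """Return (rule_index, n, landing_index) for each RewriteRule with S=n."""
    found, index = [], 0
    for line in text.splitlines():
        rule = RULE_RE.match(line)
        if not rule:
            continue  # comments and RewriteCond lines are not counted by S=n
        skip = SKIP_RE.search(rule.group("flags") or "")
        if skip:
            n = int(skip.group(1))
            found.append((index, n, index + 1 + n))
        index += 1
    return found

def chain_is_consistent(text):
    """Assumption: all stacked skip rules should land on the same rule."""
    return len({landing for _, _, landing in skip_landings(text)}) <= 1

if __name__ == "__main__":
    for name, text in (("pasted after", PASTED_AFTER), ("renumbered", RENUMBERED)):
        print(name, skip_landings(text), chain_is_consistent(text))
```

With the first version pasted after the existing rule, the existing S=2 rule lands two rules short of the others; with the renumbered block placed above it, all three rules land at the same index.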

    #35624

    200: mod_security Module is not Loaded|Enabled

    I used FTP to download the .htaccess file from the wp-admin directory and added the lines you provided above the existing nextGEN code.  I renamed the existing file and uploaded my modified file. I deactivated and reactivated the wp-admin BP folder.  I still get the same error.  None of the code I added to the .htaccess file is showing in the custom code window.  Shouldn’t it show?  I added it between the #Begin custom code  #End custom code  and above the # Nextgen code that was already there.  Did I screw up something?

    #35625
    AITpro Admin
    Keymaster

    Hmm does not sound like BPS is causing the NextGEN Pro 400 error, but there is a Security log entry being logged by BPS.  BPS logs all 400, 403, 404, 405 and 410 errors whether or not BPS is causing the error.  Ok so at this point deactivate both Root and wp-admin BulletProof Modes.  If the 400 error is still occurring then BPS is not causing it.

    If BPS is not causing the 400 error then I think the best thing to do would be to contact your web host.  A 400 error could mean there is something fubar with your PHP server.  You can try this quick thing that will tell you whether or not your PHP server is fubar.  Check your web host’s site help pages and look/search for:  “switch php version”.  When you switch your PHP version you are literally switching to a different PHP server.  Switching PHP servers/versions is very quick and simple to do.  It should only take you about 15 minutes to do that.

    Another thing that can cause 400 errors is caching plugins/CDN’s/Cloudflare, etc.  If you are using a caching plugin or CDN, etc. then make sure you are not caching whatever page it is where you have the “NextGEN Gallery Pro and the ecommerce section”.

    #35630

    I deactivated the 2 security modes and retried.  Still the same error.   Can you tell me why the custom code I entered and uploaded via FTP is not showing?  Shouldn’t it?  Where do I go from here?

    I have no caching plugins.  I don’t know if any of the few other plugins I have installed would be causing a caching problem.

    #35634
    AITpro Admin
    Keymaster

    Custom Code text boxes are where you enter htaccess code.  That htaccess code is saved to your WordPress Database.  When you activate BulletProof Modes any Custom Code saved to your WP Database is written to your htaccess file.  If you are manually editing your htaccess files that does not have anything to do with BPS Custom Code.

    I gave you your next directions to go in:  switch your php server version.  If that does not work then you need to contact your web host support folks.  I don’t think NextGEN support is going to be able to help you either with whatever is causing this problem.  The problem is either something is fubar about your website or your host server.

    #35637

    Thank you for your help.

    #35641

    Hi,

    I just finished a chat with my web host.  They asked what level of PHP you require.  They didn’t find anything wrong with the setup and I’m on the highest PHP version they have.

    #35642
    AITpro Admin
    Keymaster

    Have them check the server log files for 400 errors so they can see the problem. What this info below does not mention is that if there is something fubar with the server itself then a valid request with valid syntax sent by a client will not be processed correctly by the PHP server. A 400 error generated when a known valid request with valid syntax is sent by a client is a clue that the server may not be processing requests correctly. Switching to any different PHP version switches the PHP server. It does not matter what version that is. You are attempting to find out if there is a problem with your current PHP server.

    400 Bad Request Error is an HTTP response status code that indicates that the server was unable to process the request sent by the client due to invalid syntax.
