Nextgen Gallery 403 error


This topic contains 37 replies, has 4 voices, and was last updated by Alex Laxton 2 weeks, 4 days ago.

Viewing 15 posts - 16 through 30 (of 38 total)
    #17726

    Glasairmell
    Participant

    Will this take care of it?

     /tinymce-advanced/mce/(.*).js

    #17730

    AITpro Admin
    Keymaster

    Are you talking about this plugin:  https://wordpress.org/plugins/tinymce-advanced/

    TinyMCE Advanced does not have any frontloading plugin scripts that need to be whitelisted in the Plugin Firewall. Are you seeing Security Log entries for the TinyMCE Advanced plugin?

    Run/Use the BPS Pro Pro-Tools cURL Scan tool on this website to get your Plugin Firewall whitelist rules or you can rerun the Wizards.

    #17743

    Glasairmell
    Participant

    Yes TinyMce Advanced. This is on the XXXxair.com site and the problem showed up on the security log.

    When I run your cURL script I get this.

    /nice-login-register-widget/js/pw-login-widget.js, /nice-login-register-widget/js/ajax-authentication.js

    Yet an admin on the site can not see any edit buttons or copy on the editor. I added this:

    /tinymce-advanced/mce/nonbreaking/(.*).js, /plugins/tinymce-advanced/mce/anchor/(.*).js, /tinymce-advanced/mce/print/(.*).js, /tinymce-advanced/mce/insertdatetime/(.*).js, /tinymce-advanced/mce/searchreplace/(.*).js, /tinymce-advanced/mce/code/(.*).js, /tinymce-advanced/mce/table/(.*).js, /tinymce-advanced/mce/advlist/(.*).js, /tinymce-advanced/mce/emoticons/(.*).js, /tinymce-advanced/mce/visualblocks/(.*).js, /tinymce-advanced/mce/visualchars/(.*).js, /tinymce-advanced/mce/wptadv/(.*).js

    and it fixed the problem.

    I am switching to TinyMce Advanced on my WP sites and need to avoid this problem hence my question about the shortened code

    /tinymce-advanced/mce/(.*).js

    By the way, when I was running Ultimate TinyMCE on this site it was exhibiting the same problem, where cURL was not picking it up.

    #17745

    AITpro Admin
    Keymaster

    This is not a valid plugin whitelist rule below because it contains the /plugins/ folder name in the path:

    Invalid
    /plugins/tinymce-advanced/mce/anchor/(.*).js

    Valid
    /tinymce-advanced/mce/anchor/(.*).js

    I use TinyMCE Advanced on some of my websites and I have not seen the problem you are describing.  What is probably occurring is the Plugin Firewall htaccess file needs to be flushed on this site like your other site.  Remove the tinymce advanced plugin whitelist rules and then do the same flush steps on this site.  Also for good measure go to the Security Modes page and activate both Root folder and wp-admin folder BulletProof Modes again.

    I just retested both TinyMCE Advanced and Ultimate TinyMCE and they work fine without any issues and without requiring any Plugin Firewall whitelist rules.
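
    The valid/invalid distinction above (a whitelist rule is a path relative to the plugins folder, so it must not carry the /plugins/ folder name) and the earlier question of whether the shortened rule /tinymce-advanced/mce/(.*).js covers the twelve per-subfolder rules can both be checked mechanically. The following is an added example written for this thread, not BPS Pro's own validation code; it assumes the rule format shown in the posts (comma-separated paths, (.*) as the only wildcard) and that rules are relative to wp-content/plugins.

```python
import re

# Constructed sample, taken from the rules posted in this thread: one of them
# wrongly carries the /plugins/ folder name. Not BPS Pro's own validation code.
POSTED_RULES = (
    "/tinymce-advanced/mce/nonbreaking/(.*).js, "
    "/plugins/tinymce-advanced/mce/anchor/(.*).js, "
    "/tinymce-advanced/mce/print/(.*).js, "
    "/tinymce-advanced/mce/table/(.*).js"
)

# Assumption: rules are paths relative to wp-content/plugins, so any rule
# beginning with /plugins/ or /wp-content/plugins/ has one folder too many.
INVALID_PREFIX = re.compile(r"^/(wp-content/)?plugins/")
MSG_PREFIX = "drop the /plugins/ folder name; the rule must start at the plugin folder"
MSG_SLASH = "rule must start with /"


def parse_rules(text):
    """Split a comma-separated whitelist string into individual rules."""
    return [r.strip() for r in text.split(",") if r.strip()]


def validate_rule(rule):
    """Return (ok, message) for one rule."""
    if not rule.startswith("/"):
        return False, MSG_SLASH
    if INVALID_PREFIX.match(rule):
        return False, MSG_PREFIX
    return True, "ok"


def check_whitelist(text):
    """Validate every rule in a whitelist string; return {bad_rule: message}."""
    bad = {}
    for rule in parse_rules(text):
        ok, msg = validate_rule(rule)
        if not ok:
            bad[rule] = msg
    return bad


def rule_to_regex(rule):
    """Compile a rule into an anchored regex. Only the (.*) wildcard is special;
    every other character is matched literally. (.*) also crosses '/', which is
    what lets /tinymce-advanced/mce/(.*).js cover the sub-folders below mce/."""
    literal_parts = rule.split("(.*)")
    return re.compile("^" + ".*".join(re.escape(p) for p in literal_parts) + "$")


def uncovered_by(short_rule, specific_rules):
    """Return the specific rules that short_rule would NOT match. Each specific
    rule is instantiated with a representative file name in place of (.*)."""
    short = rule_to_regex(short_rule)
    return [r for r in specific_rules
            if not short.match(r.replace("(.*)", "plugin.min"))]


if __name__ == "__main__":
    for rule, msg in check_whitelist(POSTED_RULES).items():
        print(f"invalid: {rule}: {msg}")
    valid = [r for r in parse_rules(POSTED_RULES) if validate_rule(r)[0]]
    print("uncovered:", uncovered_by("/tinymce-advanced/mce/(.*).js", valid))
```

    Run stand-alone it reports the one rule with the stray /plugins/ prefix and an empty "uncovered" list, meaning the single shortened rule matches every path the per-subfolder rules matched. Note that the coverage check is deliberately one-directional: the short rule also whitelists anything else under mce/, which is the trade-off of using a wider wildcard.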

    #17749

    Glasairmell
    Participant

    Sorry for the typo.

    When I was using the editor I did not have the problem; however, when the client did from his IP, he did.  The Nextgen behavior was similar and I was thinking my IP was stored and whitelisted on the firewall.  I will look at your suggestions.

    #17750

    AITpro Admin
    Keymaster

    I checked the site and I do not see that the TinyMCE Advanced plugin is being used on the frontside of the website.  In this forum site we are using the standard WordPress TinyMCE editor for forum topic posts and replies and NOT using the TinyMCE Advanced plugin since that exposes too much frontend capability that would require lots of customization to prevent serious vulnerabilities.

    So the question is how did a visitor to this website get to the TinyMCE Advanced editor?  Does he have Administrator, Author or Editor permissions to the backend of the website?

    #17751

    AITpro Admin
    Keymaster

    Oh I see that he is the client and I assume he has Administrator permissions to the site.  The problem is going to be on his end.  It is going to be something like he is not clicking the “Show Kitchen Sink” toolbar/menu button or his IP address is not automatically being updated in the Plugin Firewall.  That problem can occur if someone is using a VPN/Proxy (either web based or on their computer) where their IP address is hidden or forced to use X-Forwarded-for in a non-conventional way or is behind an internal network firewall that also breaks the IP address retrieval.

    To get around problems with non-conventional VPNs/Proxies you can try and use the Plugin Firewall >>> Additional Whitelist Tools accordion tab >>> Additional Roles IP Whitelist tool to see if that works.  Whether that works or not is just going to depend on how badly the VPN/Proxy or internal network firewall is mangling things.

    #17756

    Glasairmell
    Participant

    As I said above it is an Admin.  Here is the security log after changing the white list.  Please remove it after you read it as I do not have time to edit out my ip info.

    [Security Log entries deleted]

    #17758

    AITpro Admin
    Keymaster

    Ok but in this particular case the Security Log entries are actually a symptom of another problem.  The root problem is that the user’s IP address is not being whitelisted in the backend of the site.  Or another way to phrase this is: normally you would not see these Security Log entries unless there is a problem with the user’s IP address being retrieved correctly.  Since TinyMCE Advanced is working for you correctly because your IP address is being retrieved successfully, the problem is isolated to the user.  What you need to ask this user is if they are using a VPN/Proxy (web based or computer application installed on the user’s computer) or internal network firewall when logging into the site.

    #17759

    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    Oh hold on I just looked at the Security Log entries a little closer.  I think what is happening is this user is doing some sort of “remote posting”.  Do these steps below to whitelist the /wp-admin/post.php & admin-ajax.php files. Also since this user is doing “remote posting” then the BPS XML-RPC Bonus Custom Code should NOT be used on this website.

    1. Add the admin-ajax.php & post.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # admin-ajax.php & post.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php|post\.php) [NC]
    RewriteRule . - [S=2]
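
    The note above about the skip count is the part of this procedure that is easiest to get wrong: [S=n] skips the next n RewriteRule directives, so a rule placed above an existing [S=1] bypass and the deny rule it guards must skip both of them, otherwise the request falls straight onto the deny rule. The following is an added example written for this thread, not BPS Pro's own code and not Apache itself: a small model of ordered mod_rewrite evaluation that shows the [S=1] versus [S=2] outcome for an admin-ajax.php request. The two "existing" rules are assumed for illustration; the real wp-admin .htaccess generated by BPS Pro is not reproduced here.

```python
import re

# Simplified model of an ordered mod_rewrite rule list, written for this thread
# and not taken from BPS Pro. Each entry is (REQUEST_URI regex, flag): flag
# "S=n" skips the next n rules when the regex matches, "F" returns 403.
# RewriteCond and its RewriteRule are fused into one entry here.
def evaluate(rules, uri):
    """Walk the rules in order, honouring skips; return 'forbidden' or 'allowed'."""
    i = 0
    while i < len(rules):
        cond, flag = rules[i]
        i += 1
        if not re.search(cond, uri, re.IGNORECASE):
            continue
        if flag.startswith("S="):
            i += int(flag[2:])          # skip the next n rules, as [S=n] does
        elif flag == "F":
            return "forbidden"
    return "allowed"


# Assumed pre-existing wp-admin rules (constructed for illustration): one [S=1]
# bypass that guards one deny rule. The thread says the new rule is written
# above an existing [S=1] rule, which is the situation modelled here.
EXISTING_RULES = [
    (r"^/wp-admin/(css|js|images)/", "S=1"),   # assumed bypass for static assets
    (r"^/wp-admin/", "F"),                      # assumed deny for everything else
]

# The condition from the skip rule posted in the thread, skip count parameterised.
NEW_RULE_COND = r"(admin-ajax\.php|post\.php)"


def wp_admin_rules(skip_count):
    """The rule set as it would look with the new rule inserted at the top."""
    return [(NEW_RULE_COND, f"S={skip_count}")] + EXISTING_RULES


def required_skip(existing_rules):
    """The skip count a rule placed at the very top needs: every rule below it."""
    return len(existing_rules)


if __name__ == "__main__":
    for n in (1, 2):
        verdict = evaluate(wp_admin_rules(n), "/wp-admin/admin-ajax.php")
        print(f"[S={n}] admin-ajax.php -> {verdict}")
    print("required skip count:", required_skip(EXISTING_RULES))
```

    With [S=1] the new rule matches, skips only the static-asset bypass, and the request lands on the deny rule, so admin-ajax.php is still forbidden; with [S=2] both rules below are skipped and the request goes through, while an unrelated wp-admin request such as edit.php is still denied. That is the same arithmetic as the note above: count the RewriteRule lines below the new rule that must be jumped over, and use that number.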

    #17766

    Glasairmell
    Participant

    Grrr I have him set as an Author. My bad.

    ADDED: Fix did not work since I guess he is Author status.

    #17769

    AITpro Admin
    Keymaster

    No problem, but you may also need to add that post.php skip/bypass rule too. 50/50 chance of that so once you make him an Admin then have him test things.  If the problem is still occurring then add the skip/bypass rule.

    He would need to be an Administrator for that “fix” whitelist rule to work.  So the process would be make him an Admin, have him check things, if things do not work after he is an Admin then add the skip/bypass rule.

    #17773

    Glasairmell
    Participant

    Sigh, ok, will make him an admin; been putting that off for simplicity.

    #17775

    AITpro Admin
    Keymaster

    That is why you set up automated backups for customers.  😉  So when they break their website, which they will do, then you just restore the last backup – been there and done that for many years.

    #17776

    Glasairmell
    Participant

    Now it works when I make him an Admin.

