Open Web Analytics – 403 error

  • #30356
    Bea
    Participant

    Hi, I am getting logs for a plugin that records site activity.
    Event Code: WPADMIN-SBR
    Really appreciate your advice:

    HTTP_REFERER: http://Siting.com/wp-admin/index.php?page=owa&owa_siteId=cacc5b68e1fabdc7f92ac7d34efd9053&owa_period=last_seven_days&owa_startDate=20160717&owa_endDate=20160724&owa_do=base.reportDomstreams
    REQUEST_URI: /wp-admin/index.php?page=owa&owa_do=base.overlayLauncher&owa_document_id=3873866798&owa_overlay_params=siteId%3D%3Ecacc5b68e1fabdc7f92ac7d34efd9053%7C%7C%7Cperiod%3D%3Elast_seven_days%7C%7C%7CstartDate%3D%3E20160717%7C%7C%7CendDate%3D%3E20160724%7C%7C%7Caction%3D%3EloadPlayer%7C%7C%7Capi_url%3D%3Ehttp%3A%2F%2Fconstructtesting.co.nz%2Findex.php%3Fowa_apiAction%7C%7C%7Cdomstream_guid%3D%3E1469423172155985145
    #30361
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    There is a URL-encoded angle bracket code character (%3E is >) in the Query String that is being blocked by the BPS wp-admin htaccess file security filters.  The angle bracket code character looks like a coding mistake to me, but if you think it is supposed to be there in the Query String then to allow/whitelist the > angle bracket code character in Query Strings do the steps below.

    1. Copy the modified wp-admin htaccess file Query String Exploits code below to this BPS wp-admin Custom Code text box: CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and click the wp-admin Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    #RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    #RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    #RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
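
As an added example (not part of the original post and not BPS code): a Python check that replays the logged request against a subset of the RewriteCond lines posted above, to see which condition actually matches it. It assumes Python's `re` agrees with Apache's PCRE for these simple patterns and treats `[NC]` as case-insensitive; `parse` and `matches` are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit

# RewriteCond lines copied from the BPSQSE block in the post above (a subset);
# a leading "#" marks the conditions that post commented out.
RULES = r"""
#RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
#RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
"""
COND = re.compile(r"^(#?)RewriteCond\s+%\{(\w+)\}\s+(\S+)\s+\[([^\]]*)\]$")

# Request values from the Security Log entry in the first post of the thread.
REQUEST_URI = "/wp-admin/index.php?page=owa&owa_do=base.overlayLauncher&owa_document_id=3873866798&owa_overlay_params=siteId%3D%3Ecacc5b68e1fabdc7f92ac7d34efd9053%7C%7C%7Cperiod%3D%3Elast_seven_days%7C%7C%7CstartDate%3D%3E20160717%7C%7C%7CendDate%3D%3E20160724%7C%7C%7Caction%3D%3EloadPlayer%7C%7C%7Capi_url%3D%3Ehttp%3A%2F%2Fconstructtesting.co.nz%2Findex.php%3Fowa_apiAction%7C%7C%7Cdomstream_guid%3D%3E1469423172155985145"
LOGGED = {
    "HTTP_REFERER": "http://Siting.com/wp-admin/index.php?page=owa&owa_siteId=cacc5b68e1fabdc7f92ac7d34efd9053&owa_period=last_seven_days&owa_startDate=20160717&owa_endDate=20160724&owa_do=base.reportDomstreams",
    "QUERY_STRING": urlsplit(REQUEST_URI).query,
}

def parse(rules):
    """Yield (disabled, variable, compiled_regex, source_line) per RewriteCond."""
    for line in rules.strip().splitlines():
        m = COND.match(line.strip())
        if m:
            hashmark, var, pattern, flags = m.groups()
            nocase = re.IGNORECASE if "NC" in flags.split(",") else 0
            yield bool(hashmark), var, re.compile(pattern, nocase), line.strip()

def matches(request, rules=RULES):
    """Return the conditions a request hits, split into active and disabled."""
    hits = {"active": [], "disabled": []}
    for disabled, var, regex, source in parse(rules):
        # mod_rewrite tests the raw, still percent-encoded value: no unquoting.
        if regex.search(request.get(var, "")):
            hits["disabled" if disabled else "active"].append(source)
    return hits

if __name__ == "__main__":
    for state, lines in matches(LOGGED).items():
        print(state, *lines, sep="\n  ")
```

For the logged request, the only condition in this subset that matches is the commented-out QUERY_STRING filter containing `%3E`; none of the still-active conditions match it.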
    #30362
    Bea
    Participant

    Thank you so much again. Will do and let the plugin dev know (possible typo).
    Appreciate your help again

    #30472
    Bea
    Participant

    Can I please follow up: since placing this code, the admins of the site are being redirected to a 403.
    Am unsure if it relates, because if I test and turn off root RBM they can access.
    using site access – http://site/wp-admin results in this link http://site/wp-login.php?redirect_to=http%3A%2F%2Fsite%2Fwp-admin%2F&reauth=1

    with BPS 403 message:
    403 Forbidden
    site 403 Forbidden Error Page

    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you. and IP

    Have attempted a workaround by adding allow their IP to custom code Brute force but they remain 403

    #30473
    AITpro Admin
    Keymaster

    This sounds like a new/different problem.  Maybe the BPS Query String Exploits code was not copied correctly or this is just a completely different problem.  Go to the B-Core > htaccess File Editor tab page > click the secure.htaccess tab > copy the entire file contents and post it in your reply.  Go to the BPS Security Log page and post any Security Log entries that relate to your Login page and this problem.

     
