Panopress – uploads folder 403 error (BulletProof Security Pro forum)
This topic has 12 replies, 2 voices, and was last updated 7 years, 2 months ago by Matt Zahy.
Matt Zahy (Participant)
Hi,
BPS Pro is somehow blocking the panopress plugin from working and/or the iframe on my site.
B-core security log:
[403 GET Request: January 10, 2016 3:03 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 79.169.4.197
Host Name: a79-169-4-197.cpe.netcabo.pt
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 79.169.4.197
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://xxxxxxx/360-test/
REQUEST_URI: /wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxxx/wp-content/uploads/panoramas/test1/test1.html%E2%80%9D?base=http://xxxxxx/wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxx/wp-content/uploads/panoramas/test1/&
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
I am having a problem similar to this topic, but the solution didn't work for me: http://forum.ait-pro.com/forums/topic/panopress-360-degree-panoramic-map-403-error/ Can you help me?
thank you
Matt
AITpro Admin (Keymaster)
The Security Log entry shows that what is being blocked is the /panoramas/ URI|Query string in the /uploads folder by BPS Pro UAEG. Do this BPS Pro troubleshooting step below and test things and let me know if that works. If that works then I will post the UAEG whitelist rule that you need to allow/whitelist this. It is possible that you may need to add an additional whitelisting rule in the root htaccess file too because the Query String is simulating a common RFI hacking attempt against your website:
http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.
Matt Zahy (Participant)
Hi,
thank you for the quick answer. I deactivated UAEG and the iframe link started to work:
iframe src="https://www.xxxxx.xx/wp-content/uploads/panoramas/test1/test1.html" width="800" height="650" allowfullscreen="allowfullscreen"
The second one, which works for panopress, is still blocked:
pano file="https://www.xxxxx.xx/wp-content/uploads/panoramas/test1/test1.html"
I would like to get panopress working, but if you can, please write me what to do to get at least the iframe working. Thank you for the help.
matt
AITpro Admin (Keymaster)
Ok now do this additional BPS Pro troubleshooting step below and test things and let me know if everything works. Keep UAEG deactivated too for now and do this additional troubleshooting step. I am thinking that both UAEG and something in the root htaccess file are blocking the simulated RFI attack made by the panopress Query String.
http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
Matt Zahy (Participant)
Hi,
now the second one (panopress) is not showing the 403 error anymore, but the panorama is not working and I am still getting this in the Security Log:
[403 GET Request: January 10, 2016 11:52 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 79.169.4.197
Host Name: a79-169-4-197.cpe.netcabo.pt
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 79.169.4.197
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://xxxxxx/360-test/
REQUEST_URI: /wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxxx/wp-content/uploads/panoramas/test1/test1.html%E2%80%9D?base=http://xxxxxx/wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxx/wp-content/uploads/panoramas/test1/&
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
AITpro Admin (Keymaster)
Is UAEG still deactivated/turned off?
Matt Zahy (Participant)
Yes, they were both deactivated.
m.
AITpro Admin (Keymaster)
Also are you using any BPS Bonus Custom Code that would block iFrames? If you want me to login to this site and figure out the solution then send a WordPress Administrator login to info at ait-pro dot com.
Matt Zahy (Participant)
No, I don't use any custom code. OK, I am sending the login data. If you won't be able to get panopress working, please just enable the iframe.
AITpro Admin (Keymaster)
The solution requires both root htaccess code customization/whitelisting and UAEG htaccess code customization/whitelisting:
Root htaccess file customizations/edits: The Request URI and Query String simulate an RFI hacking attempt against your website. Solution is to comment out the Secondary RFI security filters in the BPS Query String Exploits.
1. Copy the modified BPS Query String Exploits below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
UAEG htaccess file customizations/edits: html and js file extensions need to be deleted/removed from the FilesMatch file types security filter. The panoramas folder needs to be whitelisted. Note: In this particular case html files are used to display the iFrame so if other file types are used, such as swf or php files then those file types would need to be removed/deleted from the FilesMatch code instead of the html file type.
1. Copy and paste your entire Uploads .htaccess file code from the “Your Current Uploads htaccess File” tab on the htaccess File Editor page into the CUSTOM CODE UAEG text box.
2. Edit/modify/customize your UAEG htaccess code.
3. Click the Save UAEG Custom Code button to save your UAEG custom code.
4. Go to the BPS Security Modes page and click the UAEG BulletProof Mode Activate button.
UAEG Custom Code edits/customizations:
mod_access_compat UAEG htaccess file type:
# Whitelist the panoramas folder in the uploads folder: /uploads/panoramas/
SetEnvIf Request_URI "panoramas/.*$" whitelist
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
Order Allow,Deny
Allow from env=whitelist
Deny from all
</FilesMatch>
mod_authz_core IfModule BC UAEG htaccess file type:
# Whitelist the panoramas folder in the uploads folder: /uploads/panoramas/
SetEnvIf Request_URI "panoramas/.*$" whitelist
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
<IfModule mod_authz_core.c>
Require env whitelist
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
<IfModule mod_access_compat.c>
Order Allow,Deny
Allow from env=whitelist
Deny from all
</IfModule>
</IfModule>
</FilesMatch>
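Added example, not BPS Pro's code and not part of the thread: a small Python replay of the two Security Log entries quoted above against a Python translation of the QUERY_STRING filters (the three "Secondary RFI" filters the admin commented out plus a few that stay active) and a model of the posted UAEG FilesMatch/SetEnvIf block. It shows which filters fire on the panopress request before and after the edit, and what the extension list and the whitelist env each do to the test1.xml request. The log text is constructed from the thread's entries, trimmed to the fields needed; the filter names, helper functions and the PCRE-to-Python translation are this example's own assumptions, and the patterns are copied from the htaccess code above.

```python
import re

# Constructed from the two Security Log entries quoted in this thread,
# trimmed to the fields the replay needs (hosts already masked as xxxxxx).
LOG = """\
[403 GET Request: January 10, 2016 3:03 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 79.169.4.197
REQUEST_METHOD: GET
HTTP_REFERER: http://xxxxxxx/360-test/
REQUEST_URI: /wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxxx/wp-content/uploads/panoramas/test1/test1.html%E2%80%9D?base=http://xxxxxx/wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxx/wp-content/uploads/panoramas/test1/&
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

[403 GET Request: January 11, 2016 11:03 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 79.169.4.197
REQUEST_METHOD: GET
HTTP_REFERER: http://www.xxxxxx/wp-content/uploads/panoramas/test1/test1.html
REQUEST_URI: /wp-content/uploads/panoramas/test1/test1data/test1.xml
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 4.4.2; SM-T310 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Safari/537.36
"""

# Python translations of the three Secondary RFI filters the admin commented
# out, and of a few filters that stay active. Patterns copied from the BPSQSE
# block above; the names are this example's own.
COMMENTED_OUT = {
    "qs_param_url": r"[a-zA-Z0-9_]=(http|https)://",
    "qs_param_path": r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+",
    "qs_scheme": r"(http|https):",
}
STILL_ACTIVE = {
    "qs_traversal": r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)",
    "qs_script_tag": r"(<|%3C).*script.*(>|%3E)",
    "qs_localhost": r"(localhost|loopback|127\.0\.0\.1)",
    "qs_bad_chars": r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)",
}

# UAEG FilesMatch extension list exactly as posted (html and js already gone)
# and the SetEnvIf whitelist pattern.
BLOCKED_EXTS = frozenset(
    "7z as bat bin cgi chm chml class cmd com command dat db db2 db3 dba dll "
    "DS_Store exe gz hta htaccess htc htm htx idc ini ins isp jar jav java jse "
    "jsfl json jsp jsx lib lnk out php phps php5 php4 php3 phtml phpt pl py pyd "
    "pyc pyo rar shtm shtml sql swf sys tar taz tgz tpl vb vbe vbs war ws wsf "
    "xhtml xml z".split()
)
WHITELIST_RE = r"panoramas/.*$"  # SetEnvIf Request_URI "panoramas/.*$" whitelist


def parse_entry(text):
    """Turn one BPS log entry into a dict of its UPPER_CASE fields. The query
    is recovered from REQUEST_URI because BPS logged QUERY_STRING empty here;
    it stays percent-encoded, which is what mod_rewrite matches against."""
    parts = re.split(r"\s*([A-Z_]{2,}):\s*", text)
    entry = dict(zip(parts[1::2], parts[2::2]))
    path, _, query = entry.get("REQUEST_URI", "").partition("?")
    entry["PATH"] = path
    entry["QUERY"] = entry.get("QUERY_STRING") or query
    return entry


def root_filters_hit(query, rfi_filters_enabled=True):
    """Names of the modelled QUERY_STRING filters that fire; any hit means the
    [F] RewriteRule answers 403. All of these carry [NC], hence IGNORECASE."""
    filters = dict(STILL_ACTIVE)
    if rfi_filters_enabled:
        filters.update(COMMENTED_OUT)
    return [n for n, p in filters.items() if re.search(p, query, re.IGNORECASE)]


def uaeg_allows(path, blocked_exts=BLOCKED_EXTS, whitelist_re=WHITELIST_RE):
    """Model of the posted FilesMatch block: a listed extension is denied unless
    SetEnvIf set the whitelist env on the Request_URI. FilesMatch has no [NC],
    so the extension comparison is case-sensitive, as on the server."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in blocked_exts:
        return True
    return bool(whitelist_re) and re.search(whitelist_re, path) is not None


def replay(log=LOG):
    """Run each entry through both layers, before and after the edits."""
    out = []
    for text in log.strip().split("\n\n"):
        e = parse_entry(text)
        out.append({
            "path": e["PATH"],
            "root_before": root_filters_hit(e["QUERY"], True),
            "root_after": root_filters_hit(e["QUERY"], False),
            "uaeg_no_whitelist": uaeg_allows(e["PATH"], whitelist_re=None),
            "uaeg_posted": uaeg_allows(e["PATH"]),
            "uaeg_no_xml": uaeg_allows(e["PATH"], BLOCKED_EXTS - {"xml"}, None),
        })
    return out


if __name__ == "__main__":
    for result in replay():
        print(result)
```

On the first entry only the two commented-out filters fire (`[a-zA-Z0-9_]=(http|https)://` and `(http|https):`, on `base=http://...`), so the root htaccess edit alone clears that 403; the `%E2%80%9D` in the logged URI is the percent-encoding of U+201D, a typographic right double quotation mark, wrapped around a full URL inside the path, which is exactly the shape the RFI filters are written to catch. For the test1.xml entry the model denies with the extension list alone and allows once either the whitelist env or the xml removal is in place; the thread reports the xml request still returned 403 with the whitelist in the file, which the thread does not explain, so check the live server's Security Log rather than trusting the model. One point a defender should keep in mind: `SetEnvIf Request_URI "panoramas/.*$"` sets the env for every listed extension under that folder, php included, so `uaeg_allows("/wp-content/uploads/panoramas/evil.php")` is True; a narrower pattern such as `panoramas/.*\.(html|js|xml)$` (my suggestion, not BPS Pro's) limits the exception to the file types the panorama viewer needs.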
Matt Zahy (Participant)
Hi,
thanks for the great help. I am still having a problem loading the second panorama and getting this log:
Does it mean I also need to whitelist the xml file in UAEG?
[403 GET Request: January 11, 2016 11:03 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 79.169.4.197
Host Name: a79-169-4-197.cpe.netcabo.pt
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 79.169.4.197
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.xxxxxx/wp-content/uploads/panoramas/test1/test1.html
REQUEST_URI: /wp-content/uploads/panoramas/test1/test1data/test1.xml
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 4.4.2; SM-T310 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Safari/537.36
thank you
AITpro Admin (Keymaster)
Yep, logically you would also need to remove/delete the xml file type from the FilesMatch section of code by doing the steps below:
1. Go to Custom Code
2. Click the UAEG htaccess File Custom Code accordion tab.
3. Edit/modify/customize your UAEG htaccess code in the CUSTOM CODE UAEG text box and delete |xml (be sure to delete the pipe operator “|” as well as “xml”) from the FilesMatch section of code.
4. Click the Save UAEG Custom Code button.
5. Go to the BPS Security Modes page and click the UAEG BulletProof Mode Activate button.
Matt Zahy (Participant)
THANKS .)
Matt