Panopress – uploads folder 403 error


This topic contains 12 replies, has 2 voices, and was last updated by Matt Zahy 2 years, 4 months ago.

    #27763

    Matt Zahy
    Participant

    Hi,

    BPS Pro is somehow blocking the panopress plugin and/or the iframe from working on my site.
    B-core security log:

    [403 GET Request: January 10, 2016 3:03 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 79.169.4.197
    Host Name: a79-169-4-197.cpe.netcabo.pt
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 79.169.4.197
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://xxxxxxx/360-test/
    REQUEST_URI: /wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxxx/wp-content/uploads/panoramas/test1/test1.html%E2%80%9D?base=http://xxxxxx/wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxx/wp-content/uploads/panoramas/test1/&
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

    I am having a problem similar to this topic, but the solution didn't work for me: http://forum.ait-pro.com/forums/topic/panopress-360-degree-panoramic-map-403-error/ Can you help me?

    thank you
    Matt

    #27769

    AITpro Admin
    Keymaster

    The Security Log entry shows that what is being blocked is the /panoramas/ URI|Query string in the /uploads folder by BPS Pro UAEG.  Do this BPS Pro troubleshooting step below and test things and let me know if that works.  If that works then I will post the UAEG whitelist rule that you need to allow/whitelist this.  It is possible that you may need to add an additional whitelisting rule in the root htaccess file too because the Query String is simulating a common RFI hacking attempt against your website:

    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.

    #27770

    Matt Zahy
    Participant

    Hi,

    Thank you for the quick answer.  I deactivated UAEG and the iframe link started to work:
    <iframe src="https://www.xxxxx.xx/wp-content/uploads/panoramas/test1/test1.html" width="800" height="650" allowfullscreen="allowfullscreen">

    The second one, which panopress uses, is still blocked:
    [pano file="https://www.xxxxx.xx/wp-content/uploads/panoramas/test1/test1.html"]

    I would like to get panopress working, but if you can, please write me what to do to get at least the iframe to work. Thank you for the help.

    matt

    #27771

    AITpro Admin
    Keymaster

    Ok now do this additional BPS Pro troubleshooting step below and test things and let me know if everything works.  Keep UAEG deactivated too for now and do this additional troubleshooting step.  I am thinking that both UAEG and something in the root htaccess file are blocking the simulated RFI attack made by the panopress Query String.

    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.

    #27774

    Matt Zahy
    Participant

    hi,

    Now the second one (panopress) is not showing the 403 error anymore, but the panorama is not working and I am still getting this in the Security Log:

    [403 GET Request: January 10, 2016 11:52 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 79.169.4.197
    Host Name: a79-169-4-197.cpe.netcabo.pt
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 79.169.4.197
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://xxxxxx/360-test/
    REQUEST_URI: /wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxxx/wp-content/uploads/panoramas/test1/test1.html%E2%80%9D?base=http://xxxxxx/wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxx/wp-content/uploads/panoramas/test1/&
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

    #27776

    AITpro Admin
    Keymaster

    Is UAEG still deactivated/turned off?

    #27777

    Matt Zahy
    Participant

    Yes, they were both deactivated.

    m.

    #27778

    AITpro Admin
    Keymaster

    Also are you using any BPS Bonus Custom Code that would block iFrames?  If you want me to login to this site and figure out the solution then send a WordPress Administrator login to info at ait-pro dot com.

    #27782

    Matt Zahy
    Participant

    No, I don't use any custom code.  OK, I am sending the login data. If you can't get panopress working, please just enable the iframe.

    #27786

    AITpro Admin
    Keymaster

    The solution requires both root htaccess code customization/whitelisting and UAEG htaccess code customization/whitelisting:

    Root htaccess file customizations/edits: The Request URI and Query String simulate an RFI hacking attempt against your website.  The solution is to comment out the Secondary RFI security filters in the BPS Query String Exploits.

    1. Copy the modified BPS Query String Exploits below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    UAEG htaccess file customizations/edits: html and js file extensions need to be deleted/removed from the FilesMatch file types security filter. The panoramas folder needs to be whitelisted.  Note: In this particular case html files are used to display the iFrame so if other file types are used, such as swf or php files then those file types would need to be removed/deleted from the FilesMatch code instead of the html file type.

    1. Copy and paste your entire Uploads .htaccess file code from the “Your Current Uploads htaccess File” tab on the htaccess File Editor page into the CUSTOM CODE UAEG text box.
    2. Edit/modify/customize your UAEG htaccess code.
    3. Click the Save UAEG Custom Code button to save your UAEG custom code.
    4. Go to the BPS Security Modes page and click the UAEG BulletProof Mode Activate button.

    UAEG Custom Code edits/customizations:

    mod_access_compat UAEG htaccess file type:

    # Whitelist the panoramas folder in the uploads folder: /uploads/panoramas/
    SetEnvIf Request_URI "panoramas/.*$" whitelist
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    Order Allow,Deny
    Allow from env=whitelist
    Deny from all
    </FilesMatch>

    mod_authz_core IfModule BC UAEG htaccess file type:

    # Whitelist the panoramas folder in the uploads folder: /uploads/panoramas/
    SetEnvIf Request_URI "panoramas/.*$" whitelist
    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    <IfModule mod_authz_core.c>
    Require env whitelist
    Require all denied
    </IfModule>
    
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    Order Allow,Deny
    Allow from env=whitelist
    Deny from all
    </IfModule>
    </IfModule>
    </FilesMatch>
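
    As an added example (not code from this thread or from BPS Pro), the Python script below replays the REQUEST_URI logged above, plus two constructed requests, against a hand-translated subset of the BPS Query String Exploits RewriteCond rules. It shows which rules the panopress URL trips and what the three commented-out secondary RFI filters stop catching site-wide once the fix is applied. The rule names are labels chosen here; the regexes are copied from the .htaccess lines above.

```python
import re

# Hand-translated subset of the BPS "Query String Exploits" RewriteCond rules from
# the thread (regexes copied verbatim; Apache's [NC] flag becomes re.IGNORECASE).
# The names are labels added here, not BPS terminology. The third field marks the
# three "secondary RFI" rules that the fix comments out.
QS_RULES = [
    ("rfi_kv_http", r"[a-zA-Z0-9_]=(http|https)://", True),
    ("rfi_kv_dots", r"[a-zA-Z0-9_]=(\.\.//?)+", False),
    ("rfi_kv_path", r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", True),
    ("any_http", r"(http|https)\:", True),
    ("traversal", r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", False),
    ("cpath_rfi", r"^(.*)cPath=(http|https)://(.*)$", False),
    ("localhost", r"(localhost|loopback|127\.0\.0\.1)", False),
]

# REQUEST_URI exactly as logged in the thread (the site name is already masked there).
PANOPRESS_URI = ("/wp-content/uploads/panoramas/%E2%80%9Dhttp://www.xxxxxxx/wp-content/uploads/"
                 "panoramas/test1/test1.html%E2%80%9D?base=http://xxxxxx/wp-content/uploads/"
                 "panoramas/%E2%80%9Dhttp://www.xxxxxx/wp-content/uploads/panoramas/test1/&")
# Constructed inputs (not from the thread) used to check rule coverage after the change.
REMOTE_URL_URI = "/index.php?inc=http://example.invalid/x.txt"  # remote URL in a parameter
TRAVERSAL_URI = "/index.php?path=../../../private.txt"          # dot-dot traversal


def query_string_of(request_uri):
    """Apache's %{QUERY_STRING}: the raw text after the first '?' (empty if none)."""
    return request_uri.partition("?")[2]


def matched_rules(query_string, secondary_rfi_commented_out=False):
    """Names of modelled rules that match; the [OR] chain means one hit is enough to forbid."""
    hits = []
    for name, pattern, secondary_rfi in QS_RULES:
        if secondary_rfi_commented_out and secondary_rfi:
            continue  # the line is now "#RewriteCond ...", so it never fires
        if re.search(pattern, query_string, re.IGNORECASE):
            hits.append(name)
    return hits


def would_be_forbidden(request_uri, secondary_rfi_commented_out=False):
    """True when at least one modelled rule matches, i.e. `RewriteRule ^(.*)$ - [F]` fires."""
    return bool(matched_rules(query_string_of(request_uri), secondary_rfi_commented_out))


if __name__ == "__main__":
    for label, uri in [("panopress", PANOPRESS_URI), ("remote URL", REMOTE_URL_URI),
                       ("traversal", TRAVERSAL_URI)]:
        before = matched_rules(query_string_of(uri))
        after = matched_rules(query_string_of(uri), secondary_rfi_commented_out=True)
        print(f"{label:10} stock rules: {before or 'allowed'} | after fix: {after or 'allowed'}")
```

    The second constructed request shows the cost of the fix: with the secondary RFI filters commented out, a remote URL in any query parameter anywhere on the site is no longer caught by these rules, while the retained traversal rules still fire.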

    #27789

    Matt Zahy
    Participant

    hi,

    Thanks for the great help. I am still having a problem loading the second panorama and am getting this log.
    Does it mean I also need to whitelist the xml file type in UAEG?

    [403 GET Request: January 11, 2016 11:03 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 79.169.4.197
    Host Name: a79-169-4-197.cpe.netcabo.pt
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 79.169.4.197
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.xxxxxx/wp-content/uploads/panoramas/test1/test1.html
    REQUEST_URI: /wp-content/uploads/panoramas/test1/test1data/test1.xml
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 4.4.2; SM-T310 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Safari/537.36

    thank you

    #27791

    AITpro Admin
    Keymaster

    Yep, logically you would also need to remove/delete the xml file type from the FilesMatch section of code by doing the steps below:

    1. Go to Custom Code
    2. Click the UAEG htaccess File Custom Code accordion tab.
    3. Edit/modify/customize your UAEG htaccess code in the CUSTOM CODE UAEG text box and delete |xml (be sure to delete the pipe operator “|” as well as “xml”) from the FilesMatch section of code.
    4. Click the Save UAEG Custom Code button.
    5. Go to the BPS Security Modes page and click the UAEG BulletProof Mode Activate button.

    #27935

    Matt Zahy
    Participant

    THANKS .)

    Matt
