PDF Embedder – 403 error

Forum: BulletProof Security Free

Viewing 13 posts - 1 through 13 (of 13 total)
  • #34445
    AITpro Admin
    Keymaster

    Email Question:

    [403 GET Request: October 25, 2017 3:33 am]
    BPS: 2.8
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: xxx.xxx.xxx.xxx
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: xxx.xxx.xxx.xxx
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://example.com/test-embed-pdf/
    REQUEST_URI: /?pdfemb-serveurl=https%3A%2F%2Fexample.com%2Fwp-content%2Fuploads%2Fsecurepdfs%2F2017%2F10%2FPDFTEST1.pdf
    QUERY_STRING: pdfemb-serveurl=https%3A%2F%2Fexample.com%2Fwp-content%2Fuploads%2Fsecurepdfs%2F2017%2F10%2FPDFTEST1.pdf
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; rv:51.0) Gecko/20100101 Firefox/51.0

    Would you be able to guide me in the correct direction in as to what white-listing rule would be best.
    The plugin uploads PDF automatically to a uploads/securepdfs/ area so it cannot be downloaded.

    #34446
    AITpro Admin
    Keymaster

    PDF Embedder error message:  Failed to load and decrypt PDF

    The Request is simulating an RFI hacking attempt, but whitelisting RFI htaccess security rules in the Root htaccess file did not work.  I do not see anything else in the BPS root htaccess file that would block the Request URI and Query.  At this point it is still not clear whether or not deactivating Root Folder BulletProof Mode allowed the PDF Embedder plugin to successfully do whatever it does.  Pending user confirmation.

    #34447
    Gerard McNulty
    Participant

    I tried deactivating Root Folder BulletProof Mode but that didn’t work. The only thing that did work was taking out the following line from the end of Root htaccess File “CUSTOM CODE BOTTOM / HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here”

    The line I took out was

    RewriteRule ^(.*)$ - [F]

    Then I pressed activate “Root Folder BulletProof Mode” and PDF Embedder Secure displayed the embedded PDF

    #34448
    AITpro Admin
    Keymaster

    Oh I finally understand what you were saying.  You are removing that line of code from the POST Attack Protection Bonus Custom Code.  Ok so that means the PDF Embedder plugin is making a GET Request and is also making a POST Request in the process, which I have seen before.  So the whitelist rule you sent to me looks correct unless the Security Log entry is only displaying the part of the Request that is the GET Request:  RewriteCond %{QUERY_STRING} !^pdfemb-serveurl=(.*) [NC]

    This whitelist rule may or may not work, but it is worth a try: RewriteCond %{REQUEST_URI} !^.*/test-embed-pdf/ [NC]

    If neither of these whitelist rules work then you will not be able to use the POST Attack Protection Bonus Custom Code and will need to delete it.  We will test the PDF Embedder free plugin either today or tomorrow to see if we can reproduce this problem.  Also another thing to check would be if you have an .htaccess file in your WordPress /uploads folder.  BPS logs all 403 errors whether or not BPS is blocking something.

    #34449
    Gerard McNulty
    Participant

    Oh just to save you the bother, the free version always works. It’s just the premium secure version that encrypts the pdf and puts it into a secure folder in uploads that has this problem.

    #34452
    AITpro Admin
    Keymaster

    Ok then either you would need to figure out how and where the PDF Embedder pro version is doing a POST Request or just delete the BPS POST Attack Protection Bonus Custom Code since it is blocking a secondary POST Request in that plugin.

    #34453
    Gerard McNulty
    Participant

    It works, I can confirm that adding the following code to “CUSTOM CODE BOTTOM / HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here” fixes the problem with PDF Embedder Secure (Failed to load and decrypt PDF)

    RewriteCond %{QUERY_STRING} !^pdfemb-serveurl=(.*) [NC]

    Thanks for your assistance!

    #34454
    AITpro Admin
    Keymaster

    Well thank yourself since you already figured out the whitelist rule that was needed.  Sorry that I misunderstood which code you were referring to in your email.  I would not be surprised if you need both the Query String Exploits RFI whitelisting method and your POST Attack Protection whitelist rule.  i.e. probably 2 separate things are being blocked.

    #34455
    Gerard McNulty
    Participant

    Is that this one?

    RewriteCond %{REQUEST_URI} !^.*/test-embed-pdf/ [NC]

    #34456
    AITpro Admin
    Keymaster

    Nope, the RFI whitelisting method is what you have already done in the BPS Query String Exploits code. These 3 security rules below all protect against RFI attack strings. It is completely safe to comment these security rules out since they are general RFI security rules and there is another RFI security rule that is the primary RFI security rule in a different section of htaccess code in the BPS root htaccess file.

    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
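    The posts above juggle several RewriteCond lines (the three general RFI conditions, the pdfemb-serveurl query-string whitelist, and the /test-embed-pdf/ REQUEST_URI whitelist) without a way to tell, before editing the live .htaccess file, which of them actually matches the logged request. The script below is an added example and is not BulletProof Security code or anything posted by the participants: it is a small evaluator of mod_rewrite RewriteCond semantics (conditions AND together by default, a condition carrying [OR] is OR'd with the next one, a leading ! negates, NC makes the match case-insensitive, patterns are unanchored searches) applied to a request reconstructed from the Security Log entry quoted at the top of the thread. Two things are assumptions rather than facts from the page: the conditions of the POST Attack Protection block are not reproduced in the thread, so a match-everything condition stands in for them ahead of the `RewriteRule ^(.*)$ - [F]` line; and the last RFI condition is given a plain [NC] flag so the three form a closed group (in the BPS file they continue with [OR] into further conditions). mod_rewrite's %{REQUEST_URI} holds only the path, so it is "/" here even though the BPS log line prints the path with its query attached.

```python
"""Mini mod_rewrite RewriteCond evaluator for checking .htaccess whitelist
rules offline.  Added example; not part of BulletProof Security or the
forum thread."""
import re
from urllib.parse import unquote

# Request reconstructed from the Security Log entry quoted in the thread
# (constructed test data).  mod_rewrite's %{REQUEST_URI} carries only the
# path; the query lives in %{QUERY_STRING} and is NOT URL-decoded for matching.
LOGGED_REQUEST = {
    "REQUEST_METHOD": "GET",
    "REQUEST_URI": "/",
    "QUERY_STRING": "pdfemb-serveurl=https%3A%2F%2Fexample.com%2Fwp-content"
                    "%2Fuploads%2Fsecurepdfs%2F2017%2F10%2FPDFTEST1.pdf",
    "HTTP_REFERER": "https://example.com/test-embed-pdf/",
}

COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([A-Z,]+)\])?\s*$")


class Cond:
    """One RewriteCond line: server variable, regex, negation, NC/OR flags."""

    def __init__(self, line):
        m = COND_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported RewriteCond syntax: " + line)
        self.var, pattern, flags = m.group(1), m.group(2), (m.group(3) or "")
        flagset = set(flags.split(",")) - {""}
        self.negate = pattern.startswith("!")
        self.or_next = "OR" in flagset
        self.regex = re.compile(pattern.lstrip("!"),
                                re.IGNORECASE if "NC" in flagset else 0)

    def test(self, env):
        # RewriteCond patterns are unanchored searches against the variable.
        hit = self.regex.search(env.get(self.var, "")) is not None
        return hit != self.negate


def rule_applies(cond_lines, env):
    """True if the RewriteRule guarded by these conditions would fire.
    Consecutive conditions are ANDed; a condition carrying [OR] is ORed with
    the one that follows it, which is how mod_rewrite groups them."""
    conds = [Cond(l) for l in cond_lines if l.strip().startswith("RewriteCond")]
    i = 0
    while i < len(conds):
        group = False
        while i < len(conds):
            c = conds[i]
            group = group or c.test(env)
            i += 1
            if not c.or_next:
                break
        if not group:
            return False
    return True


# The three general RFI conditions quoted in the thread.  The last one is
# given [NC] instead of [NC,OR] so the group is closed (assumption).
RFI_CONDS = [
    "RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]",
    "RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]",
    "RewriteCond %{QUERY_STRING} (http|https)\\: [NC]",
]

# The thread shows only the final "RewriteRule ^(.*)$ - [F]" of the POST
# Attack Protection block, not its conditions; a match-everything condition
# stands in for them here (assumption) so a prepended whitelist can be
# observed in isolation.
CATCH_ALL = ["RewriteCond %{REQUEST_URI} .*"]
QUERY_WHITELIST = "RewriteCond %{QUERY_STRING} !^pdfemb-serveurl=(.*) [NC]"
URI_WHITELIST = "RewriteCond %{REQUEST_URI} !^.*/test-embed-pdf/ [NC]"


def check_logged_request(env=LOGGED_REQUEST):
    """Evaluate each rule set from the thread against the logged request.
    The decoded variant shows what the RFI regexes are written to catch; the
    raw variant is what Apache actually matches."""
    decoded = dict(env, QUERY_STRING=unquote(env["QUERY_STRING"]))
    return {
        "rfi_rules_fire_on_raw_query": rule_applies(RFI_CONDS, env),
        "rfi_rules_fire_on_decoded_query": rule_applies(RFI_CONDS, decoded),
        "blocked_without_whitelist": rule_applies(CATCH_ALL, env),
        "blocked_with_query_whitelist": rule_applies([QUERY_WHITELIST] + CATCH_ALL, env),
        "blocked_with_uri_whitelist": rule_applies([URI_WHITELIST] + CATCH_ALL, env),
    }


if __name__ == "__main__":
    for name, fires in check_logged_request().items():
        print(f"{name}: {fires}")
```

    Run it as-is to see the verdict for the logged request, or swap the constructed `LOGGED_REQUEST` for the REQUEST_URI and QUERY_STRING values from your own Security Log entry and paste in the exact RewriteCond lines from the section of the root .htaccess file you suspect. The REQUEST_URI-based whitelist is the one to watch: the /test-embed-pdf/ path appears only in the referer of the logged request, not in its own URI, so a condition on %{REQUEST_URI} leaves that request blocked.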

    #34457
    Gerard McNulty
    Participant

    Ok, Thanks

    #34458
    Gerard McNulty
    Participant

    The locations of the above lines are

    “CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS” (where they are commented out)

    and

    “CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS” (where they are NOT commented out)

    Should I still comment them out in “CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS”?

    #34459
    AITpro Admin
    Keymaster

    Nope, you do not need to do anything else with the wp-admin htaccess code/file.
