Home › Forums › BulletProof Security Pro › Watermark plugin – 403 error
- This topic has 3 replies, 2 voices, and was last updated 5 years, 4 months ago by
AITpro Admin.
-
AuthorPosts
-
bbmedia
ParticipantWe are getting intermittent 403 errors from a custom watermark plugin which serialises an image from a base image and their WPUserID. Can’t replicate it ourselves, but some users are experiencing this issue. One of the admins also gets this error (even though he is whitelisted). 2 separate security log entries have been supplied.
Can you provide a workaround pls?
[403 GET Request: December 6, 2018 - 11:38 am] BPS Pro: 13.7 WP: 4.9.8 Event Code: PFWR-PSBR-HPRA Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 49.180.52.171 Host Name: pa49-180-52-171.pa.nsw.optusnet.com.au SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 49.180.52.171 HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: https://thewhiskyclub.com.au/my-account/ REQUEST_URI: /wp-content/plugins/f711-watermark/watermark.php?src=https://thewhiskyclub.com.au/wp-content/uploads/TWC-Digital-Member-Card-V4-1.jpg&embednumber=107486 QUERY_STRING: src=https://thewhiskyclub.com.au/wp-content/uploads/TWC-Digital-Member-Card-V4-1.jpg&embednumber=107486 HTTP_USER_AGENT: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 [403 GET Request: December 6, 2018 - 9:14 am] BPS Pro: 13.7 WP: 4.9.8 Event Code: PFWR-PSBR-HPRA Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 110.145.219.218 Host Name: uni2896076.lnk.telstra.net SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 110.145.219.218 HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: https://thewhiskyclub.com.au/my-account/ REQUEST_URI: /wp-content/plugins/f711-watermark/watermark.php?src=https://thewhiskyclub.com.au/wp-content/uploads/TWC-Digital-Member-Card-V4-1.jpg&embednumber=107486 QUERY_STRING: src=https://thewhiskyclub.com.au/wp-content/uploads/TWC-Digital-Member-Card-V4-1.jpg&embednumber=107486 HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36
AITpro Admin
KeymasterThere are 2 possible causes for the 403 error and it is very possible that both things below are being blocked.
#1. The Plugin Firewall is blocking external/remote access to this file: /wp-content/plugins/f711-watermark/watermark.php
#2. The URL with the Query String redirect is simulating an RFI hacking attempt against your website.Manually create (copy and paste) this plugin script path: /f711-watermark/watermark.php into the Plugins Script|File Whitelist Text Area. Click the Save Whitelist Options button. Click the Activate button.
If the error is still occurring then do the steps below to whitelist the URL that is simulating an RFI hacking attempt.
1. Copy the modified BPS Query String Exploits below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
2. Click the Save Root Custom Code button.
3. Run the Pre-Installation Wizard and Setup Wizard again.# BEGIN BPSQSE BPS QUERY STRING EXPLOITS # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too. # Good sites such as W3C use it for their W3C-LinkChecker. # Use BPS Custom Code to add or remove user agents temporarily or permanently from the # User Agent filters directly below or to modify/edit/change any of the other security code rules below. RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR] RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR] RewriteCond %{THE_REQUEST} etc/passwd [NC,OR] RewriteCond %{THE_REQUEST} cgi-bin [NC,OR] RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR] RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR] RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR] RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR] RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR] #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR] #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR] RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR] RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR] RewriteCond %{QUERY_STRING} ftp\: [NC,OR] #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR] RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR] RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR] RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR] RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR] RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR] RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR] RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR] RewriteCond %{QUERY_STRING} (sp_executesql) [NC] RewriteRule ^(.*)$ - [F] # END BPSQSE BPS QUERY STRING EXPLOITSTo test if the error is still occurring use this URL: https://thewhiskyclub.com.au/wp-content/plugins/f711-watermark/watermark.php?src=https://thewhiskyclub.com.au/wp-content/uploads/TWC-Digital-Member-Card-V4-1.jpg
ParticipantThanks for the very quick reply. Will apply this – interestingly, after adding that to the plugins whitelist it told me that the the auto-whitelist wasn’t activated, so I have turned that back on – possibly would have avoided this issue. Have applied the BPQSE workarounds as well, since I need this to be resolved immediately.
Hopefully this resolves it.
KeymasterI just tested the test URL that I posted above and I can now see the image and not a 403 error message. So it looks like that fixed the issue.
-
AuthorPosts
- You must be logged in to reply to this topic.