Plugin Flipbook blocked – 403 error

[Jean-Guy]

Good day, BPS Pro seems to block the new plugin “Flipbook” that  I just installed. How can I allow “Flipbook” to run with BPS PRO ?

I get the “403 forbidden error page”

[New DB Table Created - Cron Check Time Monday, July 22, 2019 - 8:43 am]
New DB Table Created Name: wp_flipbook
New DB Table Actual Create Time: 2019-07-22 08:32:16
DB Monitor Guide: https://forum.ait-pro.com/forums/topic/database-monitor-dbm-guide/

Thank you

[AITpro Admin]

You can ignore the DB Monitor log entry.  Go to the BPS Pro Security Log page, look for the Security Log entry regarding the Flipbook 403 log entry and post it in your forum reply so I can see what is being blocked.

[Jean-Guy]

[403 GET Request: mardi, 6 aout, 2019 - 1:23 ]

BPS Pro: 13.4
WP: ***
Event Code: UAEGWR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
REMOTE_ADDR: ***********
Host Name: 77-93-55-206.static.cogecodata.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.golfdorval.com/wordpress/wp-admin/admin.php?page=flipbook_view_book&bookid=1
REQUEST_URI: /wordpress/wp-content/uploads/flipbook/1/book.html
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

[AITpro Admin]

What is being blocked is the book.html file in the flipbook folder: /wordpress/wp-content/uploads/flipbook/ by BPS Pro Uploads Anti-Exploit Guard (UAEG).

Go to the BPS Pro > htaccess File Editor tab page > click the “Your Current Uploads htaccess File” tab > copy the entire contents of your UAEG htaccess file and post it in your forum reply.  I will create a whitelist rule for you in your UAEG code so that you can copy and paste the modified code into the UAEG Custom Code text box.

[Jean-Guy]

# BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
#
# BPS mod_access_compat
# Allow,Deny
# First, all Allow directives are evaluated. At least one must match, or the request is rejected.
# Next, all Deny directives are evaluated. If any matches, the request is rejected.
# Last, any requests which do not match an Allow or a Deny directive are denied by default.
#
# Deny,Allow
# First, all Deny directives are evaluated. If any match, the request is denied unless
# it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
#
# *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
# Match Allow only ----------- Request allowed ------------------------ Request allowed
# Match Deny only ------------ Request denied ------------------------- Request denied
# No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
# Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed
#
# NOTE: The zip file extension can be added to block remote access or execution of zip files, several plugins create
# create either temporary or permanent zip files in the uploads folder. This may block those plugins from being
# able to create zip files in your uploads folder.
#
# BEGIN WHITELIST
# Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
# of the whitelist rule you want to use, add the actual filename or folder name you want to whitelist and also
# delete the # sign in front of #Allow from env=whitelist.
# Whitelist a specific js file in the uploads folder: example.js
#SetEnvIf Request_URI "example.js$" whitelist
# Whitelist an entire folder in the uploads folder: /uploads/example-folder/
#SetEnvIf Request_URI "example-folder/.*$" whitelist
# END WHITELIST
#
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
Order Allow,Deny
#Allow from env=whitelist
Deny from all
</FilesMatch>

# FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
<FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
Order Allow,Deny
#Allow from env=whitelist
Deny from all
</FilesMatch>

[AITpro Admin]

1. Go to the BPS Pro > B-Core > Custom Code tab page.
2. Click the UAEG htaccess File Custom Code accordion button/tab.
3. Copy your modified UAEG htaccess code below into the CUSTOM CODE UAEG text box.
4. Click the Save UAEG Custom Code button.
5. Go to the Security Modes tab page > scroll down to the UAEG section and click the Activate button.

# BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
#
# BPS mod_access_compat
# Allow,Deny
# First, all Allow directives are evaluated. At least one must match, or the request is rejected.
# Next, all Deny directives are evaluated. If any matches, the request is rejected.
# Last, any requests which do not match an Allow or a Deny directive are denied by default.
#
# Deny,Allow
# First, all Deny directives are evaluated. If any match, the request is denied unless
# it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
#
# *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
# Match Allow only ----------- Request allowed ------------------------ Request allowed
# Match Deny only ------------ Request denied ------------------------- Request denied
# No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
# Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed
#
# NOTE: The zip file extension can be added to block remote access or execution of zip files, several plugins create
# create either temporary or permanent zip files in the uploads folder. This may block those plugins from being
# able to create zip files in your uploads folder.
#
# BEGIN WHITELIST
# Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
# of the whitelist rule you want to use, add the actual filename or folder name you want to whitelist and also
# delete the # sign in front of #Allow from env=whitelist.
# Whitelist a specific js file in the uploads folder: example.js
#SetEnvIf Request_URI "example.js$" whitelist
# Whitelist an entire folder in the uploads folder: /uploads/example-folder/
SetEnvIf Request_URI "flipbook/.*$" whitelist
# END WHITELIST
#
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
Order Allow,Deny
Allow from env=whitelist
Deny from all
</FilesMatch>

# FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
<FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
Order Allow,Deny
#Allow from env=whitelist
Deny from all
</FilesMatch>

[Jean-Guy]

ok I did the change but still the same problem, see the security log

[403 GET Request: mardi, 6 aout, 2019 - 3:21 ]
BPS Pro: 13.4
WP: ****
Event Code: UAEGWR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
REMOTE_ADDR: **********
Host Name: 77-93-55-206.static.cogecodata.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.golfdorval.com/wordpress/guide-du-terrain-de-golf/?preview_id=4404&preview_nonce=96a500deed&preview=true
REQUEST_URI: /wordpress/wp-content/uploads/flipbook/2/book.html
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

Thank you

[AITpro Admin]

Are you sure you did all of the steps above correctly?  I tried to check your server type and it appears your server type information is being blocked/protected.  If you did all the steps correctly then maybe your host server type does not support the SetEnvIf directive. Go to the BPS Pro System Info page (under the Logs & Info main menu) and copy and paste these 2 things below.

Server Type: Apache
Operating System: Linux

[Jean-Guy]

ok here is the two things from system info

Server Type: Apache
Operating System: Linux

[AITpro Admin]

Alright so there is not a problem with the SetEnvIf directive then.  If you want me to login to your website and figure out the problem then send a WordPress Administrator login user account to:  info at ait-pro dot com. Or you can choose to deactivate the BPS Pro UAEG feature.  It’s an extra security feature that is not that important.

[Jean-Guy]

Ok thank you for your help.  I deactivate the PBS Pro UAEG feature. Now i don’t have the 403 error but instead of the flipbook I get the front page of the web site instead (the index page ) so I guess i will survive without the flipbook.

Thanks again for your support.

[AITpro Admin]

Yeah it seems like your French/English translation method is doing something odd with your website links.  Maybe that has something to do with it.  It does not look like you have the WPML language translation plugin installed.  At least I didn’t see any clues that WPML was installed on your site in your website’s Source Code.  Another possibility could be that you have Mod Security enabled in your web host control panel and Mod Security is also blocking the flipbook plugin (not likely though, but a possibility).

[Jean-Guy]

Ok I will check these two options, before I give up .

Thanks again for your support. I rate you 5 stars

[Author]

Posts