Plugin Flipbook blocked – 403 error

Home Forums BulletProof Security Pro Plugin Flipbook blocked – 403 error

Tagged: 

This topic contains 12 replies, has 2 voices, and was last updated by  Jean-Guy 2 weeks ago.

Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #37725

    Jean-Guy
    Participant

    Good day, BPS Pro seems to block the new plugin “Flipbook” that  I just installed. How can I allow “Flipbook” to run with BPS PRO ?

    I get the “403 forbidden error page”

    [New DB Table Created - Cron Check Time Monday, July 22, 2019 - 8:43 am]
    New DB Table Created Name: wp_flipbook
    New DB Table Actual Create Time: 2019-07-22 08:32:16
    DB Monitor Guide: https://forum.ait-pro.com/forums/topic/database-monitor-dbm-guide/

    Thank you

    #37726

    AITpro Admin
    Keymaster

    You can ignore the DB Monitor log entry.  Go to the BPS Pro Security Log page, look for the Security Log entry regarding the Flipbook 403 log entry and post it in your forum reply so I can see what is being blocked.

    #37727

    Jean-Guy
    Participant
    [403 GET Request: mardi, 6 aout, 2019 - 1:23 ]
    
    BPS Pro: 13.4
    WP: ***
    Event Code: UAEGWR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: ***********
    Host Name: 77-93-55-206.static.cogecodata.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.golfdorval.com/wordpress/wp-admin/admin.php?page=flipbook_view_book&bookid=1
    REQUEST_URI: /wordpress/wp-content/uploads/flipbook/1/book.html
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
    #37728

    AITpro Admin
    Keymaster

    What is being blocked is the book.html file in the flipbook folder: /wordpress/wp-content/uploads/flipbook/ by BPS Pro Uploads Anti-Exploit Guard (UAEG).

    Go to the BPS Pro > htaccess File Editor tab page > click the “Your Current Uploads htaccess File” tab > copy the entire contents of your UAEG htaccess file and post it in your forum reply.  I will create a whitelist rule for you in your UAEG code so that you can copy and paste the modified code into the UAEG Custom Code text box.

    #37729

    Jean-Guy
    Participant
    # BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
    #
    # BPS mod_access_compat
    # Allow,Deny
    # First, all Allow directives are evaluated. At least one must match, or the request is rejected.
    # Next, all Deny directives are evaluated. If any matches, the request is rejected.
    # Last, any requests which do not match an Allow or a Deny directive are denied by default.
    #
    # Deny,Allow
    # First, all Deny directives are evaluated. If any match, the request is denied unless
    # it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
    #
    # *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
    # Match Allow only ----------- Request allowed ------------------------ Request allowed
    # Match Deny only ------------ Request denied ------------------------- Request denied
    # No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
    # Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed
    #
    # NOTE: The zip file extension can be added to block remote access or execution of zip files, several plugins create
    # create either temporary or permanent zip files in the uploads folder. This may block those plugins from being
    # able to create zip files in your uploads folder.
    #
    # BEGIN WHITELIST
    # Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
    # of the whitelist rule you want to use, add the actual filename or folder name you want to whitelist and also
    # delete the # sign in front of #Allow from env=whitelist.
    # Whitelist a specific js file in the uploads folder: example.js
    #SetEnvIf Request_URI "example.js$" whitelist
    # Whitelist an entire folder in the uploads folder: /uploads/example-folder/
    #SetEnvIf Request_URI "example-folder/.*$" whitelist
    # END WHITELIST
    #
    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    Order Allow,Deny
    #Allow from env=whitelist
    Deny from all
    </FilesMatch>
    
    # FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
    <FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
    Order Allow,Deny
    #Allow from env=whitelist
    Deny from all
    </FilesMatch>
    #37730

    AITpro Admin
    Keymaster

    1. Go to the BPS Pro > B-Core > Custom Code tab page.
    2. Click the UAEG htaccess File Custom Code accordion button/tab.
    3. Copy your modified UAEG htaccess code below into the CUSTOM CODE UAEG text box.
    4. Click the Save UAEG Custom Code button.
    5. Go to the Security Modes tab page > scroll down to the UAEG section and click the Activate button.

    # BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
    #
    # BPS mod_access_compat
    # Allow,Deny
    # First, all Allow directives are evaluated. At least one must match, or the request is rejected.
    # Next, all Deny directives are evaluated. If any matches, the request is rejected.
    # Last, any requests which do not match an Allow or a Deny directive are denied by default.
    #
    # Deny,Allow
    # First, all Deny directives are evaluated. If any match, the request is denied unless
    # it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
    #
    # *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
    # Match Allow only ----------- Request allowed ------------------------ Request allowed
    # Match Deny only ------------ Request denied ------------------------- Request denied
    # No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
    # Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed
    #
    # NOTE: The zip file extension can be added to block remote access or execution of zip files, several plugins create
    # create either temporary or permanent zip files in the uploads folder. This may block those plugins from being
    # able to create zip files in your uploads folder.
    #
    # BEGIN WHITELIST
    # Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
    # of the whitelist rule you want to use, add the actual filename or folder name you want to whitelist and also
    # delete the # sign in front of #Allow from env=whitelist.
    # Whitelist a specific js file in the uploads folder: example.js
    #SetEnvIf Request_URI "example.js$" whitelist
    # Whitelist an entire folder in the uploads folder: /uploads/example-folder/
    SetEnvIf Request_URI "flipbook/.*$" whitelist
    # END WHITELIST
    #
    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    Order Allow,Deny
    Allow from env=whitelist
    Deny from all
    </FilesMatch>
    
    # FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
    <FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
    Order Allow,Deny
    #Allow from env=whitelist
    Deny from all
    </FilesMatch>
    #37731

    Jean-Guy
    Participant

    ok I did the change but still the same problem, see the security log

    [403 GET Request: mardi, 6 aout, 2019 - 3:21 ]
    BPS Pro: 13.4
    WP: ****
    Event Code: UAEGWR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: **********
    Host Name: 77-93-55-206.static.cogecodata.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.golfdorval.com/wordpress/guide-du-terrain-de-golf/?preview_id=4404&preview_nonce=96a500deed&preview=true
    REQUEST_URI: /wordpress/wp-content/uploads/flipbook/2/book.html
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

    Thank you

    #37732

    AITpro Admin
    Keymaster

    Are you sure you did all of the steps above correctly?  I tried to check your server type and it appears your server type information is being blocked/protected.  If you did all the steps correctly then maybe your host server type does not support the SetEnvIf directive. Go to the BPS Pro System Info page (under the Logs & Info main menu) and copy and paste these 2 things below.

    Server Type: Apache
    Operating System: Linux

    #37733

    Jean-Guy
    Participant

    ok here is the two things from system info

    Server Type: Apache
    Operating System: Linux

    #37734

    AITpro Admin
    Keymaster

    Alright so there is not a problem with the SetEnvIf directive then.  If you want me to login to your website and figure out the problem then send a WordPress Administrator login user account to:  info at ait-pro dot com. Or you can choose to deactivate the BPS Pro UAEG feature.  It’s an extra security feature that is not that important.

    #37737

    Jean-Guy
    Participant

    Ok thank you for your help.  I deactivate the PBS Pro UAEG feature. Now i don’t have the 403 error but instead of the flipbook I get the front page of the web site instead (the index page ) so I guess i will survive without the flipbook.

    Thanks again for your support.

    #37738

    AITpro Admin
    Keymaster

    Yeah it seems like your French/English translation method is doing something odd with your website links.  Maybe that has something to do with it.  It does not look like you have the WPML language translation plugin installed.  At least I didn’t see any clues that WPML was installed on your site in your website’s Source Code.  Another possibility could be that you have Mod Security enabled in your web host control panel and Mod Security is also blocking the flipbook plugin (not likely though, but a possibility).

    #37739

    Jean-Guy
    Participant

    Ok I will check these two options, before I give up .

    Thanks again for your support. I rate you 5 stars

Viewing 13 posts - 1 through 13 (of 13 total)

You must be logged in to reply to this topic.