Search By Category WordPress Plugin – 403 Error, Forbidden Error


This topic contains 9 replies, has 2 voices, and was last updated by  Jan Wessels 6 years, 10 months ago.

  • #933

    Jan Wessels
    Participant

    Hi, the BulletProof plugin blocks the plugin: Search by Category – http://wordpress.org/extend/plugins/search-by-category/. When I do a search without a search string, I get the 403 forbidden message in the browser. After deactivating the BulletProof plugin the error message disappears. Is there a fix for this? Thanks!

    #934

    AITpro Admin
    Keymaster

    I will test this plugin. What exactly does this mean – “When I do a search without a search string…” – so that I can test that condition/scenario. Thanks.

    #936

    Jan Wessels
    Participant

    I mean without putting any search word/sentence in the search field. And then clicking on the search button.
    Thanks for checking it!

    #942

    AITpro Admin
    Keymaster

    So you are saying that searching for nothing causes the error.  Ok then the plugin must have some coding condition that needs to be fixed/corrected.  I will isolate the source of the coding problem in that plugin and notify the plugin author if necessary.

    #948

    Jan Wessels
    Participant

    Yes that is correct!
    I posted the issue on the WordPress forum for this plugin. But still got no reply after 1 month from the developer.

    #949

    AITpro Admin
    Keymaster

    Ok well then this plugin author will probably not fix the coding problem then. I am testing the plugin and will have a solution shortly.

    #950

    AITpro Admin
    Keymaster

    Ok, I have tested this plugin. The BPS .htaccess security rule that is blocking this unsafe action in a search string is this security rule, because this is a dangerous condition that could be used in exploits/hacks.

    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]

    The Query string that is generated when searching for nothing is this – ?s=Search+For…&cat=0

    What I recommend that you do is modify the plugin’s code and NOT comment out the BPS .htaccess security filter. Go to code line 83 in this file – /search-by-category/search-by-category.php – and change the code to remove the 3 dots after “Search For”. You will need to deactivate and then reactivate the plugin to remove the option that was saved to your database. When you reactivate the plugin again the new option value of “Search For” without the 3 dots will be saved to your database.

    //$SBC_settings['search_text']			= 'Search For...';
    $SBC_settings['search_text']			= 'Search For';
    
    #951

    Jan Wessels
    Participant

    Hi,
    Tested it and the error has gone.
    Thanks for providing such a fast solution! Top support!

    #952

    AITpro Admin
    Keymaster

    Yep, no problem. And ideally what should really be happening with that plugin’s coding is this: it is fine to display “Search For…” before someone searches, but when a search for nothing actually occurs/is processed then the Query String should automatically be changed to something else that is safe, like creating a string replace to strip out the dots from the actual search query when it is processed. I was easily able to perform an SQL Injection hack by exploiting this plugin when I removed the BPS .htaccess security filter. 😉
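As an added example (not code from the BulletProof Security plugin or from the Search by Category plugin), the following Python script reproduces the two points made in posts #950 and #952: it applies the quoted RewriteCond pattern to the raw query string the plugin generates, showing why the `Search For...` placeholder trips the `(\.\./|\.\.)` filter, and it shows the string-replace style fix the admin suggests, where a search for nothing is normalised before the query string is built. The placeholder text, the `cat=0` parameter and the function names are assumptions taken from the thread; the regex is a Python approximation of the Apache rule, which is evaluated as an unanchored search over the undecoded `%{QUERY_STRING}`.

```python
import re
from urllib.parse import urlencode

# The BPS rule quoted in the thread: RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
# Apache runs this as an unanchored regex search over the raw query string,
# which re.search() reproduces here.
BPS_DOT_DOT_PATTERN = re.compile(r"(\.\./|\.\.)")

# Placeholder the plugin stores as its default 'search_text' option (from the thread).
PLACEHOLDER = "Search For..."


def bps_rule_blocks(query_string: str) -> bool:
    """Return True if the quoted BPS RewriteCond would match this raw query string."""
    return BPS_DOT_DOT_PATTERN.search(query_string) is not None


def build_search_query(search_text: str, cat: int = 0) -> str:
    """Build the query string the plugin sends for a search, e.g. 's=Search+For...&cat=0'.

    urlencode() leaves '.' unencoded (it is an unreserved character), so the
    dots reach the .htaccess filter literally, exactly as in the thread.
    """
    return urlencode({"s": search_text, "cat": cat})


def process_search(raw_text: str, placeholder: str = PLACEHOLDER) -> str:
    """Normalise user input before it becomes part of the query string.

    This is the 'string replace' fix suggested in post #952 (assumed
    implementation, not the plugin's own code):
      * a submission that still carries the placeholder, or nothing at all,
        is treated as an empty search;
      * any other input has its dots stripped so a '..' sequence can never be
        emitted into the query string and hit the BPS filter.
    """
    text = raw_text.strip()
    if text == placeholder or not text:
        return ""
    return text.replace(".", "")


def search_is_allowed(raw_text: str) -> bool:
    """Full pipeline: normalise the input, build the query, check it against the rule."""
    query = build_search_query(process_search(raw_text))
    return not bps_rule_blocks(query)


if __name__ == "__main__":
    # Constructed inputs: the empty-search case from the thread, a normal search,
    # and a search that legitimately contains dots.
    for text in (PLACEHOLDER, "", "Search For", "chapter..two"):
        unsanitised = build_search_query(text)
        print(f"{text!r:18} raw query {unsanitised!r:28} "
              f"blocked={bps_rule_blocks(unsanitised)} "
              f"after fix allowed={search_is_allowed(text)}")
```

Running the script shows that `s=Search+For...&cat=0` is blocked by the rule (the three dots contain `..`), that the thread's one-line fix of changing the default to `Search For` produces a query the rule never matches, and that normalising the input in `process_search()` keeps the filter in place while the plugin still works.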

    #956

    Jan Wessels
    Participant

    Interesting, and this shows how powerful the BulletProof plugin is.

