Topic: Root folder BulletProof Mode (RBM) issue

Root folder BulletProof Mode (RBM) issue

This topic has 4 replies, 2 voices, and was last updated 2 months, 3 weeks ago by Richard.

Viewing 5 posts - 1 through 5 (of 5 total)

Author

Posts

January 26, 2024 at 10:53 am #43461

Participant

On one of our websites, anytime we enable the Root folder BulletProof Mode (RBM) issue, the front end goes blank without any debug or critical error reports.

I suspect it’s because the site used to be multi-site before we took it on, and whatever the root folder access does seems to block the front end from loading. I read somewhere about it determining if it’s multi-site or not, and perhaps something hasn’t been disabled properly when they changed it from multi-site, so it’s not determining if it’s the right kind of set-up for the access.

Could anyone point me in the right direction of where in the root htaccess I might find this multi-site section as I’ve not been able to work it out?

Many thanks in advance

January 26, 2024 at 3:54 pm #43467

AITpro Admin

Keymaster

More likely is that you are missing php.ini handler htaccess code in your Root htaccess file or you need to remove old php.ini handler htaccess code in your Root htaccess file. Running the Setup Wizards would fix the problem you mentioned, but running the Setup Wizard would not fix a php.ini handler htaccess code issue. Check this BPS Root Custom Code text box for code that looks similar to this > AddHandler application/x-httpd-ea-php72 .php .php7 .phtml and comment that code out with a # sign, save your changes and activate Root folder BulletProof Mode again.

January 28, 2024 at 3:26 am #43473

Richard

Participant

I’ve checked for any add handler code and none exists.

I’ve re-run setup both with and without Root folder htaccess enabled and still all I see on the front-end is a blank page.

In the console ar numerous 4o3 errors:

GET https://www.proinso.net/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1%27%20defer%20onload=%27 net::ERR_ABORTED 403 (Forbidden)

Something seems to be forcing all main theme and soem core files to be blocked, any ideas why this might be? We have BPS running loads of other sites without any issues.

Many thanks

January 28, 2024 at 4:55 am #43474

AITpro Admin

Keymaster

Your web host is Vultr Cloud hosting. I did not find anything about whether php handlers are used on Vultr servers, which usually means the PHP server does not require php handler htaccess code. Either a plugin or your theme is adding this additional code to all .js script URL’s on your site: %27%20defer%20onload=%27, which may be what is being blocked.

For testing to confirm or eliminate that js defer code is causing the problem > copy this testing code below to this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS. Overwrite any htaccess code that is currently in that text box.
Click the Save Root Custom Code button.
Activate Root folder BulletProof Mode.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
#RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
#RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
#RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS

February 3, 2024 at 1:50 am #43512

Richard

Participant

Sorry for the delayed reponse. This has solved it, thank you very much!

Author

Posts

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

BulletProof Security Forum

Root folder BulletProof Mode (RBM) issue

Search Forums

Topic Tags