Search Schools Network Widget 403 error

Home Forums BulletProof Security Pro Search Schools Network Widget 403 error

This topic contains 12 replies, has 2 voices, and was last updated by  AITpro Admin 5 years, 5 months ago.

Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #10283

    Stewart Marshall
    Participant

    I am using a search form which should display the search results on my website.  It works fine whe BPS is not activated, but when activated I get a 403 error.  The BPS log gives me the following:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - October 1, 2013 - 5:50 am <<<<<<<<<<<
    REMOTE_ADDR: 209.118.252.231
    Host Name: 209.118.252.231
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //widget.searchschoolsnetwork.com/widget.jsp?&sub=HEALTH-HEALTHCARE-NURSING&clr=red&box=0&wtpl=1&rsurl=http://abouthealthdegrees.com/resultspage/&PubWebSiteName=abouthealthdegrees.com
    REQUEST_URI: /resultspage/?qual=all&search=search&ct=either&clr=red&rsurl=http://abouthealthdegrees.com/resultspage/&pc=30319&box=0&PubWebSiteName=abouthealthdegrees.com&wtpl=1&sub=HEALTH-HEALTHCARE-NURSING
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36

    I’d be grateful to know how I can remove the BPS block to the search request.  Thanks.

    #10285

    AITpro Admin
    Keymaster

    This is being blocked by BPS because the URL is a simulated RFI hacking attempt against your website.  To whitelist/allow this do these steps below.  This is whitelisting the Referer domain and also the widget.jsp file.

    1. Copy this .htaccess code below to this BPS Custom Code text box:  CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE.
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (widget\.jsp|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^(.*searchschoolsnetwork.com.*|.*abouthealthdegrees.com.*)
    RewriteRule . - [S=1]
    #10286

    Stewart Marshall
    Participant

    Thanks.  I did all that but I still get the 403 error when using the search form.  However, now I don’t get an error report in Security Log file. Anything else I should be doing?

    Thanks

    #10287

    AITpro Admin
    Keymaster

    When I look at the Source Code of your site I see another src link for this widget that contains this js file:  pubwidget.js.
    widget.searchschoolsnetwork.com/imageserver/searchschoolsnetwork/js/pubwidget.js
    Try whitelisting this file as well by adding it to whitelisted files in the code example as shown below.

    RewriteCond %{REQUEST_URI} (pubwidget\.js|widget\.jsp|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

    Also is this Widget a part of the Jetpack plugin or is it some other Widget from another plugin or is this a custom Widget that you have created?

    #10291

    Stewart Marshall
    Participant

    Thanks again.  Added the extra line – but same result – a 403 error when I use the search form.  And I still don’t get an error report in the Security Log file.  It’s a Widget from a plugin provided by an affiliate network.

    #10292

    AITpro Admin
    Keymaster

    Then you will probably need to create a skip/bypass rule for that plugin.

    1. Add this skip/bypass rule below to this BPS Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES:
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
    NOTE: If your WordPress installation is in a subfolder then add the WordPress subfolder name to the skip/bypass rule.  Example:  /MyWordPressFolderName/wp-content/plugins/plugin-folder-name/
    Add the actual Plugin folder name in place of “plugin-folder-name” below.

    # Plugin Name skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/plugin-folder-name/ [NC]
    RewriteRule . - [S=13]
    #10294

    Stewart Marshall
    Participant

    Thanks.  Added the skip/bypass rule – but same result – a 403 error when I use the search form 🙁

     

    #10304

    AITpro Admin
    Keymaster

    I have split this Search Schools Network Widget issue to a new Forum Topic. Post the 403 error message.  This Widget uses an iframe to display search results so maybe the BPS security rules/filters for iframes are blocking this widget.  Do these troubleshooting steps below to isolate the security rules/filters that are causing this Widget to be blocked.

    BPS Pro 11.6+ & BPS free .53.2+
    You may see this code or the 11.5+/.53.1+ code in your root htaccess file.  The code does the same exact thing and is whitelisted in the same exact way.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    BPS Pro 11.5+ & BPS free .53.1+

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ - [R=405,L]

    BPS Pro 11.4|BPS free .53 and lower versions

    Try this first:  Edit your root .htaccess file and remove HEAD| from this code/filter.

    Example: (TRACE|DELETE|TRACK|DEBUG)

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and 
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]

    If the problem is still occurring then comment out all the BPS Query String code/rules by putting a pound sign # in front of each rule:

    IMPORTANT!  Do not put a pound sign in front of this rule/filter:  RewriteCond %{QUERY_STRING} (sp_executesql) [NC] and leave it as is.  Do not put a pound sign in front of the RewriteRule:  RewriteRule ^(.*)$ – [F,L]

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    #RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    #RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    #RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    ...
    ...
    ...
    #RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    #RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    #10341

    Stewart Marshall
    Participant

    Great – thanks.  Commenting out all the BPS Query String code/rules did the trick.  So I then went through them uncommenting a few at a time until BPS blocked the  Search Schools Network Widget again.  In this way, I was able to determine that just four of the rules needed to be commented:

    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    #10342

    AITpro Admin
    Keymaster

    Excellent job!

    1. Copy the entire section of the BPS Query String Exploits code from your root .htaccess file and paste it into this BPS Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    Important Note:  Be sure to ONLY copy the BPS Query String Exploits code starting from # BEGIN BPSQSE BPS QUERY STRING EXPLOITS to # END BPSQSE BPS QUERY STRING EXPLOITS as shown below.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    .....
    .....
    .....
    # END BPSQSE BPS QUERY STRING EXPLOITS
    #10345

    Stewart Marshall
    Participant

    Thanks.  I actually made the changes via BPS Custom Code each time so as to ensure that I kept a copy:-)

    #10346

    AITpro Admin
    Keymaster

    Well done!  Thanks for finding and confirming the solution.  Very much appreciated.  😉

    #15828

    AITpro Admin
    Keymaster

    [Forum Topic manually moved to this relevant Forum Topic]

    I have a “school search” plugin on my wordpress site whereby someone fills some search parameter info into a form and submits it.  This search parameter info goes into a database at a 3rd party business, and the search results (should) get displayed on a page back on my site.  However, a 403 error results.  We replaced the BPS htaccess file with a standard wordpress htaccess file and the school search plugin works properly.  How do I setup a whitelist?

    Thanks!  Will

    Here is the security log from BPS:

    [403 GET / HEAD Request: June 24, 2014 - 2:17 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 74.220.197.121
    Host Name: 74-220-197-121.unifiedlayer.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://widget.searchschoolsnetwork.com/widget.jsp?&sub=VOCATIONAL-TRADE&clr=blue&box=0&wtpl=1&rsurl=http://www.eplumbingcourses.com/qsdynamiclistingpage/&PubWebSiteName=www.eplumbingcourses.com
    REQUEST_URI: /qsdynamiclistingpage/?qual=all&search=search&ct=either&clr=blue&rsurl=http://www.eplumbingcourses.com/qsdynamiclistingpage/&pc=84043&box=0&PubWebSiteName=www.eplumbingcourses.com&wtpl=1&sub=VOCATIONAL-TRADE
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Viewing 13 posts - 1 through 13 (of 13 total)

You must be logged in to reply to this topic.