Search Schools Network Widget 403 error

[Stewart Marshall]

I am using a search form which should display the search results on my website.  It works fine whe BPS is not activated, but when activated I get a 403 error.  The BPS log gives me the following:

>>>>>>>>>>> 403 GET or Other Request Error Logged - October 1, 2013 - 5:50 am <<<<<<<<<<<
REMOTE_ADDR: 209.118.252.231
Host Name: 209.118.252.231
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //widget.searchschoolsnetwork.com/widget.jsp?&sub=HEALTH-HEALTHCARE-NURSING&clr=red&box=0&wtpl=1&rsurl=http://abouthealthdegrees.com/resultspage/&PubWebSiteName=abouthealthdegrees.com
REQUEST_URI: /resultspage/?qual=all&search=search&ct=either&clr=red&rsurl=http://abouthealthdegrees.com/resultspage/&pc=30319&box=0&PubWebSiteName=abouthealthdegrees.com&wtpl=1&sub=HEALTH-HEALTHCARE-NURSING
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36

I’d be grateful to know how I can remove the BPS block to the search request.  Thanks.

[AITpro Admin]

This is being blocked by BPS because the URL is a simulated RFI hacking attempt against your website.  To whitelist/allow this do these steps below.  This is whitelisting the Referer domain and also the widget.jsp file.

1. Copy this .htaccess code below to this BPS Custom Code text box:  CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE.
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
# 
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (widget\.jsp|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^(.*searchschoolsnetwork.com.*|.*abouthealthdegrees.com.*)
RewriteRule . - [S=1]

[Stewart Marshall]

Thanks.  I did all that but I still get the 403 error when using the search form.  However, now I don’t get an error report in Security Log file. Anything else I should be doing?

Thanks

[AITpro Admin]

When I look at the Source Code of your site I see another src link for this widget that contains this js file:  pubwidget.js.
widget.searchschoolsnetwork.com/imageserver/searchschoolsnetwork/js/pubwidget.js
Try whitelisting this file as well by adding it to whitelisted files in the code example as shown below.

RewriteCond %{REQUEST_URI} (pubwidget\.js|widget\.jsp|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

Also is this Widget a part of the Jetpack plugin or is it some other Widget from another plugin or is this a custom Widget that you have created?

[Stewart Marshall]

Thanks again.  Added the extra line – but same result – a 403 error when I use the search form.  And I still don’t get an error report in the Security Log file.  It’s a Widget from a plugin provided by an affiliate network.

[AITpro Admin]

Then you will probably need to create a skip/bypass rule for that plugin.

1. Add this skip/bypass rule below to this BPS Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES:
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
NOTE: If your WordPress installation is in a subfolder then add the WordPress subfolder name to the skip/bypass rule.  Example:  /MyWordPressFolderName/wp-content/plugins/plugin-folder-name/
Add the actual Plugin folder name in place of “plugin-folder-name” below.

# Plugin Name skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/plugin-folder-name/ [NC]
RewriteRule . - [S=13]

[Stewart Marshall]

Thanks.  Added the skip/bypass rule – but same result – a 403 error when I use the search form 🙁

 

[AITpro Admin]

I have split this Search Schools Network Widget issue to a new Forum Topic. Post the 403 error message.  This Widget uses an iframe to display search results so maybe the BPS security rules/filters for iframes are blocking this widget.  Do these troubleshooting steps below to isolate the security rules/filters that are causing this Widget to be blocked.

BPS Pro 11.6+ & BPS free .53.2+
You may see this code or the 11.5+/.53.1+ code in your root htaccess file.  The code does the same exact thing and is whitelisted in the same exact way.

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

BPS Pro 11.5+ & BPS free .53.1+

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ - [R=405,L]

BPS Pro 11.4|BPS free .53 and lower versions

Try this first:  Edit your root .htaccess file and remove HEAD| from this code/filter.

Example: (TRACE|DELETE|TRACK|DEBUG)

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and 
# remove/delete HEAD| from the Request Method filter.
# Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
# The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]

If the problem is still occurring then comment out all the BPS Query String code/rules by putting a pound sign # in front of each rule:

IMPORTANT!  Do not put a pound sign in front of this rule/filter:  RewriteCond %{QUERY_STRING} (sp_executesql) [NC] and leave it as is.  Do not put a pound sign in front of the RewriteRule:  RewriteRule ^(.*)$ – [F,L]

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
#RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
...
...
...
#RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
#RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS

[Stewart Marshall]

Great – thanks.  Commenting out all the BPS Query String code/rules did the trick.  So I then went through them uncommenting a few at a time until BPS blocked the  Search Schools Network Widget again.  In this way, I was able to determine that just four of the rules needed to be commented:

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]

[AITpro Admin]

Excellent job!

1. Copy the entire section of the BPS Query String Exploits code from your root .htaccess file and paste it into this BPS Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

Important Note:  Be sure to ONLY copy the BPS Query String Exploits code starting from # BEGIN BPSQSE BPS QUERY STRING EXPLOITS to # END BPSQSE BPS QUERY STRING EXPLOITS as shown below.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
.....
.....
.....
# END BPSQSE BPS QUERY STRING EXPLOITS

[Stewart Marshall]

Thanks.  I actually made the changes via BPS Custom Code each time so as to ensure that I kept a copy:-)

[AITpro Admin]

Well done!  Thanks for finding and confirming the solution.  Very much appreciated.  😉

[AITpro Admin]

[Forum Topic manually moved to this relevant Forum Topic]

I have a “school search” plugin on my wordpress site whereby someone fills some search parameter info into a form and submits it.  This search parameter info goes into a database at a 3rd party business, and the search results (should) get displayed on a page back on my site.  However, a 403 error results.  We replaced the BPS htaccess file with a standard wordpress htaccess file and the school search plugin works properly.  How do I setup a whitelist?

Thanks!  Will

Here is the security log from BPS:

[403 GET / HEAD Request: June 24, 2014 - 2:17 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 74.220.197.121
Host Name: 74-220-197-121.unifiedlayer.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://widget.searchschoolsnetwork.com/widget.jsp?&sub=VOCATIONAL-TRADE&clr=blue&box=0&wtpl=1&rsurl=http://www.eplumbingcourses.com/qsdynamiclistingpage/&PubWebSiteName=www.eplumbingcourses.com
REQUEST_URI: /qsdynamiclistingpage/?qual=all&search=search&ct=either&clr=blue&rsurl=http://www.eplumbingcourses.com/qsdynamiclistingpage/&pc=84043&box=0&PubWebSiteName=www.eplumbingcourses.com&wtpl=1&sub=VOCATIONAL-TRADE
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0

[Author]

Posts