UAEG – Uploads Anti-Exploit Guard, Uploads BulletProof Mode

    #1014
    Benny Maisa
    Participant

    Hi. I just want to ask one question. How do I activate UAEG? I feel unsafe when I see the “off” notification in BPS. Thanks. 🙂

    #1021
    AITpro Admin
    Keymaster

    Update:  A new Uploads Anti-Exploit Guard (UAEG) Read Me First Sticky Topic has been created in the link below.

    http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

    The Uploads Anti-Exploit Guard can be turned on by going to the B-Core Security Modes page and scrolling down to…

    Activate Uploads Folder htaccess Security Mode

    Click the Uploads Anti-Exploit Guard Activate button.

    #27137
    impart
    Participant

    Second is the problem we last had with the UAEG and caching in the uploads folder, which completely broke my site.
    I did this with SetEnvIf on Apache and got it working then.  On LiteSpeed we discussed a few days ago using .htaccess files with just RewriteEngine Off in them in the directories.  Again my site is broken now because this did not work out; I have the .htaccess everywhere in /uploads/xxx, /uploads/xxx/cache, /uploads/yyy, /uploads/yyy/cache. That does also not work. Without them in the cache dirs it's also not working at all. This is really a pity, please help me, thanks!

    REQUEST_URI: /wp-content/uploads/xxx/cache/responsive-grid-js-abdeff879689.js
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    etc
    etc
    etc
    

    ________________________________
    As I told you last time (sadly you deleted it), you have a big bug in your custom UAEG handling. This time I DID first copy all of the standard UAEG htaccess into the custom code field. Everything ok, but if you want to revert to standard and delete the Custom UAEG field then nothing happens. After activating/deactivating, 20 times if you want, still the one you entered manually stays in htaccess. You told me it would be my server or anything else. I am on a completely new server with different infrastructure, LiteSpeed instead of Apache and a fresh BPS Pro, and this is still the same; the only thing that remains for me now is to delete this thing and start from scratch. I hope you can give me a solution that works on LiteSpeed for whitelisting dirs in UAEG, otherwise this is lost.
    Thanks
    Thomas

    #27155
    AITpro Admin
    Keymaster

    BPS only creates 1 UAEG htaccess file in the root /uploads folder.  If other htaccess files are being created in other /uploads folders then either something else you have installed is doing that or there is some kind of specific server problem or setting problem occurring on your server/website that is causing that problem.  If you would like for me to figure out what that server or setting problem could be then send a WordPress Administrator login to this website to:  info at ait-pro dot com.

    For a LiteSpeed Server you will need to use this alternative UAEG htaccess code instead of the standard UAEG htaccess code. We will probably create a separate UAEG htaccess file for LiteSpeed Servers in BPS Pro 11.6.  A Reset button has been added in BPS Pro 11.6 to restore the default UAEG htaccess file, which handles/resolves the other issues with UAEG.

    # BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
    #
    # BPS LiteSpeed
    #
    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    # The rewrite rules below only run when the engine is switched on in this file.
    RewriteEngine On
    # Whitelist rules must come BEFORE the forbid rule: "- [L]" leaves the URL
    # unchanged and stops rule processing, so the forbid rule is never reached.
    # Escape the dot and anchor with $ so the rule only matches files whose LAST
    # extension is the allowed one (folder-name/foo.js.phtml must still be blocked).
    # Example: whitelist all js files in a particular folder.
    RewriteRule ^folder-name/(.*)\.js$ - [L]
    # Example: whitelist an individual file anywhere in the /uploads folder.
    # The pattern is matched against the path relative to this .htaccess, so a
    # leading ^ alone would only match the file at the top of /uploads.
    RewriteRule (^|/)file-name\.js$ - [L]
    RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$ [NC]
    RewriteRule ^(.*)$ - [F]

    # FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
    # FilesMatch is tested against the file's base name, independently of the
    # rewrite rules above, so a whitelisted folder still cannot serve *.php* names.
    <FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>

    #27156
    impart
    Participant

    No one and nothing else that I have installed did that, nor did a server; I did exactly what you told me when we talked a few days ago.
    And this does not work:

    RewriteEngine Off .htaccess File Method (if you have several files in a subfolder in the uploads folder. Example: /wp-content/uploads/my-subfolder/). All files in the /my-subfolder/ folder will no longer be checked or blocked by UAEG.
    1. Open Notepad or Notepad++ (NOT Word or WordPad) on your computer.
    2. Add this one line of text in your new Notepad text file: RewriteEngine Off
    3. Save the text file with this name: securityoff.htaccess
    4. Upload the securityoff.htaccess file to the folder/directory where you want to turn security Off / prevent the parent .htaccess file from applying its security rules/directives in this folder. In this example case the folder would be: /wp-content/uploads/my-subfolder/
    5. Rename the securityoff.htaccess file to .htaccess (removing securityoff from the file name): /wp-content/uploads/my-subfolder/.htaccess

    #27159
    AITpro Admin
    Keymaster

    Ok remove those htaccess files that you created, copy the LiteSpeed UAEG htaccess file I posted in my previous reply to UAEG Custom Code, add your whitelist rule (in your case I believe you need to whitelist an entire folder), save your changes and activate UAEG BulletProof Mode.

    #27160
    impart
    Participant

    Yes, the problem for me is how do I whitelist an entire folder? Just all files in it, like this?
    RewriteRule ^folder-name/(.*).(.*) - [L]

    #27161
    AITpro Admin
    Keymaster

    You would add the actual folder name you want to whitelist in the example code that is posted above after copying the LiteSpeed UAEG code to BPS Custom Code.

    # Example: whitelist all js files in a particular folder.
    RewriteRule ^folder-name/(.*)\.js$ - [L]

    #27162
    impart
    Participant

    Hmmm, we are not talking the same language, I am afraid. The code you posted above, and now once again, whitelists all js files; I need a whole folder whitelisted or I would have to make one line for every file type. Which one should I take then here?

    #27163
    AITpro Admin
    Keymaster

    In order for the whitelist rule to work you MUST have at least 1 file extension in the whitelist rule.  So if you need to whitelist all js files and any other file types then you would do something like this:

    # Example: whitelist all js, css, png, jpg and swf files in a particular folder.
    # Keep php out of the list and anchor with $ so the allowed extension has to be
    # the last one in the file name.
    RewriteRule ^folder-name/(.*)\.(js|css|png|jpg|swf)$ - [L]

    #27164
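Added example (not from the thread and not BPS Pro's own code): a small Python emulation of the rule chain in the LiteSpeed UAEG file from #27155 combined with the folder whitelist from #27163, so you can see which request paths the rules forbid before touching the live server. It assumes Apache-style per-directory semantics: RewriteRule patterns are matched against the path relative to /wp-content/uploads/, the RewriteCond against the full REQUEST_URI, and the FilesMatch regex against the file's base name. The folder name xxx and every sample request except impart's logged one are constructed. It compares a whitelist written with an unescaped dot and no end anchor (`^xxx/(.*).js`) against the anchored form (`^xxx/(.*)\.js$`).

```python
import posixpath
import re

# Directory holding the UAEG .htaccess. Per-directory RewriteRule patterns are
# matched against the request path relative to this directory.
UPLOADS_DIR = "/wp-content/uploads/"

# Extension list copied from the LiteSpeed UAEG RewriteCond posted in the thread.
BLOCKED_EXTENSIONS = (
    "7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|"
    "DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|"
    "js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|"
    "py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|"
    "ws|wsf|xhtml|xml|z"
)
# RewriteCond %{REQUEST_URI} ^.*\.(...)$ [NC]  ->  [NC] is re.IGNORECASE
BLOCK_COND = re.compile(r"^.*\.(" + BLOCKED_EXTENSIONS + r")$", re.IGNORECASE)

# <FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">; Apache tests this against the
# base name of the requested file, independently of mod_rewrite.
FILES_MATCH_PHP = re.compile(r"\.(php|PHP|\.+(php)|\.+(PHP)).*$")

# Two ways of writing "whitelist all js files in folder xxx" (xxx is a
# constructed folder name): a loose pattern with an unescaped dot and no end
# anchor, and the tightened pattern that only matches when .js is the LAST
# extension in the name.
WHITELIST_LOOSE = [r"^xxx/(.*).js"]
WHITELIST_ANCHORED = [r"^xxx/(.*)\.js$"]


def files_match_denies(request_uri):
    """True if the FilesMatch block would answer 403 for this request."""
    return FILES_MATCH_PHP.search(posixpath.basename(request_uri)) is not None


def rewrite_forbids(request_uri, whitelist):
    """Emulate the RewriteRule chain in file order: whitelist rules first
    ('- [L]' stops processing on a match), then the RewriteCond on the full
    REQUEST_URI followed by 'RewriteRule ^(.*)$ - [F]'."""
    if not request_uri.startswith(UPLOADS_DIR):
        raise ValueError("only requests below %s reach this .htaccess" % UPLOADS_DIR)
    relative = request_uri[len(UPLOADS_DIR):]
    for pattern in whitelist:
        if re.search(pattern, relative):
            return False  # [L]: the forbid rule below is never evaluated
    return BLOCK_COND.match(request_uri) is not None


def uaeg_decision(request_uri, whitelist):
    """Combined verdict as an HTTP status: 403 if either mechanism denies."""
    if files_match_denies(request_uri) or rewrite_forbids(request_uri, whitelist):
        return 403
    return 200


# Constructed sample requests; only the first one is the path impart quoted
# from the BPS log.
SAMPLE_REQUESTS = [
    "/wp-content/uploads/xxx/cache/responsive-grid-js-abdeff879689.js",
    "/wp-content/uploads/yyy/script.js",            # other folder: still forbidden
    "/wp-content/uploads/xxx/photo.jpg",            # jpg is not on the blocklist
    "/wp-content/uploads/xxx/shell.js.php",         # FilesMatch catches .php anywhere
    "/wp-content/uploads/xxx/shell.js.phtml",       # only the end anchor catches this
    "/wp-content/uploads/xxx/cache/runtimejs.exe",  # only the escaped dot catches this
]


def evaluate_all(whitelist):
    """Map each sample request to the status the rules would return."""
    return {uri: uaeg_decision(uri, whitelist) for uri in SAMPLE_REQUESTS}


if __name__ == "__main__":
    loose, anchored = evaluate_all(WHITELIST_LOOSE), evaluate_all(WHITELIST_ANCHORED)
    print("%-66s %-6s %s" % ("request", "loose", "anchored"))
    for uri in SAMPLE_REQUESTS:
        print("%-66s %-6s %s" % (uri, loose[uri], anchored[uri]))
```

Running it prints a table in which the loose pattern answers 200 for shell.js.phtml and runtimejs.exe while the anchored pattern answers 403; shell.js.php is refused either way because FilesMatch matches .php anywhere in the name, and impart's cached .js file is served in both cases. This is a regex check of the rules as written, not a server test: after activating UAEG, confirm on the real host with curl -I against each path, because LiteSpeed's own .htaccess processing is what finally decides.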
    impart
    Participant

    Ok, and this mod_authz_core should also not be there anymore, because that's what's now in it??!?
    [mod_authz_core code example deleted]

    #27166
    AITpro Admin
    Keymaster

    Correct do not use the mod_authz_core code.  Replace your entire UAEG htaccess code in BPS UAEG Custom Code with the LiteSpeed UAEG code I posted above, add your whitelist rule, etc.

    #27167
    impart
    Participant

    Finally this seemed to work now, thanks.

    #27168
    AITpro Admin
    Keymaster

    Great!  And yeah, I think LiteSpeed may also have an issue/problem with processing IfModule directive conditional code and/or mod_authz_core code, so I should have had you use mod_access_compat code ONLY from the very beginning.  The whole IfModule directive conditional code and mod_authz_core code also has problems on a lot of different web hosts, including 1 of the top 5 biggest web hosts in the world.  It is a train wreck waiting to happen, so hopefully we are ahead of that train wreck.  The big picture is that Apache is phasing out mod_access_compat and using the new mod_authz_core directives, but a lot of hosts are going to have transitional problems with this Apache change.  We are seeing the first signs of that train wreck now and I imagine it will become a real mess in the next 2 years. 😉

    #27169
    impart
    Participant

    Yah, the future doesn’t look good generally, why not also in this world 😉
