url params not allowed to pass


This topic contains 17 replies, has 2 voices, and was last updated by  AITpro Admin 6 years, 8 months ago.

Viewing 15 posts - 1 through 15 (of 18 total)
    #2103

    Patrick
    Member

    I’ve just started using BPS and so far am really impressed. However one function it has “broken” on my site is the ability to pass url parameters in php using GET (maybe POST too–not sure yet). I have verified this is the cause because with BPS off, it functions normally again. Can anyone suggest what part of the htaccess file(s) would be disallowing this? And can I get around it? Thanks in advance.

    #2106

    AITpro Admin
    Keymaster

    Please post specific details of the problem. Does it involve another plugin? What exactly are you doing that is not working? Please post step by step details of what is not working and any specific URLs, query strings, etc. Thanks.

    #2109

    Patrick
    Member

    The issue does not involve another plugin.
    Essentially, this is a web form and its associated pages. It is for creation of an account to then allow for management and creation of list items that are displayed on web pages. Upon account creation, it takes the user to a login page for verification. Upon successful login, a list of items is presented and new records can be added or any can be edited. The record IDs, etc., may be passed in the url for presenting an edit page or other options, thus my question about url params (just a hunch).
    I can’t provide a url because it is not for public consumption (plus account creation is only selectively unlocked). However I am happy to provide anything that won’t compromise its security.
    My web host suggested it was the BPS suggested permissions I changed. I changed them back but it did not help. I thought about commenting out an entire section of the htaccess file but I am not sure which parts I could do without for the sake of isolating this. BTW, if I leave everything alone but only turn off the secure htaccess file, everything works again. So I believe the problem is there.
    You’re very kind to help. Thanks again.

    #2110

    Patrick
    Member

    Clarification: I meant to say if I turn off only the root htaccess file, everything works again.

    #2112

    AITpro Admin
    Keymaster

    Without any details of what the problem is I cannot troubleshoot this. Please check your BPS Security Log and post ONLY logged errors that would be directly related to this issue. If you want to maintain privacy then edit the log entry to not expose your domain or IP address.

    #2113

    AITpro Admin
    Keymaster

    My hunch is that there are unsafe coding characters being used in the URL and that is what is being blocked.

    #2128

    Patrick
    Member

    I will try to retrieve and prepare the logs as prescribed, then post them. Regarding characters, I did try commenting, selectively, a number of items in the root htaccess file to no avail. I then tried basically taking all the “add-ons” to the htaccess file (from PLUGINS AND VARIOUS EXPLOIT… through the full BPSQSE BPS… section) to see if that might show me the way but had no luck with that either. I verified it has the correct php handler info for my host. I also commented out the three lines for REQUEST METHODS FILTERED and it did not help.
    Thanks.

    #2129

    Patrick
    Member

    Interesting: I checked the log file and was going to do a couple of transactions I knew would absolutely register there. I did them, then checked so I could prepare and send them, and there were no entries for the transactions. There were others for this morning, however. I went ahead and clicked “Turn On Error Logging” even though it is already, somewhat. I then got an ironic warning message that I have to give write permissions for the root htaccess before that will work. Yet your recommendations are 0400 for the file’s permissions (and it IS logging to some extent). What do you think about this?

    #2131

    Patrick
    Member

    0404 permissions, rather. That is what I am using for the htaccess file.

    #2134

    AITpro Admin
    Keymaster

    Yes, that is correct you would need to unlock your root .htaccess first before being able to turn Error Logging back On if it was actually turned off. For several functions within BPS, BPS will automatically lock and unlock the root .htaccess file, but turning error logging on or off does not have this automated feature. It probably should have this so I will add this in the next version of BPS.

    Ok so at this point can you post query strings or anything else that I can look at? I need to know what is being sent or what is actually happening. Thanks.

    #2135

    Patrick
    Member

    I am confused as hell, now. Before I went in and changed permissions for the htaccess file in order to ensure that logfile writing is available (even though, as I said before, it was in fact writing to some extent), I could turn off, then back on the logging and I would get the warning in red text at the top of the page about the file needing to be writable. However if I scrolled down, in green it would indicate the read/write test was successful and there would of course be log info.
    I then went ahead and changed the permissions to 0644 as well as trying 0664 and in neither case did my activities produce any logfile information. The errors I got on the two activities I was using to assuredly produce entries did (and do) get 403 errors so they ought to be logging there. Right? I refreshed and updated but they did not show up.

    #2138

    AITpro Admin
    Keymaster

    There is a condition/situation where if you are using javascript or jQuery or thickbox or some other form of pop up display then what happens is that in some cases error messages will NOT be logged. I believe this is because the pop up itself creates some sort of isolated condition/situation and is not tied directly somehow to a direct error on the site. I have been meaning to look into the exact technical details of why this occurs so that I can understand this better myself.

    Post the URL or query string or the error message in your browser/page so that I can look at it. Thanks.

    #2149

    Patrick
    Member

    I can’t, except for the forbidden message and a hypothetical example.
     
    Basically, anything in this subdirectory (which I noticed has its own htaccess file since adding BPS, although it seems innocuous and I can rename or delete  it and get the same results) of the site ../xxx/file1(2…3…4…5…etc).php will not generate an error unless or until the “?” is added and there’s an attempt to pass a parameter (or interact with the database?). Whether or not the problem is ONLY in this directory, I don’t know, because this is the only place where this kind of application is used. An example:
     
    ../xxx/file2.php works
    ../xxx/file2.php?recordid=9  or ../xxx/file3.php?anyparameter=value   would not work. Either would return the 403 forbidden error: 
    Forbidden
    You don’t have permission to access /xxx/file2.php on this server.
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    #2150

    AITpro Admin
    Keymaster

    It is not a hypothetical guess. I have documented this as fact. What I have not had time to look at is why this issue occurs. Logically since a new window is spawned then this creates some sort of condition where the window is no longer directly tied into the site. This is scheduled to be investigated further.

    I don’t see anything in that query string that would be blocked so it is not an issue with unsafe coding characters being used in the query string itself. If file2.php works then logically something about the query string parameters that are being requested is going to be the issue. How about trying a basic skip/bypass rule?

    I still do not know enough about the exact scenario to give you an exact answer, but these are some logical things to try based on the information you have provided.

    Skip/bypass rules for 3rd Party Apps or RewriteEngine Off htaccess file:  http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress

    A basic skip/bypass rule based on a Query string in the root .htaccess file.  This skip/bypass rule would go above skip/bypass rule #12:

    # Query string skip/bypass rule
    # Replace some-variable=some-value with the parameter that is being blocked.
    # [NC] makes the condition case-insensitive; [S=13] skips the next 13
    # RewriteRule directives when the condition matches.
    RewriteCond %{QUERY_STRING} some-variable=some-value(.*) [NC]
    RewriteRule . - [S=13]

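The 403 on `../xxx/file2.php?recordid=9` described in #2149 and the skip/bypass rule in #2150 both come down to which RewriteCond on %{QUERY_STRING} fires first, and the thread never gets to see the rule that does. The following is an added example, not BulletProof Security's code and not part of the original posts: a small offline emulator of the mod_rewrite subset these filters use. The rules in HTACCESS are constructed stand-ins for BPS-style query-string filters (not the plugin's actual rule set), with a hypothetical bypass rule for the thread's `recordid` parameter placed above them. Paste the real RewriteCond/RewriteRule lines from the root .htaccess in their place and run the URLs that 403 through `evaluate()` to get the line number of the rule that forbids them.

```python
"""Offline emulator for the mod_rewrite subset used by query-string filters.
Added example, not BulletProof Security's code; HTACCESS is a constructed
stand-in for BPS-style filters, not the plugin's actual rules."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed .htaccess fragment (hypothetical rules).  The S= count must equal
# the number of RewriteRule lines the bypass jumps over: 3 here, 13 in the
# post above for BPS's own file.
HTACCESS = r"""
RewriteEngine On
# hypothetical skip/bypass rule for the thread's recordid parameter
RewriteCond %{QUERY_STRING} recordid=(.*) [NC]
RewriteRule . - [S=3]
# hypothetical filters: traversal, script tag / UNION SELECT, PHP eval
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [NC]
RewriteRule .* - [F]
RewriteCond %{QUERY_STRING} (<|%3C)(script) [NC,OR]
RewriteCond %{QUERY_STRING} (union)(.*)(select) [NC]
RewriteRule .* - [F]
RewriteCond %{QUERY_STRING} (base64_encode|eval\() [NC]
RewriteRule .* - [F]
"""


@dataclass
class Cond:
    var: str        # server variable, e.g. QUERY_STRING
    pattern: str
    negate: bool    # leading "!"
    nocase: bool    # [NC]
    or_next: bool   # [OR]: OR this condition with the following one


@dataclass
class Rule:
    conds: List[Cond]
    pattern: str    # RewriteRule pattern, matched against the path
    flags: List[str]
    line_no: int    # line in the .htaccess text, for reporting


SUPPORTED = {"QUERY_STRING", "REQUEST_URI", "REQUEST_METHOD"}


def _flags(tokens: List[str]) -> List[str]:
    return tokens[3].strip("[]").split(",") if len(tokens) > 3 else []


def parse_htaccess(text: str) -> List[Rule]:
    """Parse RewriteCond/RewriteRule lines (unquoted patterns, as these
    filters are written); comments and other directives are ignored."""
    rules, pending = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "RewriteCond":
            var = tok[1].strip("%{}")
            if var not in SUPPORTED:
                raise ValueError(f"line {n}: %{{{var}}} is not emulated")
            fl = _flags(tok)
            pending.append(Cond(var, tok[2].lstrip("!"), tok[2].startswith("!"),
                                "NC" in fl, "OR" in fl))
        elif tok[0] == "RewriteRule":
            rules.append(Rule(pending, tok[1], _flags(tok), n))
            pending = []
    return rules


def _conds_hold(conds: List[Cond], req: dict) -> bool:
    """Conditions are ANDed; [OR] joins one with the next, so
    a [OR] / b / c evaluates as (a or b) and c."""
    groups, cur = [], []
    for c in conds:
        hit = re.search(c.pattern, req[c.var],
                        re.IGNORECASE if c.nocase else 0) is not None
        cur.append(hit != c.negate)      # "!" inverts the match
        if not c.or_next:
            groups.append(cur)
            cur = []
    if cur:                              # dangling [OR] on the last condition
        groups.append(cur)
    return all(any(g) for g in groups)


def evaluate(rules: List[Rule], url: str, method: str = "GET") -> Tuple[int, Optional[int]]:
    """Walk the rules as mod_rewrite does in a per-directory (.htaccess)
    context.  Returns (HTTP status, line number of the deciding rule)."""
    parts = urlsplit(url)
    req = {"QUERY_STRING": parts.query, "REQUEST_URI": parts.path,
           "REQUEST_METHOD": method}
    path = parts.path.lstrip("/")        # .htaccess context strips the leading "/"
    i = 0
    while i < len(rules):
        r = rules[i]
        if re.search(r.pattern, path) and _conds_hold(r.conds, req):
            if "F" in r.flags:           # [F]: 403 Forbidden, processing stops
                return 403, r.line_no
            skip = [f for f in r.flags if f.startswith("S=")]
            if skip:                     # [S=n]: jump over the next n rules
                i += int(skip[0][2:])
            elif "L" in r.flags:         # [L]: stop the rule set, request allowed
                return 200, r.line_no
        i += 1
    return 200, None


RULES = parse_htaccess(HTACCESS)
FILTERS_ONLY = RULES[1:]                 # the same file without the bypass rule

if __name__ == "__main__":
    for u in ["/xxx/file2.php?recordid=9",
              "/xxx/file3.php?recordid=9&page=../../etc/passwd"]:
        print(u, "with bypass:", evaluate(RULES, u),
              "filters only:", evaluate(FILTERS_ONLY, u))
```

Two things the emulator makes visible. First, `recordid=9` matches none of the constructed filters, which is the point AITpro makes in #2150: if the real file still returns 403, it is some other RewriteCond (or a non-QUERY_STRING one, which the parser refuses rather than guessing at) and the line number tells you which. Second, a bypass keyed on `recordid=(.*)` is coarse: any request carrying that parameter, including `?recordid=9&page=../../etc/passwd`, skips all of the filters it jumps over, so once the blocking rule is known it is worth narrowing the pattern (for example `^recordid=[0-9]+$`) or adding a RewriteCond on %{REQUEST_URI} that limits the bypass to the /xxx/ application. The trailing "500 Internal Server Error ... while trying to use an ErrorDocument" in Patrick's 403 page is a separate Apache condition, the configured ErrorDocument for 403 itself failing to be served, and is not something this emulator reproduces.
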
    #2151

    Patrick
    Member

    Okay. I couldn’t find any documentation–I guess I wasn’t searching for the right answers (keywords). I will do as you suggest and post back. Thanks again for your responsiveness. BTW I also wondered about it being a referrer issue but my commenting out stuff didn’t affect that part of it, either.

