Home › Forums › BulletProof Security Free › UserPro – User Profiles with Social Login – 403 error
- This topic has 7 replies, 3 voices, and was last updated 1 week, 6 days ago by Abbas Khan.
-
AuthorPosts
-
Aaron MickelsonParticipant
Hello,
Thanks for this amazing plugin! I recently installed a plugin called UserPro http://userproplugin.com/userpro/, which provides front-end user setup – including social login. Twitter and Facebook work great, but both the LinkedIn and Instagram logins give me 403 Forbidden errors (using the Bulletproof 403 error template).
Here are the two addresses:
https://alocato.com/wp-content/plugins/userpro/lib/linkedin-auth/linkedinAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=75j4velb7u4egq&s=i4k39oXcTzafVBlg
https://alocato.com/wp-content/plugins/userpro/lib/instagram-auth/instagramAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=b64acd5d7adf45f1ba445d214ac6df7c&s=cac654b4d8bf4e38b92a9a3d8ff4fb81I’m guessing there are .htaccess rewrite rules I should be putting in place to avoid this problem, but I also have no idea what they are. Can you help me?
Thanks so much!
A–AITpro AdminKeymasterThe URL/Query string is simulating a typical RFI hacking attempt so that is most likely what is being blocked. Go to your BPS Security Log and post one of each of the LinkedIn and Instagram log entries.
BPS Troubleshooting steps
http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshootingAaron MickelsonParticipantThanks for the quick reply! Here are the logs you requested:
LinkedIn:
[403 GET / HEAD Request: October 31, 2014 - 9:37 am] Event Code: PSBR-HPR Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 75.146.124.33 Host Name: 75-146-124-33-Illinnois.hfc.comcastbusiness.net SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: https://alocato.com/profile/login/?redirect_to=https%3A%2F%2Falocato.com%2Fwp-admin%2F REQUEST_URI: /wp-content/plugins/userpro/lib/linkedin-auth/linkedinAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=75j4velb7u4egq&s=i4k39oXcTzafVBlg QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Instagram:
[403 GET / HEAD Request: October 31, 2014 - 9:38 am] Event Code: PSBR-HPR Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 75.146.124.33 Host Name: 75-146-124-33-Illinnois.hfc.comcastbusiness.net SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: https://alocato.com/profile/login/?redirect_to=https%3A%2F%2Falocato.com%2Fwp-admin%2F REQUEST_URI: /wp-content/plugins/userpro/lib/instagram-auth/instagramAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=b64acd5d7adf45f1ba445d214ac6df7c&s=cac654b4d8bf4e38b92a9a3d8ff4fb81 QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
AITpro AdminKeymasterUPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.
Ok try this first below. Since this also involves a a login page redirect then additional whitelisting may or may not be needed.
1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.IMPORTANT!!!: Edit the code below after copying it to the BPS Custom Code text box and replace “example.com” with your actual website domain name.
# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE # Use BPS Custom Code to modify/edit/change this code and to save it permanently. # Remote File Inclusion (RFI) security rules # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR] RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC] RewriteRule .* index.php [F] # # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php) RewriteCond %{REQUEST_URI} (instagramAuth\.php|linkedinAuth\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC] # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).* RewriteCond %{HTTP_REFERER} ^.*example.com.* RewriteRule . - [S=1]
Aaron MickelsonParticipantThanks for your help! This worked perfectly for the Instagram login, but no change for LinkedIn. Here’s the error:
[403 GET / HEAD Request: October 31, 2014 - 10:13 am] Event Code: PSBR-HPR Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 75.146.124.33 Host Name: 75-146-124-33-Illinnois.hfc.comcastbusiness.net SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: https://alocato.com/profile/login/?redirect_to=https%3A%2F%2Falocato.com%2Fwp-admin%2F REQUEST_URI: /wp-content/plugins/userpro/lib/linkedin-auth/linkedinAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=75j4velb7u4egq&s=i4k39oXcTzafVBlg QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
AITpro AdminKeymasterOops yeah there are 2 different files involved instead of just the one file. Add the additional linkedinAuth.php file name to this line of code below in your Custom Code code (code above has updated with this new filename). Click the Save Root Custom Code button, Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
RewriteCond %{REQUEST_URI} (instagramAuth\.php|linkedinAuth\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
Aaron MickelsonParticipantPerfect! Thanks so much for your help!
Abbas KhanParticipantHey!
My spam link is not ligging in. What is the reason and how can I solve it quickly. -
AuthorPosts
- You must be logged in to reply to this topic.