UserPro – User Profiles with Social Login – 403 error

    #18811
    Aaron Mickelson
    Participant

    Hello,

    Thanks for this amazing plugin! I recently installed a plugin called UserPro http://userproplugin.com/userpro/, which provides front-end user setup – including social login. Twitter and Facebook work great, but both the LinkedIn and Instagram logins give me 403 Forbidden errors (using the Bulletproof 403 error template).

    Here are the two addresses:
    https://alocato.com/wp-content/plugins/userpro/lib/linkedin-auth/linkedinAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=75j4velb7u4egq&s=i4k39oXcTzafVBlg
    https://alocato.com/wp-content/plugins/userpro/lib/instagram-auth/instagramAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=b64acd5d7adf45f1ba445d214ac6df7c&s=cac654b4d8bf4e38b92a9a3d8ff4fb81

    I’m guessing there are .htaccess rewrite rules I should be putting in place to avoid this problem, but I also have no idea what they are. Can you help me?

    Thanks so much!
    A–

    #18816
    AITpro Admin
    Keymaster

    The URL/query string is simulating a typical RFI hacking attempt, so that is most likely what is being blocked. Go to your BPS Security Log and post one of each of the LinkedIn and Instagram log entries.

    BPS Troubleshooting steps
    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    #18817
    Aaron Mickelson
    Participant

    Thanks for the quick reply! Here are the logs you requested:

    LinkedIn:

    [403 GET / HEAD Request: October 31, 2014 - 9:37 am]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 75.146.124.33
    Host Name: 75-146-124-33-Illinnois.hfc.comcastbusiness.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://alocato.com/profile/login/?redirect_to=https%3A%2F%2Falocato.com%2Fwp-admin%2F
    REQUEST_URI: /wp-content/plugins/userpro/lib/linkedin-auth/linkedinAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=75j4velb7u4egq&s=i4k39oXcTzafVBlg
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36

    Instagram:

    [403 GET / HEAD Request: October 31, 2014 - 9:38 am]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 75.146.124.33
    Host Name: 75-146-124-33-Illinnois.hfc.comcastbusiness.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://alocato.com/profile/login/?redirect_to=https%3A%2F%2Falocato.com%2Fwp-admin%2F
    REQUEST_URI: /wp-content/plugins/userpro/lib/instagram-auth/instagramAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=b64acd5d7adf45f1ba445d214ac6df7c&s=cac654b4d8bf4e38b92a9a3d8ff4fb81
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36

    #18821
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    OK, try this first below. Since this also involves a login page redirect, additional whitelisting may or may not be needed.

    1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    IMPORTANT!!!:  Edit the code below after copying it to the BPS Custom Code text box and replace “example.com” with your actual website domain name.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (instagramAuth\.php|linkedinAuth\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]

    #18822
    Aaron Mickelson
    Participant

    Thanks for your help! This worked perfectly for the Instagram login, but no change for LinkedIn. Here’s the error:

    [403 GET / HEAD Request: October 31, 2014 - 10:13 am]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 75.146.124.33
    Host Name: 75-146-124-33-Illinnois.hfc.comcastbusiness.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://alocato.com/profile/login/?redirect_to=https%3A%2F%2Falocato.com%2Fwp-admin%2F
    REQUEST_URI: /wp-content/plugins/userpro/lib/linkedin-auth/linkedinAuth.php?plugin_url=https://alocato.com/wp-content/plugins/&k=75j4velb7u4egq&s=i4k39oXcTzafVBlg
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36

    #18823
    AITpro Admin
    Keymaster

    Oops, yeah, there are 2 different files involved instead of just the one file. Add the additional linkedinAuth.php file name to this line of code below in your Custom Code (the code above has been updated with this new filename). Click the Save Root Custom Code button, then go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    RewriteCond %{REQUEST_URI} (instagramAuth\.php|linkedinAuth\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

    #18824
    Aaron Mickelson
    Participant

    Perfect! Thanks so much for your help!
