Web Librarian Plugin – 403 error


Viewing 9 posts - 1 through 9 (of 9 total)
  • #14698
    Kristy
    Participant

    Here is the code I am seeing in my Security Log:

    
    [403 GET / HEAD Request: April 6, 2014 - 8:26 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: ...MY IP
    Host Name: ...
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: MY DOMAIN/wp-admin/admin.php?page=weblib-add-item-collection
    REQUEST_URI: /wp-admin/admin.php?page=weblib-add-item-collection&barcode=9780739905296&title=Building+Christian+English%3A++Building+Securely%2C+Grade+7+Teacher%27s+Manual&itemauthor=Rod+and+Staff+Publishers%2C+Inc.&subject=Language+Arts&description=Teacher%27s+manual+for+grade+7+grammar+and+writing+curriculum&itemcategory=Curriculum&media=Hardcover&publisher=Rod+and+Staff+Publishers%2C+Inc.&publocation=Crockett%2C+KY&pubdate=jan%2F1996&edition=2nd&isbn=0-7399-0529-5&type=School+Year&thumburl=http%3A%2F%2Fwww.milestonebooks.com%2Fimg%2F1-12797-3%2830%29.jpg&callnumber=&keywordlist=GRAMMAR%2C+WRITING%2C+CURRICULUM%2C+MIDDLE+SCHOOL%2C+TEACHER+MANUAL&newkeyword=&additem=Add+New+Item
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36

    As you can see, the firewall is preventing me from adding items to our library plugin.  Thank you for providing a custom code to allow this plugin to function correctly!

     

    #14700
    AITpro Admin
    Keymaster

    It looks like what is being blocked is the urlencoded single quote code character/apostrophe:  %27 by the wp-admin .htaccess file.

    1.  Copy this modified wp-admin BPS Query String Exploits code below to this BPS wp-admin Custom Code text box:  CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS:  Modify Query String Exploit code here

    IMPORTANT NOTE:  This is the wp-admin .htaccess file code and not the Root .htaccess file code.  There are slight differences between the root .htaccess file and wp-admin .htaccess file Query String Exploits code.

    This Forum Topic link below shows the Root .htaccess file Query String Exploits code with apostrophe/single quote modifications made to the Root .htaccess file BPS Query String Exploits code.
    http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

    2.  Click the Save wp-admin Custom Code button.

    3.  Go to the BPS Security Modes page and activate wp-admin BulletProof Mode.
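Added example (not part of the original posts and not BPS code): a small Python check that replays the query string from the logged REQUEST_URI against a subset of the QUERY_STRING conditions posted above, to see which condition returns the 403. It assumes mod_rewrite compares %{QUERY_STRING} in its raw, still URL-encoded form and that Python's `re` reads these patterns the same way Apache's PCRE does; the URI is shortened from the log, and `relax_apostrophe` is a hypothetical helper, not the project's official modification.

```python
import re

# QUERY_STRING conditions copied verbatim from the wp-admin code posted above (subset).
POSTED_RULES = r"""
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
"""

# Shortened from the REQUEST_URI in the Security Log entry (same encoding, fewer fields).
LOGGED_URI = (
    "/wp-admin/admin.php?page=weblib-add-item-collection"
    "&title=Building+Christian+English%3A++Building+Securely%2C+Grade+7+Teacher%27s+Manual"
    "&description=Teacher%27s+manual+for+grade+7+grammar+and+writing+curriculum"
    "&thumburl=http%3A%2F%2Fwww.milestonebooks.com%2Fimg%2F1-12797-3%2830%29.jpg"
    "&additem=Add+New+Item"
)

COND_RE = re.compile(r"RewriteCond\s+%\{QUERY_STRING\}\s+(\S+)\s+\[([A-Z,]+)\]$")

def parse_conditions(rules_text):
    """Return (pattern, compiled regex) for every QUERY_STRING RewriteCond line."""
    conds = []
    for line in rules_text.strip().splitlines():
        m = COND_RE.match(line.strip())
        if m:
            flags = re.IGNORECASE if "NC" in m.group(2).split(",") else 0
            conds.append((m.group(1), re.compile(m.group(1), flags)))
    return conds

def blocking_conditions(request_uri, rules_text):
    """List (pattern, matched text) for each condition the raw query string hits."""
    query = request_uri.partition("?")[2]  # left URL-encoded on purpose (assumption above)
    hits = []
    for pattern, rx in parse_conditions(rules_text):
        m = rx.search(query)
        if m:
            hits.append((pattern, m.group(0)))
    return hits

def relax_apostrophe(rules_text):
    """Hypothetical relaxation: drop the ' and %27 alternatives from the conditions."""
    return rules_text.replace("'|", "").replace("%27|", "")

if __name__ == "__main__":
    for pattern, matched in blocking_conditions(LOGGED_URI, POSTED_RULES):
        print("BLOCKED BY:", pattern[:40], "...\n  matched:", matched[:60], "...")
```

On the logged request the only hit is the long condition that pairs a quote-like token with a later keyword: `%27` in `Teacher%27s` is followed further along by `script` inside `description`. The same request with `%27` removed, or checked against the relaxed copy of the rules, produces no hit.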

    #14703
    Kristy
    Participant

    I followed the instructions above, and it is still producing the forbidden error:

    
    [403 GET / HEAD Request: April 7, 2014 - 1:03 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: My personal IP
    Host Name: My personal IP.dhcp.aubn.al.charter.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://MY DOMAIN/wp-admin/admin.php?page=weblib-add-item-collection
    REQUEST_URI: /wp-admin/admin.php?page=weblib-add-item-collection&barcode=9780739905296&title=Building+Christian+English%3A++Building+Securely%2C+Grade+7+Teacher%27s+Manual&itemauthor=Rod+and+Staff+Publishers%2C+Inc.&subject=Language+Arts&description=Teacher%27s+manual+for+grade+7+grammar+curriculum&itemcategory=Curriculum&media=Hardcover&publisher=Rod+and+Staff+Publishers%2C+Inc.&publocation=Crockett%2C+KY&pubdate=jan%2F1996&edition=2nd&isbn=0-7399-0529-5&type=School+Year&thumburl=http%3A%2F%2Fwww.milestonebooks.com%2Fimg%2F1-12797-3%2830%29.jpg&callnumber=&keywordlist=GRAMMAR%2C+WRITING%2C+CURRICULUM%2C+MIDDLE+SCHOOL%2C+TEACHER+MANUAL&newkeyword=&additem=Add+New+Item
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36

    Going to try inputting without apostrophes to see if it resolves.  We are trying out this plugin, and it looks like it is fairly finicky….hmm…

    #14704
    Kristy
    Participant

    Ok, I took away the apostrophes inside the entry’s text boxes, and it worked.  Not sure why the custom code did not resolve the problem, but at least I know what’s causing the error now.  Thank you for your assistance!

    #14705
    AITpro Admin
    Keymaster

    Actually that is the smartest thing to do – not use the single quote code character – it is the #1 MOST dangerous coding character when used maliciously by hackers.  Probably you saved the custom code to the Root Custom Code Query String Exploits text box instead of the wp-admin Custom Code Query String Exploits text box.  In any case, delete the custom code wherever you added it since you are doing the smart thing – not using single quote coding characters in query strings/URLs.

    #14708
    Kristy
    Participant

    Ok…I’m not sure what to do. It works then it doesn’t…it’s driving me crazy!  Here is the error page text:  “
    Forbidden
    You don’t have permission to access /wp-admin/admin.php on this server.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.”

    Any ideas? Is there another way to change permissions?

    There is no log of this in the Security Log…is this a plugin issue then?

    #14710
    AITpro Admin
    Keymaster

    BPS takes over security and error handling to log events/errors in the Security Log file so yes it is possible that the root cause of this problem is something else and not BPS.  Typically an intermittent problem indicates a cache, ISP connection or Host Server problem.  If BPS is blocking something then it will be consistently blocked until you create a whitelist rule so it does not sound like the problem is being caused by BPS.

    To completely eliminate BPS do these steps:

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
    2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.  See Custom Code Note if doing this step works.

    #14711
    AITpro Admin
    Keymaster

    I will install and test this plugin and see if I can figure out this issue.  Will post back here in a little bit.

    #14712
    AITpro Admin
    Keymaster

    Actually I will not be able to test this plugin.  I got as far as…

    Your AWS account credentials have been created, but in order to begin using any of the services, you will need to provide your payment information and continue. There is no fee to sign up and you only pay for what you use.

    …I don’t do hostage signups out of principle.  😉
