WP Residence Real Estate WordPress Theme Advanced Search 403 error
Tagged: 403 error, advanced search, search
- This topic has 14 replies, 2 voices, and was last updated 7 years, 8 months ago by
AITpro Admin.
Tom
Participant
Hi. When BulletProof Security htaccess Files is Activated and when I do search on site
oup.com/advanced-search/?filter_search_action[]=&filter_search_type[]=&advanced_city=&advanced_area=&advanced_rooms=&advanced_bath=&price_low=50000>&price_max=5500000>&submit=SEARCH
I get this error.
403 Forbidden Error Page. If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
What to do? Thank you for doing good job! Tom
AITpro Admin
Keymaster
What I recommend is that you create a skip/bypass RewriteRule for the advanced-search URI. By only allowing dangerous code characters in your advanced-search feature you would not have to remove/modify/change any BPS security filters site-wide. Hopefully the advanced-search feature you are using has security protection.
1. Go to the BPS htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down in your Root .htaccess file code until you see this .htaccess code below.
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
2. Copy your # WP REWRITE LOOP START code to this BPS Root Custom Code text box: CUSTOM CODE WP REWRITE LOOP START
3. After you have copied your WP Rewrite Loop Start .htaccess code then add the skip/bypass RewriteRule code for the advanced-search URI. Your code should look like this example below.
4. Click the Save Root Custom Code button.
5. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# RewriteRule for advanced search
RewriteRule ^advanced-search/$ - [L]
Similar Topics:
http://forum.ait-pro.com/forums/topic/403-error-while-performing-a-search/
http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939
http://forum.ait-pro.com/forums/topic/search-schools-network-widget-403-error/
http://forum.ait-pro.com/forums/topic/search-string-403-error/
http://forum.ait-pro.com/forums/topic/plugin-search-by-category-issue/
Tom
Participant
Thank you for very quick answer. In field “CUSTOM CODE WP REWRITE LOOP START” I have written:
# CUSTOM CODE WP REWRITE LOOP START
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# RewriteRule for advanced search
RewriteRule ^advanced-search/$ - [L]
I saved: Root Custom Code,
I have activated Root folder BulletProof Mode
but when I click on my page “search button” I get blank page and Firefox is loading the page for very long time, returning no results…. Did I miss something? Thank you for your help!… It returns blank page or sometimes page without styling…
AITpro Admin
Keymaster
Is this a custom advanced search script that you have added or created yourself or is this a plugin that has an advanced search feature? If it is a custom script then send the script to info at ait-pro dot com. If this is a plugin then post the name of the plugin. I could post the code that would allow dangerous coding characters sitewide, but that could leave your website vulnerable. So I would prefer to limit the potential vulnerability by looking at the advanced search code to see what it is doing so a limited whitelisting solution can be provided.
AITpro Admin
Keymaster
Actually try a Query String skip/bypass rule first and see if this works. The same formatting problem may occur due to however the Advanced Search script is returning search results. Remove/delete the RewriteRule skip/bypass code from Custom Code first.
1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
# Advanced Search Query String skip/bypass
RewriteCond %{QUERY_STRING} filter_search_action(.*) [NC]
RewriteRule . - [S=13]
Tom
Participant
Thanks for your answer again. This is a plugin, or better it is a theme: wpresidence: http://wpresidence.net/ and also, you can see the search button “SEARCH PROPERTIES” that is working the same as on my server… so if you click “SEARCH PROPERTIES” the script brings you here:
http://wpresidence.net/advanced-search/?filter_search_action%5B%5D=&filter_search_type%5B%5D=&advanced_city=&advanced_area=&min-bedrooms=&available-from=&price_low=0&price_max=1500000&submit=SEARCH+PROPERTIES
I hope it is possible to secure this “search action”. Many thanks.
AITpro Admin
Keymaster
See my previous reply. Let me know if a Query String skip/bypass rule works or not.
Tom
Participant
I have put in box, saved Root Custom Code and activated Root Folder BulletProof and results: sometimes search is done correctly, but mostly formatting is bad again… When search is returning correct results, other pages are not accessible… and it all takes very long time…
# Advanced Search Query String skip/bypass
RewriteCond %{QUERY_STRING} filter_search_action(.*) [NC]
RewriteRule . - [S=13]
And Microsoft Explorer (unlike Firefox) gives me error 500 if I click on pages and I tried both options with and without “#” both
# DO NOT SHOW DIRECTORY LISTING
#Options -Indexes
and
Options -Indexes
#DirectoryIndex index.php index.html /index.php
DirectoryIndex index.php index.html /index.php
AITpro Admin
Keymaster
The site slowness problems look like they are related to your map and other problems on your website, which is something that is not related to BPS so we do not offer support for anything that is not directly related to BPS. Ok just do this below then.
1. Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
Tom
Participant
Yes, I think that the modified BPS Query String Exploits has done the job! I have quickly tested the site and it is working correctly now on all devices! Now, do I have to ask the theme developer if advanced-search feature has security protection? Many many thanks for incredibly quick support!
AITpro Admin
Keymaster
I would ask the Theme developer if the search forms are sanitized and protected against SQL Injection, XSS, LFI, RFI, etc etc etc.
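What "sanitized" would mean for the search parameters seen in this thread, as an added example that is not part of the original posts and is not WP Residence or BPS code. The parameter names come from the URLs above; the function names, the slug format and the price ceiling are assumptions made for illustration.

```php
<?php
// Added example, not WP Residence or BPS code. Parameter names are taken from
// the URLs in this thread; the slug format and price ceiling are assumptions.
const PRICE_CEILING = 100000000;

// Slug-like term: lowercase letters, digits and hyphens only.
function clean_slug($value): ?string
{
    $ok = is_string($value) && preg_match('/^[a-z0-9][a-z0-9-]{0,63}$/', $value) === 1;
    return $ok ? $value : null;
}

// Whole number from 0 to the ceiling; a value such as "50000>" is rejected.
function clean_price($value): ?int
{
    $int = is_string($value) ? filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => PRICE_CEILING]]) : false;
    return $int === false ? null : $int;
}

// Returns [accepted values, names of rejected parameters]. Parameters that
// are not listed in $rules (submit, unknown names) are ignored.
function validate_advanced_search(array $query): array
{
    $rules = [
        'filter_search_action' => 'clean_slug', 'filter_search_type' => 'clean_slug',
        'advanced_city' => 'clean_slug', 'advanced_area' => 'clean_slug',
        'price_low' => 'clean_price', 'price_max' => 'clean_price',
    ];
    $clean = [];
    $rejected = [];
    foreach ($rules as $name => $rule) {
        foreach ((array) ($query[$name] ?? []) as $item) {
            if ($item === '') {
                continue; // empty field: no filter on this parameter
            }
            $value = $rule($item);
            if ($value === null) {
                $rejected[$name] = true; // wrong type or disallowed characters
            } else {
                $clean[$name][] = $value;
            }
        }
    }
    return [$clean, array_keys($rejected)];
}

// Constructed input modelled on the first post's query string (city value added).
parse_str('filter_search_action[]=&advanced_city=old-town&price_low=50000>&price_max=5500000>&submit=SEARCH', $query);
print_r(validate_advanced_search($query));
```

With validation of this kind in the search handler, a malformed value is refused by the code that knows what the field should contain, so the site does not depend on the .htaccess query-string filters for that form.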
Tom
Participant
I will ask about that. And what if it isn’t protected the way it should be?
AITpro Admin
Keymaster
If you are asking for advice about what to change in the WP Residence Real Estate WordPress Theme then we cannot offer any advice. We only support things directly related to BPS.
Tom
Participant
Ok, I understand. Would your pro version cover that optional issue?
AITpro Admin
Keymaster
What optional issue? We only support things directly related to BPS or BPS Pro so if an issue or problem is directly related to BPS or BPS Pro then we provide a solution.