WP Residence Real Estate WordPress Theme Advanced Search 403 error

This topic contains 14 replies, has 2 voices, and was last updated by  AITpro Admin 2 years, 9 months ago.

    #25314

    Tom
    Participant

    Hi.

    When BulletProof Security htaccess Files is Activated and when I do a search on the site

    oup.com/advanced-search/?filter_search_action[]=&filter_search_type[]=&advanced_city=&advanced_area=&advanced_rooms=&advanced_bath=&price_low=50000>&price_max=5500000>&submit=SEARCH

    I get this error: 403 Forbidden Error Page. If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you. What to do? Thank you for doing a good job! Tom

    #25325

    AITpro Admin
    Keymaster

    What I recommend is that you create a skip/bypass RewriteRule for the advanced-search URI.  By only allowing dangerous code characters in your advanced-search feature you would not have to remove/modify/change any BPS security filters site-wide.  Hopefully the advanced-search feature you are using has security protection.

    1.  Go to the BPS htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down in your Root .htaccess file code until you see this .htaccess code below.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    2.  Copy your # WP REWRITE LOOP START code to this BPS Root Custom Code text box:  CUSTOM CODE WP REWRITE LOOP START
    3.  After you have copied your WP Rewrite Loop Start .htaccess code then add the skip/bypass RewriteRule code for the advanced-search URI.  Your code should look like this example below.
    4.  Click the Save Root Custom Code button.
    5. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # RewriteRule for advanced search
    RewriteRule ^advanced-search/$ - [L]

    Similar Topics:
    http://forum.ait-pro.com/forums/topic/403-error-while-performing-a-search/
    http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939
    http://forum.ait-pro.com/forums/topic/search-schools-network-widget-403-error/
    http://forum.ait-pro.com/forums/topic/search-string-403-error/
    http://forum.ait-pro.com/forums/topic/plugin-search-by-category-issue/

    #25329

    Tom
    Participant

    Thank you for the very quick answer. In the field “CUSTOM CODE WP REWRITE LOOP START” I have written:

    # CUSTOM CODE WP REWRITE LOOP START
    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    # RewriteRule for advanced search
    RewriteRule ^advanced-search/$ - [L]

    I saved Root Custom Code and I have activated Root Folder BulletProof Mode, but when I click the “search button” on my page I get a blank page and Firefox is loading the page for a very long time, returning no results… Did I miss something? Thank you for your help!

    … it returns a blank page or sometimes a page without styling…

    #25334

    AITpro Admin
    Keymaster

    Is this a custom advanced search script that you have added or created yourself or is this a plugin that has an advanced search feature?  If it is a custom script then send the script to info at ait-pro dot com.  If this is a plugin then post the name of the plugin.  I could post the code that would allow dangerous coding characters sitewide, but that could leave your website vulnerable.  So I would prefer to limit the potential vulnerability by looking at the advanced search code to see what it is doing so a limited whitelisting solution can be provided.

    #25336

    AITpro Admin
    Keymaster

    Actually try a Query String skip/bypass rule first and see if this works.  The same formatting problem may occur due to however the Advanced Search script is returning search results. Remove/delete the RewriteRule skip/bypass code from Custom Code first.

    1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # Advanced Search Query String skip/bypass
    RewriteCond %{QUERY_STRING} filter_search_action(.*) [NC]
    RewriteRule . - [S=13]
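
An added example, not part of the original posts and not BPS code: a small Python audit for `[S=N]` skip rules like the one above. It reports which rules a skip covers, where processing resumes, and whether the skip is limited to a URI or fires on the query string alone. The sample .htaccess is constructed (`S=2`, stand-in filter rules, a made-up `examplebot` user agent) and is not the real BPS rule set.

```python
import re

# Constructed sample (S=2, stand-in filter rules), not the real BPS rule set.
SAMPLE = r"""
# Advanced Search Query String skip/bypass
RewriteCond %{QUERY_STRING} filter_search_action(.*) [NC]
RewriteRule . - [S=2]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{HTTP_USER_AGENT} (examplebot) [NC]
RewriteRule ^(.*)$ - [F]
RewriteRule . /index.php [L]
"""
CATCH_ALL = {".", ".*", "^", "^(.*)$", "(.*)"}  # patterns matching any path

def parse_rules(text):
    """Return the RewriteRules in order, each with its RewriteCond test strings."""
    rules, conds = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "rewritecond":
            conds.append(parts[1])
        elif parts[0].lower() == "rewriterule":
            rules.append({"line": no, "text": raw.strip(), "pattern": parts[1],
                          "flags": " ".join(parts[3:]).strip("[]"), "conds": conds})
            conds = []
    return rules

def audit_skips(text):
    """For every [S=N] rule: what it tests, what it skips, where it resumes."""
    rules, report = parse_rules(text), []
    for i, rule in enumerate(rules):
        m = re.search(r"(?:^|,)\s*(?:S|skip)=(\d+)", rule["flags"], re.I)
        if not m:
            continue
        n = int(m.group(1))
        tested = [v for c in rule["conds"] for v in re.findall(r"%\{(\w+)\}", c)]
        rest = rules[i + 1:]
        report.append({
            "line": rule["line"], "tested": tested,
            "uri_scoped": rule["pattern"] not in CATCH_ALL or "REQUEST_URI" in tested,
            "skipped": [r["text"] for r in rest[:n]],
            "resumes_at": rest[n]["text"] if len(rest) > n else None,
            "overshoots": n > len(rest)})
    return report

if __name__ == "__main__":
    print(*audit_skips(SAMPLE), sep="\n")
```

Run it against a copy of the root .htaccess after each Custom Code change; a skip reported with `uri_scoped: False` applies to every URL whose query string matches the condition, not only to the search page.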

    #25338

    Tom
    Participant

    Thanks for your answer again. This is a plugin, or better, it is a theme: wpresidence: http://wpresidence.net/ and also, you can see the search button “SEARCH PROPERTIES” that is working the same as on my server… So if you click “SEARCH PROPERTIES” the script brings you here: http://wpresidence.net/advanced-search/?filter_search_action%5B%5D=&filter_search_type%5B%5D=&advanced_city=&advanced_area=&min-bedrooms=&available-from=&price_low=0&price_max=1500000&submit=SEARCH+PROPERTIES I hope it is possible to secure this “search action”. Many thanks.

    #25340

    AITpro Admin
    Keymaster

    See my previous reply.  Let me know if a Query String skip/bypass rule works or not.

    #25345

    Tom
    Participant

    I have put the code in the box, saved Root Custom Code and activated Root Folder BulletProof, and the results: sometimes search is done correctly, but mostly formatting is bad again… When search is returning correct results, other pages are not accessible… and it all takes a very long time…

    # Advanced Search Query String skip/bypass
    RewriteCond %{QUERY_STRING} filter_search_action(.*) [NC]
    RewriteRule . - [S=13]

    And Microsoft Explorer (unlike Firefox) gives me error 500 if I click on pages, and I tried both options, with and without “#”:

    # DO NOT SHOW DIRECTORY LISTING
    #Options -Indexes and
    Options -Indexes
    #DirectoryIndex index.php index.html /index.php
    DirectoryIndex index.php index.html /index.php

    #25349

    AITpro Admin
    Keymaster

    The site slowness problems look like they are related to your map and other problems on your website, which is something that is not related to BPS so we do not offer support for anything that is not directly related to BPS.  Ok just do this below then.

    1.  Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here 
    2.  Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    #25350

    Tom
    Participant

    Yes, I think that the modified BPS Query String Exploits has done the job! I have quickly tested the site and it is working correctly now on all devices! Now, do I have to ask the theme developer if the advanced-search feature has security protection? Many many thanks for incredibly quick support!

    #25352

    AITpro Admin
    Keymaster

    I would ask the Theme developer if the search forms are sanitized and protected against SQL Injection, XSS, LFI, RFI, etc etc etc.

    #25354

    Tom
    Participant

    I will ask about that. And what if it isn’t protected the way it should be?

    #25355

    AITpro Admin
    Keymaster

    If you are asking for advice about what to change in the WP Residence Real Estate WordPress Theme then we cannot offer any advice.  We only support things directly related to BPS.

    #25358

    Tom
    Participant

    Ok, I understand. Would your pro version cover that optional issue?

    #25363

    AITpro Admin
    Keymaster

    What optional issue?  We only support things directly related to BPS or BPS Pro so if an issue or problem is directly related to BPS or BPS Pro then we provide a solution.
