Yahoo links blocked due to using dangerous coding characters in links

    #3479
    Paul Burner
    Member

    I had to turn off the main .htaccess protection because BP Pro blocked any clicks from Yahoo to our site gretasgourmetfood.com.

    For instance, if you click on our site from http://search.yahoo.com/search?p=Greta%27s%20Gourmet&fr2=sb-top&fr=yfp-t-621&pqstr=Greta%27s%20Gourmet

    We would get a 403 forbidden, effectively killing any traffic from yahoo.

    Is there a fix for this? Also I am afraid this will happen with Google and Bing in certain situations. I need a way to whitelist any traffic being referred from any yahoo.com, google.com, bing.com, and msn.com servers otherwise this plugin is useless.

    #3483
    AITpro Admin
    Keymaster

    The problem is that you are using dangerous coding characters in the URL.  %27 is the single quote coding character, which is the most dangerous coding character there is in the wrong hands.

    You can either put your website at serious risk and modify the BPS security filters shown in this Forum link below or you can do the correct thing and remove single quote characters from URLS.

    http://forum.ait-pro.com/forums/topic/feedburner-feed-header-causing-403-error/

    #3485
    AITpro Admin
    Keymaster

    WordPress automatically strips out the single quote coding character from URLs and Permalinks because WordPress understands/knows how dangerous the single quote coding character is, so you should also remove the single quote coding character from any links that you post or anywhere else on your website where the string will be used as a link/URL by a 3rd party website.

    Or you can roll the dice, modify the BPS security filters and take your chances.  😉

    BPS is designed with overlapping security filters so your website will still be protected against SQL Injection hacking attempts by this SQL Injection security filter if you modify the other security filters.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

    #3487
    Paul Burner
    Member

    Sorry – I may be dense here.  The domain name gretasgourmetfood.com does not contain a single quote character.  There is a single quote character in the Title of the page – but not the URL.

    The resulting URL that was given to me by my client was the result of entering Greta’s  Gourmet in the Yahoo search fields.  I don’t believe there are any pages on my site that have a single quote in the URL.

    #3492
    AITpro Admin
    Keymaster

    The title of the page is being grabbed by a 3rd party website – Yahoo – and the URL that is being automatically generated based on the fact that you are using a single quote coding character/Apostrophe in the Title. Since this single quote coding character/Apostrophe is important to match the literal name of the site/brand then go ahead and modify the security filters shown in the link above.  The risk is actually fairly low since other security filters will protect against SQL Injection attacks against the site.

    If you use a single quote coding character in a search then the same thing will happen.  URL generation with dangerous coding characters.  I am surprised that the URL is not cleaned up/stripped/made safe before being displayed to you.

    #3495
    Paul Burner
    Member

    I added the code here http://screencast.com/t/lic7UT01E

    then rebuilt the htaccess file and activated it.

    We are still getting the error.

    #3496
    AITpro Admin
    Keymaster

    You will not be adding code to Custom Code; you will be modifying the existing code in your Root .htaccess file.  BPS Pro upgrades with automatic .htaccess file updating do not change any of the .htaccess code modifications that you have made, but if you Activate BulletProof Modes again in the future then your code changes/modifications to the standard BPS root .htaccess will be overwritten with the standard BPS .htaccess code.  Please see the link I posted above for the security filters you will need to modify in your root .htaccess file.

    #3503
    Paul Burner
    Member

    I put the code in as the link you sent said to. I checked it’s in the htaccess file and still nothing. Is this the correct code for my situation or not? http://screencast.com/t/8o8z4O7D8 If not I need the exact code and where it should go for this to stop happening.

    #3505
    AITpro Admin
    Keymaster

    Ok let’s try this another way.  First delete that Custom Code you created.

    Then do these steps below.

    1. Go to the B-Core htaccess File Editor tab page.

    2. Click on the Your Current Root htaccess file tab.

    3. Scroll down in the contents of your Root .htaccess file and look for each of these security filters shown below:

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

    4. Change each one of these security filters as shown below:

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]

    5. Save the edits you just made to your root .htaccess file. Done.
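    The following is an added example, not code from the thread or from BPS itself: it emulates the three RewriteCond patterns above (before and after removing %27) plus the overlapping SQL injection filter quoted earlier, and runs them against a constructed Yahoo referer so you can see why the original referer filter returned 403, why the modified one does not, and that the SQL injection filter still catches a quote followed by a SQL keyword. It assumes mod_rewrite matches the raw, undecoded header and query-string values, which is why `%27` is tested as a literal string.

```python
import re

# Constructed sample referer, mirroring the Yahoo search URL quoted in the thread.
YAHOO_REFERER = ("http://search.yahoo.com/search?p=Greta%27s%20Gourmet"
                 "&fr2=sb-top&fr=yfp-t-621&pqstr=Greta%27s%20Gourmet")

# BPS RewriteCond patterns as quoted in the thread. [NC] means case-insensitive.
# mod_rewrite tests the raw (undecoded) value, so %27 is matched literally.
REFERER_ORIGINAL = r"(%0A|%0D|%27|%3C|%3E|%00)"
REFERER_MODIFIED = r"(%0A|%0D|%3C|%3E|%00)"
QUERY_ORIGINAL = r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"
QUERY_MODIFIED = r"(<|>|%0A|%0D|%3C|%3E|%00)"

# The overlapping SQL injection filter that stays in place after the edit:
# a dangerous character followed anywhere later by a SQL keyword.
SQLI_FILTER = (r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
               r"(/\*|union|select|insert|drop|delete|update|cast|create|char|"
               r"convert|alter|declare|order|script|set|md5|benchmark|encode)")


def blocked(pattern, value):
    """True if a RewriteCond with this pattern and [NC] would match the value."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def evaluate(referer, query_string, modified):
    """Return (referer_blocked, query_blocked, sqli_blocked) for one request.

    modified=False uses the original filters; modified=True uses the edited
    ones from step 4 (%27 and ' removed). The SQL injection filter is the same
    in both cases.
    """
    ref_pat = REFERER_MODIFIED if modified else REFERER_ORIGINAL
    qs_pat = QUERY_MODIFIED if modified else QUERY_ORIGINAL
    return (blocked(ref_pat, referer),
            blocked(qs_pat, query_string),
            blocked(SQLI_FILTER, query_string))


if __name__ == "__main__":
    # A plain click-through from Yahoo carries the search URL as the Referer.
    print("original filters, Yahoo referer:", evaluate(YAHOO_REFERER, "", False))
    print("modified filters, Yahoo referer:", evaluate(YAHOO_REFERER, "", True))
    # A quote followed by a SQL keyword is still caught by the overlapping filter.
    print("modified filters, injection attempt:",
          evaluate("", "id=1%27%20union%20select%201", True))
```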
