WordPress.org

BulletProof Security
[resolved] 403 error on callback file (6 posts)

  1. mattcrane
    Member
    Posted 1 year ago #

    Hi

    I have an ecommerce site using WorldPay as the payment processor. When a payment is complete, WorldPay posts data back to my server, to a file in the root folder called callback.php.

    BulletProof is quite rightly blocking this, and consequently I get a 403. I need to allow this one file to receive an HTTP POST and return a 200.

    Please can someone help me to know what I need to put in the .htaccess file to allow posting remotely to this one file.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    First off, the callback.php file should be in its own folder/directory. The best site design/architecture is to compartmentalize very important scripts such as this one, for two reasons.

    1. Your website root folder is the most vulnerable folder of all of your folders under your entire website.

    2. For important scripts such as this one you would want isolated, directory/folder-specific control over the security/protection of this very important script file. Also, by compartmentalizing this script you do not have to make security exceptions or allowances in your website root folder and throughout your entire website because of this one script/file.

    For example:
    Let's say you move the callback.php file to a folder called /callback. You can now add an .htaccess file in the /callback folder that will ONLY apply to files in the /callback folder and not any other files or folders throughout your entire website. .htaccess files work in a hierarchical way: if an .htaccess file exists in a particular folder, then all files in that particular folder will ONLY follow the rules of that .htaccess file.

    website root folder .htaccess file - all files in the root folder will follow the security rules in this .htaccess file and all subfolders that DO NOT have .htaccess files in them will also follow the security rules in the website root .htaccess file.
    /.htaccess

    callback folder .htaccess file - all files in the /callback folder will follow the security rules in this .htaccess file and not the security rules in the website root folder .htaccess file.
    /callback/.htaccess

    To turn off security completely for ONLY the /callback folder you would add a RewriteEngine Off .htaccess file by doing these steps below.

    1. open NotePad on your computer (not Word and not WordPad)
    2. add one line of .htaccess code in the file: RewriteEngine Off
    3. save the text file with this file name: nosecurity.txt
    4. upload the nosecurity.txt file to the /callback folder
    5. rename the nosecurity.txt file to .htaccess
    6. the /callback folder now has its own compartmentalized security rules, which are: no security (rewriting is turned off).

    I do not advise doing this method below, but it is possible to allow unfiltered access to only the callback.php file and leave it in your root website folder. Leaving the callback.php file in the website root folder is bad site architecture/design in general. You would add the callback.php file to this skip/bypass rule below and then you would also have to allow worldpay.com as a Referrer.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    # The skip/bypass rule has to sit BEFORE the forbid rule: [S=1] skips only the one
    # RewriteRule that follows it, so placed after the forbid rule it would skip nothing useful.
    # demo4.local is a placeholder host name; replace it with your own site's domain.
    RewriteCond %{REQUEST_URI} (callback\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*demo4.local.*
    RewriteRule . - [S=1]
    # Forbid remote file inclusion: a URL pointing at one of these hosts in the query string or the request line gets a 403.
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
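
A tighter alternative to the RewriteEngine Off file described in the post above, added here as an example (it is not from this thread or from the BulletProof Security plugin): a /callback/.htaccess that keeps mod_rewrite on but only lets callback.php be requested from that folder, and only by POST. The file name and the /callback folder are taken from the thread; that the processor's notification arrives as a POST, and that nothing else needs to be served from the folder, are assumptions. Once /callback has its own .htaccess the root folder's mod_rewrite rules no longer apply inside it unless RewriteOptions Inherit is set, so these rules stand on their own. The example deliberately does no Referer check: the Referer header is supplied by the client and can be set to anything, and server-to-server notifications commonly send none at all, so it cannot authenticate the processor.

```apache
# /callback/.htaccess  (added example, not part of BulletProof Security or this thread)
# Assumes the payment notification script is /callback/callback.php and is POSTed to.
RewriteEngine On

# 1. Only callback.php may be requested from this directory; anything else gets a 403.
#    In per-directory context the pattern is matched against the path relative to /callback/,
#    so a request for /callback/ itself (empty relative path) is refused as well.
RewriteRule !^callback\.php$ - [F,L]

# 2. callback.php accepts POST only. A browser or scanner fetching it with GET gets a 403.
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule ^callback\.php$ - [F,L]

# 3. No Referer allow-list here on purpose: Referer is client-controlled and is usually
#    absent on server-to-server callbacks. Authenticate the notification inside
#    callback.php (shared secret, signature or source-address check), not in .htaccess.
```

Upload it the same way as the RewriteEngine Off file (as a .txt, then rename to .htaccess) and confirm with a quick GET of /callback/callback.php that you now receive a 403 while a POST reaches the script.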
  3. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    The post above was closed before I could finish adding the rest of the code modifications:

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    # The skip/bypass rule must come BEFORE the forbid rule: [S=1] skips only the single
    # RewriteRule that follows it. Replace your-website.com with your own domain.
    # The Referer header is sent by the client and can be set to any value, so this rule
    # allows access; it does not authenticate the caller.
    RewriteCond %{REQUEST_URI} (callback\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*your-website.com.* [OR]
    RewriteCond %{HTTP_REFERER} ^.*worldpay.com.*
    RewriteRule . - [S=1]
    # Forbid remote file inclusion: a URL pointing at one of these hosts in the query string or the request line gets a 403.
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Is your issue/problem resolved? If so, please mark this thread as resolved. Thank you.

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Is your issue/problem resolved? If so, please mark this thread as resolved. Thank you.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Resolving this thread due to lack of response. If the problem is still occurring please unresolve the thread and post a status update. Thank you.

Topic Closed

This topic has been closed to new replies.
