BulletProof Security
[resolved] Allowing ' and . in Events Manager's searches (23 posts)

  1. Daedalon
    Member
    Posted 1 year ago #

    Currently when searching for any string with ' or . using Events Manager's search (with GET instead of POST so the variables are displayed in the URL), a 403 error is given.

    What's the correct exception to allow those two (and possibly other) characters in the query variables of two URLs (event and location searches, respectively)?

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yes, the single quote coding character/apostrophe is the most dangerous coding character there is. It is used in many different types of hacking methods. BPS blocks the single quote character in several different security filters since it is the #1 MOST dangerous hacking coding character used in hacking attempts.

    Here are your options:

    You can either decide not to use the single quote character in search strings or you can modify these security filters in your root .htaccess file to allow the single quote character.

    You would remove %27 from these security filters below and also remove the single quote coding character in the QUERY_STRING filter.

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

  3. Daedalon
    Member
    Posted 1 year ago #

    Thanks for the quick reply!

    Is it possible to allow the single quote ' and dot . (which is also blocked on Events Manager's searches, though not on the site general search), only for specific URL structures?

    Does it matter into which Custom Code section I paste this code to make the exception update-safe?

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Unfortunately, I believe it is an "all or nothing" thing. With that said post an exact example of what you would like to try and whitelist and I will tell you if that is possible and then post the whitelist rule if that is possible.

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    What is curious to me is why Events Manager's search feature is not stripping out or sanitizing the single quote? That would be the safest approach.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    A simple string replace or preg_replace in the search feature would do this such as...

    // Strip the characters considered dangerous before the term is used.
    if (preg_match('/[\'"<>]/', $search)) {
        // str_replace the single quote with blank...
        $search = str_replace("'", '', $search);
        // ...or preg_replace the whole list of characters with blank
        $search = preg_replace('/[\'"<>]/', '', $search);
    }

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    The last coding character that you want sent in a query to your database is the single quote code character. SQL Injection hacking attempts always use the single quote code character to hack your database. When you perform a search you are querying/searching your database.

  8. Daedalon
    Member
    Posted 1 year ago #

    An example where the user searches for Ed's Band: http://demo.wp-events-plugin.com/events/?em_search=ed's&town=&action=search_events

    They don't run BPS, at least not the default secure .htaccess file, so that search doesn't return an error message there. Our site runs the BPS secure .htaccess and the corresponding search URL returns a 403 error. We're getting user complaints for a search they consider broken.

    Our users need to be allowed to search for any character in the two or three search boxes that we show in the UI without being shown 403 errors. The proper handling of all input values needs to be done without error messages to the user, apart from the occasional "no search results found". In this case Events Manager needs to sanitize the input before running it against the database or displaying it in their HTML (I noticed a slight problem regarding the latter and am informing them).
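    The application-side handling described in this post, as an added illustration that is not Events Manager's code: the search term is bound as a query parameter so that quotes, dots and angle brackets are compared literally instead of being stripped or rejected, and everything is HTML-escaped on output. The table, rows and town filter are constructed for the example.

```python
import html
import sqlite3

# Constructed sample rows standing in for an events table; not Events
# Manager's real schema.
SAMPLE_EVENTS = [
    ("Ed's Band live", "Helsinki"),
    ("Wait..what? Improv night", "Turku"),
    ("Jazz <Quartet>", "Tampere"),
]


def build_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (name TEXT, town TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", SAMPLE_EVENTS)
    return conn


def _like_pattern(term):
    """Wrap the term in wildcards, escaping LIKE metacharacters so that a user
    typing % or _ gets a literal match rather than a wildcard."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    return f"%{escaped}%"


def search_events(conn, term, town=""):
    """Run the search as a parameterised query. The term travels to SQLite as
    a bound value, so ' . < > are compared literally and never become SQL
    syntax; nothing needs to be stripped from what the user typed."""
    sql = "SELECT name, town FROM events WHERE name LIKE ? ESCAPE '\\'"
    params = [_like_pattern(term)]
    if town:
        sql += " AND town = ?"
        params.append(town)
    return conn.execute(sql, params).fetchall()


def render_results(term, rows):
    """Escape the echoed term and every database value on the way into HTML,
    the output-side counterpart of the parameterised query."""
    items = "".join(
        f"<li>{html.escape(name)} ({html.escape(town)})</li>" for name, town in rows
    )
    return f"<p>Results for {html.escape(term)}:</p><ul>{items}</ul>"


if __name__ == "__main__":
    db = build_db()
    for term in ["ed's", "wait..what", "Quartet", "100% free"]:
        rows = search_events(db, term)
        print(term, "->", rows)
        print(render_results(term, rows))
```

    With the term bound as a parameter, a search for ed's returns the matching row and the echoed term renders as ed&#x27;s, so neither the database nor the page sees the apostrophe as syntax.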

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Oh ok then if the URLs are coming from an external source that is not sanitizing/making URLs safe then that is a different matter.

    And to make things less complicated for you, just modify the BPS security filters as I mentioned above. There are overlapping layers of security filters in BPS, so your site is still protected against SQL Injection attacks, primarily by this specific SQL Injection security filter below, so it is really not a big deal to modify the other security filters above. My hope is always that other folks will apply/create the highest possible security measures when processing data/outputting strings/etc, but that is not always the case, or not possible, or for other personal reasons.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

  10. Daedalon
    Member
    Posted 1 year ago #

    Thanks for the info and support. The way I believe we can guarantee the best user experience is:

    1. The search URLs that we use accept any characters in them and pass them on to WP.

    2. The applications handling the input of those specific URLs sanitize the input as necessary.

    3. If BPS has a security enhancement, e.g. a filter, that affects WP's DB operations instead of URLs, I'd do further testing that it doesn't disallow any valid searches.

    I'll check with Events Manager team and the theme team that the inputs are sanitized appropriately. http://www.joellipman.com/articles/web-development/503-basic-tests-for-sql-injection-vulnerabilities.html is a good checklist.

    What's the correct Custom Code rule to add to BPS to ensure that these three

    domain/search/?*em_search=*
    domain/locations/?*em_search=*
    domain/?s=*

    don't trigger a 403 alert for *updated*: any of these characters inside the query parameters:

    '<>

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yikes that is a scary query string! LOL

    Ok let me just rephrase what I said in a way that makes everything really simple - The BPS security filters are designed to have many different layers and are also designed in a way that if you have to remove/modify/edit some security filters then you will still always be protected.

    In a nutshell - we start from the maximum security possible and have already factored in that less important security filters will be removed/commented out/edited/modified on case by case basis for personal reasons. This primary security filter below will never and has never needed to be modified in any cases over the years because it is so focused/targeted on an exact hacking/attack pattern/method. If you remove/edit/delete/comment out/modify top level/general security filters then this security filter is the primary security filter/fallback.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

  12. Daedalon
    Member
    Posted 1 year ago #

    I understand that limiting those characters in a URL is a good shortcut on filtering certain attacks, but we need to have a way to allow users to search for anything they want and get all the related results. The security needs to be handled at a different level than blocking valid search URLs.

    As Events Manager escapes the inputs it receives from its own search URLs, it should be secure enough to bypass the above security filter for the URLs for EM's searches (but to let it activate for other URLs).

    What do you think, can such an exact exception be made?

  13. Daedalon
    Member
    Posted 1 year ago #

    In addition to the previously mentioned chars, also "..", two consecutive dots, has caused unwanted error messages.

  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok let's try this again. ;)

    If you modify these filters then all problems are solved. The site is still protected against SQL Injection attacks. External URLs using unsafe coding characters in the URLs will not be blocked. Users can use unsafe coding characters in searches and they will not be blocked. The Primary SQL Injection security filter will block actual hacking attempts that are attempting to exploit the search feature - all problems are solved by modifying the security filters below.

    You would remove %27 from these security filters below and also remove the single quote coding character in the QUERY_STRING filter.

    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

    The .. pattern is used in Directory Traversal hacking methods against websites.

    The security filter that you would comment out would be this one.

    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]

    The fallback is this security filter

    RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]

    NOTE: The fallback security filter above is pending new additions to include additional new targets.
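    To see how the layered filters in posts 9, 11 and 14 behave before and after the suggested edits, here is an added Python simulation that is not part of BPS or this thread: it copies the quoted RewriteCond patterns verbatim and runs them over constructed query strings. mod_rewrite tests %{QUERY_STRING} against the raw, still percent-encoded query string (which is why each rule lists both ' and %27), and [NC] corresponds to a case-insensitive match; the rule-set names and sample strings are the example's own.

```python
import re

# Patterns copied verbatim from the BPS root .htaccess rules quoted in this
# thread. mod_rewrite tests %{QUERY_STRING} against the raw, still
# percent-encoded query string, which is why each rule lists both the literal
# character and its %XX form. [NC] on a RewriteCond maps to re.IGNORECASE.
GENERAL = r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"
# The same rule after removing ' and %27, as suggested in post 14.
GENERAL_RELAXED = r"(<|>|%0A|%0D|%3C|%3E|%00)"
PRIMARY_SQLI = (
    r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"""
    r"(/\*|union|select|insert|drop|delete|update|cast|create|char|convert"
    r"|alter|declare|order|script|set|md5|benchmark|encode)"
)
TRAVERSAL = r"(\.\./|\.\.)"
TRAVERSAL_FALLBACK = r"(\./|\../|\.../)+(motd|etc|bin)"

# Rule sets as (name, pattern, flags). A request is blocked if any rule hits.
DEFAULT_RULES = [
    ("general", GENERAL, re.IGNORECASE),
    ("primary_sqli", PRIMARY_SQLI, re.IGNORECASE),
    ("traversal", TRAVERSAL, 0),
    ("traversal_fallback", TRAVERSAL_FALLBACK, re.IGNORECASE),
]
# The edited set: general rule relaxed, (\.\./|\.\.) commented out, the
# primary SQLi filter and the traversal fallback left untouched.
RELAXED_RULES = [
    ("general_relaxed", GENERAL_RELAXED, re.IGNORECASE),
    ("primary_sqli", PRIMARY_SQLI, re.IGNORECASE),
    ("traversal_fallback", TRAVERSAL_FALLBACK, re.IGNORECASE),
]


def blocked_by(query_string, rules):
    """Return the names of the rules whose pattern matches the raw query
    string. RewriteCond performs an unanchored search, hence re.search."""
    return [name for name, pattern, flags in rules
            if re.search(pattern, query_string, flags)]


# Constructed sample query strings, modelled on the search URL in post 8.
SAMPLES = [
    "em_search=ed's&town=&action=search_events",    # legitimate search
    "em_search=ed%27s&town=&action=search_events",  # same, browser-encoded
    "em_search=wait..what",                         # legitimate, two dots
    "s=1%27+union+select+1",                        # SQLi-shaped probe
    "file=../../etc/hosts",                         # traversal-shaped probe
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(repr(qs))
        print("  default:", blocked_by(qs, DEFAULT_RULES) or "allowed")
        print("  relaxed:", blocked_by(qs, RELAXED_RULES) or "allowed")
```

    Running it shows the point made above: after the edits the two legitimate searches (apostrophe, double dot) pass, while the query string that pairs a quote with a SQL keyword is still caught by the primary filter and the one that walks towards etc is still caught by the traversal fallback.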

  15. Daedalon
    Member
    Posted 1 year ago #

    Thanks!

    Is there a way to disable these in an update-safe way, for example in Custom Code?

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    These are primary/base/standard BPS security filters so you would not be adding them to Custom Code and would simply just modify the root .htaccess file directly.

    When installing a BPS upgrade/update/new version of BPS the automatic htaccess file update does not replace/change/modify any custom modifications that you have made to your root .htaccess file. Since you are making custom modifications to the standard BPS security filters then it is recommended that you also use the BPS built-in .htaccess Backup feature so that you have backup copies of your custom modified .htaccess files and can restore them using the BPS built-in .htaccess file Restore feature if necessary.

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Can this thread be resolved? If so, please resolve this thread. Thanks.

  18. Daedalon
    Member
    Posted 1 year ago #

    So the modifications would be update-safe, but would need to be redone always after recreating a secure .htaccess file?

    Resolving the issue since that would be an acceptable workaround while waiting for a plugin option to enable/disable core filters when recreating the secure .htaccess files.

  19. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yes, if you use AutoMagic again then the standard BPS security filters/rules would be created again.

    We have been looking at and testing the best way to handle this type of scenario. Creating separate options is not a good solution, but what is a good solution is to create another Custom Code text area for the entire Section of # BPSQSE BPS QUERY STRING EXPLOITS code. This will be added in the next version of BPS.

  20. Daedalon
    Member
    Posted 1 year ago #

    Sounds great!

  21. Daedalon
    Member
    Posted 3 months ago #

    BPS has gotten an overhaul in the custom code section after we last spoke about this. Is there now a way to allow ' in searches in a way that's both update-safe and survives the recreation of the secure .htaccess file?

  22. AITpro
    Member
    Plugin Author

    Posted 3 months ago #

    You would copy the entire BPS Query String Exploits block of code from the root .htaccess file to Custom Code and edit/modify it or you can copy and paste the BPS Query String Exploits code in this link below to Custom Code, which has already been edited/modified to allow the single quote code character in strings.

    http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

  23. Daedalon
    Member
    Posted 3 months ago #

    That worked. Thank you!

Topic Closed