WordPress.org

Forums

BulletProof Security
[resolved] Argo Links 403 Error (48 posts)

  1. Matt
    Member
    Posted 1 year ago #

    Trying out a new plugin, called Argo Links:
    http://argoproject.org/argo-links.php

    Included with it is a bookmarklet that allows you to capture the URL from the website and add it to a list of links in your WordPress site. BulletProof Security is blocking the requests, resulting in a 403 on the pop-up. This is what the bookmarklet looks like:

    javascript:var d=document,w=window,e=w.getSelection,k=d.getSelection,x=d.selection,s=(e?e():(k)?k():(x?x.createRange().text:0)),f='http://www.mysite.com/wp-content/plugins/argoproject-argo-links-ec58e2a/argo-this.php',l=d.location,e=encodeURIComponent,u=f+'?post_type=argolinks&u='+e(l.href)+'&t='+e(d.title)+'&s='+e(s)+'&v=4';a=function(){if(!w.open(u,'t','toolbar=0,resizable=1,scrollbars=1,status=1,width=720,height=570'))l.href=u;};if (/Firefox/.test(navigator.userAgent)) setTimeout(a, 0); else a();void(0)

    This is what the BPS error log shows:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - March 20, 2013 - 3:36 am <<<<<<<<<<<
    REMOTE_ADDR: editedout
    Host Name: editedout
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: editedout
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.fromaway.com/features/how-to-start-a-food-blog
    REQUEST_URI: /wp-content/plugins/argoproject-argo-links-ec58e2a/argo-this.php?post_type=argolinks&u=http%3A%2F%2Fwww.fromaway.com%2Ffeatures%2Fhow-to-start-a-food-blog&t=How%20to%20Start%20a%20Food%20Blog&s=&v=4
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22

    I have tried to update the .htaccess file with this line, but it does not help:

    # Argo Links
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/argoproject-argo-links-ec58e2a/ [NC]
    RewriteRule . - [S=13]

    Any other way around this?

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Since this plugin is simulating an RFI hacking method you will need to whitelist the argo-this.php file in the TimThumb / MISC File skip/bypass security filter. Add the argo-this.php file name to this security filter as shown below in your Root .htaccess file using the BPS built-in htaccess file editor. I need to add this Note below for anyone else who sees this Forum Thread. ;)

    NOTE: The ait-pro.com domain is shown below in this security filter because this code example was taken from the ait-pro.com website. You will see your domain instead in this security filter.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*ait-pro.com.*
    RewriteRule . - [S=1]
  3. Matt
    Member
    Posted 1 year ago #

    That didn't seem to help. With or without that entry, I can click the bookmarklet when browsing my own site and it works fine. Even with that entry, when I am browsing another site, clicking the bookmarklet (to capture the URL and title of page I am on), still brings up the 403 error.

    I also tried this to see if it was a problem with the referrer, but this didn't seem to fix it (when browsing from songsterr.com).

    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*mysite.com.* [OR]
    RewriteCond %{HTTP_REFERER} ^.*songsterr.com.*
    RewriteRule . - [S=1]

    If that did fix it, it wouldn't really help, since the bookmarklet is there to be used when browsing any URL I want to capture (which would then be the value of HTTP_REFERER).

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I do not fully understand the issue/problem. I have a general understanding of what is occurring. It is a similar issue that had once occurred in the past with the WordPress Press This feature.

    That issue/problem was resolved by adding a skip/bypass rule in the wp-admin .htaccess file and NOT the Root .htaccess file. I am assuming that this plugin is doing something similar and calling from the wp-admin folder to grab other websites content.

    Edit your wp-admin .htaccess file and whitelist the argo-this.php file by doing this below and also try whitelisting admin-ajax.php.

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (argo-this\.php|press-this\.php|admin-ajax\.php) [NC]
    RewriteRule . - [S=1]
  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I am grasping at straws obviously by having you try adding the argo-this.php file to the wp-admin bypass since I do not really know what this plugin is trying to do. The error does show that this plugin is simulating an RFI hacking attempt against your website and the origin of the simulated hacking attempt is wp-content and not wp-admin. I will post the security filters that you can comment out to allow RFI hacking attempts against your website in a second.

  6. Matt
    Member
    Posted 1 year ago #

    Thanks; tried the admin piece, but that doesn't work. I imagine that is because it is not actually calling it from wp-admin, but from within the plugin folder itself.

  7. Matt
    Member
    Posted 1 year ago #

    If you want to look at the code for the argo-this.php file, you can see it here:

    https://github.com/argoproject/argo-links/blob/master/argo-this.php

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    To allow RFI hacking attempts against your website, comment out these security filters in the Root .htaccess file that block RFI hacking attempts. Try commenting out each of these individual security filters 1 by 1. It may be that more than 1 security filter will need to be commented out.

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I will look at the code for this plugin when I have some spare time. Currently I do not have any spare time available. Thanks.

  10. Matt
    Member
    Posted 1 year ago #

    Thanks for looking; I commented out all of those and still have the issue. I even removed the whole # BPSQSE BPS QUERY STRING EXPLOITS section and still got the same 403 error from BPS.

  11. Matt
    Member
    Posted 1 year ago #

    Hmmm... I know I tried this before, but got different results. Could have been mistaken... Anyways, if I take out the argo-this\.php| from the REQUEST_URI section, I am NOT able to use the bookmarklet from within my own site. When I add it back in, I am. So I guess now my question would be, how would I block everything else already being blocked, but allow access to this specific REQUEST_URI from any URL? Is there a way to do that?

    In other words, have a separate section for:

    RewriteCond %{REQUEST_URI} (argo-this\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*.*.* (not sure how to allow all)
    RewriteRule . - [S=2]
  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok then the issue probably has something to do with the wp-admin .htaccess file or some other section of code in the Root .htaccess file. Take BPS completely out of the equation first and test. Then activate only the Root .htaccess file and vice versa and test to isolate which htaccess file is blocking this plugin.

    Source: http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    If you think that BulletProof Security is causing a plugin conflict or any other issue on your website that is causing something not to work, then please use these steps below to take BulletProof Security out of the equation completely for testing. There is no need to deactivate BulletProof Security because it has a built-in Default Mode that allows you to put WordPress in a default state without deactivating BulletProof Security. If you find that BulletProof Security does have a conflict with another plugin then please check the BulletProof Security Plugin Compatibility Issues – Testing and Fixes Page to see if a fix (bypass/skip rule) is already listed. If your plugin is not listed and you have confirmed that BulletProof Security is definitely causing a conflict then please post a comment in this Forum.

    1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
    2. Activate Default Mode on the Security Modes page.
    3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
    4. Test your plugin or theme.
    5. Restore your .htaccess files using BulletProof Security built-in Restore.

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Allowing any site to exploit files is the same as removing the security filter entirely. So to isolate that this is the security filter that is blocking this plugin comment out the entire security filter.

  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    CORRECTION: never mind what I said above, that was dumb. What I assume is going to be the solution is that you will need to whitelist a combination of things that are seen as threats/attacks against your website by this plugin.

    In other words, if this plugin is violating several security filters/rules then exceptions/whitelisting will need to be done in several places.

  15. Matt
    Member
    Posted 1 year ago #

    I disabled the wp-admin .htaccess file and that didn't help, so I imagine there is something in the main .htaccess file that is preventing access. Without BPS enabled, it works, but I certainly don't want to use that as my solution! ;-)

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok I took a look at this plugin's code at github. It has very similar functionality to what Timthumb uses. Comment out all the security filters that prevent RFI attacks, but leave the bottom section of code uncommented as shown below. Also make sure you have whitelisted this plugin's file - argo-this.php

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    #RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    #RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    #RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*ait-pro.com.*
    RewriteRule . - [S=1]
  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    This plugin also uses admin-ajax.php so make sure that you have whitelisted admin-ajax.php in your wp-admin .htaccess file.

    This plugin also uses press-this.php. press-this.php should already be whitelisted in your wp-admin .htaccess file.

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php|admin-ajax\.php) [NC]
    RewriteRule . - [S=1]
  18. Matt
    Member
    Posted 1 year ago #

    Still not working; this is what it looks like:

    root .htaccess:

    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    #RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    #RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    #RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*mysite.com.*
    RewriteRule . - [S=1]

    wp-admin .htaccess:

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (admin-ajax\.php|press-this\.php) [NC]
    RewriteRule . - [S=1]
  19. Matt
    Member
    Posted 1 year ago #

    Really, really, REALLY appreciate you looking at this. I have tried removing huge sections of the .htaccess file trying to identify what is causing this and am still scratching my head. Will keep plugging away at it.

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok that leaves you with isolating these RFI security filters.
    Comment them out 1 by 1 and test. Once you isolate the filter or filters then it may be possible to whitelist something without leaving your website wide open to RFI hacking attempts, but I need to know which filter is blocking this plugin before I can see whether a whitelisting rule can be created that will still leave your site protected but also allow this plugin to do what it is doing.

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
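The isolation step AITpro describes in posts 8 and 20 (comment the RFI filters out one by one and re-test) can be done offline by replaying the logged request against the same RewriteCond patterns. The script below is an added example written for this thread, not code from BulletProof Security or Argo Links, and it does not claim to identify the rule that actually produced Matt's 403 (the thread never pins that down). It parses a constructed copy of the log entry from post 1, rebuilds the server variables the conditions look at, and reports which of the quoted patterns match. Two assumptions are built in: Python's re module stands in for mod_rewrite's PCRE for these particular patterns, and %{QUERY_STRING} and %{THE_REQUEST} are matched as the browser sent them, still percent-encoded (which is why the BPS TimThumb pattern itself spells out the %3A and %2F alternatives). The HTTP/1.1 version string and the mysite.com referer are placeholders. The referer bypass from posts 2 and 3 is modelled as well, to show why it only helps when the bookmarklet is used on your own site.

```python
"""Added example (not BPS or Argo Links code): replay the 403 log entry
quoted in this thread against the RewriteCond patterns quoted in it.

Assumptions: Python's re module approximates mod_rewrite's PCRE for these
patterns; %{QUERY_STRING} and %{THE_REQUEST} are matched still
percent-encoded, while %{REQUEST_URI} is the path without the query.
"""
import re
from urllib.parse import unquote

# Constructed copy of the BPS log entry from post 1 (IPs were already elided).
LOG_ENTRY = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - March 20, 2013 - 3:36 am <<<<<<<<<<<
REMOTE_ADDR: editedout
REQUEST_METHOD: GET
HTTP_REFERER: http://www.fromaway.com/features/how-to-start-a-food-blog
REQUEST_URI: /wp-content/plugins/argoproject-argo-links-ec58e2a/argo-this.php?post_type=argolinks&u=http%3A%2F%2Fwww.fromaway.com%2Ffeatures%2Fhow-to-start-a-food-blog&t=How%20to%20Start%20a%20Food%20Blog&s=&v=4
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
"""

HOSTS = (r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|"
         r"wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame)")
TIMTHUMB = r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?" + HOSTS + r".*$"

# (label, server variable, pattern, NC flag) exactly as quoted in posts 2, 8 and 20.
FILTERS = [
    ("THE_REQUEST ? HTTP/",    "THE_REQUEST",  r"\?\ HTTP/",                      True),
    ("THE_REQUEST /* HTTP/",   "THE_REQUEST",  r"\/\*\ HTTP/",                    True),
    ("QUERY_STRING http:",     "QUERY_STRING", r"http\:",                         True),
    ("QUERY_STRING https:",    "QUERY_STRING", r"https\:",                        True),
    ("QUERY_STRING x=http://", "QUERY_STRING", r"[a-zA-Z0-9_]=http://",           False),
    ("QUERY_STRING x=../",     "QUERY_STRING", r"[a-zA-Z0-9_]=(\.\.//?)+",        False),
    ("QUERY_STRING x=/a/b/",   "QUERY_STRING", r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", True),
    ("TimThumb QUERY_STRING",  "QUERY_STRING", TIMTHUMB,                          True),
    ("TimThumb THE_REQUEST",   "THE_REQUEST",  TIMTHUMB,                          True),
]


def parse_log_entry(text):
    """Turn the 'NAME: value' lines of a BPS log entry into a dict (blank values kept)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(">"):   # skip the >>> header line
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    return fields


def server_vars(fields, decoded=False):
    """Rebuild the mod_rewrite variables the filters inspect from a log entry.

    decoded=True shows what the same patterns would see if the values were
    percent-decoded first; the raw form is what the server actually matches.
    """
    path, _, query = fields["REQUEST_URI"].partition("?")
    if decoded:
        query = unquote(query)
    return {
        "REQUEST_URI": path,
        "QUERY_STRING": query,
        # HTTP/1.1 is assumed; the log does not record the protocol version.
        "THE_REQUEST": f"{fields['REQUEST_METHOD']} {path}?{query} HTTP/1.1",
        "HTTP_REFERER": fields.get("HTTP_REFERER", ""),
    }


def matching_filters(variables):
    """Labels of every RewriteCond whose regex matches (RewriteCond is a search, not a full match)."""
    hits = []
    for label, var, pattern, nocase in FILTERS:
        if re.search(pattern, variables[var], re.I if nocase else 0):
            hits.append(label)
    return hits


def skipped_by_referer_whitelist(variables, site):
    """The [S=1] bypass from post 2: file name matches AND the referer contains your site."""
    file_ok = re.search(r"(argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)",
                        variables["REQUEST_URI"], re.I)
    referer_ok = re.search(r"^.*" + re.escape(site) + r".*", variables["HTTP_REFERER"])
    return bool(file_ok and referer_ok)


if __name__ == "__main__":
    fields = parse_log_entry(LOG_ENTRY)
    for decoded in (False, True):
        hits = matching_filters(server_vars(fields, decoded))
        print("decoded" if decoded else "raw", "->", hits or "no quoted RFI filter matches")
    print("bypass with referer mysite.com:", skipped_by_referer_whitelist(server_vars(fields), "mysite.com"))
```

Run as-is, the raw (percent-encoded) replay matches none of the quoted RFI conditions, which is consistent with Matt's report in post 10 that commenting them all out changed nothing; only the decoded replay trips the `http\:` and `[a-zA-Z0-9_]=http://` conditions. The referer bypass returns False for the fromaway.com referer in the log and True only when the bookmarklet is clicked on the whitelisted site itself, which is the limitation Matt points out in post 3. To test a different log entry, paste it into LOG_ENTRY; to test a rule that was not quoted in the thread, add it to FILTERS.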
  21. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I just noticed something. Is this the true/actual plugin folder name?

    # Argo Links
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/argoproject-argo-links-ec58e2a/ [NC]
    RewriteRule . - [S=13]
  22. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Are you sure this plugin actually works with WP 3.5?

    * NOTE: The plugin has been verified to work in WordPress 3.3.1. It is no longer under active development.

  23. Matt
    Member
    Posted 1 year ago #

    Yeah, that was because I just uploaded the zip file that I downloaded directly from Git. I went ahead and renamed it to argo-links and reactivated it to clean it up. It appears to work in the latest version of WordPress. I am able to do everything with it, with the exception of using the bookmarklet with BPS. I have even gone so far as to remove most of the code from the .htaccess file:

    # BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    But still get the same result.

  24. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Have you put BPS in Default Mode to make absolutely sure BPS is causing this issue?

    1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
    2. Activate Default Mode on the Security Modes page.
    3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
    4. Test your plugin or theme.

    After testing is completed
    5. Restore your .htaccess files using BulletProof Security built-in Restore.

  25. Matt
    Member
    Posted 1 year ago #

    Yes, and when I do, the bookmarklet works.

  26. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Let me know what happens after you put BPS into Default Mode.

  27. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Is the plugin folder name correct that you posted?

    argoproject-argo-links-ec58e2a

  28. Matt
    Member
    Posted 1 year ago #

    Yes it was, but to make sure that wasn't causing any issues, I simplified it down to just argo-links and reactivated the plugin (and updated that portion of the .htaccess file). The name was just how it came down from Github.

  29. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Wow ok so you have eliminated all of the root .htaccess code and the error still occurs? Something does not add up there???

  30. Matt
    Member
    Posted 1 year ago #

    This was just the piece that was leftover from the whole BPSQSE section; I did leave everything else intact. Just wanted to make sure I was clear that what you see below is not ALL that was in the .htaccess file.

    # BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

Topic Closed

This topic has been closed to new replies.
