BulletProof Security
[resolved] Bing.com Referrer Error (7 posts)

  1. casper14209
    Member
    Posted 6 months ago #

    Hey guys/gals, it appears that we have found an issue with Bing.com search results when an apostrophe ['] is included in the search query.
    I have tracked it back to the BPS Security Plugin and then looked to see if it was present on the ait-pro.com site using this search,

    http://www.bing.com/search?q=bullet+proof+security+%27&go=Submit&qs=n&form=QBRE&pq=bullet+proof+security+%27&sc=8-23&sp=-1&sk=&cvid=e52a177fe4d94a3782eff882168a22b0

    clicked the first result to the site and, sure enough, the issue is present on their server too.
    Tested a query without the apostrophe

    http://www.bing.com/search?q=bullet+proof+security&go=Submit&qs=n&form=QBRE&pq=bullet+proof+security&sc=8-21&sp=-1&sk=&cvid=4b21b24eee7243a681ac100697ba8864

    and the issue is not present.

    We just happened to come across this because we have a client that has an apostrophe in their business name.

    This ticket has a double purpose: to see if there is a fix for this that I can implement in the meantime, and to let you guys/gals know about the issue.

    My affected site is http://www.sadiespetproducts.com running on Apache.

    https://wordpress.org/plugins/bulletproof-security/

  2. casper14209
    Member
    Posted 6 months ago #

    UPDATE:
    Disabled all custom code entries and the problem is still present.
    Put in default mode, problem is gone.
    Bulletproof mode, problem back.

  3. casper14209
    Member
    Posted 6 months ago #

    UPDATE:
    OK, was able to track it down to this line of code in the .htaccess file.
    #RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    Now I'm outside my knowledge level; any assistance or further information would be appreciated.

  4. casper14209
    Member
    Posted 6 months ago #

    UPDATE:
    OK, after more research I have found that the %27 in the code line is to make the system deny (forbid) any referrer that has an apostrophe ['] in the string.
    Would anybody be interested in commenting on the possible security risk by allowing this on a shopping cart site?
    I don't like editing core plugin files as it makes for a pain to update things, and in this case, I'm going to say the developers have added this for good reason.
    But at this time I really don't have any choice on this site due to the business name and search volume on this phrase for the client. :-/

  5. AITpro
    Member
    Plugin Author
    Posted 6 months ago #

    The steps to allow the single quote code character/apostrophe in URLs & Query Strings and permanently save your modified .htaccess code to BPS Custom Code are in the link below.

    http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    Impact to overall website security: BPS has several overlapping security filters/rules. So by modifying these particular rules/filters in the link above, your website is still protected against SQL Injection attacks. The SQL Injection security filter/rule below will still protect the site from all SQL Injection attacks. The single quote code character is used in most SQL Injection attacks.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
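    Added example (not from this thread or the plugin): a Python model of the two RewriteCond patterns quoted above, run against the Bing-style referrer from post 1 and a few constructed shop URLs. It shows that the referrer rule trips on a bare %27 while the SQL Injection rule needs both a quote character and a SQL keyword. The relaxed referrer pattern that drops %27 is my assumption about what the linked modification amounts to.

```python
import re
from urllib.parse import urlsplit

# The two Apache RewriteCond patterns quoted in this thread. [NC] means
# case-insensitive, and RewriteCond performs an unanchored search.
REFERER_RULE = re.compile(r"(%0A|%0D|%27|%3C|%3E|%00)", re.IGNORECASE)
# Assumed relaxed variant: the same rule with %27 removed, so an apostrophe
# in the referrer alone no longer produces a 403.
REFERER_RULE_NO_QUOTE = re.compile(r"(%0A|%0D|%3C|%3E|%00)", re.IGNORECASE)
# SQL Injection rule: a quote/delimiter character followed later by a SQL keyword.
SQLI_RULE = re.compile(
    r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
    r"(/\*|union|select|insert|drop|delete|update|cast|create|char|convert"
    r"|alter|declare|order|script|set|md5|benchmark|encode)",
    re.IGNORECASE,
)


def matched_rules(request_url: str, referer: str, relaxed: bool = False) -> list:
    """Return the names of the rules a request would trip, in .htaccess order.

    The referrer rule sees the whole Referer header; the SQLi rule sees only
    the site's own query string, as %{QUERY_STRING} does.
    """
    hits = []
    ref_rule = REFERER_RULE_NO_QUOTE if relaxed else REFERER_RULE
    if referer and ref_rule.search(referer):
        hits.append("referer")
    if SQLI_RULE.search(urlsplit(request_url).query):
        hits.append("sqli")
    return hits


# Constructed samples. The Bing referrers are shortened from the ones quoted
# in post 1; the shop URLs are invented for illustration.
BING_WITH_APOSTROPHE = "http://www.bing.com/search?q=bullet+proof+security+%27&go=Submit&qs=n&form=QBRE"
BING_PLAIN = "http://www.bing.com/search?q=bullet+proof+security&go=Submit&qs=n&form=QBRE"
SHOP_HOME = "http://shop.example/"
SHOP_SEARCH_BENIGN = "http://shop.example/?s=sadie%27s+treats"
SHOP_SEARCH_SQLI = "http://shop.example/?s=x%27+UNION+SELECT+1"

if __name__ == "__main__":
    print(matched_rules(SHOP_HOME, BING_WITH_APOSTROPHE))            # ['referer']
    print(matched_rules(SHOP_HOME, BING_WITH_APOSTROPHE, relaxed=True))  # []
    print(matched_rules(SHOP_SEARCH_BENIGN, BING_PLAIN))             # []
    print(matched_rules(SHOP_SEARCH_SQLI, "", relaxed=True))         # ['sqli']
```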

  6. casper14209
    Member
    Posted 6 months ago #

    Awesome, thanks!
    In all my searches that post didn't come up. Thanks for pointing me in the right direction.
    Impact is understood, thanks for the useful plugin and information.
    Have an awesome day.

  7. casper14209
    Member
    Posted 6 months ago #

    Forgot to mark resolved in my last comment.
