WordPress.org


iThemes Security (formerly Better WP Security)
GET requests with empty variables causes 403 errors (4 posts)

  1. computerslayer1
    Member
    Posted 1 year ago #

    I noticed that if I used the search field without entering any keywords, I got a 403 error.

    The search form resulted in a GET request, but with an empty query value. For example:

    http://example.org/?s=
    or
    http://example.org/?s=test&page=

    It appears that the generated htaccess rule is causing the issue:

    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]

    Is this unintentional or by design?

    http://wordpress.org/extend/plugins/better-wp-security/
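
Why the rule quoted above rejects empty values, as an added example that is not part of the original post or the plugin: the last alternative, `=$`, matches any query string that ends in `=`. The JavaScript regex stands in for Apache's regex engine (an assumption that holds for this simple pattern), and the function names and sample query strings are constructed for illustration.

```javascript
// Added example: evaluates the RewriteCond pattern quoted in the thread
// against constructed query strings. Not the plugin's own code.

// Pattern copied from the post; the "i" flag stands in for [NC].
// Note that "$" binds only to the final "=" alternative, so "=$" means
// "an equals sign as the last character of the query string".
const RULE = /^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).*/i;

// Returns the token that satisfied the alternation, or null when the
// condition does not match (this rule would not block the request).
function blockedBy(queryString) {
  const m = RULE.exec(queryString);
  return m ? m[1] : null;
}

// Constructed sample query strings (the part after the "?").
const SAMPLES = [
  "s=",            // empty search, first URL from the post
  "s=test&page=",  // trailing empty parameter, second URL from the post
  "s=test",        // normal search
  "s=test&page=2", // "=" present but not at the end
  "s=foo(bar)",    // blocked by a different alternative
];

// Builds one result row per sample so the outcome can be inspected.
function report() {
  return SAMPLES.map((qs) => ({ qs, token: blockedBy(qs) }));
}

for (const { qs, token } of report()) {
  const verdict = token === null ? "allowed" : "403 via " + JSON.stringify(token);
  console.log(JSON.stringify(qs).padEnd(18) + " " + verdict);
}
```

Both URLs from the post end in `=`, so they hit the `=$` alternative, while `s=test&page=2` passes because its `=` signs are not at the end of the string.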

  2. matiyin
    Member
    Posted 1 year ago #

    Great find! I have the same issue, thanks for posting a solution!

    I'm using a function to override empty searches with a 'space' to prevent routing to home, but indeed in WebKit it results in an error because the string is empty.

    Why not in Firefox? No idea...

  3. MickeyRoush
    Member
    Posted 1 year ago #

    You should really try to control that within the theme itself. For example, the word "search" could already be placed in the search box, so if a user just clicks the search button it will use the default word of "search". You really don't want spaces in a URL. That's a good sign of a malicious attack.

  4. matiyin
    Member
    Posted 1 year ago #

    Indeed, I've added a jQuery validation check and just return an alert to the user to insert something in the empty search box:

    $('#searchsubmit').click(function () {
        // Block the submit when the search box is empty.
        var searchVal = $("#s").val();
        if (searchVal == '') {
            alert("Please enter a search term");
            return false;
        }
    });

    Strangely enough, Firefox doesn't give a 403 like WebKit does.

Topic Closed

This topic has been closed to new replies.
