BulletProof Security
[resolved] BuddyPress and 403 (31 posts)

  1. Matt
    Member
    Posted 1 year ago #

    When members go to reply to a forum posting in BuddyPress (default forum, not bbPress), they are immediately taken to a page that shows:

    Forbidden

    You don't have permission to access /.../groups/.../forum/topic/.../ on this server.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    If you hit the back button and refresh the page, the reply is shown, so it is getting written to the db.

    When I disable BulletProof Security, the error goes away. Any ideas what I can modify to avoid this?

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Just for a basic check did you activate all BulletProof Modes? Both the Root and wp-admin BulletProof Modes must be activated together. I do not think this is the cause of the problem.

    What I suspect is that the full query string contains something in it that is being blocked by one of the BPS security filters in the root .htaccess file. There are 2 approaches to fixing issues like this.

    1. You can tell BPS not to apply any security filters to the forum folder

    or

    2. You can isolate the query string that is being blocked and create an .htaccess rule to skip / bypass the BPS security filters for that particular query string.

    In order to create a query string skip / bypass rule for you I would need to see the entire query string in the URL.

    or

    To see examples of .htaccess bypass / skip rules you can take a look at this help post >>> http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/

  3. Matt
    Member
    Posted 1 year ago #

    Yes, both modes are activated. When the query returns to the original page, it looks like this:

    http://mysite/community/groups/fearless/forum/topic/chapter-1-questions/?

    If I load that URL with BPS on, I get the 403 page. If I load that URL with BPS off, the page loads fine.

    Maybe it is the question mark at the end that is being blocked?

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok so what is the original query then?
    I do not have enough information to be able to tell you what is being blocked. Is some sort of unsafe redirection occurring?
    I need the whole scenario in order to determine what is not working correctly.

    What exactly is occurring right here?
    "When members go to reply to a forum posting in BuddyPress.."

    What exactly is occurring right here? By the way you describe this it sounds like some sort of redirection is occurring here. If so, how this is being done is essential information in determining the problem.

    "If you hit the back button and refresh the page, the reply is shown, so it is getting written to the db..."

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    If the forum is outside of WordPress you can just use a skip / bypass rule for the entire forum. Is it part of BuddyPress or not?

    I do not understand this "default forum, not bbPress"

  6. Matt
    Member
    Posted 1 year ago #

    Sorry, not really sure what is being done here query-wise to redirect; it is something within BuddyPress. You reply to a forum posting and it then redirects you back to the forum, tacking on the posting ID (which is then the permalink for the reply).

    Example: http://mysite/community/groups/fearless/forum/topic/chapter-1-questions/?#post-15

    If I were then to delete that reply, it redirects me back to the forum with the question mark at the end, but without the original post ID.

    Example: http://mysite/community/groups/fearless/forum/topic/chapter-1-questions/?

    Again, not sure what the query is exactly - all I can see are the generated URLs - and in this case it appears that the question mark portion is what is causing the problem. If I manually enter the URL without the question mark (even with the #post-15), the page loads fine. But the question mark is added to the URL by BuddyPress somewhere.

    The forum is part of BuddyPress, so is all within WordPress. When I say it is the default forum, I am referring to the functionality within BuddyPress. BuddyPress gives you the option to have bbPress as your forum provider or use the built-in forum (part of BuddyPress) within BuddyPress groups.

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Nope the question mark is not going to be the problem. A question mark just means a query string starts from this point on in the URL. So ?#post-15 means query #post-15. BPS does not block question marks.

    BPS already contains this permanent BuddyPress redirect query string fix below and what I am guessing is that either something new has been done in BuddyPress or in your particular website's case something is unique or different. This fix below pertains to BuddyPress Logouts, but the concept is the same. There is a query string that is doing a redirect after a user's reply in your Forum. That is the query string that I need to create the skip / bypass rule. Apparently it is not being displayed to you in your browser for long enough for you to see it or maybe not at all. So what I need from you is the version of BuddyPress you are using and if it is free. If you are using anything Premium then I cannot look at the code or test it. So let me know if you have free or premium stuff and a link to download it.

    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]

  8. Matt
    Member
    Posted 1 year ago #

    Installed BuddyPress version is 1.5.5. These are all the BuddyPress related plugins installed (all free, all from the wordpress plugin repository):

    BuddyPress
    Version 1.5.5

    BP Group Hierarchy
    Version 1.3.2

    BP Group Management
    Version 0.5.3

    BP Group Organizer
    Version 1.0.4

    BuddyPress Auto Group Join
    Version 2.2.1

    BuddyPress Automatic Friends
    Version 1.6.1

    BuddyPress Group Email Subscription
    Version 3.1.1

    BuddyPress Profile Privacy
    Version 1.4.2

    Private BuddyPress
    Version 1.0.4

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok so you said that the Forum is built into BuddyPress, correct? So I am assuming that I can test the Forum without adding the additional plugins, correct?

  10. Matt
    Member
    Posted 1 year ago #

    Correct; you would use "Forums for Groups" and not "New! Site Wide Forums"

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I love the new walk-through installation in BuddyPress, unfortunately I was unable to get BuddyPress installed and working correctly on my local XAMPP setup. It is a very advanced XAMPP setup so BuddyPress probably cannot handle interpreting my vhosts file correctly or maybe it is something else, but after spending an hour just trying to get BuddyPress to work I had to throw in the towel.

    I notice that on installation BP wipes out the existing .htaccess code and writes new .htaccess code, which is fine and is probably done with wp rewrite flush function. No big deal here.

    Ok, since I cannot see this visually quickly, and digging through the BuddyPress coding would take too much time that I cannot spare right now, here is an alternative solution.

    Do not apply BPS security to BuddyPress Forum. This is obviously not an optimum solution, but at this time I cannot fiddle around with this. Next week I will have some time to spare to find out exactly what the issue is.

    An example of the bypass / skip rule that you would use to not apply security to the BuddyPress Forum area would be something like this and it would go above skip rule #12

    # BuddyPress Forum bypass / skip rule
    # %{REQUEST_URI} is the full path beginning with "/" (here /community/groups/.../forum/...),
    # so a pattern anchored at "^forum/" can never match; match the /forum/ segment anywhere instead
    RewriteCond %{REQUEST_URI} /forum/ [NC]
    RewriteRule . - [S=13]

    Or I just thought of something else. If you can get the error from one of your log files - either Server log or php error log - then it will probably contain the query string in the logged error. Once I know what the query string is then I can quickly create the bypass / skip rule for that query string.

  12. Matt
    Member
    Posted 1 year ago #

    Thanks for looking into this! Unfortunately that entry in the .htaccess file doesn't alleviate the problem. The strange thing is I cannot find any errors at all - no error_log files are being generated and when I check my Error Log in cPanel, it is blank. Checking with my web host as I've never seen this before.

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Actually your Web Host is probably not going to look into this. This is a question for the BuddyPress folks and you would want to post in the BuddyPress Forum on the BuddyPress site.

  14. Matt
    Member
    Posted 1 year ago #

    I'll have to look more into the error log issue. What I can say is that if I take this line out:

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

    The problem goes away. I understand that this is probably blocking a query exploit, but is there any way to just say ignore it in certain circumstances?

  15. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    That security filter protects against Remote File Inclusion (RFI) and XSS hacking attempts against your website so it would not be a good idea to comment it out.

    What this tells me is that BuddyPress is trying to do a redirect by adding a URL after the query to redirect back to your website using HTTP in the query string.

    The string / URL would look generally something like this, which is very similar to RFI or XSS hacking attempts where a hacker adds a redirect to another site and they also add a script on the end of the redirect URL to deliver a payload.

    http://www.example.com/?redirect_to=http://www.example.com/

    Instead of putting your entire website at risk of being hacked, just post in the BuddyPress Forum and ask them what the query string is for Forum replies / redirect after replies.

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    is there any way to just say ignore it in certain circumstances?

    Yes, get the query string that is used in the redirect from the BuddyPress folks. ;)

  17. Matt
    Member
    Posted 1 year ago #

    Hopefully I've asked the right question here:

    http://buddypress.org/community/groups/how-to-and-troubleshooting/forum/topic/forum-reply-query-and-bulletproof-security/

    Understood that I am putting my site at risk by commenting out that line, but for now it still seems better to do that than go back to the default .htaccess code. :-)

  18. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Doesn't look like you are getting a response from them regarding your post. Ok, I just got BPS Pro 5.1.7 released today so I will install BuddyPress on a Live test site and see what is going on.

    FYI - my XAMPP test site that I installed BuddyPress on went completely blank after I did the uninstall of BuddyPress. Somehow it wiped out my Database for that site. No big deal as I can create new test sites in a couple of minutes. I would be sweating it if I was going to install BuddyPress on a Live production site though. Yikes.

  19. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Interesting that if the question mark character was changed to the ASCII equivalent of %3F then there would not be a problem here.

    It is very strange what is happening here and is something that I do not fully understand yet. I created a skip rule that will only work when you use the URL directly in your Browser window, but something else is happening in the redirection process that makes the rule not work when being redirected from the post reply window.

    Normally a question mark is not blocked by itself, but in this case the block is occurring because of the combination of the question mark and pound sign being used together - ?# - and that combination is causing this issue.

    If you remove either of these characters then the link works fine.

    Very interesting. I do not have a solution yet, but I will have one soon.

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ah ha, I was not aware of this below and it explains why using a RewriteRule with the NE Flag did not work. I think I am just looking at this all wrong. I'll try another approach as soon as I think of it. ;)

    The hash part of a URL is not available for rewriting. When a web browser sends a URL request to a web server it sends everything up to the hash sign. The hash is only available on the client (e.g. JavaScript code can see it).

  21. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    This is actually a bug that needs to be fixed in BuddyPress. I am not exactly sure where the WordPress add_query_arg function is screwing up, but it has to do with that WP function so do this test.

    Create a new Test Forum Topic.
    Keep creating test replies until you have 2 pages worth of replies - MUST be 2 pages worth.

    Once you have 2 pages worth of replies Activate BulletProof Mode without commenting out the filter that is blocking 1 page replies and you will see that BPS does not block the reply and the URL displays correctly.

    This is what the URLs should look like - ?topic_page=2&num=15#post-17

    The replies on the first page are mangled and somehow the rest of the query string that should be there is being stripped out.

    /**
     * Returns the permalink for the New Reply button at the top of forum topics
     *
     * @package BuddyPress
     * @since 1.5
     *
     * @uses apply_filters() Filter bp_get_forum_topic_new_reply_link to modify
     * @return str The URL for the New Reply link
     */
    function bp_get_forum_topic_new_reply_link() {
        global $topic_template;

        if ( $topic_template->pag->total_pages == $topic_template->pag_page ) {
            // If we are on the last page, no need for a URL base
            $link = '';
        } else {
            // Create a link to the last page for the topic
            $link = add_query_arg( array(
                'topic_page' => $topic_template->pag->total_pages,
                'num'        => $topic_template->pag_num
            ), bp_get_the_topic_permalink() );
        }

        // Tack on the #post-topic-reply anchor before returning
        return apply_filters( 'bp_get_forum_topic_new_reply_link', $link . '#post-topic-reply', $link );
    }

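
    The "?#anchor" shape this thread has been chasing, as an added Python example that is not BuddyPress or BulletProof Security code: it approximates what Apache sees in %{THE_REQUEST} for the URLs quoted above (the browser never sends the fragment, so "?#post-15" arrives as a bare trailing "?"), runs the `\?\ HTTP/` filter from post 14 over them, and contrasts a link builder that always writes the "?" with one that drops it when the query arguments come back empty. The base URL, the function names and the argument names are assumptions made for the example.

```python
"""Constructed illustration of the '?#anchor' problem discussed in this thread.

Not BuddyPress or BulletProof Security code: the base URL, the function
names and the query-argument names are assumptions made for the example.
"""
import re
from urllib.parse import urlencode, urlsplit

# The BPS filter quoted in this thread, applied to Apache's %{THE_REQUEST}:
#   RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
# It rejects any request line whose target ends in a bare '?'.
THE_REQUEST_FILTER = re.compile(r"\? HTTP/", re.IGNORECASE)


def request_line(url: str, method: str = "GET", version: str = "HTTP/1.1") -> str:
    """Approximate %{THE_REQUEST} for a URL a browser was sent to.

    Browsers transmit everything up to the '#'; the fragment stays on the
    client, so '...?#post-15' reaches Apache as '...?' (empty query string).
    """
    sent = url.split("#", 1)[0]
    parts = urlsplit(sent)
    target = parts.path or "/"
    if "?" in sent:  # keep a trailing '?' even when the query is empty
        target += "?" + parts.query
    return f"{method} {target} {version}"


def blocked_by_bps_filter(url: str) -> bool:
    """True when the quoted THE_REQUEST filter would answer 403 for this URL."""
    return THE_REQUEST_FILTER.search(request_line(url)) is not None


def build_link_naive(base: str, args: dict, anchor: str) -> str:
    """Always writes the '?', so an empty argument set yields 'base?#anchor'."""
    return f"{base}?{urlencode(args)}#{anchor}"


def build_link(base: str, args: dict, anchor: str) -> str:
    """Omit the '?' entirely when there are no query arguments to append."""
    query = urlencode(args)
    return f"{base}?{query}#{anchor}" if query else f"{base}#{anchor}"


if __name__ == "__main__":
    # Constructed sample based on the URLs quoted in the thread.
    base = "http://mysite/community/groups/fearless/forum/topic/chapter-1-questions/"
    samples = [
        build_link_naive(base, {}, "post-15"),                      # first-page reply
        build_link(base, {}, "post-15"),                            # same link, fixed
        build_link(base, {"topic_page": 2, "num": 15}, "post-17"),  # second-page reply
    ]
    for url in samples:
        status = "403" if blocked_by_bps_filter(url) else "200"
        print(f"{status}  {request_line(url)}")
```

    Running it shows the first-page reply link as "GET /community/.../chapter-1-questions/? HTTP/1.1", which is exactly the bare "?" the filter rejects, while the fixed first-page link and the two-page link ("?topic_page=2&num=15#post-17", as in post 21) pass untouched. The fix belongs in whatever builds the redirect URL, not in the filter: a trailing "?" with nothing after it carries no information and is the same shape the RFI/XSS probes the filter exists for tend to have.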
  22. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Oh I also wanted to mention that the problem I had with my XAMPP test site did not occur on this Live test site. I am very impressed with the BuddyPress plugin Installation Wizard. This is some fantastic and smart coding work. The reason my XAMPP site blew itself up is because of what I am doing with my vhosts and other Server config files and is in no way a BuddyPress plugin problem. Just wanted to clear that up so if anyone sees this thread they will not worry about having a problem with the BuddyPress plugin. BuddyPress is extremely well coded. ;)

  23. Matt
    Member
    Posted 1 year ago #

    Thanks for looking into this; I really appreciate it. Not sure how I'd approach this through BuddyPress since I never got a response on my initial request.

  24. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Well I could probably figure out a coding solution, but ideally the BuddyPress folks should look into this because ?# is not a good thing in general. I had never seen this before and thought I was missing something, but then I realized that this was not intended and some glitch in the coding was causing this. Odd how the array is not returning the rest of the query args until you get to 2 pages of replies. I'm sure if I dissected the code I could figure out why that is, but if the BuddyPress folks don't do this in their coding then you would have to keep adding your own coding hack each time you upgraded to a newer version of the plugin. ;)

    What I suggest is sending them an email with a link back to this thread. Hopefully they will not get pissed off with what I said about BuddyPress and my XAMPP test site. ;) This was completely because of the way I have my Server set up on my end and not an issue with the BuddyPress plugin at all.

  25. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also this is a very important fact - since the query string is malformed it opens a recent known vulnerability when a query string does not contain an "=" sign when a "-" is used in the query string.

    http://www.php.net/archive/2012.php#id2012-05-06-1

  26. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    And I will be implementing new .htaccess code to address this recently found vulnerability.

    Forbidden - exploitable query string
    http://www.example.com/?top-40
    http://www.example.com/?#top-40

    Allowed - valid query string
    http://www.example.com/?s=25#top-40
    http://www.example.com/?s=top-40

    The new .htaccess code will go right after the .htaccess code from WordPress that WP recommends to harden WP, and which I have included / incorporated into BPS .htaccess files.

    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    
    # query string contains a '-' and no '='
    # ?top-40 is Forbidden - ?s=top-40 is not Forbidden
    RewriteCond %{QUERY_STRING} ^[^=]*$
    RewriteCond %{QUERY_STRING} (%2d|\-) [NC]
    RewriteRule .? - [F,L]
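
    The two QUERY_STRING filters quoted in this thread (the dash-without-"=" pair just above and the later `\-[sdcr]...` condition from post 29), as an added Python example that is not BulletProof Security's own code, evaluated over the thread's own example URLs plus a few constructed ones. The regexes are copied from the .htaccess lines; the function names and the sample URLs are assumptions for the example. One caveat a practitioner should keep in mind: the browser never sends the fragment, so "?#top-40" arrives with an empty QUERY_STRING and this pair of conditions does not fire on it; what rejects that bare "?" in BPS is the `\?\ HTTP/` filter on THE_REQUEST quoted earlier in the thread.

```python
"""Constructed illustration (not BulletProof Security's own code) of the two
QUERY_STRING filters quoted in this thread, run over the thread's own URL
examples. The patterns are copied from the .htaccess lines; the helper names
and the extra sample URLs are assumptions made for the example."""
import re
from urllib.parse import urlsplit

# RewriteCond %{QUERY_STRING} ^[^=]*$
# RewriteCond %{QUERY_STRING} (%2d|\-) [NC]
# Consecutive RewriteConds are ANDed: no '=' anywhere AND a '-' (or %2d).
NO_EQUALS = re.compile(r"^[^=]*$")
HAS_DASH = re.compile(r"(%2d|\-)", re.IGNORECASE)

# RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|
#     safe_mode|disable_functions|auto_prepend_file) [NC,OR]
PHP_CGI_FLAG = re.compile(
    r"\-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode"
    r"|disable_functions|auto_prepend_file)",
    re.IGNORECASE,
)


def query_string(url: str) -> str:
    """What Apache exposes as %{QUERY_STRING} for a URL a browser requests.

    The fragment ('#...') is never transmitted, so it is cut off before
    parsing; the leading '?' is not part of QUERY_STRING either, and
    percent-escapes are left as received (hence the %2d alternative above).
    """
    return urlsplit(url.split("#", 1)[0]).query


def forbidden_by_dash_rule(url: str) -> bool:
    """The '-' without '=' pair: both conditions must hold for the 403."""
    qs = query_string(url)
    return NO_EQUALS.match(qs) is not None and HAS_DASH.search(qs) is not None


def forbidden_by_php_cgi_rule(url: str) -> bool:
    """The later filter: a -s/-d/-c/-r flag followed by one of the php.ini names."""
    return PHP_CGI_FLAG.search(query_string(url)) is not None


def verdict(url: str) -> str:
    """Which filter, if any, would answer 403 for this URL."""
    if forbidden_by_php_cgi_rule(url):
        return "403 (php-cgi flag filter)"
    if forbidden_by_dash_rule(url):
        return "403 (dash without '=' rule)"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample set: the four URLs from this post plus three extras.
    samples = [
        "http://www.example.com/?top-40",          # thread: Forbidden
        "http://www.example.com/?#top-40",         # thread: Forbidden (see note)
        "http://www.example.com/?s=25#top-40",     # thread: Allowed
        "http://www.example.com/?s=top-40",        # thread: Allowed
        "http://www.example.com/?top%2D40",        # encoded dash, NC flag
        "http://www.example.com/?-d%20safe_mode",  # matches the later filter
        "http://www.example.com/?page=2",          # ordinary query string
    ]
    for url in samples:
        print(f"{url:42} QUERY_STRING={query_string(url)!r:20} -> {verdict(url)}")
```

    The "?#top-40" line prints an empty QUERY_STRING and "allowed" from these two filters alone; only the THE_REQUEST filter sees the trailing "?". That is also why the earlier skip rule for the forum path worked when the URL was typed directly but not after the redirect: the filters key off different server variables, and a bypass has to skip the one that actually fires.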
  27. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Damn. I must be doing something wrong when uninstalling the BuddyPress plugin. The Live test website is hosed - blank white screen. I guess you just can't do an uninstall and need to do something else first. Crap.

  28. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Not a BPS issue - Pending resolution by BuddyPress.

  29. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Hey Matt,
    I have not had a chance to test the latest BuddyPress version and wanted to check back with you to see if you are still having the same problems/issues with the new version of BuddyPress. I will be testing the new version to see if the bugs were taken care of. Also the .htaccess code I was planning on using did not effectively stop real hacking attempts out in the wild so this new security filter below was added to BPS to stop/block those real hacking attempts. If the previous bug still exists then this new security filter will also block BuddyPress.

    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]

    Thanks.

  30. Matt
    Member
    Posted 1 year ago #

    Nope, the problem has been resolved with the latest update(s). Thanks for the follow-up!

Topic Closed

This topic has been closed to new replies.
