BulletProof Security
[resolved] Extended characters in the URL are not accepted (5 posts)

  1. mihai.todor85
    Member
    Posted 3 years ago #

    Hello,

    I noticed that after applying the secure main .htaccess file, my site would redirect to "Forbidden" if the URL query contains extended characters (from the HTTP point of view) like ă ț ș etc.

    I did some mod_rewrite debugging and discovered that these characters trigger a certain rule:

    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]

    Could you please tell me exactly what type of attack is this rule supposed to protect against? Please advise if it's fairly safe to remove it.

    Thank you,
    Mihai

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. mihai.todor85
    Member
    Posted 3 years ago #

    I spoke with the author of the plugin and he said that he intended to remove this line anyway and it will be removed in the next release.

  3. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    Yep, the query string is filtering out ALL extended and special ASCII characters and allowing only the standard ASCII set to 127. There are only a couple of extended or special ASCII characters that could be used in hacking methods so I will be creating new filters that will address only those specific characters. Thanks.

  4. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    This is not a critical BPS filter so it can be commented out without worrying about a security vulnerability. Just add a pound sign (#) in front of this line of htaccess code. Resolving.

    # RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]

  5. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    This query string filter has been removed from the BPS as of version .45.8 and will not be used in any future versions of BPS.
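
Why the rule quoted in this thread fires on ă, ț and ș, as an added example that is not part of the original posts or the plugin's code: mod_rewrite tests the raw, still percent-encoded query string, and every UTF-8 lead byte starts with hex digit C to F. Python's `re` with `IGNORECASE` stands in for the `[NC]` flag; the function names and sample queries are constructed for illustration.

```python
import re
from urllib.parse import quote

# Pattern copied from the RewriteCond in the thread; IGNORECASE mirrors [NC].
BPS_RULE = re.compile(r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*", re.IGNORECASE)
# Same alternation, unanchored, used only to report the first token that trips the rule.
TOKEN = re.compile(r"%0|%[A-F]|127\.0", re.IGNORECASE)


def raw_query(key, value):
    """Build the query string as a browser sends it: UTF-8 bytes, percent-encoded."""
    return f"{quote(key)}={quote(value)}"


def check(query):
    """Return (blocked, first_matching_token) for a raw, undecoded query string."""
    if not BPS_RULE.match(query):
        return (False, None)
    return (True, TOKEN.search(query).group(0))


def blocked_utf8_lead_bytes():
    """Return (matched, total) over the UTF-8 lead bytes 0xC2..0xF4 in %XX form."""
    leads = range(0xC2, 0xF5)
    return sum(1 for b in leads if BPS_RULE.match(f"%{b:02X}")), len(leads)


# Constructed sample queries (not taken from the thread).
SAMPLES = [
    raw_query("s", "hello world"),  # plain ASCII, encoded space is %20
    raw_query("s", "ță"),           # two-byte UTF-8 sequences, lead bytes C8 and C4
    "s=%c8%99",                     # ș in lower-case hex, caught because of [NC]
    "s=a%0Ab",                      # encoded line feed, caught by the %0 branch
    "s=a%2Fb",                      # encoded slash, first hex digit is 2
    "host=127.0.0.1",               # caught by the 127\.0 branch
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q:28} -> {check(q)}")
    print("UTF-8 lead bytes matched:", blocked_utf8_lead_bytes())
```

The rule only looks at the first hex digit after `%`, so it rejects every non-ASCII UTF-8 character while letting encodings such as `%2F` through.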

Topic Closed

This topic has been closed to new replies.
