• Resolved mihai.todor85

    (@mihaitodor85)


    Hello,

    I noticed that after applying the secure main .htaccess file, my site would redirect to “Forbidden” if the URL query contains extended characters (from the HTTP point of view) like ă ț ș etc.

    I did some mod_rewrite debugging and discovered that these characters trigger a certain rule:

    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]

    Could you please tell me exactly what type of attack is this rule supposed to protect against? Please advise if it’s fairly safe to remove it.

    Thank you,
    Mihai

    http://wordpress.org/extend/plugins/bulletproof-security/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter mihai.todor85

    (@mihaitodor85)

    I spoke with the author of the plugin and he said that he intended to remove this line anyway and it will be removed in the next release.

    Plugin Author AITpro

    (@aitpro)

Yep, the query string filter is filtering out ALL extended and special ASCII characters and allowing only the standard ASCII set to 127. There are only a couple of extended or special ASCII characters that could be used in hacking methods, so I will be creating new filters that will address only those specific characters. Thanks.
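To see exactly why the rule fires on ă, ț and ș, here is a small added example (not code from the plugin or either poster) that re-implements the RewriteCond pattern in Python and runs it over a few constructed query strings. mod_rewrite tests %{QUERY_STRING} while it is still percent-encoded and the [NC] flag makes the match case-insensitive, so `%C`, `%D`, `%E`, `%F` match the first hex digit of any encoded byte 0xC0-0xFF. Because every UTF-8 lead byte for a non-ASCII code point is 0xC2-0xF4, the pattern blocks every non-ASCII character a browser can send, which the example checks across several scripts and planes. The NUL-byte check at the end is an illustration of what a narrower filter could look like; the thread does not say which characters the author's replacement filters target.

```python
import re
from urllib.parse import quote, unquote_to_bytes

# Python equivalent of the BPS .htaccess condition discussed above:
#   RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
# [NC] -> case-insensitive; the string tested is the raw, still percent-encoded query.
BPS_PATTERN = re.compile(r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*", re.IGNORECASE)


def bps_rule_matches(query_string: str) -> bool:
    """True when the old BPS filter would fire (the request would get 403 Forbidden)."""
    return BPS_PATTERN.match(query_string) is not None


def encode_query(params: dict) -> str:
    """Build a query string the way a browser sends it: UTF-8 bytes, percent-encoded."""
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params.items())


# Constructed sample code points from several scripts and planes (not from the page).
SAMPLE_CODEPOINTS = [
    0x0103,   # ă  -> %C4%83
    0x021B,   # ț  -> %C8%9B
    0x0219,   # ș  -> %C8%99
    0x00E9,   # é  -> %C3%A9
    0x20AC,   # €  -> %E2%82%AC
    0x65E5,   # 日 -> %E6%97%A5
    0x1F600,  # 😀 -> %F0%9F%98%80
]


def utf8_lead_hex_digit(code_point: int) -> str:
    """First hex digit of the UTF-8 lead byte; for code points >= U+0080 it is always C, D, E or F."""
    return format(chr(code_point).encode("utf-8")[0], "02X")[0]


def all_non_ascii_samples_blocked() -> bool:
    """The old rule rejects every non-ASCII sample, purely because of the lead byte."""
    return all(
        bps_rule_matches(encode_query({"q": chr(cp)}))
        and utf8_lead_hex_digit(cp) in "CDEF"
        for cp in SAMPLE_CODEPOINTS
    )


def contains_encoded_nul(query_string: str) -> bool:
    """Illustrative narrower check (assumption, not the filter BPS shipped): decode the
    query and reject only an embedded NUL byte, so ordinary UTF-8 text passes.
    A comparable .htaccess condition would be:  RewriteCond %{QUERY_STRING} %00 [NC]
    """
    return b"\x00" in unquote_to_bytes(query_string)


if __name__ == "__main__":
    cases = {
        "plain ASCII":            "q=hello",
        "Romanian ăț":            encode_query({"q": "ăț"}),
        "encoded newline":        "x=%0a",
        "encoded space then 'a'": "x=%20a",
        "loopback literal":       "ip=127.0.0.1",
        "encoded NUL":            "q=%00abc",
    }
    for name, qs in cases.items():
        print(f"{name:24s} {qs:22s} old rule: {bps_rule_matches(qs)!s:5s} NUL check: {contains_encoded_nul(qs)}")
    print("every non-ASCII sample blocked by old rule:", all_non_ascii_samples_blocked())
```

Note that `x=%20a` passes: the alternatives only match the hex digit immediately after `%`, so the rule is about encoded byte ranges, not about the letters a-f appearing in the query. That is also why the thread starter saw it only for extended characters.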

    Plugin Author AITpro

    (@aitpro)

This is not a critical BPS filter, so it can be commented out without worrying about a security vulnerability. Just add a pound sign (#) in front of this line of htaccess code. Resolving.

    # RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]

    Plugin Author AITpro

    (@aitpro)

This query string filter has been removed from BPS as of version .45.8 and will not be used in any future versions of BPS.

  • The topic ‘[Plugin: BulletProof Security] Extended characters in the URL are not accepted’ is closed to new replies.