
[Resolved] 403 error on callback file

    Hi

    I have an ecommerce site using worldpay as the payment processor; when a payment is complete, worldpay posts data back to my server to a file in the root folder called callback.php.

    Bulletproof is quite rightly blocking this and consequently I get a 403. I need to allow this one file to receive an HTTP POST and return a 200.

    Please can someone help me to know what I need to put in the .htaccess file to allow posting remotely to this one file.

    http://wordpress.org/extend/plugins/bulletproof-security/

  • Plugin Author AITpro
    Participant

    @aitpro

    First off, the callback.php file should be in its own folder/directory. The best site design/architecture is to compartmentalize very important scripts such as this one for two reasons.

    1. Your website root folder is the most vulnerable folder of all of your folders under your entire website.

    2. For important scripts such as this script you would want the ability to be able to have isolated/directory/folder specific control of the security/protection of this very important script file. Also by compartmentalizing this script you do not have to make security exceptions or allowances in your website root folder and throughout your entire website because of this 1 script/file.

    For example:
    Let’s say you move the callback.php file to a folder called /callback. You can now add an .htaccess file in the /callback folder that will ONLY apply to files in the /callback folder and not any other files or folders throughout your entire website. .htaccess files work in a hierarchical way – if an .htaccess file exists in a particular folder then all files in that particular folder will ONLY follow the rules of that .htaccess file.

    website root folder .htaccess file – all files in the root folder will follow the security rules in this .htaccess file and all subfolders that DO NOT have .htaccess files in them will also follow the security rules in the website root .htaccess file.
    /.htaccess

    callback folder .htaccess file – all files in the /callback folder will follow the security rules in this .htaccess file and not the security rules in the website root folder .htaccess file.
    /callback/.htaccess

    To turn off security completely for ONLY the /callback folder you would add a RewriteEngine Off .htaccess file by doing these steps below.

    1. open NotePad on your computer (not Word and not WordPad)
    2. add one line of .htaccess code in the file: RewriteEngine Off
    3. save the text file with this file name: nosecurity.txt
    4. upload the nosecurity.txt file to the /callback folder
    5. rename the nosecurity.txt file to .htaccess
    6. the /callback folder now has its own compartmentalized security rules, which are No Security/Rewriting is turned off.

    I do not advise doing this method below, but it is possible to allow unfiltered access to only the callback.php file and leave it in your root website folder. Leaving the callback.php file in the website root folder is bad site architecture/design in general. You would add the callback.php file to this skip/bypass rule below and then you would also have to allow worldpay.com as a Referrer.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (callback\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*demo4.local.*
    RewriteRule . - [S=1]

    Plugin Author AITpro
    Participant

    @aitpro

    The post above was closed before I could finish adding the rest of the code modifications:

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (callback\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*your-website.com.* [OR]
    RewriteCond %{HTTP_REFERER} ^.*worldpay.com.*
    RewriteRule . - [S=1]
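An added example that is neither the plugin author's code nor part of the BulletProof Security plugin: a /callback/.htaccess that sits between the two options above. Instead of RewriteEngine Off (no protection at all in that folder) or a Referer-based bypass in the root rules, it gives the /callback folder its own small rule set that serves only callback.php and only for POST. The folder name and file name are the poster's; it assumes the site lives at the domain root, Apache 2.4 and AllowOverride All on the host (the 2.2 equivalent is given in a comment).

```apache
# /callback/.htaccess (added example; folder and file names from the thread,
# everything else assumed)

# Any mod_rewrite directive in a subfolder .htaccess replaces the rewrite
# rules of the website root .htaccess for that folder (unless the root sets
# "RewriteOptions Inherit"), so this folder gets its own rules rather than
# the root rules or none at all.
RewriteEngine On

# Only callback.php may be requested inside /callback; every other path in
# this folder is refused with 403.
RewriteCond %{REQUEST_URI} !^/callback/callback\.php$ [NC]
RewriteRule .* - [F,L]

# The payment callback is only ever a POST, so GET, HEAD and any other method
# get 403 and the file cannot be probed from a browser.
# Apache 2.2: replace "Require all denied" with
#   Order deny,allow
#   Deny from all
<Files "callback.php">
    <LimitExcept POST>
        Require all denied
    </LimitExcept>
</Files>
```

Two things worth checking after uploading it: a browser GET of /callback/callback.php should now return 403 while a POST returns 200, and the rest of the site should still be governed by the root .htaccess. Note that the Referer header used by the root-folder bypass rule above is supplied by the client, so it can be set to anything, and a server-to-server POST commonly sends no Referer at all; a per-folder rule keyed on path and method does not depend on it.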

    Plugin Author AITpro
    Participant

    @aitpro

    Is your issue/problem resolved? If so, please mark this thread as resolved. Thank you.

    Plugin Author AITpro
    Participant

    @aitpro

    Is your issue/problem resolved? If so, please mark this thread as resolved. Thank you.

    Plugin Author AITpro
    Participant

    @aitpro

    Resolving this thread due to lack of response. If the problem is still occurring please unresolve the thread and post a status update. Thank you.
