• Resolved gleanweb

    (@gleanweb)


    I have installed php pages that connect to a database in domain/subfolder. The database, folder and its files are not part of WordPress. Some scripts in this folder are triggering “403 Forbidden – A potentially unsafe operation has been detected in your request to this site.”

    I followed the suggestion in the forum to add to the subfolder a file named .user.ini that contains only the line: auto_prepend_file = none

    This has not solved the problem.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi @gleanweb,

    This may be due to how they are being called.

    Can you show me an example request to one of your scripts?

    For example: http://example.com/your_script.php?any_query=<runtime>something</runtime>

    I suspect there are query variables within the URL or in the POST body that are triggering the 403 by Wordfence.

    If you can show me how these scripts are being called, we can try to whitelist these actions.

    Dave

    Hi Dave,
    Thanks for the note. The $_POST array looks like this:
    Array
    (
    [title] => All sites +Site stats+
    [sqlquery] => select farm, contact1, phone1, address, city, state, zip from sites order by farm
    [list] => Show this report
    [terms] =>
    [querynum] => 3
    )

    @gleanweb

    I have systematically gone through the POSTed inputs and found that what triggers the Wordfence block in the $_POST array is:

    [sqlquery] => select farm, contact1, phone1, address, city, state, zip from sites

    Is this because of the name of the variable?
    Or does Wordfence recognize the string as an sql query and block it for that reason?
    Or something else?

    The whole point of the page is to write and save customized sql queries. The POSTed input is rigorously sanitized on the server and the page is password-protected.

    Hi again!

    Can you try whitelisting the sqlquery variable?

    1. Go to Wordfence -> All Options
    2. Scroll down until you see Whitelisted URLs
    3. Put / for the URL
    4. Select Param Type: POST Body for the dropdown
    5. Put sqlquery for the Param Name
    6. Click on Add
    7. Click on Save Changes in the top right corner

    For example: https://i.imgur.com/cKus1f0.png

    * For (3) you can put the exact URL of the script, for example /my_script.php or /folder/my_script.php

    Dave

    Thanks, Dave. I added the script to the whitelist. The first time I then ran the script it again balked, but gave me the option on the 403 Forbidden page to whitelist it. I checked that box and it all seems to work now.
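The parameter whitelisted in the steps above carries raw SQL, so once Wordfence stops inspecting it, the script's own validation is the only filter on that field. The following is an added example (not code from this thread or from Wordfence) of a strict server-side check in PHP; the function name and the table allowlist are assumptions, with `sites` taken from the posted query.

```php
<?php
declare(strict_types=1);
// Assumption: tables the report page may read ("sites" is the table named in the thread).
const ALLOWED_TABLES = ['sites'];

// Hypothetical helper: returns null when $sql is acceptable, else the reason it was refused.
// Deliberately narrow (one plain SELECT over allowlisted tables); it is not a full SQL parser,
// so the database account behind the page should itself be limited to SELECT on these tables.
function report_query_reject_reason(string $sql): ?string
{
    $sql = trim($sql);
    if ($sql === '' || strlen($sql) > 2000) {
        return 'empty or too long';
    }
    // No statement separators, comment markers, backticks, backslashes or NUL bytes.
    if (preg_match('~;|--|/\*|#|`|\\\\|\x00~', $sql)) {
        return 'separator, comment or escape character';
    }
    // Exactly one SELECT, at the start: rules out subqueries and stacked statements.
    if (!preg_match('/^select\s/i', $sql) || preg_match_all('/\bselect\b/i', $sql) !== 1) {
        return 'must be a single SELECT';
    }
    // Keywords that write data, reach the filesystem, or pull in other schemas.
    $banned = 'insert|update|delete|drop|alter|create|truncate|replace|grant|revoke|'
            . 'union|into|outfile|dumpfile|load_file|sleep|benchmark|information_schema';
    if (preg_match('/\b(' . $banned . ')\b/i', $sql, $m)) {
        return 'banned keyword: ' . strtolower($m[1]);
    }
    // Check the table list after every FROM, even one inside a string literal (fails closed).
    if (!preg_match_all('/\bfrom\b(.*?)(?=\b(?:from|where|group|having|order|limit)\b|$)/is', $sql, $m)) {
        return 'no FROM clause';
    }
    foreach ($m[1] as $clause) {
        foreach (preg_split('/,|\bjoin\b/i', $clause) as $piece) {
            $table = strtolower(preg_split('/\s+/', trim($piece))[0]);
            if (!in_array($table, ALLOWED_TABLES, true)) {
                return 'table not allowlisted: ' . $table;
            }
        }
    }
    return null;
}

// Constructed sample inputs; the first is the query quoted in the thread.
foreach ([
    'select farm, contact1, phone1, address, city, state, zip from sites order by farm',
    'select farm from sites, wp_users',
    "select 'from sites x' from wp_users",
] as $sql) {
    printf("%-36s <= %s\n", report_query_reject_reason($sql) ?? 'ALLOW', $sql);
}
```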

  • The topic ‘403 forbidden’ is closed to new replies.