Plugin Author
AITpro
(@aitpro)
Ok this bypass below will most likely work, but I was hoping to find the root thing that was being blocked. There is very limited info about how the EDD Software License API works so that is not giving me any clues to use in troubleshooting.
1. Copy your WP REWRITE LOOP START code from your root htaccess file and paste it into this Root Custom Code text box: CUSTOM CODE WP REWRITE LOOP START
2. Add the additional Skip/bypass checking the /my-account/ URI code as shown below.
3. Click the Save Root Custom Code button.
4. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode.
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Skip/bypass checking the /my-account/ URI
RewriteRule ^my-account/ - [L]
Plugin Author
AITpro
(@aitpro)
This website is a standard/single WordPress installation correct? Is this site a GWIOD site by any chance? “Giving WordPress Its Own Directory” site?
This is a standard/single WordPress installation.
I will try the option you suggested and get back to you soon.
Sorry for a late reply.
I tried the last option of adding code to “CUSTOM CODE WP REWRITE LOOP START”, but that also didn’t work.
Also, this is NOT a GWIOD site.
Let me know what I can try next.
Plugin Author
AITpro
(@aitpro)
What is left to try is manually commenting out the BPS Query String rules line by line. Yeah UGH.
Start with the first rule and work your way down. Test after commenting out a rule/line of code. Yeah UGH.
#RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
...
...
...
DO NOT comment out this last rule below. Your site will crash if you comment out this last rule.
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
Yeah UGH.
Wow!!! I was not expecting a response so quick especially on a Saturday evening. You guys rock.
I will try out this last option and let you know what I discover.
Plugin Author
AITpro
(@aitpro)
Oh and I meant to ask you if anything above that is XXX’d out has any unsafe code characters like: ' " < >
Nope. They don’t have any of those characters.
Plugin Author
AITpro
(@aitpro)
Do the XXX’s have any code characters or are they only alphanumeric: a through z and 0 to 9?
Plugin Author
AITpro
(@aitpro)
Is anything URL encoded in the XXX’s?
Plugin Author
AITpro
(@aitpro)
Oh and if you have added any additional custom code to BPS Custom Code then cut and paste any custom code to a notepad or notepad++ text file and save that file.
Then click the Save Root Custom Code button.
Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode.
I commented out the BPS Query String rules line by line, and finally found the offending line.
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
If I remove this line what are the issues?
Plugin Author
AITpro
(@aitpro)
Great Job!
That security filter is a general secondary SQL Injection filter. The primary SQL Injection filter is this one below. The primary SQL Injection filter stops/blocks all/100% of SQL Injection attacks so the secondary filter can be commented out/removed without any security risks or negative impact.
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
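The line-by-line commenting procedure above, and the point that the primary filter alone still catches injection attempts once the secondary `localhost` rule is removed, can be checked offline before touching the live htaccess file. The script below is an added example, not code from BulletProof Security or the thread: it models the [OR]-chained `RewriteCond` rules quoted in this thread (only the ones visible here; the rules elided as "..." are not included) as case-insensitive regexes and reports which rule fires for a request. The three sample requests are constructed; the real query string that was blocked was redacted in the thread, so the EDD-style license call with a `url=...localhost...` parameter is an assumption about the kind of value that would trip the secondary rule.

```python
import re

# Approximation of the BPS Query String RewriteCond chain quoted in the thread.
# Only the rules visible in the thread are listed; the real chain has more
# (the "..." lines). Each entry: (label, server variable tested, regex source
# copied from the RewriteCond). Every condition carries [NC] (case-insensitive)
# and all but the last are [OR]-chained, so a request is blocked when ANY matches.
BPS_RULES = [
    ("user-agent blacklist", "HTTP_USER_AGENT",
     r"(havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)"),
    ("secondary SQLi filter (localhost)", "QUERY_STRING",
     r"(localhost|loopback|127\.0\.0\.1)"),
    ("primary SQLi filter", "QUERY_STRING",
     r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00)"
     r".*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert"
     r"|alter|declare|order|script|set|md5|benchmark|encode)"),
    ("sp_executesql", "QUERY_STRING", r"(sp_executesql)"),
]


def matching_rules(request, disabled=()):
    """Return the labels of every rule that fires for `request`.

    `request` maps Apache variable names (QUERY_STRING, HTTP_USER_AGENT) to
    their raw values. mod_rewrite tests QUERY_STRING before URL-decoding, so
    the %27-style patterns are matched against the literal percent sequences.
    `disabled` holds labels that have been "commented out", mirroring the
    line-by-line troubleshooting described in the thread.
    """
    hits = []
    for label, variable, pattern in BPS_RULES:
        if label in disabled:
            continue
        if re.search(pattern, request.get(variable, ""), re.IGNORECASE):
            hits.append(label)
    return hits


def is_blocked(request, disabled=()):
    """True when at least one remaining condition matches (the chain is [OR]-ed)."""
    return bool(matching_rules(request, disabled))


# Constructed sample requests (assumptions; the thread's real query string was redacted).
LICENSE_CHECK = {
    # EDD-style software-license call whose `url` parameter names a localhost dev site
    "QUERY_STRING": "edd_action=activate_license&license=XXXXXXXX&item_name=Example+Plugin"
                    "&url=http%3A%2F%2Flocalhost%2Fdev-site",
    "HTTP_USER_AGENT": "WordPress/4.0; http://localhost/dev-site",
}
INJECTION_ATTEMPT = {
    # URL-encoded quote followed by SQL keywords: exactly what the primary filter looks for
    "QUERY_STRING": "s=%27%20union%20select%201",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
}
ORDINARY_PAGE = {
    "QUERY_STRING": "p=42&preview=true",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
}

if __name__ == "__main__":
    for name, req in [("license check", LICENSE_CHECK),
                      ("injection attempt", INJECTION_ATTEMPT),
                      ("ordinary page", ORDINARY_PAGE)]:
        print(f"{name:18s} -> {matching_rules(req) or 'no rule fired'}")
    # With the secondary rule commented out, the license check gets through
    # while the injection attempt is still stopped by the primary filter.
    dropped = ("secondary SQLi filter (localhost)",)
    print("license check blocked after removal:", is_blocked(LICENSE_CHECK, dropped))
    print("injection blocked after removal:", is_blocked(INJECTION_ATTEMPT, dropped))
```

Running it shows the license call tripping only the secondary rule (a false positive on a legitimate parameter value) while the encoded-quote-plus-keyword request trips the primary filter, which is the reasoning behind removing just that one line rather than adding a broad URI bypass. Python's `re` and Apache's PCRE agree on these simple alternations, but the omitted "..." rules and the real server configuration are not modelled, so treat this as a way to reason about which filter fires, not as a replacement for testing on the site.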
Plugin Author
AITpro
(@aitpro)
Issue/problem was resolved – thread has been resolved.
Thread Start Date: 11-19-2014 to 11-20-2014
Thread Resolved/Current Date: 11-27-2014