Support » Plugin: 404 Solution » 403 when try to save Option

  • Resolved cosmoweb

    (@cosmoweb)


    Hi,

    when i try to save option pagine I have 403 error:

    Forbidden
    You do not have permission to access this document.

    Any solution? Thanks

Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Author Aaron

    (@aaron13100)

    Did you try reloading the page and trying again?

    Plugin Author Aaron

    (@aaron13100)

    Generally this happens because of a security plugin that’s interfering with admin access. Like “BulletProof Security” for example.

    @cosmoweb – If you are using the BulletProof Security plugin then you can confirm or eliminate that the BPS plugin is causing the problem by doing these BPS troubleshooting steps > https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting. Another thing that can cause 403 errors when saving option settings is ModSecurity installed in your web host control panel.

    @cosmoweb – I tested both the BPS plugin and ModSecurity CRS. BPS does not block saving option settings in this plugin. ModSecurity CRS does block saving option settings in this plugin.

    @aaron13100 – I ran into the same problem with ModSecurity CRS in several of the BPS plugin features and created encryption/decryption to evade/bypass ModSecurity. You can grab my code in the BPS plugin. It’s actually very simple and easy to implement. See the ModSecurity CRS errors below.

    ModSecurity CRS errors logged:

    [Tue Aug 25 00:20:17.550032 2020] [:error] [pid 20304:tid 2072] [client 127.0.0.1:58631] [client 127.0.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'nc' [file "C:/xampp/apache/modsecurity/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nc found within ARGS:folders_files_ignore: wp-content/plugins/*\\x0d\\x0awp-content/themes/*\\x0d\\x0a.well-known/acme-challenge/*"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "demo5.local"] [uri "/wp-admin/options-general.php"] [unique_id "X0S7sVJ6dPYWDcXi3CIl1gAAAJU"], referer: http://demo5.local/wp-admin/options-general.php?page=abj404_solution&subpage=abj404_options
    
    [Tue Aug 25 00:20:17.555018 2020] [:error] [pid 20304:tid 2072] [client 127.0.0.1:58631] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/modsecurity/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "demo5.local"] [uri "/wp-admin/options-general.php"] [unique_id "X0S7sVJ6dPYWDcXi3CIl1gAAAJU"], referer: http://demo5.local/wp-admin/options-general.php?page=abj404_solution&subpage=abj404_options

    Hi,

    I don’t use BulletProof Security plugin, it’s possible issue on hosting? I’m on dedicated server.

    I tried to deactive all plugins and change theme, but still don’t work-

    Thanks in advance

    i found this error on server:

    [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\\\n|\\\\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+" at MATCHED_VAR. [file "/etc/httpd/conf/modsecurity.d/rules/custom/12_HTTP_Protocol.conf"] [line "137"] [id "217280"] [rev "6"] [msg "COMODO WAF: HTTP Request Smuggling Attack||www.mywebsite.ltd|F|2"] [data "Matched Data: post found within MATCHED_VAR"] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "www.mywebsite.ltd"] [uri "/wp-admin/options-general.php"] [unique_id "X0VKrN91C3dKZBghy9FV7gAAAAg"], referer: https://www.mywebsite.ltd/wp-admin/options-general.php?page=abj404_solution&subpage=abj404_options

    [client 1.2.3.4] ModSecurity: Warning. Pattern match "(?:\\\\n|\\\\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+" at MATCHED_VAR. [file "/etc/httpd/conf/modsecurity.d/rules/custom/12_HTTP_Protocol.conf"] [line "137"] [id "217280"] [rev "6"] [msg "COMODO WAF: HTTP Request Smuggling Attack||www.mywebsite.ltd|F|2"] [data "Matched Data: post found within MATCHED_VAR"] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "www.mywebsite.ltdt"] [uri "/wp-admin/options-general.php"] [unique_id "X0VK9wgf1bVIT9rKUFEv9QAAAAU"], referer: https://www.mywebsite.ltd/wp-admin/options-general.php?page=abj404_solution&subpage=abj404_options

    Plugin Author Aaron

    (@aaron13100)

    @aitpro When you say “grab your code,” which code specifically do you mean?

    Yep, ModSecurity CRS is causing the 403 error. Some web hosts will create whitelist rules for you, but most hosts won’t do that. In the long run the best solution for the plugin author is to either change the way the option forms are processing the form field data or to use something like I’ve done in my plugin, which is to encrypt the form data before processing it so that the form data bypasses/evades ModSecurity detection.

    I used to recommend disabling ModSecurity if your web host allows that, but ModSecurity is a good thing. The security rules are too generalized and not specific enough in a lot of cases so the ModSecurity rules detect a significant amount of false positives. It would be nice if ModSecurity would include a simply way to whitelist by URI, but that would have to be intentionally pre-built into ModSecurity itself. Even better would be a frontend interface, but the problem with that is ModSecurity is a server-side thing. 😉

    • This reply was modified 3 months, 1 week ago by AITpro.

    @aaron13100 – These 2 files/folders make everything go…

    /bulletproof-security/js/crypto-js
    /bulletproof-security/bps-encryption.js

    Then you just call the classes and use instances of the classes wherever you want encryption/decryption.

    Take a look at this file and reverse engineer it in your plugin code/forms…

    /bulletproof-security/admin/core/core-custom-code.php

    In my particular usage I created Encrypt/Decrypt buttons and let people know that if they see a 403 error due to ModSecurity then they would need to click the Encrypt button before clicking a “Save” button.

    • This reply was modified 3 months, 1 week ago by AITpro.

    The same problem would occur if you tried to do something like a preg_replace in your form processing code. So that leaves you with creating the outputted code with characters such as < and > in your outputted code instead of passing those types of characters in a POST or GET form submission. In my case I did not have that option. 😉

    • This reply was modified 3 months, 1 week ago by AITpro.
    • This reply was modified 3 months, 1 week ago by AITpro.
    • This reply was modified 3 months, 1 week ago by AITpro.
    • This reply was modified 3 months, 1 week ago by AITpro.
    Plugin Author Aaron

    (@aaron13100)

    @aitpro So if when saving the form data, the POST data is encrypted in JS before sending to the server, and then decrypted server-side, that will avoid the modsecurity issue?

    If so it seems that simply garbling the data instead of specifically encrypting it would work, right? i.e. Is it the sending of plain text that’s causing the issue?

    thanks

    Yep, obfuscating that data would also work. The Crypto JS stuff was created by someone else so instead of reinventing the wheel I just used a great solution that was already available. The Crypto JS code/files complies with WordPress licensing guidelines.

    ModSecurity has rulesets that look for certain code characters and patterns that resemble malicious POST and GET attacks. So if you encrypt the form data ONLY during the actual form submission then ModSecurity does not see a possible threat.

    The way I am doing it is the data is ONLY encrypted during the actual form POST. The data is not stored encrypted and does not display encrypted in any of the form fields even after form submission…

    // wp-admin Custom Code Form
    // Important Note: stripslashes is used to strip any slashes that are added to a $_POST value and not slashes in the code itself.
    ## 3.6: Encryption|Decryption added to Forms to bypass/evade OWASP ModSecurity CRS Ruleset on web hosts.
    function bpsPro_CC_WPA_values_form() {
    global $bps_topDiv, $bps_bottomDiv;
    
    	if ( isset( $_POST['bps_customcode_submit_wpa'] ) && current_user_can('manage_options') ) {
    		check_admin_referer( 'bulletproof_security_CC_WPA' );
    		
    		$Encryption = new bpsProPHPEncryption();
    		$nonceValue = 'ghbhnyxu';
    		
    		$pos1 = strpos( $_POST['bps_customcode_deny_files_wpa'], 'eyJjaXBoZXJ0ZXh0Ijoi' );
    		$pos2 = strpos( $_POST['bps_customcode_one_wpa'], 'eyJjaXBoZXJ0ZXh0Ijoi' );
    		$pos3 = strpos( $_POST['bps_customcode_two_wpa'], 'eyJjaXBoZXJ0ZXh0Ijoi' );
    		$pos4 = strpos( $_POST['bps_customcode_bpsqse_wpa'], 'eyJjaXBoZXJ0ZXh0Ijoi' );
    
    		if ( $pos1 === false ) {
    			$bps_customcode_deny_files_wpa = stripslashes($_POST['bps_customcode_deny_files_wpa']);
    		} else {
    			$bps_customcode_deny_files_wpa = $Encryption->decrypt($_POST['bps_customcode_deny_files_wpa'], $nonceValue);
    		}
    
    		if ( $pos2 === false ) {
    			$bps_customcode_one_wpa = stripslashes($_POST['bps_customcode_one_wpa']);
    		} else {
    			$bps_customcode_one_wpa = $Encryption->decrypt($_POST['bps_customcode_one_wpa'], $nonceValue);
    		}
    
    		if ( $pos3 === false ) {
    			$bps_customcode_two_wpa = stripslashes($_POST['bps_customcode_two_wpa']);
    		} else {
    			$bps_customcode_two_wpa = $Encryption->decrypt($_POST['bps_customcode_two_wpa'], $nonceValue);
    		}
    
    		if ( $pos4 === false ) {
    			$bps_customcode_bpsqse_wpa = stripslashes($_POST['bps_customcode_bpsqse_wpa']);
    		} else {
    			$bps_customcode_bpsqse_wpa = $Encryption->decrypt($_POST['bps_customcode_bpsqse_wpa'], $nonceValue);
    		}
    
    		$wpadmin_CC_Options = array(
    		'bps_customcode_deny_files_wpa' => $bps_customcode_deny_files_wpa, 
    		'bps_customcode_one_wpa' 		=> $bps_customcode_one_wpa, 
    		'bps_customcode_two_wpa' 		=> $bps_customcode_two_wpa, 
    		'bps_customcode_bpsqse_wpa' 	=> $bps_customcode_bpsqse_wpa 
    		);
    
    		foreach( $wpadmin_CC_Options as $key => $value ) {
    			update_option('bulletproof_security_options_customcode_WPA', $wpadmin_CC_Options);
    		}		
    	
    	echo $bps_topDiv;
    	$text = '<strong><font color="green">'.__('wp-admin Custom Code saved successfully! Go to the Security Modes tab page and click wp-admin Folder BulletProof Mode Activate button to add/create your new Custom Code in your wp-admin htaccess file.', 'bulletproof-security').'</font></strong>';
    	echo $text;		
    	echo $bps_bottomDiv;	
    	
    	}
    }

    It’s a similar method that hackers use to evade WAF’s, etc. You want your data to pass through the WAF without being detected and of course you also want your code/data intact as well on the other end to perform whatever attack vector you are going for.

    • This reply was modified 3 months, 1 week ago by AITpro.
    Plugin Author Aaron

    (@aaron13100)

    @cosmoweb Please try version 2.22.10 and let me know if it works or not.
    thanks

Viewing 15 replies - 1 through 15 (of 19 total)
  • You must be logged in to reply to this topic.