Support » Plugin: BulletProof Security » Argo Links 403 Error

  • Resolved justmattb

    (@mwbarker)


    Trying out a new plugin, called Argo Links:
    http://argoproject.org/argo-links.php

    Included with it is a bookmarklet that allows you to capture the URL from the website and add it to a list of links in your WordPress site. BulletProof Security is blocking the requests, resulting in a 403 on the pop-up. This is what the bookmarklet looks like:

    javascript:var d=document,w=window,e=w.getSelection,k=d.getSelection,x=d.selection,s=(e?e():(k)?k():(x?x.createRange().text:0)),f='http://www.mysite.com/wp-content/plugins/argoproject-argo-links-ec58e2a/argo-this.php',l=d.location,e=encodeURIComponent,u=f+'?post_type=argolinks&u='+e(l.href)+'&t='+e(d.title)+'&s='+e(s)+'&v=4';a=function(){if(!w.open(u,'t','toolbar=0,resizable=1,scrollbars=1,status=1,width=720,height=570'))l.href=u;};if (/Firefox/.test(navigator.userAgent)) setTimeout(a, 0); else a();void(0)

    This is what the BPS error log shows:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - March 20, 2013 - 3:36 am <<<<<<<<<<<
    REMOTE_ADDR: editedout
    Host Name: editedout
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: editedout
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.fromaway.com/features/how-to-start-a-food-blog
    REQUEST_URI: /wp-content/plugins/argoproject-argo-links-ec58e2a/argo-this.php?post_type=argolinks&u=http%3A%2F%2Fwww.fromaway.com%2Ffeatures%2Fhow-to-start-a-food-blog&t=How%20to%20Start%20a%20Food%20Blog&s=&v=4
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22

    I have tried to update the .htaccess file with this line, but it does not help:

    # Argo Links
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/argoproject-argo-links-ec58e2a/ [NC]
    RewriteRule . - [S=13]

    Any other way around this?

    http://wordpress.org/extend/plugins/bulletproof-security/

Viewing 15 replies - 1 through 15 (of 47 total)
  • Plugin Author AITpro

    (@aitpro)

    Since this plugin is simulating an RFI hacking method you will need to whitelist the argo-this.php file in the TimThumb / MISC File skip/bypass security filter. Add the argo-this.php file name to this security filter as shown below in your Root .htaccess file using the BPS built-in htaccess file editor. I need to add this Note below for anyone else who sees this Forum Thread. 😉

    NOTE: The ait-pro.com domain is shown below in this security filter because this code example was taken from the ait-pro.com website. You will see your domain instead in this security filter.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*ait-pro.com.*
    RewriteRule . - [S=1]

    That didn’t seem to help. With or without that entry, I can click the bookmarklet when browsing my own site and it works fine. Even with that entry, when I am browsing another site, clicking the bookmarklet (to capture the URL and title of page I am on), still brings up the 403 error.

    I also tried this to see if it was a problem with the referrer, but this didn’t seem to fix it (when browsing from songsterr.com).

    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*mysite.com.* [OR]
    RewriteCond %{HTTP_REFERER} ^.*songsterr.com.*
    RewriteRule . - [S=1]

    If that did fix it, it wouldn’t really help, since the bookmarklet is there to be used when browsing any URL I want to capture (which would then be the value of HTTP_REFERER:)

    Plugin Author AITpro

    (@aitpro)

    I do not fully understand the issue/problem. I have a general understanding of what is occurring. It is a similar issue that had once occurred in the past with the WordPress Press This feature.

    That issue/problem was resolved by adding a skip/bypass rule in the wp-admin .htaccess file and NOT the Root .htaccess file. I am assuming that this plugin is doing something similar and calling from the wp-admin folder to grab other websites content.

    Edit your wp-admin .htaccess file and whitelist the argo-this.php file by doing this below and also try whitelisting admin-ajax.php.

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (argo-this\.php|press-this\.php|admin-ajax\.php) [NC]
    RewriteRule . - [S=1]
    Plugin Author AITpro

    (@aitpro)

    I am grasping at straws obviously by having you try adding the argo-this.php file to the wp-admin bypass since I do not really know what this plugin is trying to do. The error does show that this plugin is simulating an RFI hacking attempt against your website and the origin of the simulated hacking attempt is wp-content and not wp-admin. I will post the security filters that you can comment out to allow RFI hacking attempts against your website in a second.

    Thanks; tried the admin piece, but that doesn’t work. I imagine that is because it is not actually calling it from wp-admin, but from within the plugin folder itself.

    If you want to look at the code for the argo-this.php file, you can see it here:

    https://github.com/argoproject/argo-links/blob/master/argo-this.php

    Plugin Author AITpro

    (@aitpro)

    To allow RFI hacking attempts against your website comment out these are the security filters in the Root .htaccess file that block RFI hacking attempts. Try commenting out each of these individual security filters 1 by 1. It may be that more than 1 security filter will need to be commented out.

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]

    Plugin Author AITpro

    (@aitpro)

    I will look at the code for this plugin when I have some spare time. Currently I do not have any spare time available. Thanks.

    Thanks for looking; I commented out all of those and still have the issue. I even removed the whole # BPSQSE BPS QUERY STRING EXPLOITS section and still got the same 403 error from BPS.

    Hmmm… I know I tried this before, but got different results. Could have been mistaken… Anyways, if I take out the argo-this\.php| from the REQUEST_URI section, I am NOT able to use the bookmarklet from within my own site. When I add it back in, I am. So I guess now my question would be, how would I block everything else already being blocked, but allow access to this specific REQUEST_URI from any URL? Is there a way to do that?

    In other words, have a separate section for:

    RewriteCond %{REQUEST_URI} (argo-this\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*.*.* (not sure how to allow all)
    RewriteRule . - [S=2]
    Plugin Author AITpro

    (@aitpro)

    Ok then the issue probably has something to do with the wp-admin .htaccess file then or some other section of code in the Root .htaccess file. Take BPS completely out of the equation first and test. Then activate only the Root .htaccess file and vice versa and test to isolate which htaccess file is blocking this plugin.

    Source: http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    If you think that BulletProof Security is causing a plugin conflict or any other issue on your website that is causing something not to work, then please use these steps below to take BulletProof Security out of the equation completely for testing. There is no need to deactivate BulletProof Security because it has a built-in Default Mode that allows you to put WordPress in a default state without deactivating BulletProof Security. If you find that BulletProof Security does have a conflict with another plugin then please check the BulletProof Security Plugin Compatibility Issues – Testing and Fixes Page to see if a fix (bypass/skip rule) is already listed. If your plugin is not listed and you have confirmed that BulletProof Security is definitely causing a conflict then please post a comment in this Forum.

    1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
    2. Activate Default Mode on the Security Modes page.
    3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
    4. Test your plugin or theme.
    5. Restore your .htaccess files using BulletProof Security built-in Restore.

    Plugin Author AITpro

    (@aitpro)

    Allowing any site to exploit files is the same as removing the security filter entirely. So to isolate that this is the security filter that is blocking this plugin comment out the entire security filter.

    Plugin Author AITpro

    (@aitpro)

    CORRECTION: never mind what i said above that was dumb. What i assume is going to be solution is that you will need to whitelist a combination of things that are seen as threats/attacks against your website by this plugin.

    In other words, if this plugin is violating several security filters/rules then exceptions/whitelisting will need to be done in several places.

    I disabled the wp-admin .htaccess file and that didn’t help, so I imagine there is something in the main .htaccess file that is preventing access. Without BPS enabled, it works, but I certainly don’t want to use that as mu solution! 😉

    Plugin Author AITpro

    (@aitpro)

    Ok I took a look at this plugins code at github. It has very similar functionality that Timthumb uses. Comment out all the security filters that prevent RFI attacks, but leave the bottom section of code uncommented as shown below. Also make sure you have whitelisted this plugins file – argo-this.php

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    #RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    #RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    #RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*ait-pro.com.*
    RewriteRule . - [S=1]

Viewing 15 replies - 1 through 15 (of 47 total)
  • The topic ‘Argo Links 403 Error’ is closed to new replies.