Support » Plugin: All In One WP Security & Firewall » Bad Query Strings breaks Widgets

  • This is a duplicate of https://wordpress.org/support/topic/bad-query-strings-breaks-widgets/ with more inspection.

    AIOWS 4.4.9, WordPress 5.8.1: checking Firewall->Additional Firewall Rules->Deny Bad Query Strings causes the WordPress 5.8 Appearance->Widgets screen to show a 403 Forbidden error in each widget instead of the contents of the widget. The obvious solution is to uncheck that additional rule; I just wanted to point this out. Surprised no one else has run into this…

    The cause of the problem is the URL in the legacy widget iframe src attributes:
    widgets.php?legacy-widget-preview%5BidBase%5D=nav_menu&legacy-widget-preview%5Binstance%5D%5Bencoded%5D=YTo1OntzOjg6Im5hdl9tZW51IjtpOjEyMjk7czoxMjoid2lkZ2V0X2xvZ2ljIjtzOjIwOiIhaXNfdXNlcl9sb2dnZWRfaW4oKSI7czoxMDoidGl0bGVfbGluayI7czowOiIiO3M6MjM6InRpdGxlX2xpbmtfdGFyZ2V0X2JsYW5rIjtpOjA7czoxNToidGl0bGVfbGlua193cmFwIjtpOjA7fQ%3D%3D&legacy-widget-preview%5Binstance%5D%5Bhash%5D=65ade793669cf255d4f88b3729ce2253&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bnav_menu%5D=1229&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bwidget_logic%5D=!is_user_logged_in()&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle_link%5D=&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle_link_target_blank%5D=0&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle_link_wrap%5D=0

    If you compare this with the Bad Query Strings rules in .htaccess, you will find the string “encode” in both of them.

    #AIOWPS_DENY_BAD_QUERY_STRINGS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Each condition is tested against the raw (still percent-encoded) query string.
    # [NC] = case-insensitive, [OR] = any one matching condition is enough.
    RewriteCond %{QUERY_STRING} ftp:     [NC,OR]
    RewriteCond %{QUERY_STRING} http:    [NC,OR]
    RewriteCond %{QUERY_STRING} https:   [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
    # Unanchored substring match: "encode" also matches "encoded", "encoder", "urlencode" ...
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    # A quote, semicolon or %22 followed anywhere later by an SQL-style keyword.
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(request|insert|union|declare|drop) [NC]
    # Any condition above matched: answer 403 Forbidden and stop rewriting.
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>
    #AIOWPS_DENY_BAD_QUERY_STRINGS_END

    This also previously stopped the plugin “email address encoder” from working, where the author was able to change the URL of his settings page. I imagine that will not be possible here.

    This is what it looks like:
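To reproduce why that iframe URL gets a 403 without needing Apache, here is a Python re-implementation of the RewriteCond chain from the .htaccess block above. This is an added example, not code from AIOWPS or from the original post. It evaluates the raw query string the way mod_rewrite does (undecoded, case-insensitive, first matching condition wins) and reports which condition fired. The widget preview URL is the one quoted in the post; the example.com host, the `page=email-address-encoder` settings URL and the SQL-injection and open-redirect samples are constructed for illustration and are not taken from the page.

```python
import re
from urllib.parse import urlsplit

# Added example: Python model of the AIOWPS "Deny Bad Query Strings" RewriteCond
# chain (not the plugin's own code). Two mod_rewrite details matter here:
#   * %{QUERY_STRING} is the RAW query string, so "%5B" is not decoded to "["
#     before matching and encoded payloads are matched as plain text;
#   * [NC] makes every condition case-insensitive and [OR] chains them, so the
#     first condition that matches forbids the request ([F] -> HTTP 403).
BAD_QUERY_STRING_RULES = [
    ("ftp:",      re.compile(r"ftp:", re.I)),
    ("http:",     re.compile(r"http:", re.I)),
    ("https:",    re.compile(r"https:", re.I)),
    ("mosConfig", re.compile(r"mosConfig", re.I)),
    # Unanchored substring match: "encode" also hits "encoded", "encoder", "urlencode" ...
    ("globals|encode|localhost|loopback",
     re.compile(r"^.*(globals|encode|localhost|loopback).*", re.I)),
    # A quote/semicolon/%22 followed anywhere later by an SQL-style keyword.
    ("quote-then-sql-keyword",
     re.compile(r"(\;|'|\"|%22).*(request|insert|union|declare|drop)", re.I)),
]


def deny_bad_query_string(url):
    """Return (blocked, rule_label, matched_token) for a request URL.

    Mirrors the .htaccess block: test the raw query string against each
    RewriteCond in order; the first hit is the one that would trigger the 403.
    """
    query = urlsplit(url).query
    for label, rx in BAD_QUERY_STRING_RULES:
        m = rx.search(query)
        if m:
            # Report the literal token that tripped the rule: the last capture
            # group for the alternation rules, the whole match otherwise.
            token = m.group(m.lastindex) if m.lastindex else m.group(0)
            return True, label, token
    return False, None, None


# The legacy-widget iframe src quoted in the post (host example.com is assumed).
WIDGET_PREVIEW_URL = (
    "https://example.com/wp-admin/widgets.php"
    "?legacy-widget-preview%5BidBase%5D=nav_menu"
    "&legacy-widget-preview%5Binstance%5D%5Bencoded%5D="
    "YTo1OntzOjg6Im5hdl9tZW51IjtpOjEyMjk7czoxMjoid2lkZ2V0X2xvZ2ljIjtzOjIwOiIhaXNfdXNlcl9sb2dnZWRfaW4oKSI7czoxMDoidGl0bGVfbGluayI7czowOiIiO3M6MjM6InRpdGxlX2xpbmtfdGFyZ2V0X2JsYW5rIjtpOjA7czoxNToidGl0bGVfbGlua193cmFwIjtpOjA7fQ%3D%3D"
    "&legacy-widget-preview%5Binstance%5D%5Bhash%5D=65ade793669cf255d4f88b3729ce2253"
    "&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bnav_menu%5D=1229"
    "&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bwidget_logic%5D=!is_user_logged_in()"
    "&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle_link%5D="
    "&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle_link_target_blank%5D=0"
    "&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle_link_wrap%5D=0"
)

# Constructed sample requests (not from the page): a harmless post view, a
# hypothetical settings page whose slug contains "encode", an SQL-injection
# probe and an open-redirect probe, to show which ones the rule set catches.
SAMPLE_REQUESTS = [
    WIDGET_PREVIEW_URL,
    "https://example.com/?p=123",
    "https://example.com/wp-admin/admin.php?page=email-address-encoder",
    "https://example.com/?id=1'%20UNION%20SELECT%201",
    "https://example.com/?redirect=http://evil.example/",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        blocked, label, token = deny_bad_query_string(url)
        verdict = "403 Forbidden" if blocked else "allowed"
        print(f"{verdict:13} {label or '-':36} {token or '-':8} {url[:70]}")
```

The widget preview URL is forbidden by the `globals|encode|localhost|loopback` condition because the parameter name `legacy-widget-preview[instance][encoded]` contains the substring `encode`; the same unanchored match is what catches a settings page slug such as `email-address-encoder`. The SQL and redirect samples show the conditions doing what they were written for. This models the regex logic only, not the rest of Apache's request processing (other .htaccess rules, rewrite order, or the per-directory context in which the block runs).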

Viewing 1 replies (of 1 total)
  • Hi.

    Thank you for your comprehensive documentation on this. I will pass this on to our development team for further investigation.
