BulletProof Security
[resolved] Bing.com Referrer Error (7 posts)

  1. casper14209
    Posted 1 year ago #

    Hey guys/gals, it appears that we have found an issue with Bing.com search results when an apostrophe ['] is included in the search query.
    I have tracked it back to the BPS Security Plugin and then looked to see if it was present on the ait-pro.com site using this search,


    clicked the first result to the site and sure enough, issue is on their server too.
    Tested a query without the apostrophe


    and issue is not present.

    We just happened to come across this because we have a client that has an apostrophe in their business name.

    This ticket has a double purpose: one, to see if there is a fix for this that I can implement in the meantime, and two, to let you guys/gals know about the issue.

    My affected site is http://www.sadiespetproducts.com running on Apache.


  2. casper14209
    Posted 1 year ago #

    Disabled all custom code entries and problem is still present.
    Put in default mode, problem is gone.
    Bulletproof mode, problem back.

  3. casper14209
    Posted 1 year ago #

    OK, was able to track it down to this line of code in the .htaccess file.
    #RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    Now I'm outside my knowledge level, any assistance or further information would be appreciated.

  4. casper14209
    Posted 1 year ago #

    OK, after more research I have found that the %27 in the code line is to make the system deny (forbid) any referrer that has an apostrophe ['] in the string.
    Would anybody be interested in commenting on the possible security risk by allowing this on a shopping cart site?
    I don't like editing core plugin files as it makes for a pain to update things, and in this case, I'm going to say the developers have added this for good reason.
    But at this time I really don't have any choice on this site due to the business name and search volume on this phrase for the client. :-/

  5. AITpro
    Plugin Author

    Posted 1 year ago #

    The steps to allow the single quote code character/apostrophe in URLs & Query Strings and permanently save your modified .htaccess code to BPS Custom Code are in the link below.


    Impact to overall website security: BPS has several overlapping security filters/rules. So by modifying these particular rules/filters in the link above, your website is still protected against SQL Injection attacks. The SQL Injection security filter/rule below will still protect the site from all SQL Injection attacks. The single quote code character is used in most SQL Injection attacks.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
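
The two rules quoted in this thread can be checked offline against sample requests. The script below is an added example, not part of the original posts or of the plugin: it applies both patterns the way an unanchored `RewriteCond` with `[NC]` would. The relaxed referrer pattern and all sample requests are constructed assumptions, and Python's `re` is assumed to behave like Apache's regex engine for these patterns.

```python
import re

# Patterns copied from the .htaccess lines quoted in the thread.
# [NC] maps to re.IGNORECASE; RewriteCond patterns are unanchored, so search() is used.
REFERER_RULE = re.compile(r"(%0A|%0D|%27|%3C|%3E|%00)", re.I)
QUERY_RULE = re.compile(
    r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
    r"(/\*|union|select|insert|drop|delete|update|cast|create|char|convert"
    r"|alter|declare|order|script|set|md5|benchmark|encode)", re.I)
# Assumption: a relaxed referrer rule with only %27 removed (hypothetical,
# not taken from the plugin author's linked instructions).
RELAXED_REFERER_RULE = re.compile(r"(%0A|%0D|%3C|%3E|%00)", re.I)


def verdict(referer, query, referer_rule=REFERER_RULE):
    """Return which rule would forbid the request, or 'allow'."""
    if referer_rule.search(referer):
        return "forbid:referer"
    if QUERY_RULE.search(query):
        return "forbid:query"
    return "allow"


# Constructed sample requests as (Referer header, raw query string); not real traffic.
SAMPLES = {
    "bing, apostrophe": ("http://www.bing.com/search?q=sadie%27s+pet+products", ""),
    "bing, no apostrophe": ("http://www.bing.com/search?q=sadies+pet+products", ""),
    "site search, apostrophe": ("", "s=sadie%27s+pet+products"),
    "site search, apostrophe + order": ("", "s=sadie%27s+order+status"),
    "quote + sql keywords": ("", "id=1%27+union+select+1"),
}


def run(referer_rule=REFERER_RULE):
    """Evaluate every sample and return {sample name: verdict}."""
    return {name: verdict(r, q, referer_rule) for name, (r, q) in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("original", REFERER_RULE), ("relaxed", RELAXED_REFERER_RULE)):
        print(label)
        for name, result in run(rule).items():
            print(f"  {name:34} {result}")
```

The "apostrophe + order" sample shows a side effect worth checking on a shop site: the query-string rule forbids any request where a quote character is followed later by one of its keywords, so an ordinary search containing an apostrophe and a word such as "order" is rejected as well.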

  6. casper14209
    Posted 1 year ago #

    Awesome, thanks!
    In all my searches that post didn't come up. Thanks for pointing me in the right direction.
    Impact is understood, thanks for the useful plugin and information.
    Have an awesome day.

  7. casper14209
    Posted 1 year ago #

    Forgot to mark resolved in my last comment.

Topic Closed

This topic has been closed to new replies.
