iThemes Security (formerly Better WP Security)
GET requests with empty variables cause 403 errors (4 posts)

  1. computerslayer1
    Posted 3 years ago #

    I noticed that if I used the search field without entering any keywords, I got a 403 error.

    The search form resulted in a GET request, but with an empty query value. For example:


    It appears that the generated htaccess rule is causing the issue:

    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]

    Is this unintentional or by design?
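
The effect of the quoted condition on a few query strings, as an added example that is not part of the original post. It applies the same pattern in JavaScript, with the `i` flag standing in for `[NC]`; `checkQuery` and the sample query strings are constructed for illustration.

```javascript
// Pattern copied from the RewriteCond quoted in the post.
// It uses only regex syntax that Apache's PCRE and JavaScript treat the same way.
const RULE = /^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).*/i;

// Hypothetical helper: report whether the condition matches a raw query
// string (the text after "?") and which alternative in the group fired.
function checkQuery(queryString) {
  const m = RULE.exec(queryString);
  if (m === null) {
    return { blocked: false, token: null, reason: "no alternative matched" };
  }
  // The greedy ".*" prefix makes group 1 capture the LAST offending token.
  const token = m[1];
  const reason = token === "="
    ? "query string ends with '=' (last parameter has an empty value)"
    : "query string contains '" + token + "'";
  return { blocked: true, token: token, reason: reason };
}

// Constructed sample query strings, not taken from real traffic.
const SAMPLES = [
  "s=",               // empty search submitted on its own
  "page_id=2&s=",     // empty value as the final parameter
  "s=&submit=Search", // empty value, but not at the end of the string
  "s=wordpress",      // ordinary search
  "s=what?",          // literal "?" inside the query string
];

for (const qs of SAMPLES) {
  const r = checkQuery(qs);
  console.log((r.blocked ? "403" : "ok ") + "  " + qs + "  ->  " + r.reason);
}
```

The `=$` alternative is the one that fires for an empty search: it matches only when `=` is the final character of the query string, so an empty value followed by another parameter does not match.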


  2. matiyin
    Posted 3 years ago #

    Great find! I have the same issue, thanks for posting a solution!

    I'm using a function to override empty searches with a 'space' to prevent routing to home, but indeed in WebKit it results in an error because the string is empty.

    Why not in Firefox? No idea...

  3. MickeyRoush
    Posted 3 years ago #

    You should really try to control that within the theme itself. For example, the word "search" could already be placed in the search box, so if a user just clicks the search button it will use the default word of "search". You really don't want spaces in a URL. That's a good sign of a malicious attack.

  4. matiyin
    Posted 3 years ago #

    Indeed, I've added a jQuery validation check and just return an alert to the user to insert something in the empty search box:

    		// Runs inside an event handler: returning false cancels the submit
    		var searchVal = $("#s").val();
    		if (searchVal === '') {
    			alert("Please enter a search term");
    			return false;
    		}

    Strangely enough, Firefox doesn't give a 403 like WebKit does.

Topic Closed

This topic has been closed to new replies.
