Support » Plugin: iThemes Security (formerly Better WP Security) » GET requests with empty variables causes 403 errors

  • I noticed that if I used the search field without entering any keywords, I got a 403 error.

    The search form resulted in a GET request, but with an empty query value. For example:

    It appears that the generated .htaccess rule is causing the issue:

    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]

    Is this unintentional or by design?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Great find! I have the same issue, thanks for posting a solution!

    I’m using a function to override empty searches with a ‘space’ to prevent routing to home, but indeed in WebKit it results in an error because the string is empty.

    Why not in Firefox? No idea…

  • You should really try to control that within the theme itself. For example, the word “search” could already be placed in the search box, so if a user just clicks the search button it will use the default word of “search”. You really don’t want spaces in a URL. That’s a good sign of a malicious attack.

  • Indeed, I’ve added a jQuery validation check and just return an alert to the user to insert something in the empty search box:

        // #s is the search input; returning false from the handler cancels the submit
        var searchVal = $("#s").val();
        if (searchVal === '') {
            alert("Please enter a search term");
            return false;
        }

    Strangely enough, Firefox doesn’t give a 403 like WebKit does.

  • The topic ‘GET requests with empty variables causes 403 errors’ is closed to new replies.
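
The condition quoted in the original post can be checked offline against sample query strings to see which alternative in the pattern fires. This is an added example, not part of the thread or the plugin's code; `blockedBy`, `report` and the sample query strings are constructed for illustration, and the `i` flag stands in for `[NC]`.

```javascript
// Pattern copied from the RewriteCond in the original post.
// Apache tests %{QUERY_STRING} as sent (not URL-decoded), so samples are raw strings.
const BLOCKED_QUERY = /^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).*/i;

// Return the token that makes the condition true, or null if the
// query string does not match this particular condition.
function blockedBy(queryString) {
  const m = BLOCKED_QUERY.exec(queryString);
  return m ? m[1] : null;
}

// Constructed sample query strings (hypothetical, not taken from the thread).
const samples = [
  "s=",               // search submitted with an empty box
  "s=wordpress",      // ordinary search
  "s=+",              // a single space, form-encoded
  "s=wordpress&cat=", // any request whose last parameter is empty
  "cat=&s=wordpress", // empty parameter that is not last
];

// Evaluate every sample and record whether the condition matched and why.
function report(list) {
  return list.map((qs) => {
    const token = blockedBy(qs);
    return { qs, blocked: token !== null, token };
  });
}

for (const r of report(samples)) {
  console.log(
    r.qs.padEnd(18),
    r.blocked ? `matches rule (token ${JSON.stringify(r.token)})` : "no match"
  );
}
```

Only the `=$` alternative is involved: the condition matches whenever the query string ends in `=`, so any GET form whose final field is left empty is affected, not just search.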