iThemes Security (formerly Better WP Security) support forum: how to avoid admin-ajax.php call as forbidden (403)

    I use a WP blog on a MultiSite installation with iThemes Security. I’m not allowed to deactivate iS or change settings.
    I have an Error 403 problem when the WP Plugin Zotpress calls
    .../wp-admin/admin-ajax.php?action=zpRetrieveViaShortcode&instance_id=zp-InTextBib-zotpress-89c9…C&update=false&request_start=0&request_last=0&zpShortcode_nonce=be33c57b68
    JS Error message
    Failed to load resource: the server responded with a status of 403 (Forbidden)

    See also Closed Topic of same problem and Zotpress post about the problem.

    With the help of Wolfi (thanks) I tried this on a WP test installation with iThemes Security and when iS “Filter Suspicious Query Strings in the URL” was deactivated the error 403 does not happen.

    Relevant part of iS code in the .htaccess file

    # Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
    RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
    RewriteCond %{QUERY_STRING} !^loggedout=true
    RewriteCond %{QUERY_STRING} !^action=jetpack-sso
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
    RewriteRule ^.* - [F]

    My question would be: how much safety is lost by deactivating these filters?
    And would it be useful to manually add those that do not block the Zotpress request (have yet to find out)?

    https://wordpress.org/plugins/better-wp-security/

Viewing 7 replies - 1 through 7 (of 7 total)
    @chrisfo

    Enable the “Filter Suspicious Query Strings in the URL” setting and then change the following lines like this in the .htaccess file:

    ...
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC]
    #        RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
    ...

    Not a permanent solution but it will help in determining which RewriteCond line is the culprit. I’m putting my money on the second RewriteCond line above because it filters on the string “request” which is included in your forbidden URL.

    Note: commenting (#) the second RewriteCond line is not enough!
    You also need to change [NC,OR] into [NC] at the end of the previous RewriteCond line.

    dwinden
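    To check dwinden's diagnosis without editing a live .htaccess, the following script (an added example, not code from iThemes Security or Zotpress) replays the quoted RewriteCond chain offline. It copies the regexes from the .htaccess excerpt above, uses Python's re module as an approximation of Apache's PCRE engine, and models Apache's semantics: the [OR]-flagged conditions form one group that matches if any pattern hits, and that group is AND-ed with the trailing negated "!" conditions. The Zotpress-style query string is constructed here with placeholder instance_id and nonce values.

```python
"""Offline replay of the "Filter Suspicious Query Strings" RewriteCond chain.

Constructed example, not iThemes Security's own code. Regexes are copied from
the thread's .htaccess excerpt; Python's re module stands in for Apache PCRE.
"""
import re

# Group 1: the [NC,OR]-chained suspicious patterns. Apache ORs these
# together, so the group matches if ANY single pattern matches (case-insensitive).
SUSPICIOUS_PATTERNS = [
    r"\.\.\/",
    r"^.*\.(bash|git|hg|log|svn|swp|cvs)",
    r"etc/passwd",
    r"boot\.ini",
    r"ftp\:",
    r"http\:",
    r"https\:",
    r"(\<|%3C).*script.*(\>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"^.*(%24&x).*",
    r"^.*(127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|concat|insert|union|declare).*",
]

# dwinden's diagnostic edit: drop the last pattern (and the [OR] before it).
PATTERNS_WITHOUT_REQUEST = SUSPICIOUS_PATTERNS[:-1]

# Group 2: the trailing negated "!" conditions, AND-ed with the group above.
# If any of them is true, the request is exempt from the [F] rule.
EXEMPT_QUERY_PREFIXES = ("loggedout=true", "action=jetpack-sso", "action=rp")
LOGIN_COOKIE_RE = re.compile(r"^.*wordpress_logged_in_.*$")
MAPS_REFERER_RE = re.compile(r"^http://maps\.googleapis\.com(.*)$")

# Constructed Zotpress-style query string; instance_id and nonce are placeholders.
ZOTPRESS_QUERY = (
    "action=zpRetrieveViaShortcode&instance_id=zp-PLACEHOLDER"
    "&update=false&request_start=0&request_last=0&zpShortcode_nonce=PLACEHOLDER"
)


def matching_patterns(query, patterns=SUSPICIOUS_PATTERNS):
    """Return the suspicious patterns that match the raw query string ([NC])."""
    return [p for p in patterns if re.search(p, query, re.IGNORECASE)]


def is_blocked(query, cookie="", referer="", patterns=SUSPICIOUS_PATTERNS):
    """Return True if 'RewriteRule ^.* - [F]' would answer this request with 403."""
    if not matching_patterns(query, patterns):
        return False  # OR group did not match: rule never fires
    if any(query.startswith(prefix) for prefix in EXEMPT_QUERY_PREFIXES):
        return False  # one of the !^... query exemptions applies
    if LOGIN_COOKIE_RE.search(cookie):
        return False  # logged-in WordPress users are exempt
    if MAPS_REFERER_RE.search(referer):
        return False  # Google Maps API referer is exempt
    return True


if __name__ == "__main__":
    for q in (ZOTPRESS_QUERY, "file=../../etc/passwd", "action=rp&key=request"):
        print(q)
        print("  matches:", matching_patterns(q))
        print("  blocked:", is_blocked(q))
    print("Zotpress blocked with dwinden's edit:",
          is_blocked(ZOTPRESS_QUERY, patterns=PATTERNS_WITHOUT_REQUEST))
    print("Zotpress blocked when logged in:",
          is_blocked(ZOTPRESS_QUERY, cookie="wordpress_logged_in_abc=1"))
```

    Running it shows that only the `request|concat|insert|union|declare` pattern matches the Zotpress query (via the `request_start` parameter), that removing that one pattern lets the call through, and that, per the cookie condition in the quoted rules, requests carrying a `wordpress_logged_in_` cookie are never blocked, which is why the 403 can go unnoticed when testing while logged in.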

    Thanks dwinden. I tested on the WP test installation and indeed Zotpress worked when the two lines were edited according to your post.

    Now I wonder if the only permanent solution remains to ask the WP MS admin to deactivate “Filter Suspicious Query Strings in the URL”, or whether iThemes Security is interested in adding an option to make this filter less restrictive and/or some kind of whitelisting?

    Comment of the Zotpress author:

    I’m sure there are other plugins that use external data from a REST API, so iThemes Security should allow for this.

    @chrisfo

    Simply disable the “Filter Suspicious Query Strings in the URL” setting.
    There are other far more important security steps to take.

    Also note that the idea behind the iTSec plugin is to enable only those settings that do not interfere with proper functioning of the site.

    dwinden

    I have no admin access to the WordPress MultiSite installation where I manage one subsite. So I need to talk with the MS admin about this…

    @chrisfo

    Right, clearly didn’t realize that and the fact that it is in a MultiSite env.

    MS does mean disabling the “Filter Suspicious Query Strings in the URL” setting will disable it for ALL sites in the network …

    dwinden

    Hi,

    Do you know how I can configure the iThemes Security plugin to not block the requests from admin-post.php?

    I tried to do the same thing to access the admin backend but it doesn’t work.

    RewriteRule ^(/)?connexion/?$ /wp-login.php [QSA,L]
    RewriteRule ^(/)?post-admin/?$ /wp-admin/admin-post.php [QSA,L]

    Any ideas?

    Thank you!!

    Hi all! I have faced the same issue this week, plugin Version 6.1.1
    I did not have the “Filter Suspicious Query Strings in the URL” option, nor the htaccess file modified.

    The solution I have found: comment some plugin code. The file is better-wp-security/core/modules/wordpress-tweaks/config-generators.php
    I have commented these lines:
    107: $modification .= "\t\tif (\$http_user_agent ~ \"^$\") { return 403; }\n";
    111: $modification .= "\t\tif (\$invalid_referer) { return 403; }\n";

    Not sure how it blocks requests to admin-ajax.php… The config option affecting this behavior was ‘Comment Spam’ under the ‘WordPress Tweaks’ group. I had it disabled though… but it seemed to be irrelevant. Ajax calls started working again after commenting those lines. Hope it helps!

The topic ‘how to avoid admin-ajax.php call as forbidden (403)’ is closed to new replies.