BulletProof Security
[resolved] Problem with questionmark at end of URL (9 posts)

  1. Daan Oostindiën
    Member
    Posted 1 year ago #

    Hello!

    I use your plugin to secure quite a few websites. On all websites I have the same problem: URLs ending with a question mark result in an ugly 403 Forbidden.

    So:
    domain.com/?
    domain.com/thisfileisnothere.php?
    domain.com/someworkingurl/?
    All result in 403's

    While:
    domain.com/
    domain.com/thisfileisnothere.php
    domain.com/someworkingurl/
    Result in the website, a (decent) 404 and a subpage.

    Why is the question mark bad? Why can't it just redirect to the homepage instead of leaving the visitor on an ugly 403 page?

    It seems to go wrong on the line:
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

    I have disabled all other plugins and the issue persisted. I have put back the default .htaccess (with other plugins activated) and the issue was gone.

    Daan

    http://wordpress.org/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    A question mark is not "bad" in itself. A question mark character in a URI/URL means/denotes a Query String. A question mark by itself without the Query String means nothing/is invalid since it is missing the Query String variable and value/parameters.

    Standard Query String format:

    example.com/?variable=value&other-query-string-stuff
    admin.php?page=bulletproof-security

    This security filter does trigger either a 403 or 500 error for an empty/malformed/invalid Query String, so if you actually want to allow malformed Query Strings/invalid Request URIs/URLs/Query Strings on your website then you would copy the entire block of BPS Query String Exploits code to this Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here

    Edit the code in the Custom Code text box and comment out this security filter with a # sign: #RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

    Click the Save Root Custom Code button.

    Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode again.

  3. Daan Oostindiën
    Member
    Posted 1 year ago #

    Obviously I don't want to allow malformed Query Strings/invalid Request URIs/URLs/Query Strings on my website. I want a user friendly and safe website :)

    I think the line in the .htaccess is solely for the ? behind the URL, but I'm not sure. If that's the case, and it's not 'unsafe' but only syntactically wrong, I'd rather remove the line.
    On the other hand, if there are issues with attacks that are blocked by this rule I'd rather let it be; that's something I can explain to my clients.

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yeah, I stated that wrong sorry. I meant to say "if that is ok with you to allow that sort of thing in cases where someone clicks on a bad link to your site or enters a bad URL, etc.".

    That particular security rule is too general/not defined specifically enough and will be phased out at some point (or better defined). There are many overlapping BPS security filters so any malicious strings for that particular attack vector are already covered in those filters/rules. So bottom line that rule/filter can be removed without any negative impact or added vulnerability to your website security whatsoever.

    And yep it is an odd rule (pretty sucky) in general because of how things like a ? or a hashtag # are treated/processed by Browsers. Too many innocent/non-malicious things trigger that security filter so it is history soon...

  5. Daan Oostindiën
    Member
    Posted 1 year ago #

    Thanks for the answer. I will remove it from my .htaccess.

  6. bigneno
    Member
    Posted 1 year ago #

    Same issue here, users get 500s on an empty question mark, please remove this rule in future updates.

    If I copy the whole section "CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS" to custom code and comment out only one line, how will I know that there's nothing new in other lines of this section on a plugin update?
    Is there any way to compare my current customized htaccess with any new one after plugin update?
    Should I clean all custom code, copy new sections and edit it (comment out lines etc) on every plugin update?
    Thanks

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    This filter will be better defined so that it does not trigger on non harmful/incorrect urls/bad query strings/bad coding practices/coding mistakes and only fires on actual attacks. This change may or may not make it into .50.2, but will definitely be in .50.3.

    BPS checks your permanently saved Custom Code and if new security rules/filters have been added or old rules removed or modified from the standard BPS code then you will see a notice similar to this (the BPS function that compares the code will have additional notice messages added as needed):

    Notice: BPS Query String Exploits Code Changes
    Older BPS Query String Exploits code was found in BPS Custom Code.
    Several Query String Exploits rules were changed/added/modified in the root .htaccess file in BPS .49.6
    Copy the new Query String Exploits section of code from your root .htaccess file and paste it into this
    BPS Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS and click the Save Root Custom Code button.
    This Notice will go away once you have copied the new Query String Exploits code to BPS Custom Code and
    clicked the Save Root Custom Code button.

    So bottom line, BPS is handling this for you. If anything new is added, removed or changed about .htaccess code rules or filters you will see a notice with instructions on what to do next.

  8. bigneno
    Member
    Posted 1 year ago #

    Thank you for your quick reply and for a great plugin!

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Oops, my bad. This security filter has already been redefined and added in BPS .50.2. Sorry about that.

    The new redefined security filter is this below. During the BPS update the old security filter will be replaced by the new security filter and a check will also be done to notify folks of that new code.

    RewriteCond %{THE_REQUEST} \?+(%20{1,}|[^\s])+HTTP+(:/|/) [NC,OR]
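The two RewriteCond patterns in this thread (the original `\?\ HTTP/` from the first post and the redefined one above) run against constructed request lines, as an added example that is not part of the thread or of the BulletProof Security plugin. Apache matches these patterns against %{THE_REQUEST}, the raw request line exactly as the client sent it ("GET /path?query HTTP/1.1", not URL-decoded), with [NC] making the match case-insensitive. The example uses Python's re module in place of Apache's PCRE engine (the two agree for these two patterns) and re.IGNORECASE in place of [NC]; the request lines are made up, the first three being the URLs from the original post, and "evil.example" is a placeholder host.

```python
import re

# Both patterns are copied verbatim from the thread. [NC] -> re.IGNORECASE.
OLD_RULE = re.compile(r"\?\ HTTP/", re.IGNORECASE)
NEW_RULE = re.compile(r"\?+(%20{1,}|[^\s])+HTTP+(:/|/)", re.IGNORECASE)

# Constructed request lines (not captured from a real server). The first three
# are the URLs from the original post; the rest probe the redefined pattern.
REQUEST_LINES = [
    "GET /? HTTP/1.1",
    "GET /thisfileisnothere.php? HTTP/1.1",
    "GET /someworkingurl/? HTTP/1.1",
    "GET / HTTP/1.1",
    "GET /?variable=value&other=stuff HTTP/1.1",
    "GET /wp-admin/admin.php?page=bulletproof-security HTTP/1.1",
    "GET /?%20HTTP/1.1",                            # encoded space before HTTP
    "GET /?page=http://evil.example/x HTTP/1.1",    # "http:/" inside the query string
    "GET /?page=https://evil.example/x HTTP/1.1",   # "https:/" inside the query string
]


def matches(rule, request_line):
    """True when the RewriteCond pattern fires on this THE_REQUEST value."""
    return rule.search(request_line) is not None


def evaluate(lines=REQUEST_LINES):
    """Map each request line to (old_rule_fires, new_rule_fires)."""
    return {line: (matches(OLD_RULE, line), matches(NEW_RULE, line)) for line in lines}


def blocked_by(rule, lines=REQUEST_LINES):
    """Request lines the given pattern would send to the 403/500 branch."""
    return [line for line in lines if matches(rule, line)]


if __name__ == "__main__":
    for line, (old, new) in evaluate().items():
        print(f"{line:52} old={'403' if old else 'pass'} new={'403' if new else 'pass'}")
```

The old pattern needs a literal `? HTTP/`, which is exactly what a URL ending in a bare question mark produces in the request line, so all three URLs from the first post hit it while a request with a real query string does not. The redefined pattern requires at least one non-whitespace character (or a `%20` sequence) between the `?` and `HTTP`, so a bare `?` followed by the real space no longer fires; what does fire is a query string that itself contains `http:/` or `http/`, or `?%20HTTP`. Since `%`, `2` and `0` are all non-whitespace, `[^\s]+` already covers the `%20` branch. Note also that `https://` in a query string passes, because the `s` sits between `HTTP` and `:/`.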

Topic Closed