redirect with url passed in querystring

Resolved jfinnis
(@jfinnis)

5 years, 2 months ago

I am trying to open a php page that redirects to a url given in the query string, eg:
open.php?url=http://eg.com/page.html

However BPS returns a ‘403 Forbidden Error Page’.

Any way around this?

https://wordpress.org/plugins/bulletproof-security/

Viewing 5 replies - 1 through 5 (of 5 total)

Plugin Author AITpro
(@aitpro)

5 years, 2 months ago

Yes, that is simulating an RFI hacking attempt/attack.
To allow/whitelist this you would first try this whitelist method to whitelist the “open.php” file.

User Avatar – avatar images not displaying for custom images 403 error

Plugin Author AITpro
(@aitpro)

5 years, 2 months ago

Did the RFI/Misc file whitelisting method work? If so, please resolve this thread. If not, post the security log entry for this from your BPS Security Log. You can hide the orgin/referer domains/urls, but I would need to know if the domains are the same domain or different domains.

jfinnis
(@jfinnis)

5 years, 2 months ago

Thanks, but I am non-technical and do not understand how to edit this code, eg is: (blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame) necessary just to whitelist one file (open.php) on my domain?

log code below, I changed real domains for mydomain.com, otherdomain.com

[403 GET / HEAD Request: September 17, 2014 – 1:24 pm]
Event Code: BFHS – Blocked/Forbidden Hacker or Spammer
Solution: N/A – Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 86.160.192.206
Host Name: host86-160-192-206.range86-160.btcentralplus.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://mydomain.com/test.php
REQUEST_URI: /open.php?url=http://otherdomain.com/form.html
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36

open.php works if I move it to another (non-BPS protected) domain, so if no simple solution I will go with that.
Plugin Author AITpro
(@aitpro)

5 years, 2 months ago
Try this first (replace example.com with your actual domain name):
```
# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Only Allow Internal File Requests From Your Website
# To Allow Additional Websites Access to a File Use [OR] as shown below.
# RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
# RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (open\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteCond %{HTTP_REFERER} ^.*example.com.*
RewriteRule . - [S=1]
```
Since another domain is involved and several files then you may need to whitelist all files involved and the other domain (replace example.com with your actual domain name, replace “otherdomain.com” with your actual other domain name, replace the file names with the actual file names):
```
# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Only Allow Internal File Requests From Your Website
# To Allow Additional Websites Access to a File Use [OR] as shown below.
# RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
# RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (open\.php|test\.php|form\.html|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteCond %{HTTP_REFERER} ^.*(example.com|otherdomain.com).*
RewriteRule . - [S=1]
```
1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code above to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode.
jfinnis
(@jfinnis)

5 years, 2 months ago

Thanks for your reply. For simplicity I decided to host open.php on another domain as it is used to redirect to multiple other domains.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘redirect with url passed in querystring’ is closed to new replies.

WordPress.org

redirect with url passed in querystring

Topic Tags

Views