Whitelist Param – Wildcard/Regex Url or Global

  • JProffitt3G

    (@jproffitt3g)


    8 years, 6 months ago

    I see that right now there is no way to whitelist parameters on multiple urls or urls matching a pattern. This poses an issue for front-end builder plugins like Beaver Builder because every page has to be whitelisted separately for every parameter you want whitelisted.

    To demonstrate this issue:

    1. Install Beaver Builder Lite and WordFence (with Firewall Enabled) on a clean site.
    2. Enter Page Builder mode on any page.
    3. Drop in an HTML module, and paste in the embed code for “Big Buck Bunny” YouTube video: <iframe width="560" height="315" src="https://www.youtube.com/embed/YE7VzlLtp-4" frameborder="0" allowfullscreen></iframe>
    4. Save.

    The action will be blocked because the iframe triggers a warning. If you enter learning mode, the offending parameter will be whitelisted but only for this particular page. In order to whitelist it across the site, you would need to add each and every page to the whitelist table. That is not practical when we give control to the (non-technical) client to add/build their own pages with the page builder.

    I would like the option to whitelist a given parameter (and a few other parameters) for all pages on the site, so that I can build a small list of whitelisted urls. Alternatively I would take a hook into the whitelist process so I could add my own logic for catching false positives.

    • This topic was modified 8 years, 6 months ago by JProffitt3G.
Viewing 12 replies - 1 through 12 (of 12 total)
  • wfalaa

    (@wfalaa)

    8 years, 6 months ago

    Hi jproffitt3g,
    I couldn’t reproduce this issue, when the “Firewall Status” was set to “Learning Mode” I got this action whitelisted:
    URL: /wordpress/ “which is the root path to my installation, i.e. not specific page URL”
    Param: request.body[fl_builder_data][settings][html]
    Source: Whitelisted while in Learning Mode.

    After switching to “Enabeled and Protected”, I got the builder working on all other pages.

    Could you please re-check this issue and make sure the action was whitelisted while the firewall was in Learning Mode, not by the “False Positive Dialog”?

    Thanks.

    • This reply was modified 8 years, 6 months ago by wfalaa.
    Thread Starter JProffitt3G

    (@jproffitt3g)

    8 years, 6 months ago

    I made a sandboxed test environment that recreates this issue along with exact steps that consistently reproduce it.

    I made a temp forwarder to my email, tempwordfence@sandbox.3ge.biz, where we can initiate private communication. Alternatively if there is a place I can safely send you credentials for the site we can do that too.

    The steps to reproduce issue:

    1. Go to WordFence firewall settings, delete any whitelist rules at bottom, and set firewall to Learning Mode.
    2. Go to the home page / Test Page A.
    3. Enter the Page Builder (in each case you enter Page Builder, select “Blank” as the layout).
    4. Drop in an HTML module and paste in this embed code (same as before):
    <iframe width="560" height="315" src="https://www.youtube.com/embed/YE7VzlLtp-4" frameborder="0" allowfullscreen></iframe>
    5. Save
    6. Publish the page
    7. Go to WordFence firewall settings, check whitelist rules at bottom, and set firewall to Enabled and Protecting.
    8. Go to Test Page B and repeat steps 3-5.
    9. Optionally repeat steps 3-5 with Test Page C, Test Page D.

    In each case on B, C, and D you should be blocked from saving the HTML module.

    wfalaa

    (@wfalaa)

    8 years, 6 months ago

    Hi jproffitt3g,
    Could you please share with me a screenshot showing “Whitelisted URLs” section in (Wordfence > Firewall)? I want to take a look at the parameters added there after turning on “Learning Mode” and trying to save the builder settings.

    P.S. I’m afraid to tell that I’m not authorized to access your website directly.

    Thanks.

    Thread Starter JProffitt3G

    (@jproffitt3g)

    8 years, 6 months ago

    Hey Wfalaa,

    I understand, here is a screenshot after step 4:

    Link: http://www.tiikoni.com/tis/view/image.php?id=69bcd2d

    • This reply was modified 8 years, 6 months ago by JProffitt3G.
    • This reply was modified 8 years, 6 months ago by JProffitt3G.
    Thread Starter JProffitt3G

    (@jproffitt3g)

    8 years, 6 months ago

    Using a site for temporary image storage, here is the correct link: http://www.tiikoni.com/tis/view/?id=69bcd2d

    wfalaa

    (@wfalaa)

    8 years, 6 months ago

    Is “wordfence-test” is your website root directory? or this is the post slug?

    Assuming this was your post slug, then please try whitelisting manually this URL/Param:
    URL: /
    Param: POST Body
    Param Name: fl_builder_data][settings][html

    Let me know how it goes,
    Thanks.

    Thread Starter JProffitt3G

    (@jproffitt3g)

    8 years, 6 months ago

    “wordfence-test” is the root directory. I tried adding that rule anyways and it did not work when I switched to Enabled and Protecting and attempted to add the video on another page.

    wfalaa

    (@wfalaa)

    8 years, 6 months ago

    I think I figured out why it’s working fine at my end, that’s because I didn’t publish the page then activate the builder, I was just using the builder right away when the page is still draft, to get a better idea check this screencast.

    I will ask our dev team if there is an option to whitelist this parameter globally and get back to you as soon as possible.

    Thanks.

    wfalaa

    (@wfalaa)

    8 years, 6 months ago

    update: since there is no option to whitelist this parameter manually and get it working on every page, the team is investigating this case (with reference number: #3018) for the possibility to whitelist this parameter internally in our firewall rules.

    Thanks.

    Thread Starter JProffitt3G

    (@jproffitt3g)

    8 years, 6 months ago

    Thank you wfalaa. I imagine that must have been frustrating for a while and am glad you didn’t write this off as user-error.

    I am glad the team is looking into it. Ideally eventually I would like the option to whitelist parameters globally, so that in case I start using another front-end builder or Beaver Builder changes its implementation of saving modules (e.g. using different parameter names) we don’t run into this same scenario. If that would make more sense as a feature request topic, I can create one.

    Thread Starter JProffitt3G

    (@jproffitt3g)

    8 years, 5 months ago

    Hello wfalaa, is there any chance of something addressing this issue coming to WordFence soon?

    At the very least, having the ability to hook into the method that checks flagged parameters against the whitelist and implement my own whitelist logic would be extremely helpful right now. I am having to whitelist ip addresses of content uploaders for several sites every couple weeks just just so they can do their job.

    wfalaa

    (@wfalaa)

    8 years, 5 months ago

    Hi,
    Sorry for my late reply, I have double-checked this one for you with the team and I can confirm that it’s on our list of improvements, but unfortunately, we don’t have a specific date set for when it will be available.

    I understand how it’s annoying to keep whitelisting your users’ IP addresses, so I think you could -temporarily- turn off the XSS: Cross Site Scripting rule from the Firewall Rules until you finish building your website, I know this will let the Firewall be less protective, but at least the rest of rules will continue working and as I mentioned this is just temporary.

    Thanks.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Whitelist Param – Wildcard/Regex Url or Global’ is closed to new replies.