• Resolved isaacl

    (@isaacl)


    We have a backend URL that is getting a 403 error when an apostrophe (%27) is included in a search/query on that page, but have another, almost identical page, that isn’t having that issue.
    That page/directory is protected by an htaccess password and only used internally, so it should work to just exclude that directory or page, rather than remove the rule fully.
    Is there any way to exclude a specific directory or page from the QUERY STRING EXPLOITS rules?
    Thanks a lot!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author AITpro

    (@aitpro)

    To allow and not block apostrophes/single quote code characters in the backend wp-admin area use this solution: https://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372

    Since this is a backend whitelist rule, you can safely allow all apostrophes in the backend of your site.

    Thread Starter isaacl

    (@isaacl)

    Thanks for the reply.

    The actual page is in a separate directory, and just being loaded by an internal page – any ideas for what to do in that case?

    Thanks a lot!

    Plugin Author AITpro

    (@aitpro)

    Then you are going to have to create some kind of custom htaccess code/rule for that. The BPS Query Strings Exploit code cannot have any modifications done to it besides disabling/commenting out security rules/filters. So basically you would have to comment out the BPS Query Strings Exploit security rule for apostrophes and then create a new block of code to deal with/handle apostrophes. I believe that would be too complicated to mess with and not worth the effort. So I wouldn’t bother with doing that. Allowing apostrophes does not decrease your overall security significantly. There are overlapping security rules for exactly the reason where someone would need to remove/comment out a particular rule or rules.

    • This reply was modified 9 years, 5 months ago by AITpro.
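The approach the reply describes (comment out the plugin's own apostrophe filter, then add a separate block that handles apostrophes with an exclusion) looks like the following as a standalone mod_rewrite block. This is an added example, not the BPS plugin's Query Strings Exploit code; it assumes mod_rewrite is enabled and that the HTTP-auth-protected tool lives under the placeholder path `/internal-tool/`, which you would replace with your own directory.

```apache
# Added example, not the BPS plugin's own code. Assumes mod_rewrite is enabled.
# /internal-tool/ is a placeholder for the password-protected directory whose
# searches legitimately contain apostrophes; substitute your real path.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Exclusion: the condition is negated (!), so requests whose path starts with
# /internal-tool/ never reach the blocking rule below. REQUEST_URI is used
# rather than the Referer header because the Referer is client-controlled.
RewriteCond %{REQUEST_URI} !^/internal-tool/ [NC]

# Block an apostrophe anywhere in the query string. QUERY_STRING is matched
# as sent (not URL-decoded), so both the percent-encoded form (%27) and a
# raw single quote (written as PCRE \x27 to keep the config line unambiguous)
# are listed. Matching requests get a 403 (F) and rule processing stops (L).
RewriteCond %{QUERY_STRING} (%27|\x27) [NC]
RewriteRule .* - [F,L]
</IfModule>
```

RewriteCond lines AND together by default, so the negated path condition and the query-string condition must both hold before the 403 fires. After deploying, confirm the split with two requests: `curl -I "https://example.com/internal-tool/?q=it%27s"` (with the HTTP-auth credentials) should return 200, while `curl -I "https://example.com/?s=it%27s"` should still return 403. Keep the plugin's remaining query-string filters in place; as the reply notes, they overlap with this one.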
    Plugin Author AITpro

    (@aitpro)

    Typo|Correction: Allowing apostrophes does not decrease your overall security significantly.
    I left out “not” from the sentence above.

    Thread Starter isaacl

    (@isaacl)

    Thanks a lot, will just remove that one then (already tested it, and it works after only removing it from the QUERY_STRING line, as long as that’s fine).

    I had seen other posts where you had mentioned that it is one of the things that can be more dangerous, but as long as this shouldn’t affect too much.

    Thanks a lot for all your help and hard work on the plugin, and for keeping us safe!


The topic ‘Exclude URL from BPS QUERY STRING EXPLOITS’ is closed to new replies.