• Resolved PolyWogg

    (@polywogg)


    I’m running the latest WP and AiOWP Security. For sake of simplicity, let’s say it is installed at: http://www.mydomain.com

    My hoster allows Softaculous installs, and I recently installed Piwigo Gallery at: http://www.mydomain.com/mygallery (note that WP is in the root, other installs go below that … which means AIOWPS affects the root directory for all installs). Could be a conflict, but it isn’t, everything works.

    Except I installed the Piwigo Media plugin in WP which is supposed to go to http://www.mydomain.com/mygallery and get the list of available albums, etc., and it doesn’t find the gallery. Just pops up in an endless loop looking for the folder.

    I disabled all other plugins, works fine; enabled AIOWPS, doesn’t work.

    Tweaked AIOWPS and it’s a firewall issue (security enabled is fine).

    I don’t want to disable ALL the firewall settings, but is there a way to tell it is okay to read that subfolder or for the firewall to ignore that plugin?

    Paul

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor wpsolutions

    (@wpsolutions)

    Did you find the specific firewall rule which is causing that behaviour? If so which is it?

    Thread Starter PolyWogg

    (@polywogg)

    I haven’t narrowed it down yet, but I’ve eliminated some possibilities.

    It seems to be a sub-rule that can tell the difference between

    http://www.domain.com/gallery and
    domain.com/gallery.

    The firewall rule is blocking anything with the full domain name in it, but without the www part, it slips by somehow.

    I don’t see anything specifically in the firewall rules, though. I have Basic engaged.

    It’s not Directory Contents, that works.
    It’s not Trace and Track, that works.

    Still trying things one by one.

    Thread Starter PolyWogg

    (@polywogg)

    Have eliminated:

    Basic
    – Basic firewall
    – XMLRPC
    – Pingback
    – Debug log

    Advanced
    – Directory contents
    – Trace and Track
    – Proxy Comment Posting
    – Advanced Character String Filter

    AH-HAH! It conflicts with the bad query string setting.

    PolyWogg

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi @polywogg, I am glad you found the conflicting settings.

    The following information is added in the plugin by the developers in regards to this feature.

    This feature will write rules in your .htaccess file to prevent malicious string attacks on your site using XSS.
    NOTE: Some of these strings might be used for plugins or themes and hence this might break some functionality.
    You are therefore strongly advised to take a backup of your active .htaccess file before applying this feature.

    The following is written to the .htaccess file. You might like to investigate what part of the following code is causing the conflict.

    #AIOWPS_DENY_BAD_QUERY_STRINGS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ftp:     [NC,OR]
    RewriteCond %{QUERY_STRING} http:    [NC,OR]
    RewriteCond %{QUERY_STRING} https:   [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(request|insert|union|declare|drop) [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>
    #AIOWPS_DENY_BAD_QUERY_STRINGS_END

    During the investigation, simply disable this feature. If you can’t work out what part of the code is causing this conflict, you will have to make sure you don’t enable this feature in the plugin. If you do find out what part of the code is conflicting, then you can add the amended code to the Custom Rules tab under Firewall.

    Let us know if you need more help.

    Kind regards

    • This reply was modified 8 years, 4 months ago by mbrsolution.
    Thread Starter PolyWogg

    (@polywogg)

    Awesome, thanks. If I had to guess, I would say it is

    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]

    as it does seem to just go into an infinite loop (if I’m understanding what that command does). And it kind of seems to match a bit…if I do http://www.mydomain.com, it would match “localhost” in that list. However, if I do mydomain.com, it doesn’t seem to match it, and so it lets it through. Again, if I understand that command properly (no guarantees!).

    In the meantime, rather than add the rule, which might get me messed up, I think I’ll just leave that part alone 🙂 It’s working, it’s all good.

    Thanks again. I wish I had found the error 3 years ago when it first “appeared”. If I hadn’t switched to AIO recently, and found the same bug when I reinstalled Piwigo and started using it again, I never would have been able to narrow it down. Worst case scenario now, if someone has the same error, they might trip over the posts and find the problem/solution.

    PolyWogg
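
An added example (not part of any post in this thread, and not the plugin's own code): one way to check which `RewriteCond` in the quoted block fires for a given request. The sample requests, including the `url` parameter name and the `admin-ajax.php` path, are constructed assumptions, since the thread does not show the request the Piwigo Media plugin actually sends.

```python
import re

# Patterns copied from the AIOWPS_DENY_BAD_QUERY_STRINGS block quoted in the thread.
# Every condition carries [NC], so each is compiled case-insensitively.
CONDITIONS = [
    r"ftp:",
    r"http:",
    r"https:",
    r"mosConfig",
    r"^.*(globals|encode|localhost|loopback).*",
    r"""(\;|'|\"|%22).*(request|insert|union|declare|drop)""",
]
COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in CONDITIONS]


def query_string(url):
    """Return the raw query string, as mod_rewrite sees it in %{QUERY_STRING}.

    The value is not URL-decoded, so 'http%3A' and 'http:' are different text.
    """
    _, sep, rest = url.partition("?")
    return rest.split("#", 1)[0] if sep else ""


def matching_conditions(url):
    """List the patterns that match; any match means the RewriteRule answers 403."""
    qs = query_string(url)
    # RewriteCond patterns are unanchored unless they use ^ or $, hence search().
    return [p for p, rx in COMPILED if rx.search(qs)]


def is_blocked(url):
    # The conditions are chained with [OR], so one match is enough for [F].
    return bool(matching_conditions(url))


# Constructed sample requests; the parameter name "url" and the paths are
# assumptions, the thread does not show the plugin's real request.
SAMPLES = [
    "/wp-admin/admin-ajax.php?url=http://www.mydomain.com/mygallery",
    "/wp-admin/admin-ajax.php?url=mydomain.com/mygallery",
    "/wp-admin/admin-ajax.php?url=http%3A%2F%2Fwww.mydomain.com%2Fmygallery",
    "/index.php?page=encoder-settings",
]

if __name__ == "__main__":
    for url in SAMPLES:
        hits = matching_conditions(url)
        print("403" if hits else "ok ", url, hits)
```

Feeding it the query strings of the requests that received a 403 in the server's access log shows which condition is responsible, which is the information needed before amending the block under Custom Rules.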

    Plugin Contributor mbrsolution

    (@mbrsolution)

    I am glad to see that you have found a workaround/solution for your issue. I will mark this support thread as resolved.

    You are most welcome to open up another ticket in the future if you wish to revisit this issue again and perhaps even point to this support thread.

    Enjoy the plugin.

    Kind regards

The topic ‘Firewall blocks another plugin from loading’ is closed to new replies.