Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author AITpro

    (@aitpro)

    Yep, %27 is the URL encoded single quote code character which is explicitly blocked in the BPS root htaccess Query Strings Exploit code. To whitelist/allow %27 in Query Strings see this forum topic: http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    Thread Starter flyfisher842

    (@flyfisher842)

    That took care of all but the links with (words) in them. How do I fix the ( filter, and what is my risk in fixing it like the others?

    Plugin Author AITpro

    (@aitpro)

    Yep, you will also need to whitelist/allow round brackets/parentheses ( and ).
    See this forum topic: http://forum.ait-pro.com/forums/topic/allowing-parentheses-in-query-strings/#post-10589

    Important Note: You will need to combine both your single quote code character/apostrophe and round bracket code character/parentheses code together so that both are whitelisted/allowed.

    Plugin Author AITpro

    (@aitpro)

    The security line of code which is being modified is not stated in that forum link above, which I will update in a minute.

    The security line of code for round brackets is this one.
    Before:
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    After:
    RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
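
    As an added illustration (not code from the thread or from BPS), this script emulates the single RewriteCond quoted above against some constructed URLs, so you can see which query strings that rule would 403 before and after the round brackets are removed. It models only the quoted condition, not the rest of the BPS rule chain or the separate %27 rule; the sample URLs are made up for the demo.

```python
import re
from urllib.parse import urlsplit

# Query-string condition quoted in the thread, before and after the
# round brackets were removed from it. Apache's [NC] flag makes the
# match case-insensitive, so re.IGNORECASE models it.
RULE_BEFORE = r"^.*(\(|\)|<|>|%3c|%3e).*"
RULE_AFTER = r"^.*(<|>|%3c|%3e).*"


def is_blocked(url: str, rule: str = RULE_AFTER) -> bool:
    """True if this one RewriteCond would match the URL's query string.

    mod_rewrite tests %{QUERY_STRING} as received (not URL-decoded), so
    the regex is run against the raw, still-encoded query string.
    """
    query = urlsplit(url).query
    return re.match(rule, query, re.IGNORECASE) is not None


def compare(urls):
    """Map each URL to (blocked_by_before_rule, blocked_by_after_rule)."""
    return {u: (is_blocked(u, RULE_BEFORE), is_blocked(u, RULE_AFTER))
            for u in urls}


# Constructed sample URLs modelled on the thread: a search containing
# parenthesised words, two angle-bracket probes (encoded and raw), a
# link with percent-encoded parentheses, and a harmless search.
SAMPLE_URLS = [
    "https://example.com/?s=trout+(brown)",
    "https://example.com/?s=%3Cscript%3Ealert(1)%3C/script%3E",
    "https://example.com/?s=<b>bold</b>",
    "https://example.com/?s=trout+%28brown%29",
    "https://example.com/?s=plain+search",
]

if __name__ == "__main__":
    for url, (before, after) in compare(SAMPLE_URLS).items():
        print(f"{url}\n  before: {'403' if before else 'pass'}"
              f"  after: {'403' if after else 'pass'}")
```

    Note that the quoted condition lists the raw ( and ) but not their %28/%29 encodings, so a link with encoded parentheses passes this rule even before the edit, while angle brackets are still caught in both raw and encoded form after it.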

    Thread Starter flyfisher842

    (@flyfisher842)

    Looking at the filters one at a time, I am starting to understand what they filter but not the reason, except that I assume a lot of them are XSS and SQL injection filters.

    Thanks for your help with these issues. This will help clean up some more junk on my webmaster tools.

    Thread Starter flyfisher842

    (@flyfisher842)

    Forgot to close the thread.

    Plugin Author AITpro

    (@aitpro)

    By default WordPress already filters out HTML characters that are considered dangerous and can be exploited: “, ‘, <, >, (, ) etc. Example: when you create a Post, your URL will not contain any of these characters. WordPress also filters strings and will automatically URL encode strings that should be encoded. So BPS adds an extra layer of insurance, and in some cases there are methods to inject or poison things, so these BPS filters are actually useful.

    The reason is simple: everything that has the possibility of being exploited should be sanitized or not allowed and known attack vector patterns should not be allowed.

The topic ‘utf8 characters in URI causing 403’ is closed to new replies.