I have a website where I wrapped phpbb3 inside wordpress. It works pretty well, although when I added this security recommendation to my .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>
it is causing 403 errors when users try to use the search form on some of the forum pages. This is the way the search is presented (as an example):
<div class="search-box">
<form method="post" id="forum-search" action="./search.php?fid[]=5">
<fieldset>
<input class="inputbox search tiny" type="text" name="keywords" id="search_keywords" size="20" value="Search this forum…" onclick="if (this.value == 'Search this forum…') this.value = '';" onblur="if (this.value == '') this.value = 'Search this forum…';" />
<input class="button2" type="submit" value="Search" />
<input type="hidden" value="5" name="fid[]" />
</fieldset>
</form>
</div>
Comes back as "forbidden". When I take out that section of .htaccess, it works fine. I know the very basics about .htaccess and can't figure out why that code is causing a 403 on that section of HTML/PHP.
Any ideas would be appreciated...thanks...
It is causing a 403 because you are returning 403 in your htaccess; the F flag in your rewrite rules is doing this.
There's probably a reason why you'd want to do this. The first rule blocks requests via HEAD, TRACE, DELETE, and TRACK methods. The second rule blocks requests with a bunch of possible query strings and *if you are missing the wordpress_logged_in cookie*. So if you don't have a cookie named wordpress_logged_in_, then you'll get a 403.
I am trying to come up with an htaccess code that will allow me to redirect users on all mobile devices going to a webpage that begins with www.example.com/blog or example.com/blog to a specific page, pretty much the same link with the following extension: /mobile.
so that websites for mobile devices become:
www.example.com/blog -> www.example.com/blog/mobile
example.com/blog -> example.com/blog/mobile
How can I do that?
You can place this rule in your site root .htaccess:
RewriteEngine On
RewriteCond %{HTTP:x-wap-profile} !^$ [OR]
RewriteCond %{HTTP:Profile} !^$
RewriteRule ^blog/?$ /$0/mobile [L,NC,R=302]
This is assuming you don't have a .htaccess inside the blog/ directory.
If you already have a blog/.htaccess, then use this rule in blog/.htaccess:
RewriteEngine On
RewriteCond %{HTTP:x-wap-profile} !^$ [OR]
RewriteCond %{HTTP:Profile} !^$
RewriteRule ^/?$ /blog/mobile [L,R=302]
If the above headers don't work, then use user-agent based checks:
RewriteCond %{HTTP_ACCEPT} "text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "sony|symbian|nokia|samsung|mobile|windows ce|epoc|opera" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "mini|nitro|j2me|midp-|cldc-|netfront|mot|up\.browser|up\.link|audiovox" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "blackberry|ericsson,|panasonic|philips|sanyo|sharp|sie-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "portalmmm|blazer|avantgo|danger|palm|series60|palmsource|pocketpc" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "smartphone|rover|ipaq|au-mic,|alcatel|ericy|vodafone\/|wap1\.|wap2\.|iPhone|android" [NC]
RewriteRule ^blog/?$ /$0/mobile [L,NC,R=302]
How do I redirect users to my mobile page?
I am using this code in htaccess:
RewriteEngine on
RewriteCond %{QUERY_STRING} !^desktop
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|googlebot-mobile|iemobile|iphone|ipod|opera mobile|palmos|webos" [NC]
RewriteCond %{HTTP_USER_AGENT} "acs|alav|alca|amoi|audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|opwv" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|w3cs|wap-|wapa|wapi" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "wapp|wapr|webc|winw|winw|xda|xda-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "up.browser|up.link|windowssce|iemobile|mini|mmp" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "symbian|midp|wap|phone|pocket|mobile|pda|psp" [NC]
RewriteRule ^$ http://example.com/mobile [L,R=302]
It works only if I go to site.com; then it will redirect me to http://example.com/mobile,
but I want it to be like this: even if I go to http://example.com/page1.php or any other page, it should redirect me to http://example.com/mobile for all mobile users.
Please help me with this.
Well, just change
RewriteRule ^$ http://example.com/mobile [L,R=302]
to
RewriteRule ^/?(.*)$ http://example.com/mobile [L,R=302]
or maybe
RewriteRule ^/?(.*)$ http://example.com/mobile/$1 [L,R=302,QSA]
To redirect to a different hostname (sometimes called a "subdomain"), as asked in the comment below, you can do this:
RewriteRule ^/?(.*)$ http://m.example.com/$1 [L,R=302,QSA]
And a general remark: I think an HTTP 301 makes more sense than an HTTP 302 for this situation...
I want to remove index.php in the url if there is no querystring.
My .htaccess is:
RewriteCond %{QUERY_STRING} ^$
RewriteRule index.php http://www.domain.fr [R=301,L]
RewriteRule ^(.*)/(.*)/$ index.php?category=$1&region=$2 [L,QSA]
www.domain.fr/index.php => ok, redirects well to www.domain.fr
www.domain.fr/index.php?i=1 => ok, no redirection
www.domain.fr/category/region/ (if entered manually in the url) => ok, no redirection
www.domain.fr/category/region/ (if posted via a php form) => redirects (and shouldn't) to www.domain.fr
Here is my php form:
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
<select id="category" name="category">..</select>
<input id="send" name="send" type="submit" value="search" />
</form>
and the code of this form (at the top of the page):
if (isset($_POST['send'])) {
    // rawurlencode() stops the submitted values from injecting extra path
    // segments or header characters into the redirect target
    $category = rawurlencode($_POST['category']);
    $region   = rawurlencode($_POST['region']);
    // double quotes are required here: inside single quotes PHP would not expand
    // $category and $region, and the browser would be sent the literal text
    header("Location: http://www.domain.fr/$category/$region/");
    exit;
}
If I remove the condition RewriteCond %{QUERY_STRING} ^$, the php form redirects well to www.domain.fr/category/region, but if I put the condition in, it always redirects to www.domain.fr.
Any idea?
The order of your rules is the problem; keep your rules like this:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^domain\.fr$ [NC]
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=302,NE,L]
RewriteCond %{THE_REQUEST} /index\.php[^?] [NC]
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^index\.php$ / [R=302,L]
# The next two rules use the RewriteMap functions lc and vhost, which must be
# defined in the server config (RewriteMap is not allowed in .htaccess);
# leave them out if you do not have those maps.
RewriteRule [A-Z] ${lc:%{REQUEST_URI}} [R=302,L]
RewriteRule .* - [E=SD:${vhost:%{HTTP_HOST}}]
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ - [L]
RewriteRule ^([^/]+)/([^/]+)/?$ index.php?category=$1&region=$2 [L,QSA]
RewriteRule ^([^/]+)/?$ index.php?category=$1 [L,QSA]
Anubhava, I've found the answer!!!
The problem was just about the php form; it was necessary to remove:
<?php echo $_SERVER['PHP_SELF'];?>
The solution is simply:
<form method="post" action="">
but thank you very much Anubhava!
I want to receive my own site's URL as a $_GET parameter in a few of my pages, but I don't want any other URL to be passed as a $_GET parameter on any webpage. For this I use the .htaccess code below, along with a few other measures mentioned here:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
RewriteCond %{HTTP_REFERER} !^http://mysite\.com(.*)$
RewriteRule ^(.*)$ - [F,L]
</IfModule>
Even after adding
RewriteCond %{HTTP_REFERER} !^http://mysite\.com(.*)$
at the 3rd line from the end, if I try to pass any URL of my website as a GET parameter in any of my webpages, including the http part (ex: 'http://mysite\.com'), it returns a 403 error.
Here is the way I am trying to access my site's url as GET parameter:
'http://mysite\.com/abc_page?url=http://mysite\.com/efg_page'
Please point out what I am doing wrong with the above code. The code was actually added by the WordPress Better Security Plugin, and I added RewriteCond %{HTTP_REFERER} !^http://mysite\.com(.*)$ to allow URLs of my own website.
'\' is added before .com because stackoverflow does not allow the mysite.com name to be placed inside the body.
Here is an example of $_POST data from PayPal's IPN:
cmd=_notify-validate
&test_ipn=1
&payment_type=instant
&payment_date=18%3A49%3A30+Nov+01%2C+2010+PDT
&payment_status=Completed
&address_status=unconfirmed
&payer_status=unverified
&first_name=John
&last_name=Smith
&payer_email=buyer%40paypalsandbox.com
&payer_id=TESTBUYERID01
&address_name=John+Smith
&address_country=United+States
&address_country_code=US
&address_zip=95131
&address_state=CA
&address_city=San+Jose
&address_street=123%2C+any+street
&business=seller%40paypalsandbox.com
&receiver_email=seller%40paypalsandbox.com
&receiver_id=TESTSELLERID1
&residence_country=US
&item_name=something
&item_number=AK-1234
&quantity=1
&shipping=3.04
&tax=2.02
&mc_currency=USD
&mc_fee=0.44
&mc_gross=10
&mc_gross_1=10
&txn_type=web_accept
&txn_id=30112149
&notify_version=2.1
&custom=10points
&charset=windows-1252
&verify_sign=AFcWxV21C7Zyy8mw-cdzleMW.oxFXxXE
When I try to send this with my .htaccess file I get a 403 error.
.htaccess:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule .* - [F]
How do I change the .htaccess file to make it allow the $_POST data?
You can enable logging on the rewrite engine. (Just for debugging.) You will see the exact rule where it dies.
Possibly this line:
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
I believe that is matching on any full stop followed by an alphanumeric character in the query string. Seems like that would fail requests like "shipping=3.04"
Found the sinner:
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
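As an added example (my own code, not from any of the posts above), the following Python script emulates how mod_rewrite walks a RewriteCond chain and reports which conditions carried the decision; run against a few of the patterns from the forum-search question, the own-site-URL question and the PayPal IPN question, it shows the bracket pattern tripped by fid[]=5, the http\: pattern plus the absent Referer tripped by url=http://..., and the empty User-Agent check tripped by a callback with no such header. The rule_fires function, the list names and the request dictionaries are assumptions of mine, not anything the posters used.

```python
import re

def rule_fires(conds, req):
    """Emulate a mod_rewrite RewriteCond chain: OR-flagged conditions form a group,
    groups are ANDed, NC is case-insensitive, a leading '!' negates. Returns the
    indices of the conditions that carried the decision, or [] if the rule is off."""
    fired, i = [], 0
    while i < len(conds):
        var, pat, flags = conds[i]
        flagset = set(flags.split(","))
        negated, or_next = pat.startswith("!"), "OR" in flagset
        pat = pat[1:] if negated else pat
        hit = re.search(pat, req.get(var, ""), re.I if "NC" in flagset else 0)
        if (hit is not None) != negated:        # condition satisfied
            fired.append(i)
            if or_next:                         # skip the rest of this OR group
                i += 1
                while i < len(conds) and "OR" in conds[i][2].split(","):
                    i += 1
            i += 1
        elif or_next:                           # try the next alternative
            i += 1
        else:                                   # an ANDed condition failed
            return []
    return fired

# Conditions copied from the rule sets above, in Apache's own (variable, pattern, flags) form.
FORUM_SEARCH = [
    ("QUERY_STRING", r"http\:", "NC,OR"),
    ("QUERY_STRING", r"^.*(\[|\]|\(|\)|<|>|ê|\"|;|\?|\*|=$).*", "NC,OR"),
    ("QUERY_STRING", r"^.*(request|select|insert|union|declare).*", "NC"),
    ("HTTP_COOKIE", r"!^.*wordpress_logged_in_.*$", ""),
]
OWN_URL_PARAM = [
    ("QUERY_STRING", r"http\:", "NC,OR"),
    ("QUERY_STRING", r"^.*(request|select|concat|insert|union|declare).*", "NC"),
    ("HTTP_COOKIE", r"!^.*wordpress_logged_in_.*$", ""),
    ("HTTP_REFERER", r"!^http://mysite\.com(.*)$", ""),
]
PAYPAL_IPN = [
    ("HTTP_USER_AGENT", r"^$", "OR"),
    ("QUERY_STRING", r"^.*\.[A-Za-z0-9].*", "NC,OR"),
    ("QUERY_STRING", r"^.*(<|>|%0A|%0D|%27|%3C|%3E|%00).*", "NC"),
]

if __name__ == "__main__":   # constructed requests; the list index tells you which line fired
    print(rule_fires(FORUM_SEARCH, {"QUERY_STRING": "fid[]=5"}))                          # [1, 3]
    print(rule_fires(OWN_URL_PARAM, {"QUERY_STRING": "url=http://mysite.com/efg_page"}))  # [0, 2, 3]
    print(rule_fires(PAYPAL_IPN, {"HTTP_USER_AGENT": ""}))                                 # [0]
```

Replaying a site's own legitimate requests (search forms, payment callbacks, pages that carry URLs as parameters) through a proposed blacklist like this, before it goes into .htaccess, is the quickest way to catch false positives of this kind.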