jfroelich

Getting 403 Forbidden when searching posts

With the Admin Columns Pro plugin enabled, when I am logged into WordPress, viewing the list of posts, type in a search and click the Search Posts button on the posts list page, the server responds with a 403 Forbidden error. With the plugin disabled, the post search works as expected. A few months ago this issue did not occur, but I had removed the plugin. Now I am trying to enable it. Everything else runs smoothly except for this strange search issue resulting in 403.

Any advice would be appreciated.

Side note: my webhost switched from Apache to LiteSpeed, if that is at all related. In that switch they may have changed folder and file perms. It looks like everything is 755 right now.

5 years, 10 months ago
Stefan van den Dungen Gronovius
Developer

Thanks for your feedback,
I’ve heard of this issue before and it seems to be related to the JSON-encoded string we add to the URL when performing a search action. One client told me the following:

‘In my case, I had to deactivate the ModSecurity option in cPanel’

We have not yet had time to dive further into this issue, but it seems that in this case ModSecurity recognizes the URL as malicious and throws a 403 error. If you could check whether your server has ModSecurity installed, or something similar that analyses URLs for malicious content, that would be great. And if you find anything, it would be great if you could share that with us, so we can do some further research on this issue, as we’re not able to reproduce it yet. Please contact me at support@admincolumns.com if you have any information that can help us.

5 years, 10 months ago
jfroelich

Thanks for your prompt response. I will eventually research the issue. I am not aware of any ModSecurity running on the web server.

It is unfortunate, considering this is a paid purchase and now the plugin must remain disabled.

Regards,
Josh

5 years, 10 months ago
Stefan van den Dungen Gronovius
Developer

Hi Josh,

Please let me know if you’re able to find the cause of the issue and if you were able to fix it for your environment.
If you’re not able to fix it and you don’t see any other use of our plugin, you may ask for a refund. If you don’t use the Smart Filtering feature, you could also disable it through the screen options menu (right top of overview page) and the default search should also work again.

5 years, 10 months ago
jfroelich

I have not been able to research this issue, I am quite busy, I have simply disabled the plugin for now.

I will check if disabling the smart filtering avoids the issue for now.

5 years, 10 months ago
jfroelich

Alright, enabling the plugin and having every user disable the Enable Smart Filtering option on every list page avoids the 403 error for now.

Thank you for your help. Sorry I cannot provide more information right now.

5 years, 10 months ago
support63

Hi STEFAN,

Do you know if there’s any workaround without turning off the smart filtering? Our client’s website is hosted on a shared-hosting server and we don’t have access to Apache’s security, let alone turning off the ModSecurity module.

Any guidance on the issue will be greatly appreciated!

We really enjoy using the plugins so far, it’s a game-changer. Thanks for the lovely plugin.
Look forward to your reply.

Kind Regards,
Calvin

5 years, 9 months ago
Stefan van den Dungen Gronovius
Developer

At this moment we know that this issue is caused by security settings of some servers.
We have a ticket for this on our GitHub:
https://github.com/codepress/admin-columns-issues/issues/1187

But unfortunately, we have not yet found a way to alter the way we are using Smart Filtering, the feature that is causing the issue in combination with the server security settings. Thanks to some customers, we have heard of some workarounds that involve changing settings on server level:

– Disabling the ModSecurity option (in cPanel) -> This is quite global and can probably be fine-grained by allowing some URLs or IPs
– Whitelist the IP in your security module, have a look at WAF settings as mentioned in the GitHub ticket.

Since we cannot reproduce the issue on one of our own servers, I can only forward these solutions without knowing how to implement that on your specific environment.
Another workaround would be to disable Smart Filtering in the screen options menu (top right on overview) but that is of course only an option if you’re not using Smart Filtering at the moment.

5 years, 9 months ago
Eric

I had a similar issue and was able to track down the cause and implement a solution. Hopefully this will help others who are running into this issue.

The URL that ACP uses to apply the filters contains some query parameters that are common in MySQL queries, specifically “select” and “and”.

https://example.com/wp-admin/edit.php?s&post_status=all&post_type=example&ac-rules=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%225cb0c6c042171%22%2C%22field%22%3A%225cb0c6c042171%22%2C%22type%22%3A%22integer%22%2C%22input%22%3A%22select%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%2254%22%2C%22formatted_value%22%3A%22example%22%7D%5D%2C%22valid%22%3Atrue%7D&m=0&filter_action=Filter&action=-1&paged=1&action2=-1

Most WordPress security plugins, including All In One WP Security, will block all MySQL commands in query parameters. You would need to disable that feature or alter the settings it applies to .htaccess.

In AIO WP Security this setting can be found under WP Security > Firewall > 6G Blacklist Firewall Rules : Enable Legacy 5G Firewall protection.

You can also look in your .htaccess file for a line like the one below. Commenting it out should allow filtering to work again.

RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]

5 years, 7 months ago
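
To check whether a given admin URL is rejected by the RewriteCond quoted in the post above, the following added example (not part of the thread or of the plugin's code) evaluates the same pattern against raw query strings in Python. The helper names and the second and third sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern from the RewriteCond line quoted above; [NC] = case-insensitive.
# Apache tests it against the raw, still percent-encoded query string,
# which is why the rule lists %22 next to the literal double quote.
QUOTE = r"(\;|'|\"|%22)"
KEYWORDS = ["union", "select", "insert", "drop", "update", "md5",
            "benchmark", "or", "and", "if"]
RULE = re.compile(QUOTE + ".*(" + "|".join(KEYWORDS) + ")", re.IGNORECASE)

# Smart Filtering URL as posted in the thread.
FILTER_URL = (
    "https://example.com/wp-admin/edit.php?s&post_status=all&post_type=example"
    "&ac-rules=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22"
    "%3A%225cb0c6c042171%22%2C%22field%22%3A%225cb0c6c042171%22%2C%22type%22"
    "%3A%22integer%22%2C%22input%22%3A%22select%22%2C%22operator%22%3A%22equal"
    "%22%2C%22value%22%3A%2254%22%2C%22formatted_value%22%3A%22example%22%7D"
    "%5D%2C%22valid%22%3Atrue%7D&m=0&filter_action=Filter&action=-1&paged=1"
    "&action2=-1"
)
# Constructed: a plain post search without the ac-rules parameter.
PLAIN_URL = ("https://example.com/wp-admin/edit.php?s=hello&post_status=all"
             "&post_type=post&action=-1&m=0&paged=1&action2=-1")
# Constructed: quoted JSON with neither "select" nor "AND" in it.
OR_ONLY_URL = ("https://example.com/wp-admin/edit.php"
               "?ac-rules=%7B%22operator%22%3A%22equal%22%7D")


def explain_block(url):
    """Return (blocked, first_quote_token, keywords_found_after_it)."""
    qs = urlsplit(url).query          # raw query string, escapes not decoded
    if not RULE.search(qs):
        return (False, None, [])
    first = re.search(QUOTE, qs)      # earliest quote-like token
    tail = qs[first.end():].lower()   # everything the ".*" can span
    return (True, first.group(0), [k for k in KEYWORDS if k in tail])


if __name__ == "__main__":
    for name, url in [("filter", FILTER_URL), ("plain", PLAIN_URL),
                      ("or-only", OR_ONLY_URL)]:
        print(name, explain_block(url))
```

The third case shows that the two-letter keyword `or` inside `operator` is enough to match, so any quoted JSON in a query string is likely to be rejected while this rule is active.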
