Compatibility: Subscribe To Comments Reloaded

The solution is here > https://forum.ait-pro.com/forums/topic/erroe-403-with-the-plugin-subscribe-to-comments-reloaded/

Looks like we missed adding this fix to Setup Wizard AutoFix. This fix will be added to Setup Wizard AutoFix in the next BPS plugin version release.

Oops actually this fix has already been added in BPS 3.0. ?? The first time this problem was reported was a week ago.

Hi @aitpro, I am the author of StCR. I read your solution in your forum. Have you tried to make the exploit by using that query string? On the backend I have sanitize the information coming from that query string.

Regards.!!

When is the BPS 3.0 release? By the way, thank you.

Actually, I already have that code in there already in 2.9 but I never noticed it until now. But it didn’t work. Still getting the 403 Forbidden.

@imtino – hmm there must be something else that is being blocked as well that is probably not being logged in the BPS Security Log. Try adding a plugin skip/bypass rule for the Subscribe To Comments Reloaded plugin. Leave the RFI security rules commented out since that is definitely going to be blocked as an RFI attack. If the plugin skip/bypass rule does not work then we will test the Subscribe To Comments Reloaded plugin to figure out what else is being blocked.

1. Copy the plugin skip/bypass rule below to this BPS Root Custom Code text box: 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the Security Modes page and click the Root folder BulletProof Mode Activate button.

# Subscribe To Comments Reloaded skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/subscribe-to-comments-reloaded/ [NC]
RewriteRule . - [S=13]

@reedyseth – The Query String itself is being blocked. The Query String matches a BPS RFI security rule: https://www.example.com/?page=https://hackersite.com/evilscript.php. There is actually nothing exploitable in your code and instead it just matches a common hacker attack vector – Remote File Inclusion (RFI).

Still 403 Forbidden

If no quick solution then I will uninstall the plugin. I can live without it but I can’t live without BPS. I love BPS. I can’t believe it’s free. I have tested about 4 or 5 well known security plugins BPS by far is the best. Secured and light-weight (fast). Well, it was a little confusing in the beginning but once passed that it’s peace of mind that you can sleep well at night.

Hmm ok we will need to install and test the Subscribe To Comments Reloaded plugin to figure out what is going on. For now you will either need to deactivate BPS Root folder BulletProof Mode or if you feel like experimenting then you can try manually editing the BPS Root htaccess file to figure out what other BPS root htaccess code is blocking something in the Subscribe To Comments Reloaded plugin. My guess would be some other security rule or rules in the BPS Query String Exploits section of code needs to be commented out. To confirm that and isolate the problem code, use this code below in place of the existing BPS Query String Exploits code.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS

That last code works. Should I keep it like that?

Yeah for now it is ok to do this temporary workaround. I will have a permanent solution for you tomorrow morning around 10am PST.

Awesome!

@aitpro

There is actually nothing exploitable in your code and instead it just matches a common hacker attack vector – Remote File Inclusion (RFI).

If this is causing too much trouble to users I can schedule a development time to replace the url by a post id, but only 2 users on my users base complaint about it. I think that your patch will do the trick ??

@reedyseth first thank you for your plugin and appreciate you commenting to help. I just wanted to point out this for you that might get you to think about it a little bit.

I am not an expert with WordPress or any coding. I am still a newbie after all these years. That’s because I only work on the SEO side. I’ve learned things along the way these few years. I now starting to custom things more each day. But still no expert. Just want to custom and do a lot of googling.

But if this was a few years ago, after trying your plugin. I would have thought oh it didn’t work. I uninstalled and moved on to something else. That’s how it would have been. I wouldn’t take the time to comment for support and so on.

Anyways, just a thought. You might have lost more users without knowing. Users that didn’t bother to find a solution. But moved on to thing that work on first install.

Again, thank you for your plugin it’s working well. I think I will end up on your support forum later if I have more question like I am think right now is the a way not have the manage page or link but unsubscribe link only that provided in the email only or right on the comment form itself.