[Plugin: BulletProof Security] BuddyPress and 403

Just for a basic check did you activate all BulletProof Modes? Both the Root and wp-admin BulletProof Modes must be activated together. I do not think this is the cause of the problem.

What I suspect is that the full query string contains something in it that is being blocked by one of the BPS security filters in the root .htaccess file. There are 2 approaches to fixing issues like this.

1. You can tell BPS not to apply any security filters to the forum folder

or

2. You can isolate the query string that is being blocked and create an .htaccess rule to skip / bypass the BPS security filters for that particular query string.

In order to create a query string skip / bypass rule for you I would need to see the entire query string in the URL.

or

To see examples of .htaccess bypass / skip rules you can take a look at this help post >>> https://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/

Yes, both modes are activated. When the query returns to the original page, it looks like this:

https://mysite/community/groups/fearless/forum/topic/chapter-1-questions/?

If I load that URL with BPS on, I get the 403 page. If I load that URL with BPS off, the page loads fine.

Maybe it is the question mark at the end that is being blocked?

Ok so what is the original query then?
I do not have enough information to be able to tell you what is being blocked. Is some sort of unsafe redirection occurring?
I need the whole scenario in order to determine what is not working correctly.

What exactly is occurring right here?
“When members go to reply to a forum posting in BuddyPress..”

What exactly is occurring right here? By the way you describe this it sounds like some sort of redirection is occurring here. If so, how this is being done is essential information in determining the problem.

“If you hit the back button and refresh the page, the reply is shown, so it is getting written to the db…”

If the forum is outside of WordPress you can just use a skip / bypass rule for the entire forum. Is it part of BuddyPress or not?

I do not understand this “default forum, not bbPress”

Sorry, not really sure what is being done here query-wise to redirect; it is something within BuddyPress. You reply to a forum posting and it then redirects you back to the forum, tacking on the posting ID (which is then the permalink for the reply).

Example: https://mysite/community/groups/fearless/forum/topic/chapter-1-questions/?#post-15

If I were then to delete that reply, it redirects me back to the forum with the question mark at the end, but without the original post ID.

Example: https://mysite/community/groups/fearless/forum/topic/chapter-1-questions/?

Again, not sure what the query is exactly – all I can see are the generated URLs – which in this case appears that the question mark portion is what is causing the problem. If I manually enter the URL without the question mark (even with the #post-15), the page loads fine. But the question mark is added to the URL by BuddyPress somewhere.

The forum is part of BuddyPress, so is all within WordPress. When I say it is the default forum, I am referring to the functionality within BuddyPress. BuddyPress gives you the option to have bbPress as your forum provider or use the built-in forum (part of BuddyPress) within BuddyPress groups.

Nope the question mark is not going to be the problem. A question mark just means a query string starts from this point on in the URL. So ?#post-15 means query #post-15. BPS does not block question marks.

BPS already contains this permanent BuddyPress redirect query string fix below and what i am guessing is that either something new has been done in BuddyPress or in your particular website’s case something is unique or different. This fix below pertains to BuddyPress Logouts, but the concept is the same. There is a query string that is doing a redirect after a user’s reply in your Forum. That is the query string that i need to create the skip / bypass rule. Apparently it is not being displayed to you in your browser for long enough for you to see it or maybe not at all. So what i need from you is the version of BuddyPress you are using and if it is free. If you are using anything Premium then i cannot look at the code or test it. So let me know if you have free or premium stuff and a link to download it.

# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]

Installed BuddyPress version is 1.5.5. These are all the BuddyPress related plugins installed (all free, all from the wordpress plugin repository):

BuddyPress
Version 1.5.5

BP Group Hierarchy
Version 1.3.2

BP Group Management
Version 0.5.3

BP Group Organizer
Version 1.0.4

BuddyPress Auto Group Join
Version 2.2.1

BuddyPress Automatic Friends
Version 1.6.1

BuddyPress Group Email Subscription
Version 3.1.1

BuddyPress Profile Privacy
Version 1.4.2

Private BuddyPress
Version 1.0.4

Ok so you said that the Forum is built into BuddyPress correct so i am assuming that i can test the Forum without adding the additional plugins correct?

Correct; you would use “Forums for Groups” and not “New! Site Wide Forums”

I love the new walk-through installation in BuddyPress, unfortunately i was unable to get BuddyPress installed and working correctly on my local XAMPP setup. It is a very advanced XAMPP setup so BuddyPress probably cannot handle interpreting my vhosts file correctly or maybe it is something else, but after spending an hour just trying to get BuddyPress to work i had to throw in the towel.

I notice that on installation BP wipes out the existing .htaccess code and writes new .htaccess code, which is fine and is probably done with wp rewrite flush function. No big deal here.

Ok since i cannot see this visually quickly and digging through the BuddyPress coding would take too much time that i cannot spare right now so here is an alternative solution.

Do not apply BPS security to BuddyPress Forum. This is obviously not an optimum solution, but at this time I cannot fiddle around with this. Next week i will have some time to spare to find out exactly what the issue is.

An example of the bypass / skip rule that you would use to not apply security to the BuddyPress Forum area would be something like this and it would go above skip rule #12

# BuddyPress Forum bypass / skip rule
RewriteCond %{REQUEST_URI} ^forum/ [NC]
RewriteRule . - [S=13]

Or i just thought of something else. If you can get the error from one of your log files – either Server log or php error log then it will probably contain the query string in the logged error. Once i know what the query string is then i can quickly create the bypass / skip rule for that query string.

Thanks for looking into this! Unfortunately that entry in the .htaccess file doesn’t alleviate the problem. The strange this is I cannot find any errors at all – no error_log files are being generated and when I check my Error Log in cPanel, it is blank. Checking with my web host as I’ve never seen this before.

Actually your Web Host is probably not going to look into this. This is a question for the BuddyPress folks and you would want to post in the BuddyPress Forum on the BuddyPress site.

I’ll have to look more into the error log issue. What I can say is that if I take this line out:

RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

The problem goes away. I understand that this is probably blocking a query exploit, but is there any way to just say ignore it in certain circumstances?

That security filter protects against Remote File Inclusion (RFI) and XSS hacking attempts against your website so it would not be a good idea to comment it out.

What this tells me is that BuddyPress is trying to do a redirect by adding a URL after the query to redirect back to your website using HTTP in the query string.

The string / URL would look generally something like this, which is very similar to RFI or XSS hacking attempts where a hacker adds a redirect to another site and they also add a script on the end of the redirect URL to deliver a payload.

https://www.example.com/?redirect_to=https://www.example.com/

Instead of putting your entire website at risk of being hacked, just post in the BuddyPress Forum and ask them what the query string is for Forum replies / redirect after replies.

is there any way to just say ignore it in certain circumstances?

Yes, get the query string that is used in the redirect from the BuddyPress folks. ??