Forum Topic: issue with G5 blacklist

Forum: .htaccess Forum : Security • Posted by Peter Mumford • Updated:

I've been using the G5 blacklist on multiple sites since mid-summer, all running wordpress. Recently I've been having issues with one site that returns 403s when accessing certain admin screens. This URL, reached when making a new menu, gives me 403s when logged in as admin:

http://topheavypilesofbooks.com/wordpress/wp-admin/nav-menus.php?action=edit&menu=0

I found that disabling the rewrite rule section like this solves the problem. I just hash tag line 20:

#RewriteRule .* - [F]

Is there a better way to tweak the G5 list?

7 Replies to “issue with G5 blacklist”

Jeff Starr
Posted by Jeff Starr

Hi Peter,

It looks like the its the menu matching on line 9 that's causing the issue. To fix, replace the RewriteRule that you had commented out, and then change line 9 from this:

RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]

..to this:

RewriteCond %{QUERY_STRING} (mod|path|tag)\=\.?/? [NC,OR]

Let me know how it goes!

Posted by Peter Mumford •

yup, that solves the issue.

One more question: looking through my server logs, I see LOTS of requests for uploadify in various forms ? I think this is a common script with vulnerabilities. They were all denied fortunately. But I don't see the term uploadify in your blacklist. Did you blacklist those requests some other way?

Jeff Starr
Posted by Jeff Starr

It's possible.. I haven't seen any uploadify requests that I can recall from memory, so something in the requests may already be blocked by the 5G/6G. What does a typical request-string look like?

Posted by Peter Mumford •

typically its fishing for uploadify.php, hoping that its in some plugin. This is typical:

/wordpress/wp-content/plugins/gpress/gpress-admin/fieldtypes/image_upload/scripts/uploadify.php 1 -

I have many similar 403s in my logs.

Jeff Starr
Posted by Jeff Starr

Hmm very interesting.. it doesn't look like the 5G is blocking that type of request, but something is.. it could be the user-agent or some other aspect of the request getting blocked, or more than likely it's denied by some default server configuration (at least on Apache servers).

Either way thanks for the info, I've added this to the list for upcoming 6G :)

Posted by Peter Mumford •
Jeff Starr
Posted by Jeff Starr

Ahh, excellent infos - will be put to good use!