• Resolved netzgestaltung

    (@netzgestaltung)


    This is a duplicate of https://www.ads-software.com/support/topic/bad-query-strings-breaks-widgets/ with more inspection.

    AIOWS 4.4.9, WordPress 5.8.1 checking Firewall->Additional Firewall Rules->Deny Bad Query Strings causes the WordPress 5.8 Appearance->Widgets to show a 403 Forbidden error on each widget instead of the contents of the widget. Obvious solution is to uncheck that additional rule, just wanted to point this out. Surprised no one else has run into this…

    The cause of the problem is the addresses in the legacy widget iframe src attributes:
    widgets.php?legacy-widget-preview%5BidBase%5D=nav_menu&legacy-widget-preview%5Binstance%5D%5Bencoded%5D=YTo1OntzOjg6Im5hdl9tZW51IjtpOjEyMjk7czoxMjoid2lkZ2V0X2xvZ2ljIjtzOjIwOiIhaXNfdXNlcl9sb2dnZWRfaW4oKSI7czoxMDoidGl0bGVfbGluayI7czowOiIiO3M6MjM6InRpdGxlX2xpbmtfdGFyZ2V0X2JsYW5rIjtpOjA7czoxNToidGl0bGVfbGlua193cmFwIjtpOjA7fQ%3D%3D&legacy-widget-preview%5Binstance%5D%5Bhash%5D=65ade793669cf255d4f88b3729ce2253&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bnav_menu%5D=1229&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bwidget_logic%5D=!is_user_logged_in()&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle_link%5D=&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle_link_target_blank%5D=0&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle_link_wrap%5D=0

    If you compare this with the Bad Query Strings line in .htaccess, you will find the string “encode” in both of them.

    #AIOWPS_DENY_BAD_QUERY_STRINGS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ftp:     [NC,OR]
    RewriteCond %{QUERY_STRING} http:    [NC,OR]
    RewriteCond %{QUERY_STRING} https:   [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(request|insert|union|declare|drop) [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>
    #AIOWPS_DENY_BAD_QUERY_STRINGS_END

    This also previously stopped the plugin “email address encoder” from working, where the author was able to change the URL of his settings site. I imagine that will not be possible here.

    This is what it looks like:

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support vupdraft

    (@vupdraft)

    Hi.

    Thank you for your comprehensive documentation on this. I will pass this on to our development team for further investigation.

    Hello.
    This issue is marked as resolved, but what is the solution?
    I still have this problem on several websites.

    Thread Starter netzgestaltung

    (@netzgestaltung)

    No. You have to disable this piece (and re-enable it after the work is done), remove the string in .htaccess, or add a custom rule instead of the disabled one (copy/paste from .htaccess with the string removed).
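The false positive and the workaround discussed in this thread can be reproduced offline. The sketch below is an added example, not part of the thread or of the plugin's code: it approximates the six `RewriteCond` patterns with Python's `re` module and reports which one rejects the widget preview request. The sample query string is constructed (shortened from the iframe src above, with placeholders for the base64 and hash values), and `blocking_conditions`, `without_keyword` and `RELAXED` are hypothetical names.

```python
import re

# Conditions copied from the AIOWPS_DENY_BAD_QUERY_STRINGS block quoted in the thread.
# Each carries [NC] (case-insensitive); RewriteCond patterns are unanchored and see
# the raw, still percent-encoded query string.
DENY_CONDITIONS = [
    r"ftp:",
    r"http:",
    r"https:",
    r"mosConfig",
    r"^.*(globals|encode|localhost|loopback).*",
    r"(\;|'|\"|%22).*(request|insert|union|declare|drop)",
]

# Constructed sample: the widget preview query string from the thread, shortened,
# with the base64 and hash values replaced by placeholders.
WIDGET_PREVIEW = (
    "legacy-widget-preview%5BidBase%5D=nav_menu"
    "&legacy-widget-preview%5Binstance%5D%5Bencoded%5D=BASE64_PLACEHOLDER"
    "&legacy-widget-preview%5Binstance%5D%5Bhash%5D=HASH_PLACEHOLDER"
)

def blocking_conditions(query_string, patterns=DENY_CONDITIONS):
    """Return (pattern, matched keyword) for each condition that would send the 403."""
    hits = []
    for pattern in patterns:
        m = re.search(pattern, query_string, re.IGNORECASE)
        if m:
            # Patterns with groups report the keyword group, others the whole match.
            hits.append((pattern, m.group(m.lastindex or 0)))
    return hits

def without_keyword(patterns, keyword):
    """Workaround from the thread: same conditions, one mid-alternation keyword dropped."""
    return [p.replace("|" + keyword + "|", "|") for p in patterns]

RELAXED = without_keyword(DENY_CONDITIONS, "encode")

if __name__ == "__main__":
    for label, rules in (("original", DENY_CONDITIONS), ("relaxed", RELAXED)):
        print(label, blocking_conditions(WIDGET_PREVIEW, rules))
    # The relaxed set must still reject what the other keywords target.
    print("relaxed", blocking_conditions("host=localhost", RELAXED))
```

The only hit on the preview URL is the `encode` alternative, which matches inside the parameter name `%5Bencoded%5D`; the relaxed set lets the preview through while the remaining keywords still match.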

  • The topic ‘Bad Query Strings breaks Widgets’ is closed to new replies.