Visits (Referrals) from WeChat app are blocked by Elxis Defender

seadhna:
Hi there,
if users share links to any Elxis website in the Chinese "everything app" WeChat, the visitor is unable to visit the website and receives an error message. This has started happening just in the past few weeks.

Sample security log:

2023-09-06 14:27:39 GMT [IP ADDRESS REMOVED FROM THIS FORUM TOPIC]
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090621) XWEB/8379 Flue
REFERER: https://weixin110.qq.com/
GET /video-challenge/gallery.html
REFCODE: DEFG-0002 Request blocked, Method: AGENT, Rule: (0x67, Reason: Unacceptable character

This happens on all Elxis websites tested. The only known fix is to turn off Elxis Defender.

Sample Email report:

Elxis Defender blocked an attack to your site!
Reference code: SEC-DEFG-0002

Elxis Defender report
Rules:  general
Match where:    AGENT
Regex match number:     3
Match rule:     (0x67
Reason:         Unacceptable character

Requested URI:  /video-challenge/2023.html
IP address:    REMOVED FROM THIS MESSAGE
Hostname:       REMOVED FROM THIS MESSAGE
HTTP Referrer:  https://weixin110.qq.com/
User agent:     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090621) XWEB/8379 Flue
Date (UTC):     2023-09-06 14:27:16
Site URL:       REMOVED FROM THIS MESSAGE

This is only happening in the WeChat app, which also works as a browser. If users copy the link to a different browser, there is no error. However, normally users will click directly on links inside the app.

Does anyone have any idea why this might be happening?

The URL in the address bar does not appear to have any unacceptable characters - it looks normal.

seadhna:
It seems like Elxis Defender does not like this part of the User Agent? (0x67

webgift:
Hello,
this is a really unacceptable character indeed.
Disabling Elxis Defender altogether is not a suggested option.
I believe that it's not even a great idea to disable the rule triggered on Elxis Defender. I would report that to the WeChat technical team to exclude that kind of character from URLs inside their app.

datahell:
You can disable this specific filter. Open this file:
includes/libraries/elxis/defender/general.rules.php

And comment out the third rule:
//array('URI,QUERY,POST,AGENT', '[^a-z0-9]0x[0-9a-f][0-9a-f]', 'Unacceptable character'),

Alternatively, you can keep this line but only remove the AGENT part:
array('URI,QUERY,POST', '[^a-z0-9]0x[0-9a-f][0-9a-f]', 'Unacceptable character'),

Note that after an update your changes will be lost. So, alternatively you can do this:
Copy all "general" filters into the "custom" filters file. On custom.rules.php comment out the third line as before.
Go to Elxis settings and in Defender disable general filters and enable custom filters.

Now Elxis Defender works as before but without the 3rd rule, or with the AGENT part removed. Also, after an update your changes will be preserved.

Note on Elxis Defender error code
Reference code: SEC-DEFG-0002

SEC: Security, reason for the alert
DEFG: Source, Defender General filters
0002: Rule number 3 (the rules are 0-indexed: the first rule is 0, the second 1, the third 2, etc.)
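
To see why the reference code is DEFG-0002 and what the two suggested fixes change, here is an added example (not Elxis code) that re-implements the rule matching in Python. Rules 0 and 1 are constructed stand-ins so that the rule quoted above lands at index 2, the user agent is the WeChat one from the log, and case-insensitive matching is an assumption.

```python
import re
from typing import Optional

# Rule tuples mirror the shape used in general.rules.php: (targets, regex, reason).
# Rules 0 and 1 are constructed stand-ins (not Elxis rules) so that the rule
# quoted in the thread sits at index 2, i.e. reference code DEFG-0002.
GENERAL_RULES = [
    ("URI,QUERY,POST,AGENT", r"\x00", "NUL byte (stand-in rule)"),
    ("URI,QUERY,POST,AGENT", r"\.\./", "Path traversal (stand-in rule)"),
    ("URI,QUERY,POST,AGENT", r"[^a-z0-9]0x[0-9a-f][0-9a-f]", "Unacceptable character"),
]

# Same list with AGENT dropped from the third rule, as suggested in the thread.
CUSTOM_RULES = GENERAL_RULES[:2] + [
    ("URI,QUERY,POST", r"[^a-z0-9]0x[0-9a-f][0-9a-f]", "Unacceptable character"),
]

# User agent copied from the security log in the first post.
WECHAT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 NetType/WIFI "
             "MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090621) "
             "XWEB/8379 Flue")


def check_request(rules, request: dict, source: str = "DEFG") -> Optional[dict]:
    """Return details of the first rule that matches one of its targets, or None.

    `request` maps target names (URI, QUERY, POST, AGENT) to strings.
    Assumption: Defender matches case-insensitively (re.IGNORECASE here).
    """
    for index, (targets, regex, reason) in enumerate(rules):
        pattern = re.compile(regex, re.IGNORECASE)
        for target in targets.split(","):
            match = pattern.search(request.get(target, ""))
            if match:
                return {
                    "refcode": f"{source}-{index:04d}",  # 0-indexed, like SEC-DEFG-0002
                    "rule": index + 1,                   # 1-based "Regex match number" in the email
                    "target": target,
                    "matched": match.group(0),           # "(0x67" for the WeChat UA
                    "reason": reason,
                }
    return None


if __name__ == "__main__":
    wechat_visit = {"URI": "/video-challenge/gallery.html", "AGENT": WECHAT_UA}
    print(check_request(GENERAL_RULES, wechat_visit))  # blocked on AGENT, DEFG-0002
    print(check_request(CUSTOM_RULES, wechat_visit))   # None: WeChat visitors get through
    # Constructed query string: the narrowed rule still blocks hex escapes in QUERY.
    print(check_request(CUSTOM_RULES, {"QUERY": "id=0x41", "AGENT": WECHAT_UA}))
```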

seadhna:
Thanks! We'll reach out to the WeChat folks and hopefully they can fix this on their end for a more permanent long-term solution.
