TimThumb – Image Thumbnailer

[Timbo]

Hello again,

I’m having some trouble with TimThumb. Firstly, I’m using the latest version, and I have disabled external sites.

I’m using a content management plugin which I desperately need, but it can only refer to images with their full URL. My TimThumb links looks like this: http://www.mydomainhere.com/wp-content/tt/tt.php?src=http://www.mydomainhere.com/wp-content/uploads/etc/pic.jpg

The above results in a BPS Pro 403 Error. If I manually change the “src” to a local reference say “tt.php?src=/wp-content/uploads/etc/pic.jpg” it works fine.

I’ve identified the problem being in the Website Root Folder htaccess file (as when I deactivate Root Folder BulletProof Mode TimThumb starts working again).

Unfortunately it is not possible for me to change the “src” to a local reference, it needs to be the full URL. Is there a line I could add to the htaccess file to allow references back to my own domain name?

Thanks in advance.

-Timbo

[AITpro Admin]

The link / URL structure is simulating an RFI hacking method and the root .htaccess file security filters are blocking this.  I am not sure if this skip/bypass rule will work, but try this first.  This skip/bypass rule would go above skip/bypass rule #12 and would be skip/bypass rule #13

# uploads/etc folder allow simulated RFI Hack
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/etc/(.*)$ [NC]
RewriteRule . - [S=13]

If the skip/bypass rule above does not work then another option would be to put a RewriteEngine Off .htaccess file in the /uploads/etc folder.  You will find a RewriteEngine Off .htaccess file here – /wp-content/plugins/bulletproof-security/admin/htaccess/RewriteEngineOff.htaccess.  Download it to your computer and then upload it to /wp-content/uploads/etc/ and rename it to just .htaccess.

[AITpro Admin]

Nope neither of these methods above would work.  Try this instead.  Add the tt.php file as shown below in your TimThumb Skip/Bypass rule.  Who is buried in Grant’s Tomb again?  Spaced out on another one jeez.  😉

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Only Allow Internal File Requests From Your Website
# To Allow Additional Websites Access to a File Use [OR] as shown below.
# RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
# RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php|tt\.php) [NC]
RewriteCond %{HTTP_REFERER} ^.*foo.com.*
RewriteRule . - [S=1]

[Timbo]

Thanks for the suggestions, but no luck unfortunately. I did however find the lines which are causing me trouble:

#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
#RewriteCond %{QUERY_STRING} http\: [NC,OR]

As you can see I’ve commented them out.

So, ah… how can I make an exception while maintaining security? Is it possible to add an exception for these rules for my domain only, or am I better off accepting the risk.

Thanks again for your help, I know this is not directly related to BPS Pro, so your help is truly appreciated.

Oh, I also may have misled you with my earlier post, the images are located in a folder similar to the following:
tt.php?src=http://www.mydomainname.com/wp-content/uploads/2013/01/pic.jpg&h=150&w=150
not
tt.php?src=http://www.mydomainname.com/wp-content/uploads/etc/pic.jpg&h=150&w=150

So the directory is dynamic (derived from the date uploaded).

-Timbo

[Timbo]

Perfect!

We both missed it, I swear I renamed my script back to timthumb.php to test.

You hardly missed it, your solved my issue within a few hours of me posting it. Not just one, but two issues resolved MUCH quicker than expected. Both of my issues (so far) were related to 3rd party scripts, a lot of support services close the support ticket and wash their hands of the issue when that is the case.

You my friend, provide excellent customer service. You have earned a loyal customer, and I will strongly recommend BPS Pro and your fantastic support every chance I get.

-Timbo

[AITpro Admin]

Email Question:

Hello
new update broken some of functionalities with images, possibly timtumb rules are the problem. Theme has broken slideshow on home page and thumbs in portfolio, [domain name removed for privacy], portfolio I fixed uncommenting thimtumb rules in htaccess but slideshow on home page still not working. Any suggestions ?

>>>>>>>>>>> 403 Error Logged - February 15, 2013 - 1:58 pm <<<<<<<<<<<
REMOTE_ADDR: 190.167.38.15
Host Name: 15.38.167.190.d.dyn.codetel.net.do
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: [domain URL removed for privacy]
REQUEST_URI: /wp-content/themes/natural/lib/timthumb.php?src=http://www.example.com/wp-content/uploads/01_Cayo-Levantado_www.bio-samana.org_.jpg&w=1170&h=400&zc=1
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0

[AITpro Admin]

Check the timthumb security filters and make sure that your correct domain name is being whitelisted

RewriteCond %{HTTP_REFERER} ^.*your-domain-name.com.*

[Mark]

Hi there – if I may hijack the thread for a similar problem…  I’ve been wrangling with this for quite some time this morning and I’m at a loss.  Glad to see that this thread is recently active:   I am trying to use TimThumb to get/resize images from a Pinterest thread (working on a  customization of the Pinterest RSS widget).  For the life of me I can’t get past the 403 error.  I have tried modifying the ‘current root’ htaccess file with the following:

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Only Allow Internal File Requests From Your Website
# To Allow Additional Websites Access to a File Use [OR] as shown below.
#RewriteCond %{HTTP_REFERER} ^.*frompapertoplate.com.* [OR]
#RewriteCond %{HTTP_REFERER} ^.*pinterest.com.*

It’s commented out now, but those last two lines, when uncommented, don’t help.  Here is an example URL i’m trying to load: http://www.frompapertoplate.com/wp-content/plugins/pinterest-rss-widget/timthumb.php?src=http://media-cache-ec7.pinterest.com/192x/de/fa/72/defa7211508f1263ee8573001bb3dcb9.jpg

That section of the htaccess confuses me – I can’t tell if it’s to allow other sites to access files on MY site, or if it’s allowing my site (or more specifically the timthumb.php file) to retrieve files from OTHER sites.  I also added ‘pinterest’ to the lines that immediately follow (which include youtube and wikimedia) but that didn’t seem to do anything either, so I removed it.

Any help getting timthumb to retrieve images from just pinterest (or for the benefit of others, whitelisting a single domain) would be most appreciated. And yes, I did add pinterest to the ‘allowed sites’ array in timthumb and ‘allow_external’ is also true. Thanks in advance!

[AITpro Admin]

Try a standard htaccess skip / bypass rule and see if that works.  This skip/bypass rule goes above skip/bypass rule #12 and is skip/bypass rule #13.  Test this code in your root .htaccess file and if it works copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# pinterest-rss-widget skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/pinterest-rss-widget/ [NC]
RewriteRule . - [S=13]

[Mark]

Thanks Admin for your quick response. I stepped away from my computer after sending the above post and when I returned, it seems timthumb IS working, and all I did was leave the two ‘RewriteCond’ uncommented. I was trying to access the timthumb script directly when I was getting the 403 errors, but when I refreshed my homepage (with the widget included) the thumbnails from pinterest were showing, so I guess the instructions in the htaccess file were sufficient. Perhaps there was some cacheing issues at play. I appreciate your help!

[AITpro Admin]

Yep caching will do that.  😉  I tend to forget this as well.  Glad to hear all is well.  Thanks for confirming the Referer Whitelist method works for you.

[Author]

Posts