TimThumb – Image Thumbnailer

Home Forums BulletProof Security Pro TimThumb – Image Thumbnailer

This topic contains 10 replies, has 3 voices, and was last updated by  Timbo 1 year, 8 months ago.

Viewing 11 posts - 1 through 11 (of 11 total)
  • Author
    Posts
  • #1303 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Timbo
    Participant

    Hello again,

    I’m having some trouble with TimThumb. Firstly, I’m using the latest version, and I have disabled external sites.

    I’m using a content management plugin which I desperately need, but it can only refer to images with their full URL. My TimThumb links looks like this: http://www.mydomainhere.com/wp-content/tt/tt.php?src=http://www.mydomainhere.com/wp-content/uploads/etc/pic.jpg

    The above results in a BPS Pro 403 Error. If I manually change the “src” to a local reference say “tt.php?src=/wp-content/uploads/etc/pic.jpg” it works fine.

    I’ve identified the problem being in the Website Root Folder htaccess file (as when I change it back to “Default Mode” TimThumb starts working again.

    Unfortunately it is not possible for me to change the “src” to a local reference, it needs to be the full URL. Is there a line I could add to the htaccess file to allow references back to my own domain name?

    Thanks in advance.

    -Timbo

    #1305 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    The link / URL structure is simulating an RFI hacking method and the root .htaccess file security filters are blocking this.  I am not sure if this skip/bypass rule will work, but try this first.  This skip/bypass rule would go above skip/bypass rule #12 and would be skip/bypass rule #13

    # uploads/etc folder allow simulated RFI Hack
    RewriteCond %{REQUEST_URI} ^/wp-content/uploads/etc/(.*)$ [NC]
    RewriteRule . - [S=13]

    If the skip/bypass rule above does not work then another option would be to put a RewriteEngine Off .htaccess file in the /uploads/etc folder.  You will find a RewriteEngine Off .htaccess file here – /wp-content/plugins/bulletproof-security/admin/htaccess/RewriteEngineOff.htaccess.  Download it to your computer and then upload it to /wp-content/uploads/etc/ and rename it to just .htaccess.

    #1308 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Nope neither of these methods above would work.  Try this instead.  Add the tt.php file as shown below in your TimThumb Skip/Bypass rule.  Who is buried in Grant’s Tomb again?  Spaced out on another one jeez.  ;)

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php|tt\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*foo.com.*
    RewriteRule . - [S=1]
    #1310 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Timbo
    Participant

    Thanks for the suggestions, but no luck unfortunately. I did however find the lines which are causing me trouble:

    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    #RewriteCond %{QUERY_STRING} http\: [NC,OR]
    

    As you can see I’ve commented them out.

    So, ah… how can I make an exception while maintaining security? Is it possible to add an exception for these rules for my domain only, or am I better off accepting the risk.

    Thanks again for your help, I know this is not directly related to BPS Pro, so your help is truly appreciated.

    Oh, I also may have misled you with my earlier post, the images are located in a folder similar to the following:
    tt.php?src=http://www.mydomainname.com/wp-content/uploads/2013/01/pic.jpg&h=150&w=150
    not
    tt.php?src=http://www.mydomainname.com/wp-content/uploads/etc/pic.jpg&h=150&w=150

    So the directory is dynamic (derived from the date uploaded).

    -Timbo

    #1311 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Timbo
    Participant

    Perfect!

    We both missed it, I swear I renamed my script back to timthumb.php to test.

    You hardly missed it, your solved my issue within a few hours of me posting it. Not just one, but two issues resolved MUCH quicker than expected. Both of my issues (so far) were related to 3rd party scripts, a lot of support services close the support ticket and wash their hands of the issue when that is the case.

    You my friend, provide excellent customer service. You have earned a loyal customer, and I will strongly recommend BPS Pro and your fantastic support every chance I get.

    -Timbo

    #2010 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Email Question:

    Hello
    new update broken some of functionalities with images, possibly timtumb rules are the problem. Theme has broken slideshow on home page and thumbs in portfolio, [domain name removed for privacy], portfolio I fixed uncommenting thimtumb rules in htaccess but slideshow on home page still not working. Any suggestions ?

    >>>>>>>>>>> 403 Error Logged - February 15, 2013 - 1:58 pm <<<<<<<<<<<
    REMOTE_ADDR: 190.167.38.15
    Host Name: 15.38.167.190.d.dyn.codetel.net.do
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: [domain URL removed for privacy]
    REQUEST_URI: /wp-content/themes/natural/lib/timthumb.php?src=http://www.example.com/wp-content/uploads/01_Cayo-Levantado_www.bio-samana.org_.jpg&w=1170&h=400&zc=1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
    #2012 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Check the timthumb security filters and make sure that your correct domain name is being whitelisted

    RewriteCond %{HTTP_REFERER} ^.*your-domain-name.com.*
    #2080 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Mark
    Member

    Hi there – if I may hijack the thread for a similar problem…  I’ve been wrangling with this for quite some time this morning and I’m at a loss.  Glad to see that this thread is recently active:   I am trying to use TimThumb to get/resize images from a Pinterest thread (working on a  customization of the Pinterest RSS widget).  For the life of me I can’t get past the 403 error.  I have tried modifying the ‘current root’ htaccess file with the following:

    
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    #RewriteCond %{HTTP_REFERER} ^.*frompapertoplate.com.* [OR]
    #RewriteCond %{HTTP_REFERER} ^.*pinterest.com.*

    It’s commented out now, but those last two lines, when uncommented, don’t help.  Here is an example URL i’m trying to load: http://www.frompapertoplate.com/wp-content/plugins/pinterest-rss-widget/timthumb.php?src=http://media-cache-ec7.pinterest.com/192x/de/fa/72/defa7211508f1263ee8573001bb3dcb9.jpg

    That section of the htaccess confuses me – I can’t tell if it’s to allow other sites to access files on MY site, or if it’s allowing my site (or more specifically the timthumb.php file) to retrieve files from OTHER sites.  I also added ‘pinterest’ to the lines that immediately follow (which include youtube and wikimedia) but that didn’t seem to do anything either, so I removed it.

    Any help getting timthumb to retrieve images from just pinterest (or for the benefit of others, whitelisting a single domain) would be most appreciated. And yes, I did add pinterest to the ‘allowed sites’ array in timthumb and ‘allow_external’ is also true. Thanks in advance!

    #2084 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Try a standard htaccess skip / bypass rule and see if that works.  This skip/bypass rule goes above skip/bypass rule #12 and is skip/bypass rule #13.  Test this code in your root .htaccess file and if it works copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, click the secure.htaccess AutoMagic button and then activate BulletProof Mode for your Root folder.

    # pinterest-rss-widget skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/pinterest-rss-widget/ [NC]
    RewriteRule . - [S=13]

     

    #2085 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    Mark
    Member

    Thanks Admin for your quick response. I stepped away from my computer after sending the above post and when I returned, it seems timthumb IS working, and all I did was leave the two ‘RewriteCond’ uncommented. I was trying to access the timthumb script directly when I was getting the 403 errors, but when I refreshed my homepage (with the widget included) the thumbnails from pinterest were showing, so I guess the instructions in the htaccess file were sufficient. Perhaps there was some cacheing issues at play. I appreciate your help!

    #2086 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Yep caching will do that.  ;)  I tend to forget this as well.  Glad to hear all is well.  Thanks for confirming the Referer Whitelist method works for you.

Viewing 11 posts - 1 through 11 (of 11 total)

You must be logged in to reply to this topic.