Easy Pagination Plugin thumbnail images 403 error

Viewing 15 posts - 1 through 15 (of 28 total)
  • #5767
    AITpro Admin
    Keymaster

    Email Question:

    Hi there,

    On my wife’s blog I am trying to get a plugin from RightHere called Easy pagination to work plugins.righthere.com/easy-pagination/. It seems to use a script to create thumbnails on the fly. Each thumbnail creation is triggering a security log entry (as per ex below) so I think BPS is blocking them.

    I have tried:

    /easy-pagination/images/thumbnail.php?(.*)
    
    /easy-pagination/images/thumbnail.php?w=85&h=85&zc=1&src=http://example.com/wp-content/uploads/(.*)
    
    /easy-pagination/images/thumbnail.php?w=85&h=85&zc=1&src=http://example.com/wp-content/uploads/2013/05/Foundation-300x199.jpg

    But none seem to work in the Firewall settings
    I even deleted the UAEG .htaccess file thinking that could be the culprit

    >>>>>>>>>>> 403 GET or Other Request Error Logged - mai 17, 2013 - 2:21   <<<<<<<<<<<
    REMOTE_ADDR: xx.xx.xx.xx
    Host Name: xxxxxxx
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: xx.xx.xx.xx
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: [website domain name removed for privacy]/?p=1253&preview=true
    REQUEST_URI: /wp-content/plugins/easy-pagination/images/thumbnail.php?w=85&h=85&zc=1&src=http: //[website domain name removed]/wp-content/uploads/2013/05/Foundation-300x199.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31

    Does this need some type of bypass rule to work?

    #5769
    AITpro Admin
    Keymaster

    Try this whitelist rule first…

    /easy-pagination/images/thumbnail.php

    If it does not work try this…

    /easy-pagination/images/(.*).php

    If it does not work try this…

    /easy-pagination/(.*).php

    #5770
    J Garner
    Participant

    I tried them all in the order above and keep on getting the error.

    Wouldn’t the fact that the page calls the image URL,
    i.e.

    /wp-content/plugins/easy-pagination/images/thumbnail.php?w=85&h=85&zc=1&src=http: //[website domain name removed]/wp-content/uploads/2013/05/Foundation-300x199.jpg

    be the part that is creating the problem as all the rules end with .php in all cases above whereas the error example has the trailing ‘?’ then the URL to the image folder?

    Thanks

    #5771
    AITpro Admin
    Keymaster

    Nope, that is not it because what is being matched would be this – /plugin-folder-name/plugin-script.php.  It does not matter if anything comes after this pattern – it would already match.

    Maybe this does not have to do with the Plugin Firewall or there are actually 2 things that need to be whitelisted.

    1. Copy this .htaccess code to this Custom Code text box: CUSTOM CODE PLUGIN FIXES:
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # Easy Pagination skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/easy-pagination/ [NC]
    RewriteRule . - [S=13]

    #5772
    AITpro Admin
    Keymaster

    To isolate exactly what is causing the issue you can do these standard BPS Pro troubleshooting steps.

    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    #5773
    J Garner
    Participant

    I got to step 5 deactivating everything and the thumbnails system worked.

    I then reactivated Root Bulletproof htaccess
    Then the Firewall htaccess
    Then wp-admin folder htaccess
    Then the UAEG htaccess

    But having put everything back in place and having deleted the WP Super Cache for the page it all still worked and at each step above reactivating and putting things back the thumbnails still worked.

    So I guessed that this could be about creating the thumbnails so I added a new one and of course it didn’t show up but the others showed up fine with their thumbnails!

    #5774
    J Garner
    Participant

    One other thing is that checking the security log only the last thumbnail is coming up as an issue so all the others seem to work fine now that (I guess) the other initial thumbnails have been created…

    #5775
    AITpro Admin
    Keymaster

    So deactivating UAEG seemed to be what was blocking this plugin from creating thumbnails?  Did you reactivate UAEG to confirm this?

    #5778
    J Garner
    Participant

    OK so I tested everything one by one
    Deleting only the UAEG uploads htaccess file with everything else working didn’t prevent the error
    Deleting only the Firewall htaccess file with everything else working didn’t prevent the error
    Deleting only the wp-admin htaccess file with everything else working didn’t prevent the error
    Deleting the root htaccess file prevented the error from occurring

    #5780
    AITpro Admin
    Keymaster

    Ok did you test the skip/bypass rule in your root .htaccess file that I posted?

    #5781
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    Never mind I see what the issue is now.
    1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    IMPORTANT!!!: Edit the code below after copying it to BPS Custom Code and replace “example.com” with your actual website domain name.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (thumbnail\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]
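
The following is an added example, not code from this thread or from BulletProof Security. It is a small Python model of the mod_rewrite behaviour the two admin posts above rely on: %{REQUEST_URI} holds only the path, so a Plugin Firewall whitelist entry matches no matter what follows the "?" (the #5771 point); conditions are ANDed unless flagged [OR]; [NC] makes a match case-insensitive; [F] forbids; and [S=1] jumps over the next rule (the #5781 rule set). The two rules from #5781 are transcribed as posted. The third rule in the chain is a constructed stand-in for whatever rule [S=1] skips in a real root .htaccess (modelled here as a generic "no full URL in the query string" filter), and the request and referer values are constructed from the log entry in #5767 with the domain replaced by example.com.

```python
import re
from urllib.parse import urlsplit

# Added example: a toy mod_rewrite chain evaluator, not BPS code.


def request_vars(method, url, referer=""):
    """Constructed stand-in for the Apache variables the rules read."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return {
        "REQUEST_URI": parts.path,          # path only; the query string is never part of it
        "QUERY_STRING": parts.query,
        "THE_REQUEST": f"{method} {target} HTTP/1.1",
        "HTTP_REFERER": referer,
    }


# Host list exactly as in the posted TIMTHUMB FORBID RFI rule.
RFI_HOSTS = (r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack"
             r"|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame)")
RFI_PATTERN = r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?" + RFI_HOSTS + r".*$"

# Each rule: (variable, regex, flags) conditions, then an action: "F" or ("S", n).
RULES = [
    # TIMTHUMB FORBID RFI rule as posted in #5781
    {"conds": [("QUERY_STRING", RFI_PATTERN, {"NC", "OR"}),
               ("THE_REQUEST", RFI_PATTERN, {"NC"})],
     "action": "F"},
    # MISC FILE SKIP/BYPASS rule as posted, with thumbnail.php added to the whitelist
    {"conds": [("REQUEST_URI",
                r"(thumbnail\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", {"NC"}),
               ("HTTP_REFERER", r"^.*example.com.*", set())],
     "action": ("S", 1)},
    # Constructed stand-in for the rule that [S=1] jumps over in a real root .htaccess:
    # a generic "no full URL in the query string" filter.
    {"conds": [("QUERY_STRING", r"(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)", {"NC"})],
     "action": "F"},
]


def cond_matches(variables, cond):
    var, pattern, flags = cond
    return re.search(pattern, variables.get(var, ""),
                     re.IGNORECASE if "NC" in flags else 0) is not None


def conds_pass(variables, conds):
    """An [OR]-flagged condition chains with the next one; chains are ANDed."""
    i, ok_all = 0, True
    while i < len(conds):
        chain_ok = False
        while i < len(conds):
            cond = conds[i]
            chain_ok = chain_ok or cond_matches(variables, cond)
            i += 1
            if "OR" not in cond[2]:
                break
        ok_all = ok_all and chain_ok
    return ok_all


def evaluate(variables, rules=RULES):
    """Walk the chain; return ("FORBIDDEN" or "ALLOWED", indexes of rules evaluated)."""
    trace, i = [], 0
    while i < len(rules):
        rule = rules[i]
        trace.append(i)
        if conds_pass(variables, rule["conds"]):
            action = rule["action"]
            if action == "F":
                return "FORBIDDEN", trace
            if isinstance(action, tuple) and action[0] == "S":
                i += action[1]           # skip the next n rules
        i += 1
    return "ALLOWED", trace


def plugin_firewall_whitelisted(variables, whitelist_entry):
    """The #5771 point: an entry is a regex tested against the path, so nothing
    after '?' can stop '/easy-pagination/images/thumbnail.php' from matching."""
    return re.search(whitelist_entry, variables["REQUEST_URI"]) is not None


# Constructed request modelled on the #5767 log entry, domain replaced by example.com.
THUMB_URL = ("/wp-content/plugins/easy-pagination/images/thumbnail.php"
             "?w=85&h=85&zc=1&src=http://example.com/wp-content/uploads/2013/05/Foundation-300x199.jpg")
SITE_REFERER = "http://example.com/?p=1253&preview=true"

if __name__ == "__main__":
    cases = [
        ("own-site thumbnail, referer present", THUMB_URL, SITE_REFERER),
        ("same request, no referer", THUMB_URL, ""),
        ("src on an RFI-listed host", THUMB_URL.replace("example.com/wp", "imgur.com/wp", 1), SITE_REFERER),
    ]
    for label, url, ref in cases:
        print(f"{label}: {evaluate(request_vars('GET', url, ref))}")
```

Two things the trace makes visible. The forbid rule sits before the skip rule, so a src on one of the listed hosts is rejected at rule 0 and the thumbnail.php whitelist never gets a chance to bypass it; that ordering is what keeps the whitelist from weakening the RFI filter. The skip rule's second condition is the Referer header, which the client sends, so it gates compatibility for browsers loading the page normally rather than acting as an authorization boundary; a direct request without a referer falls through to the next rule and is forbidden in this model. The stand-in third rule only approximates the real root .htaccess, so confirm the outcome against the actual file when reproducing this.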

    #5782
    J Garner
    Participant

    I have saved the bypass rule and it appears in the custom code when I look at the plugin area but it does not appear in the secure htaccess file or the root htaccess file!

    #5784
    AITpro Admin
    Keymaster

    Never mind see my last post.  You need to whitelist the thumbnail.php file name in the security filter I posted above.

    #5785
    J Garner
    Participant

    Obsolete BPS no longer uses this feature: 

    Finally, that worked 🙂
    BTW can I also add that to the secure.htaccess file so that if I recreate the root htaccess file it carries that through?
    Shall I delete the bypass rule? Any idea why that didn’t get copied through to the root htaccess file?

    #5786
    AITpro Admin
    Keymaster

    Yep, of course.  I spaced out and made a mental assumption (tunnel vision) about the timthumb.php file and did not see that it had been renamed to a different name – thumbnail.php.

    Unfortunately, for now this is a manual edit that would have to be done again if you create a new Master .htaccess file.  The next version of BPS Pro will have several new Custom Code Text boxes so that any edits will be saved permanently and will always be written by [obsolete-removed] to your root .htaccess file.

    Yes, delete the other skip/bypass rule.

    The Custom Code steps are:  Add your Custom Code to the text box, click the save button to save it, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button. Just saving custom code to Custom Code saves it to your Database and does not do anything else.
