Easy Pagination Plugin thumbnail images 403 error
Tagged: 403 error, Easy Pagination Plugin, thumbnail images
- This topic has 27 replies, 3 voices, and was last updated 10 years, 6 months ago by FDSFD.
AITpro Admin (Keymaster):
Email Question:
Hi there,
On my wife’s blog I am trying to get a plugin from RightHere called Easy pagination to work plugins.righthere.com/easy-pagination/. It seems to use a script to create thumbnails on the fly. Each thumbnail creation is triggering a security log entry (as per ex below) so I think BPS is blocking them.
I have tried:
/easy-pagination/images/thumbnail.php?(.*)
/easy-pagination/images/thumbnail.php?w=85&h=85&zc=1&src=http://example.com/wp-content/uploads/(.*)
/easy-pagination/images/thumbnail.php?w=85&h=85&zc=1&src=http://example.com/wp-content/uploads/2013/05/Foundation-300x199.jpg
But none seem to work in the Firewall settings.
I even deleted the UAEG .htaccess file thinking that could be the culprit.

>>>>>>>>>>> 403 GET or Other Request Error Logged - mai 17, 2013 - 2:21 <<<<<<<<<<<
REMOTE_ADDR: xx.xx.xx.xx
Host Name: xxxxxxx
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: xx.xx.xx.xx
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: [website domain name removed for privacy]/?p=1253&preview=true
REQUEST_URI: /wp-content/plugins/easy-pagination/images/thumbnail.php?w=85&h=85&zc=1&src=http://[website domain name removed]/wp-content/uploads/2013/05/Foundation-300x199.jpg
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Does this need some type of bypass rule to work?
AITpro Admin (Keymaster):
Try this whitelist rule first…
/easy-pagination/images/thumbnail.php
If it does not work try this…
/easy-pagination/images/(.*).php
If it does not work try this…
/easy-pagination/(.*).php
J Garner (Participant):
I tried them all in the order above and keep on getting the error.
Wouldn’t the fact that the page calls the image URL,
i.e. /wp-content/plugins/easy-pagination/images/thumbnail.php?w=85&h=85&zc=1&src=http://[website domain name removed]/wp-content/uploads/2013/05/Foundation-300x199.jpg
be the part that is creating the problem as all the rules end with .php in all cases above whereas the error example has the trailing ‘?’ then the URL to the image folder?
Thanks
AITpro Admin (Keymaster):
Nope, that is not it because what is being matched would be this – /plugin-folder-name/plugin-script.php. It does not matter if anything comes after this pattern – it would already match.
Maybe this does not have to do with the Plugin Firewall or there are actually 2 things that need to be whitelisted.
1. Copy this .htaccess code to this Custom Code text box: CUSTOM CODE PLUGIN FIXES:
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# Easy Pagination skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/easy-pagination/ [NC]
RewriteRule . - [S=13]
AITpro Admin (Keymaster):
To isolate exactly what is causing the issue you can do these standard BPS Pro troubleshooting steps.
http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
J Garner (Participant):
I got to step 5, deactivating everything, and the thumbnails system worked.
I then reactivated Root Bulletproof htaccess
Then the Firewall htaccess
Then wp-admin folder htaccess
Then the UAEG htaccess

But having put everything back in place and having deleted the WP Super Cache for the page it all still worked, and at each step above, reactivating and putting things back, the thumbnails still worked.
So I guessed that this could be about creating the thumbnails so I added a new one and of course it didn’t show up but the others showed up fine with their thumbnails!
J Garner (Participant):
One other thing is that checking the security log only the last thumbnail is coming up as an issue, so all the others seem to work fine now that (I guess) the other initial thumbnails have been created…

AITpro Admin (Keymaster):
So deactivating UAEG seemed to be what was blocking this plugin from creating thumbnails? Did you reactivate UAEG to confirm this?

J Garner (Participant):
OK so I tested everything one by one
Deleting only the UAEG uploads htaccess file with everything else working didn’t prevent the error
Deleting only the Firewall htaccess file with everything else working didn’t prevent the error
Deleting only the wp-admin htaccess file with everything else working didn’t prevent the error
Deleting the root htaccess file prevented the error from occurring

AITpro Admin (Keymaster):
Ok did you test the skip/bypass rule in your root .htaccess file that I posted?

AITpro Admin (Keymaster):
UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins' htaccess code.
Never mind I see what the issue is now.
1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

IMPORTANT!!!: Edit the code below after copying it to BPS Custom Code and replace “example.com” with your actual website domain name.

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (thumbnail\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*example.com.*
RewriteRule . - [S=1]
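To see how the rule above behaves against concrete requests, here is an added simulation (my own Python, not BPS or Easy Pagination code) that applies the same regular expressions with Python's re module. It assumes the skip/bypass rule is evaluated before the RFI forbid rule (the only order in which [S=1] can skip it), keeps the placeholder domain example.com from the rule, and constructs its own sample requests, the first of which mirrors the logged thumbnail request.

```python
import re

# Patterns copied from the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE above.
RFI_PATTERN = (
    r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?"
    r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|"
    r"wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$"
)
SKIP_FILES = r"(thumbnail\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)"
SKIP_REFERER = r"^.*example.com.*"  # placeholder domain, exactly as in the rule above


def evaluate(request_uri, referer=""):
    """Simulate the two rules for one GET request.

    Returns "skip" if the bypass rule fires (the RFI check is never run),
    "forbid" if the RFI rule fires (Apache would answer 403), else "pass".
    Assumption: the skip rule comes first, so [S=1] skips the RFI rule.
    """
    # Apache splits the request: REQUEST_URI is the path only, QUERY_STRING is
    # what follows '?', THE_REQUEST is the whole request line.
    path, _, query = request_uri.partition("?")
    the_request = f"GET {request_uri} HTTP/1.1"

    # Skip/bypass rule: the two RewriteConds are ANDed; only the file list has [NC].
    if re.search(SKIP_FILES, path, re.I) and re.search(SKIP_REFERER, referer):
        return "skip"

    # RFI forbid rule: QUERY_STRING [NC,OR] THE_REQUEST [NC] -> RewriteRule .* index.php [F]
    if re.search(RFI_PATTERN, query, re.I) or re.search(RFI_PATTERN, the_request, re.I):
        return "forbid"
    return "pass"


# Constructed sample requests (THUMB mirrors the thumbnail request from the log).
THUMB = ("/wp-content/plugins/easy-pagination/images/thumbnail.php"
         "?w=85&h=85&zc=1&src=http://example.com/wp-content/uploads/2013/05/Foundation-300x199.jpg")
REMOTE_SRC = ("/wp-content/plugins/easy-pagination/images/thumbnail.php"
              "?w=85&h=85&zc=1&src=http://imgur.com/constructed.jpg")

if __name__ == "__main__":
    print(evaluate(THUMB, "http://example.com/?p=1253&preview=true"))              # skip
    print(evaluate(REMOTE_SRC))                                                      # forbid
    print(evaluate(REMOTE_SRC, "http://example.com/"))                              # skip
    print(evaluate("/index.php?q=http://imgur.com/x.jpg", "http://example.com/"))  # forbid
```

The third call is the caveat to keep in mind: the bypass keys on the file name plus the Referer header, which the client supplies, so once both match the RFI check is skipped regardless of where src points, which is why the file list and domain pattern should stay as narrow as possible.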
J Garner (Participant):
I have saved the bypass rule and it appears in the custom code when I look at the plugin area, but it does not appear in the secure htaccess file or the root htaccess file!

AITpro Admin (Keymaster):
Never mind, see my last post. You need to whitelist the thumbnail.php file name in the security filter I posted above.

J Garner (Participant):
Obsolete: BPS no longer uses this feature:
Finally, that worked 🙂
BTW can I also add that to the secure.htaccess file so that if I recreate the root htaccess file it carries that through?
Shall I delete the bypass rule? Any idea why that didn’t get copied through to the root htaccess file?

AITpro Admin (Keymaster):
Yep, of course. I spaced out and made a mental assumption (tunnel vision) about the timthumb.php file and did not see that it had been renamed to a different name – thumbnail.php.
Unfortunately, for now this is a manual edit that would have to be done again if you create a new Master .htaccess file. The next version of BPS Pro will have several new Custom Code Text boxes so that any edits will be saved permanently and will always be written by [obsolete-removed] to your root .htaccess file.
Yes, delete the other skip/bypass rule.
The Custom Code steps are: Add your Custom Code to the text box, click the save button to save it, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button. Just saving custom code to Custom Code saves it to your Database and does not do anything else.