HTML5 compliant PDF Viewer for WordPress – 403 error


This topic contains 3 replies, has 2 voices, and was last updated by AITpro Admin 1 year, 2 months ago.

    #32457

    AITpro Admin
    Keymaster
    [403 GET Request: February 19, 2017 - 23:18]
    BPS: .54.4
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 2a02:1810:0406:2d00:759d:2758:cad4:02ca
    Host Name: ptr-4chfqzwj07mclb7kju.18120a2.ip6.access.telenet.be
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 2a02:1810:0406:2d00:759d:2758:cad4:02ca
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://ninavanrompaey.be/resume/
    REQUEST_URI: /wp-content/plugins/pdf-viewer/stable/web/viewer.html?file=https://ninavanrompaey.be/wp-content/uploads/2017/01/NinaVanRompaey-CV.pdf
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.54 Safari/537.36

    Problem: The method used by this plugin to view PDF files simulates an RFI hacking attempt against a website.

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    Solution: Create an RFI Misc Skip/Bypass rule for the viewer.html file.

    1. Copy the code below to this Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE: Add additional Referers and/or misc file names.
    IMPORTANT! Change the HTTP_REFERER example.com domain name in the code below to your actual domain/website name after you copy this code to BPS Custom Code.
    2. Save your new custom code by clicking the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    #
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (viewer\.html|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]
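As an added illustration (not BPS code), the Python below evaluates the two RewriteCond groups from the custom code above the way mod_rewrite tests them: the forbid group against QUERY_STRING/THE_REQUEST and the skip/bypass group against REQUEST_URI/HTTP_REFERER. It uses the request from the log entry in this post, assumes the site domain from that log (ninavanrompaey.be) has been substituted for example.com as step 1 requires, adds a constructed probe request, and models only these rules rather than the whole BPS root .htaccess.

```python
import re

# RewriteCond regexes copied from the BPS custom code above; only these two
# rule groups are modelled, not the rest of the BPS root .htaccess.
RFI_RE = re.compile(
    r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?"
    r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|"
    r"wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$",
    re.IGNORECASE,  # the [NC] flag
)
MISC_FILES_RE = re.compile(  # viewer.html added, as the post's solution does
    r"(viewer\.html|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", re.IGNORECASE)

def referer_re(site_domain):
    """HTTP_REFERER condition; step 1 says example.com must become the real
    domain. No [NC], so case-sensitive; the unescaped dot is kept as posted."""
    return re.compile(r"^.*" + site_domain + r".*")

def rfi_forbid_matches(env):
    """QUERY_STRING [NC,OR] then THE_REQUEST [NC]: the [F] rule fires if either
    variable carries a remote URL on one of the listed hosts."""
    return bool(RFI_RE.search(env["QUERY_STRING"]) or RFI_RE.search(env["THE_REQUEST"]))

def skip_bypass_matches(env, site_domain):
    """Two RewriteConds are ANDed by default: whitelisted file AND own referer."""
    return bool(MISC_FILES_RE.search(env["REQUEST_URI"])
                and referer_re(site_domain).search(env["HTTP_REFERER"]))

# The request from the log entry in the post, split as Apache exposes it
# (%{REQUEST_URI} excludes the query string; THE_REQUEST is the request line).
VIEWER = "/wp-content/plugins/pdf-viewer/stable/web/viewer.html"
PDF = "https://ninavanrompaey.be/wp-content/uploads/2017/01/NinaVanRompaey-CV.pdf"
LOGGED = {
    "REQUEST_URI": VIEWER,
    "QUERY_STRING": "file=" + PDF,
    "HTTP_REFERER": "https://ninavanrompaey.be/resume/",
    "THE_REQUEST": "GET " + VIEWER + "?file=" + PDF + " HTTP/1.1",
}
# Constructed sample: the viewer asked to load a file from a listed host, with
# no referer; this is the kind of request the forbid rule exists to stop.
PROBE = {
    "REQUEST_URI": VIEWER,
    "QUERY_STRING": "file=http://imgur.com/some-file.pdf",
    "HTTP_REFERER": "",
    "THE_REQUEST": "GET " + VIEWER + "?file=http://imgur.com/some-file.pdf HTTP/1.1",
}

if __name__ == "__main__":
    for name, env in (("logged", LOGGED), ("probe", PROBE)):
        print(name, rfi_forbid_matches(env), skip_bypass_matches(env, "ninavanrompaey.be"))
```

Running it with "example.com" left in place of the real domain makes the bypass fail for the logged request, which is why the IMPORTANT! note in step 1 matters.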

    #32458

    Didier Ludwig
    Participant

    Why do I get this and other posts by email though I haven’t subscribed?

    #32459

    AITpro Admin
    Keymaster

    I was not aware that BuddyPress/bbPress is doing that.  You are the first person to ever mention that.  You are only supposed to get email notifications for forum topics that you are subscribed to.  I will have to do some BuddyPress/bbPress testing and see why that might be happening.

    When did this problem start occurring?  There was a bbPress capabilities bug that occurred around December 7, 2016.  So maybe that has something to do with it?

    #32466

    AITpro Admin
    Keymaster

    I have tested logging in with a standard participant user account and everything is working fine, i.e. I only receive emails for forum topics where I have chosen the “Notify me of follow-up replies via email” checkbox option that you see in every/all forum topics. I checked your bbPress Profile and everything looks ok. I’m not really sure what else I can check since everything appears to be working normally. 😉

    Try this and see if it works > Select the “no” option for all emails and save your settings.  Then select the “yes” option for any email options you want and save your settings.  Kind of a “kick the jukebox” fix.  ha ha ha.

    bbPress Profile > Settings > Email
    yes or no options to send emails

    A member mentions you in an update using “@user-account-name”
    A member replies to an update or comment you’ve posted

