Images not displaying, timthumb theme images, thumbnail images (BulletProof Security Free forum)
Tagged: Theme, Theme Images, Theme Thumbnailer script, Thumbnailer, timthumb
- This topic has 39 replies, 5 voices, and was last updated 10 years, 1 month ago by AITpro Admin.
jena (Participant): Yes, I have it like this:

# bns featured category Plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/bns-featured-category/ [NC]
RewriteRule . - [S=13]
# all-in-one event calendar Plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/all-in-one-event-calendar/ [NC]
RewriteRule . - [S=14]
# wpmu theme usage info Plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wpmu-theme-usage-info/ [NC]
RewriteRule . - [S=15]
# wp-ui Plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-ui/ [NC]
RewriteRule . - [S=16]
# addthis Plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/addthis/ [NC]
RewriteRule . - [S=17]
# easyblogging info Plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/easyblogging/ [NC]
RewriteRule . - [S=18]
# leadpages Plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/leadpages/ [NC]
RewriteRule . - [S=19]
# Theme style script skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/themes/grandcollege_v1-08/stylesheet/ie-style\.php [NC]
RewriteRule . - [S=20]
# Theme style script skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/themes-ai1ec/vortex/font/League_Gothic-webfont\.eot [NC]
RewriteRule . - [S=21]
AITpro Admin (Keymaster): You have the order reversed. Put 21 at the top and go in descending order. The Skip rules mean this: for S=21, skip the next 21 RewriteRules. That is why they need to be in descending order.
S=21, S=20, S=19, etc.
After you change the skip rules in BPS Pro Custom Code, be sure to save your changes and then go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
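The mechanism behind the "descending order" advice, as an added example that is not code from the thread or from the BPS plugin: a small model of Apache mod_rewrite's [S=n] flag (when a rule's conditions match, the next n RewriteRules are skipped). Each skip rule has to jump over every skip rule below it and over all of the core BPS rules, so the first rule needs the largest S value. Assumptions in the code: the core rules that follow the skip block are modelled as 13 rules (13 is the lowest S value in the thread, not a number taken from the BPS ruleset), the last of them is a stand-in for the TimThumb/RFI forbid rule with an assumed pattern, and the two request URIs are constructed.

```python
"""Model of mod_rewrite [S=n] skipping, to show why BPS skip/bypass rules must be
listed with S values in descending order. Added example; not BPS code."""
import re
from dataclasses import dataclass

CORE_RULE_COUNT = 13  # assumption: lowest S value posted in the thread

# The paths the user whitelisted, in the order they posted them (top = first rule).
SKIP_PATHS = [
    "/wp-content/plugins/bns-featured-category/",
    "/wp-content/plugins/all-in-one-event-calendar/",
    "/wp-content/plugins/wpmu-theme-usage-info/",
    "/wp-content/plugins/wp-ui/",
    "/wp-content/plugins/addthis/",
    "/wp-content/plugins/easyblogging/",
    "/wp-content/plugins/leadpages/",
    "/wp-content/themes/grandcollege_v1-08/stylesheet/ie-style.php",
    "/wp-content/themes-ai1ec/vortex/font/League_Gothic-webfont.eot",
]


@dataclass
class Rule:
    cond: re.Pattern      # matched against the full request (URI plus query string)
    skip: int = 0         # [S=n]: on match, skip the next n rules
    forbid: bool = False  # [F]: on match, answer 403


NEVER = re.compile(r"(?!)")  # never matches: stand-in for core rules not modelled here
# Stand-in for the TimThumb/RFI forbid rule (assumed pattern, not the real BPS rule text).
RFI_FORBID = Rule(re.compile(r"(timthumb|phpthumb|thumbs?|ie-style)\.php\?.*https?://", re.I),
                  forbid=True)


def build_chain(skip_paths, descending=True):
    """Skip block followed by the core rules. A skip rule must jump over every skip rule
    below it and over all core rules, so S = CORE_RULE_COUNT + (skip rules remaining)."""
    n = len(skip_paths)
    chain = []
    for i, path in enumerate(skip_paths):
        remaining = n - 1 - i if descending else i  # ascending = the order from the thread
        chain.append(Rule(re.compile("^" + re.escape(path), re.I),
                          skip=CORE_RULE_COUNT + remaining))
    return chain + [Rule(NEVER)] * (CORE_RULE_COUNT - 1) + [RFI_FORBID]


def evaluate(chain, request):
    """Walk the chain the way mod_rewrite does; return 403 (forbidden) or 200 (passed)."""
    i = 0
    while i < len(chain):
        rule = chain[i]
        if rule.cond.search(request):
            if rule.forbid:
                return 403
            i += 1 + rule.skip
        else:
            i += 1
    return 200


SKIP_FLAG = re.compile(r"RewriteRule\s+\.\s+-\s+\[S=(\d+)\]")


def skip_values(custom_code):
    """S values in the order they appear in a pasted Custom Code block."""
    return [int(v) for v in SKIP_FLAG.findall(custom_code)]


def order_problems(values, core=CORE_RULE_COUNT):
    """Empty list when the S values count down consecutively to `core`; else a complaint."""
    expected = list(range(core + len(values) - 1, core - 1, -1))
    return [] if values == expected else [f"expected {expected}, got {values}"]


if __name__ == "__main__":
    # Constructed requests: one the user wants whitelisted, one that should stay blocked.
    plugin_req = "/wp-content/plugins/bns-featured-category/thumb.php?src=http://example.com/a.jpg"
    attack_req = "/wp-content/themes/other/timthumb.php?src=http://evil.example/x.php"
    for descending in (True, False):
        chain = build_chain(SKIP_PATHS, descending)
        print("descending" if descending else "ascending ",
              "plugin:", evaluate(chain, plugin_req), "attack:", evaluate(chain, attack_req))
```

With the user's ascending order the first rule carries S=13, so a whitelisted request jumps over only 13 rules, lands in the middle of the core block and still reaches the forbid rule; with S=21 at the top it clears the whole chain, while a request matching no skip rule is forbidden either way. `skip_values` plus `order_problems` is the check to run over the Custom Code text before activating Root Folder BulletProof Mode.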
jena (Participant): I did the whitelisting you mentioned above but still get the same security logs.
I edited the root .htaccess file and added code like this:
RewriteCond %{REQUEST_URI} (ie-style\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 10, 2013 - 11:26 am <<<<<<<<<<<
REMOTE_ADDR: 206.74.42.69
Host Name: 206.74.42.69
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://transtechacademy.com/celebrating-champions-making-an-investment/
REQUEST_URI: /wp-content/themes/grandcollege_v1-08/stylesheet/ie-style.php?path=http://transtechacademy.com/wp-content/themes/grandcollege_v1-08
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
AITpro Admin (Keymaster): The other method is to add a skip/bypass rule. It is very important that you have the order of the skip/bypass rules correct. The highest skip rule comes first, then the next highest skip rule, etc. The order is descending: 21, 20, 19, 18, etc.

# Theme style script skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/themes/grandcollege_v1-08/stylesheet/ie-style\.php [NC]
RewriteRule . - [S=20]
jena (Participant): Yes, I did this as the first step and rearranged in descending order, but I still get the error.

AITpro Admin (Keymaster): Ok, send me a temporary Admin login to this website so I can see what the issue is: info [at] ait-pro [dot] com. Thanks.
AITpro Admin (Keymaster): Diagnosis of the problem. That link is not valid. It points to a location that is not a valid location for that type of link. So this is not something that you need to whitelist; it is instead a mistake somewhere that needs to be fixed, either in your settings or in the coding of the theme.
When I deactivate Root Folder BulletProof Mode, the 403 Forbidden error turns into a 404 Not Found error because the link is not valid/does not point to a valid location for that type of link.
BPS will try to handle bad links, but will log these as a 403 error unless you use the BPS 404 code in your 404.php template file. That is not the real issue. The real issue is that the link is not valid.
Here are some examples so that you can see exactly what I am saying.
This link is a simulated RFI hacking link and it is valid because it points to a file: no-agent-photo.jpg
/wp-content/themes/SmoothV4.1/thumbnail.php?src=http://dean-smithrealty.com/wp-content/uploads/agents/no-agent-photo.jpg&w=146&h=196&zc=1&q=70&cropfrom=topcenter
This link is a simulated RFI hacking link and it is valid because it points to a file: The-10-SuperHuman-Commandments-www.superhumansecret.com_.jpg
/wp-content/themes/itheme2/themify/img.php?src=http://www.superhumansecret.com/wp-content/uploads/2013/04/The-10-SuperHuman-Commandments-www.superhumansecret.com_.jpg&w=622&h=274
This link is a simulated RFI hacking link and it is valid because it points to a file: Parris_Gina-01a_4.jpg
/wp-content/themes/GinaParis/thumb.php?src=http://ginaparrisentertainment.com/files/2012/03/Parris_Gina-01a_4.jpg&w=77&h=60&zc=1&q=80&bid=3
Neither of the two links below is valid because they do not point to a file. In order for the link to be valid it must point to a file; it cannot point to a folder name when the link is a simulated RFI hacking attempt against your site. This is bad coding practice, period. This is not just something that BPS Pro finds bad; this is bad coding practice in general. Either there are mistakes in your settings or the coding is bad in the theme or plugin.
This link is not valid. It points to a folder and not a file. In order to be valid the link MUST point to a file and not a folder.
/wp-content/themes/grandcollege_v1-08/stylesheet/ie-style.php?path=http://transtechacademy.com/wp-content/themes/grandcollege_v1-08
This link is not valid. It points to a folder and not a file. In order to be valid the link MUST point to a file and not a folder.
/wp-content/themes/modernize/stylesheet/ie-style.php?path=http://symbiota.com/wp-content/themes/modernize
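The file-versus-folder criterion from the post above, applied to its five request URIs, as an added example (not code from the thread or from BPS). It pulls the remote URL out of the thumbnailer/style-script query string and reports whether that URL names a file or only a folder. Assumptions: the parameter names checked are `src` and `path`, the two that occur in the quoted URIs; "names a file" is read as "last path segment has an extension and the path does not end in a slash", which is the test the post's examples rely on; the BPS rule itself is not reproduced, and the fixed-up host names are as they appear in the post.

```python
"""Classify thumbnailer links by whether the remote target is a file or a folder.
Added example illustrating the post's criterion; not BPS code."""
import posixpath
from urllib.parse import parse_qs, urlsplit

REMOTE_PARAMS = ("src", "path")  # assumption: the two parameter names seen in the thread


def remote_target(request_uri):
    """Return the remote URL the script was asked to fetch, or None if there is none."""
    query = parse_qs(urlsplit(request_uri).query)
    for name in REMOTE_PARAMS:
        if name in query:
            return query[name][0]
    return None


def points_to_file(url):
    """True when the URL path ends in a file name (has an extension), not a folder."""
    path = urlsplit(url).path
    if path.endswith("/"):
        return False
    return "." in posixpath.basename(path)


def classify(request_uri):
    target = remote_target(request_uri)
    if target is None:
        return "no remote target"
    return "valid (file)" if points_to_file(target) else "invalid (folder)"


# The five request URIs quoted in the post, first three valid, last two not.
THREAD_LINKS = [
    "/wp-content/themes/SmoothV4.1/thumbnail.php?src=http://dean-smithrealty.com/wp-content/uploads/agents/no-agent-photo.jpg&w=146&h=196&zc=1&q=70&cropfrom=topcenter",
    "/wp-content/themes/itheme2/themify/img.php?src=http://www.superhumansecret.com/wp-content/uploads/2013/04/The-10-SuperHuman-Commandments-www.superhumansecret.com_.jpg&w=622&h=274",
    "/wp-content/themes/GinaParis/thumb.php?src=http://ginaparrisentertainment.com/files/2012/03/Parris_Gina-01a_4.jpg&w=77&h=60&zc=1&q=80&bid=3",
    "/wp-content/themes/grandcollege_v1-08/stylesheet/ie-style.php?path=http://transtechacademy.com/wp-content/themes/grandcollege_v1-08",
    "/wp-content/themes/modernize/stylesheet/ie-style.php?path=http://symbiota.com/wp-content/themes/modernize",
]

if __name__ == "__main__":
    for link in THREAD_LINKS:
        print(f"{classify(link):18} {link}")
```

Running it prints "valid (file)" for the three thumbnail links and "invalid (folder)" for the two ie-style.php links, which is the split the post makes; a link that lands in the second group is a theme or settings problem to fix rather than a request to whitelist.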
jena (Participant): There is a new problem.
Whatever new file I add to # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
gets removed when the secure .htaccess file is generated again. I had added new files here:
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
But they are removed after I regenerate the secure .htaccess file after adding custom code to CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES.
AITpro Admin (Keymaster): Then you have either saved the Custom Code to the wrong Custom Code text box or you have not saved your Custom Code first before activating BulletProof Mode again.
You stated that you have added that Custom Code to this Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
You would need to add that Custom Code to the Timthumb Forbid Custom Code text box instead.
See these instructions on how to do this correctly: http://forum.ait-pro.com/forums/topic/images-not-displaying-after-bulletproof-security-free-plugin-was-enabled-and-configured/#post-3828
jena (Participant): I notice that for some steps, messages are not displayed on one of the sites. For example, while taking a backup in the AutoRestore section it doesn't show any message about whether the backup is done or not, as it does for the other sites.
Also, while creating the secure .htaccess file it doesn't display any message.

AITpro Admin (Keymaster): For Network/Multisite you should ONLY be doing things with BPS Pro on the Primary site of the Network/Multisite site and not in subsites. All BPS Pro alerts, messages and everything else are now displayed only to Administrators. I believe there is also a condition that checks if you are on the Primary site and will only display messages on the Primary site, since that is the ONLY site you should be doing anything with BPS Pro settings or anything else regarding BPS Pro.
jena (Participant): I mean it works on all the other multisites except one.
Yes, I am talking about the primary site.

AITpro Admin (Keymaster): Do you have the latest/most current version of BPS Pro installed on that Network/Multisite site?
See the What's New link for BPS Pro 7.0:
Dashboard Status Displays and Alerts:
All Dashboard Status Displays and Alerts are now only displayed to Administrators. Editors, Authors, Contributors and Subscribers will not see any alerts or the Dashboard Status Display.
http://forum.ait-pro.com/forums/topic/bulletproof-security-pro-version-release-dates/
AITpro Admin (Keymaster): Email Question:
No more hacks. I also updated my timthumb, but now BPS blocks it, so I followed the advice for the root .htaccess file and added the code, but my thumbnails still show invalid permission:
[website domain name removed for privacy]/wp-content/themes/intelligible/timthumb.php?src=[website domain name removed for privacy]/wp-content/uploads/2012/02/xcelatit_29455079_org.jpg&h=120&w=273&zc=1&q=90
Can you please help me? Thank you.
Rob
AITpro Admin (Keymaster): Use the OPTION 2 Custom Code solution to whitelist Theme Timthumb scripts: http://forum.ait-pro.com/forums/topic/images-not-displaying-after-bulletproof-security-free-plugin-was-enabled-and-configured/#post-3828
Your skip/bypass/whitelist code is:

# Theme Thumbnailer script skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/themes/intelligible/timthumb\.php [NC]
RewriteRule . - [S=13]