Images not displaying, timthumb theme images, thumbnail images


Viewing 10 posts - 31 through 40 (of 40 total)
    #13499
    x
    Participant

    I have followed your instructions from http://forum.ait-pro.com/forums/topic/images-not-displaying-after-bulletproof-security-free-plugin-was-enabled-and-configured/#post-3828. It has not fixed the issue which is described in the post which preceded it, could you please help me? I followed the instructions exactly.

    CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES:
    Add personal plugin/theme skip/bypass rules here
    ONLY add valid htaccess code below or text commented out with a pound sign #
    
    # Theme Thumbnailer script skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/itheme2/themify/img\.php [NC]
    RewriteRule . - [S=13]
    
    CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE:
    Add additional Referers and/or misc file names
    You MUST copy and paste the entire TIMTHUMB FORBID RFI section of code from your root .htaccess file into this text box first. You can then edit and modify the code in this text window and save your changes.
    
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (img\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*shaunhillphotography.co.uk.* [OR]
    RewriteCond %{HTTP_REFERER} ^.*shaunhill.net.*
    RewriteRule . - [S=1]

    Does it make a difference that timthumb is not a plugin in its strictest installation sense, rather a file included within the theme I have installed? shaunhillphotography.co.uk/httpdocs/wp-content/themes/acoustic/lib/utils/timthumb.php

    #13504
    AITpro Admin
    Keymaster

    You would need to create a theme skip/bypass rule for your theme (acoustic Theme) and not the (itheme Theme) theme.  Timthumb.php is already included in the Timthumb and MISC RFI rule so you would not add it again.

    # Theme Thumbnailer script skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/acoustic/lib/utils/ [NC]
    RewriteRule . - [S=13]
    #13508
    x
    Participant

    Hello there, thank you for your reply. Well spotted.

    It hasn’t worked, but I added img\.php to the end. Is there any advantage to this, or is this incorrect?

    # Theme Thumbnailer script skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/acoustic/lib/utils/img\.php [NC]
    RewriteRule . - [S=13]

    #13513
    AITpro Admin
    Keymaster

    That would be incorrect since the img.php file does not exist on your website.  Check your BPS Security Log and post the log entry that is related to this issue/problem.

    #13533
    x
    Participant

    This is what shows:

    BPS SECURITY / HTTP ERROR LOG
    ==============================
    ==============================
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 13/07/2013 - 10:43 PM <<<<<<<<<<<
    REMOTE_ADDR: 86.135.47.200
    Host Name: host86-135-47-200.range86-135.btcentralplus.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/riva-slider-pro/timthumb.php?src=http://www.shaunhillphotography.co.uk/wp-content/plugins/riva-slider-pro/styles/skins/default/shadow.bak&h=0&w=960&zc=1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36

    I have amended the custom code as you have instructed.

    #13535
    AITpro Admin
    Keymaster

    Try a plugin skip/bypass rule for the Riva Slider Pro plugin.

    1. Add this skip/bypass rule below to this BPS Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES: Add personal plugin/theme skip/bypass rules here
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
    NOTE: If your WordPress installation is in a subfolder then add the WordPress subfolder name to the skip/bypass rule.  Example:  /MyWordPressFolderName/wp-content/plugins/riva-slider-pro/

    # Riva Slider Pro skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/riva-slider-pro/ [NC]
    RewriteRule . - [S=13]

    #13542
    x
    Participant

    Thank you for your reply.

    So can I add that one in addition to the other like this:

    # Theme Thumbnailer script skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/acoustic/lib/utils/ [NC]
    RewriteRule . - [S=14]
    # Riva Slider Pro skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/riva-slider-pro/ [NC]
    RewriteRule . - [S=13]

    #13544
    AITpro Admin
    Keymaster

    Update: The problem is that the Referer is blank. The TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE security code in the BPS Root htaccess checks that the Referer is your website in order to allow the timthumb script to only be loaded by/from your website and not loaded/called remotely.

    Nope.  The Security Log entry shows exactly what the issue/problem is.  It has nothing to do with your Theme and has to do with the Riva Slider Pro plugin timthumb script simulating an RFI hacking attack against your website.  This is fairly common with all plugins and themes that use the timthumb script.   The general nature and design of the timthumb script itself is that it appears to be attacking your website using an RFI hacking method. That is just how it is with the timthumb script.

    You only need to add the plugin skip/bypass rule I posted above and nothing else.
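To show why the logged request was forbidden and what the plugin skip/bypass rule changes, here is an added Python model of the rule chain quoted in this thread. It is not BPS or Apache code; it assumes the Custom Code skip rule sits before the timthumb block (so its [S=13] skips that whole block) and that the rule skipped by [S=1] is the forbid rule for the same thumbnailer files (that rule is not shown in the thread).

```python
import re
from typing import Optional

# Patterns copied from the TIMTHUMB FORBID RFI and MISC FILE block quoted above.
RFI_DOMAINS = re.compile(
    r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|"
    r"petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|"
    r"upload\.wikimedia|kkc|start-thegame).*$", re.I)
THUMB_FILES = re.compile(r"(img\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", re.I)
# Referer whitelist from the poster's Custom Code (the site's own domains).
REFERER_OK = re.compile(r"^.*(shaunhillphotography\.co\.uk|shaunhill\.net).*", re.I)

# REQUEST_URI copied from the BPS Security Log entry posted in this thread.
LOGGED_REQUEST = ("/wp-content/plugins/riva-slider-pro/timthumb.php?src=http://www."
                  "shaunhillphotography.co.uk/wp-content/plugins/riva-slider-pro/styles/"
                  "skins/default/shadow.bak&h=0&w=960&zc=1")
# Prefix from the admin's suggested Riva Slider Pro skip/bypass rule.
BYPASS = "/wp-content/plugins/riva-slider-pro/"

def evaluate(request_uri: str, referer: str, bypass_prefix: Optional[str] = None) -> str:
    """Walk the rules in .htaccess order and return 'allow' or 'forbid'.
    bypass_prefix models: RewriteCond %{REQUEST_URI} ^<prefix> [NC] / RewriteRule . - [S=13]
    (assumed to skip the entire timthumb/RFI block below)."""
    path, _, query = request_uri.partition("?")   # mod_rewrite's REQUEST_URI has no query
    the_request = f"GET {request_uri} HTTP/1.1"
    # 1. Skip/bypass rule: evaluated first, so the RFI checks never run for this path.
    if bypass_prefix and path.lower().startswith(bypass_prefix.lower()):
        return "allow"
    # 2. RFI rule: a remote src pointing at one of the listed hosts -> [F]
    if RFI_DOMAINS.match(query) or RFI_DOMAINS.match(the_request):
        return "forbid"
    # 3. MISC file rule: thumbnailer scripts may only be loaded from the site's own pages.
    if THUMB_FILES.search(path):
        if REFERER_OK.match(referer):
            return "allow"   # [S=1] skips the forbid rule that follows
        return "forbid"      # assumed forbid rule after [S=1]: blank Referer lands here
    return "allow"

if __name__ == "__main__":
    print(evaluate(LOGGED_REQUEST, ""))          # blank Referer, as in the log: forbid
    print(evaluate(LOGGED_REQUEST, "", BYPASS))  # skip rule fires first: allow
```

Note that the skip rule is a blanket bypass for that path prefix: once it is in place, the RFI domain check in step 2 no longer applies to requests under it either.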

    #13552
    x
    Participant

    Thank you for your reply. Unfortunately that has not resolved the issue.

    #13555
    AITpro Admin
    Keymaster

    Update: The Riva Slider Pro plugin was installed and tested on one of our test sites and no problems or errors occurred. So something is fubar with how the timthumb.php script is being called on your website since the Referer log field is blank when it should contain your website domain name instead of being blank.

    It appears that this is a Premium/Paid plugin.  If you would like for us to test this plugin then send the plugin in a zip file to info [at] ait-pro [dot] com.  After testing, the plugin will be deleted from our testing site, email and computers.
