Images not displaying, timthumb theme images, thumbnail images
Tagged: Theme, Theme Images, Theme Thumbnailer script, Thumbnailer, timthumb
This topic has 39 replies, 5 voices, and was last updated 9 years, 9 months ago by AITpro Admin.
x (Participant)
I have followed your instructions from http://forum.ait-pro.com/forums/topic/images-not-displaying-after-bulletproof-security-free-plugin-was-enabled-and-configured/#post-3828. It has not fixed the issue which is described in the post which preceded it, could you please help me? I followed the instructions exactly.
CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES: Add personal plugin/theme skip/bypass rules here. ONLY add valid htaccess code below or text commented out with a pound sign #

# Theme Thumbnailer script skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/themes/itheme2/themify/img\.php [NC]
RewriteRule . - [S=13]

CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE: Add additional Referers and/or misc file names. You MUST copy and paste the entire TIMTHUMB FORBID RFI section of code from your root .htaccess file into this text box first. You can then edit and modify the code in this text window and save your changes.

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (img\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*shaunhillphotography.co.uk.* [OR]
RewriteCond %{HTTP_REFERER} ^.*shaunhill.net.*
RewriteRule . - [S=1]
Does it make a difference that timthumb is not a plugin in its strictest installation sense, rather a file included within the theme I have installed? shaunhillphotography.co.uk/httpdocs/wp-content/themes/acoustic/lib/utils/timthumb.php
AITpro Admin (Keymaster)
You would need to create a theme skip/bypass rule for your theme (acoustic Theme) and not the (itheme Theme) theme. Timthumb.php is already included in the Timthumb and MISC RFI rule so you would not add it again.
# Theme Thumbnailer script skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/themes/acoustic/lib/utils/ [NC]
RewriteRule . - [S=13]
x (Participant)
Hello there, thank you for your reply. Well spotted.
It hasn’t worked, but I added img\.php to the end. Is there any advantage to this or is this incorrect?:
# Theme Thumbnailer script skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/themes/acoustic/lib/utils/img\.php [NC]
RewriteRule . - [S=13]
AITpro Admin (Keymaster)
That would be incorrect since the img.php file does not exist on your website. Check your BPS Security Log and post the log entry that is related to this issue/problem.
x (Participant)
This is what shows:

BPS SECURITY / HTTP ERROR LOG
==============================
==============================
>>>>>>>>>>> 403 GET or Other Request Error Logged - 13/07/2013 - 10:43 PM <<<<<<<<<<<
REMOTE_ADDR: 86.135.47.200
Host Name: host86-135-47-200.range86-135.btcentralplus.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/riva-slider-pro/timthumb.php?src=http://www.shaunhillphotography.co.uk/wp-content/plugins/riva-slider-pro/styles/skins/default/shadow.bak&h=0&w=960&zc=1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
I have amended the custom code as you have instructed.
AITpro Admin (Keymaster)
Try a plugin skip/bypass rule for the Riva Slider Pro plugin.
1. Add this skip/bypass rule below to this BPS Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES: Add personal plugin/theme skip/bypass rules here
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
NOTE: If your WordPress installation is in a subfolder then add the WordPress subfolder name to the skip/bypass rule. Example: /MyWordPressFolderName/wp-content/plugins/riva-slider-pro/

# Riva Slider Pro skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/riva-slider-pro/ [NC]
RewriteRule . - [S=13]
x (Participant)
Thank you for your reply.
So can I add that one in addition to the other like this:
# Theme Thumbnailer script skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/themes/acoustic/lib/utils/ [NC]
RewriteRule . - [S=14]
# Riva Slider Pro skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/riva-slider-pro/ [NC]
RewriteRule . - [S=13]
AITpro Admin (Keymaster)
Update: The problem is that the Referer is blank. The TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE security code in the BPS Root htaccess checks that the Referer is your website in order to allow the timthumb script to only be loaded by/from your website and not loaded/called remotely.
Nope. The Security Log entry shows exactly what the issue/problem is. It has nothing to do with your Theme and has to do with the Riva Slider Pro plugin timthumb script simulating an RFI hacking attack against your website. This is fairly common with all plugins and themes that use the timthumb script. The general nature and design of the timthumb script itself is that it appears to be attacking your website using an RFI hacking method. That is just what is with the timthumb script.
You only need to add the plugin skip/bypass rule I posted above and nothing else.
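The Referer check described in the reply above, replayed over the log entry posted earlier in this thread. This is an added illustration, not BPS code: the patterns are transcribed from the .htaccess snippets posted in the thread, the log sample is constructed from the fields shown in the post, and the model assumes (as the reply states) that the rule skipped by [S=1] is the one that forbids thumbnailer requests.

```python
import re

# Constructed sample input: the BPS Security Log entry quoted in this thread, one field per line.
BPS_LOG_ENTRY = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - 13/07/2013 - 10:43 PM <<<<<<<<<<<
REMOTE_ADDR: 86.135.47.200
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/riva-slider-pro/timthumb.php?src=http://www.shaunhillphotography.co.uk/wp-content/plugins/riva-slider-pro/styles/skins/default/shadow.bak&h=0&w=960&zc=1
QUERY_STRING:
"""

# Patterns transcribed from the .htaccess snippets posted in the thread.
THUMB_FILES = re.compile(r"(img\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", re.I)
OWN_SITE_REFERER = re.compile(r"^.*(shaunhillphotography.co.uk|shaunhill.net).*")
RIVA_PLUGIN_PATH = re.compile(r"^/wp-content/plugins/riva-slider-pro/", re.I)
# Assumed log layout: "KEY: value" lines; banner and "=====" lines carry no fields.
FIELD = re.compile(r"^([A-Za-z_ ]+?):\s?(.*)$")


def parse_bps_log(text):
    """Turn a BPS 'KEY: value' log entry into a dict; non-field lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def timthumb_rule_verdict(fields, plugin_skip_rule=False):
    """Replay the thread's rewrite logic on one logged request; returns (allowed, reason).

    mod_rewrite's %{REQUEST_URI} is the path only, so the query string is
    stripped before matching, as Apache would do."""
    path = fields.get("REQUEST_URI", "").split("?", 1)[0]
    referer = fields.get("HTTP_REFERER", "")
    if plugin_skip_rule and RIVA_PLUGIN_PATH.search(path):
        return True, "Riva Slider Pro skip/bypass rule matched: forbid rules are skipped"
    if not THUMB_FILES.search(path):
        return True, "not a thumbnailer script request: the timthumb rule does not apply"
    if OWN_SITE_REFERER.match(referer):
        return True, "Referer is the site itself: the timthumb forbid rule is skipped"
    return False, "403: thumbnailer request whose Referer is blank or not the site itself"


if __name__ == "__main__":
    logged = parse_bps_log(BPS_LOG_ENTRY)
    print(timthumb_rule_verdict(logged))                          # blocked: blank Referer
    print(timthumb_rule_verdict(logged, plugin_skip_rule=True))   # allowed by the plugin skip rule
```

Running it shows why the same request is blocked with a blank Referer yet passes once either the Referer is the site's own domain or the plugin skip/bypass rule is in place.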
x (Participant)
Thank you for your reply. Unfortunately that has not resolved the issue.
AITpro Admin (Keymaster)
Update: The Riva Slider Pro plugin was installed and tested on one of our test sites and no problems or errors occurred. So something is fubar with how the timthumb.php script is being called on your website since the Referer log field is blank when it should contain your website domain name instead of being blank.
It appears that this is a Premium/Paid plugin. If you would like for us to test this plugin then send the plugin in a zip file to info [at] ait-pro [dot] com. After testing, the plugin will be deleted from our testing site, email and computers.