Marmoset Viewer – 403 error

    #30492 AITpro Admin (Keymaster)

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    The question was posted on the wordpress.org forum: https://wordpress.org/support/topic/marmoset-viewer-403-error?replies=2#post-8706024. It is copied and answered here:

    So I just installed a plugin called “Marmoset Viewer” and wanted to try it out, only to directly face a 403 Forbidden Error Page when adding the shortcode that the plugin gives you. The Security Log shows this:

    [403 GET Request: 01/08/2016 - 20:54]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: IP
    Host Name: d51528A9D.access.telenet.be
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.rafaeldejongh.com/WP/jango-fetts-westar-34/
    REQUEST_URI: /WP/wp-content/plugins/marmoset-viewer/mviewer.php?width=100%&height=&autostart=0&transparantbg=&id=http:/www.rafaeldejongh.com/WP/wp-content/uploads/2016/07/westar-34.mview
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

    I’ve already added the following code under “Custom code Plugin/Theme skip/Bypass Rules:”

    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/marmoset-viewer/ [NC]
    RewriteRule . - [S=13]

    But that didn’t work either. Not sure if I’m doing something wrong, but my question is: is there any way around this so I can keep using this plugin alongside BPS?

    Thanks in advance.

    Best regards,
    Rafaël De Jongh
    ________________________________
    Answer|Solution:
    The Request URI looks like an RFI (Remote File Inclusion) hacking attempt against your website, because it passes a full http:// URL in the query string.

    This requires a TimThumb Misc File whitelist rule: the mviewer.php file must be whitelisted in the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE security code.
    1. Copy the code below to this Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE: Add additional Referers and/or misc file names.
    IMPORTANT! After you copy this code to BPS Custom Code, change the HTTP_REFERER example.com domain name in the code below to your actual domain/website name. If example.com is left unchanged, the whitelist condition will never match your site and the rule will have no effect.
    2. Save your new custom code by clicking the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    #
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (mviewer\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]
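To see how the whitelist section above is actually evaluated, here is an added Python model of its two rules (this is an illustration written for this page, not BPS or Marmoset Viewer code), applied to the request from the Security Log in the question. It models only the two RewriteRules shown above; the rule that [S=1] skips is not on this page, so a request that reaches it is reported as "continue". The sample request strings are constructed from the log entry quoted above.

```python
import re

# Regexes copied from the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE above,
# translated from mod_rewrite syntax to Python (the [NC] flag becomes re.IGNORECASE).
RFI_DOMAINS = re.compile(
    r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?"
    r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|"
    r"wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$",
    re.IGNORECASE,
)
MISC_FILES = re.compile(
    r"(mviewer\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", re.IGNORECASE
)

def evaluate(request_uri, query_string, the_request, referer, whitelist_domain="example.com"):
    """Walk the section's two RewriteRules in file order and report which one fires:
    'forbidden' - RFI rule matched QUERY_STRING or THE_REQUEST ([F], a 403)
    'skip'      - whitelist matched a listed file with a referer on whitelist_domain,
                  so [S=1] skips the next RewriteRule in the .htaccess file
    'continue'  - neither fired; the rules that follow in .htaccess still apply"""
    if RFI_DOMAINS.match(query_string) or RFI_DOMAINS.match(the_request):
        return "forbidden"
    # The page's condition is ^.*example.com.* (dot unescaped); reproduced as-is.
    referer_ok = re.compile(r"^.*" + whitelist_domain + r".*")
    if MISC_FILES.search(request_uri) and referer_ok.match(referer):
        return "skip"
    return "continue"

# Constructed from the Security Log entry quoted in the question above.
LOGGED_URI = "/WP/wp-content/plugins/marmoset-viewer/mviewer.php"
LOGGED_QS = ("width=100%&height=&autostart=0&transparantbg=&"
             "id=http:/www.rafaeldejongh.com/WP/wp-content/uploads/2016/07/westar-34.mview")
LOGGED_REQUEST = "GET " + LOGGED_URI + "?" + LOGGED_QS + " HTTP/1.1"
LOGGED_REFERER = "http://www.rafaeldejongh.com/WP/jango-fetts-westar-34/"

def logged_request_with_default_code():
    # Custom code pasted with example.com left unchanged: the whitelist never matches.
    return evaluate(LOGGED_URI, LOGGED_QS, LOGGED_REQUEST, LOGGED_REFERER)

def logged_request_with_site_domain():
    # The same request after the IMPORTANT step: example.com replaced by the site domain.
    return evaluate(LOGGED_URI, LOGGED_QS, LOGGED_REQUEST, LOGGED_REFERER, "rafaeldejongh.com")

def listed_domain_in_query():
    # Constructed: a remote URL on one of the listed hosts. The forbid rule comes first,
    # so the whitelist below it is never reached even though file and referer match.
    uri, qs = "/wp-content/plugins/x/timthumb.php", "src=http://imgur.com/remote-file.php"
    return evaluate(uri, qs, "GET " + uri + "?" + qs + " HTTP/1.1", LOGGED_REFERER, "rafaeldejongh.com")
```

Note that HTTP_REFERER is supplied by the client, so this whitelist is a convenience for legitimate embeds on your own pages rather than a strong access control; keep the misc file list limited to files you actually need.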

    This additional Custom Code whitelisting solution may or may not be needed. If you are seeing 500 errors after using the solution above then use this additional solution.

    1. Copy the modified REQUEST METHODS FILTERED htaccess code below to this BPS Root Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED.
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    Additional problem caused by Cloudflare:
    https://wordpress.org/support/topic/marmoset-viewer-403-error?replies=21#post-8786033

    So the Cloudflare thumbnail problem was caused by the .mview file being served as Content-Type: text/plain, which caused some problems with the Cloudflare service, as it is actually binary data.

    So they suggested that I configure the Apache origin to serve .mview files with the content-type application/octet-stream.

    After setting that custom type and clearing the cache, the thumbnails started working!

    So yeah, so far so good, and most if not all problems are currently solved!
