PDF viewer for WordPress – 403 error

[Leon]

Hi,

This may be really simple… I have a PDF plugin viewer that opens a PDF in a new browser window (or the same window) when a link is clicked. An example URL would be: www.mysite.co.uk/blog/wp-content/plugins/pdf-viewer-for-wordpress/web/viewer.php. When this happens i get a 403 page forbidden error? How do i fix this?

Thanks!

[AITpro Admin]

Check your BPS Pro Security Log and post the 403 log entry for the PDF viewer for WordPress plugin so I can see what is being blocked.

Also I checked the website domain name that is used in your forum user account email and that website is in maintenance mode.  Depending on how the site is being put in maintenance mode could affect the BPS Pro Plugin Firewall.  ie the BPS Pro Plugin Firewall may not work correctly depending on how that site is being put in maintenance mode and would have to be turned off until the site goes Live (is no longer in maintenance mode).

BPS Pro Troubleshooting Steps
http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

[Leon]

Hi,

I think i need to add a plugin to the whitelist and create a rule? The site should not be in maintenance mode (i’ll check again) The log is:

[403 GET / HEAD Request: November 5, 2014 8:11 am]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 87.xxx.112.58
Host Name: 87-xxx-112-58.spitfireuk.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.examplesite.com/userguide/demo_client_site_v1/equipment-manuals/
REQUEST_URI: /userguide/demo_client_site_v1/wp-content/plugins/pdf-viewer-for-wordpress/web/viewer.php?file=http://www.examplesite.com/userguide/demo_client_site_v1/wp-content/uploads/2014/10/BW_CCM662_info_sheet.pdf
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36

[Leon]

I’m still having issues with this…. tried adding this to the whitelist rule but does not work. plugins/pdf-viewer-for-wordpress/web/viewer.php? Is the fact it opens the pdf in a new browser window an issue?

[AITpro Admin]

UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

The URL/Query string is simulating a typical RFI hacking attempt.

1.  Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box:  CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
2.  Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

IMPORTANT!!!:  Edit the code below after copying it to the BPS Custom Code text box and replace “example.com” with your actual website domain name.

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
# 
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (viewer\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*example.com.*
RewriteRule . - [S=1]

[Leon]

Great!
I have no idea what that does but it works!
Thanks for the support.

[AITpro Admin]

What the whitelist rule does is only allows your website unrestricted access to the viewer.php file.  Since the file should only be called from your website and by your website since your website is the Referer then this whitelists the viewer.php file in a way that is completely safe to do.  ie it cannot be exploited since the Referer condition MUST match your website domain name.

[guy te watson]

I am getting this same “PDF viewer for WordPress – 403 error” I implemented the above CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code and now I am getting the below error and my domain will not come up.

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@desktoprevealer.net and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

What file changed and how Do I change it back on do this fix without this happening again. I cannot find a .htaccess file in the root.  I created a fresh wp-config.php file to see if that would help and it did not.  So what is the file(s) that were changed when implementing this fix and what may have gone wrong and how do I do it right?

Thanks!
In Christ
guy te

[AITpro Admin]

You need to delete the root htaccess file.  If you do not see the root htaccess file then make sure whatever you are using to view files with has “show hidden files” checked/allowed. htaccess files are hidden files.  After deleting your root htaccess file log back into your site and correct or delete your bad/invalid code that you added/created.  Post a Security Log entry for what is being blocked so I can see what needs to be whitelisted.

If you accidentally added the custom code in the wp-admin htaccess file (wp-admin Custom Code) then delete the /wp-admin/.htaccess file, login to your site and correct or delete your bad/invalid htaccess code.

[guy te watson]

I deleted and reinstall BPS and removed the Custom Code I put in. Now BPS is not enabling the secure htaccess file.  I get this message

BPS Pro Alert! Your site may not be protected by BulletProof Security
The BPS version: BULLETPROOF PRO x.x SECURE .HTACCESS line of code was not found at the top of your Root htaccess file.
The BPS version line of code MUST be at the very top of your Root htaccess file.
Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

When I click to activate the root folder bps mode button I get the below and it never says the file is successfully enabled.
htaccess Files Disabled: Root htaccess file writing is disabled.

The Setup Wizard comes up with this:
PRe Install:
mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: No
htaccess Files Disabled: Existing BPS htaccess files have been deleted and new BPS htaccess files will not be created. All BPS htaccess features are disabled.
Plugin Firewall cURL Scanning is Turned Off. No cURL Scans were performed by the Wizard.

Setup Wizard:
htaccess Files Disabled: Plugin Firewall htaccess file was not created.
Plugin Firewall cURL Scanning is Turned Off. No cURL Scans were performed by the Wizard.

How Do I get this stuff working?
In Christ
guy te

[AITpro Admin]

Enable htaccess files on the Setup Wizard Options page.  Re-run the Pre-Installation Wizard and Setup Wizard.

[guy te watson]

Now it is enabled Here is the security log on the blocked file

[403 GET Request: June 19, 2016 5:54 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: xxx.xxx.xxx.xxx
Host Name: pool-xxx-xxx-xxx-xxx.pghkny.fios.verizon.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://example.com/jim-r-trust/
REQUEST_URI: /themencode-pdf-viewer-sc/?file=http://example.com/wp-content/uploads/2016/06/pdf-viewer-for-wordpress-license.pdf&settings=111111111&lang=en-US
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0

[AITpro Admin]

UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

Note: This solution is for a different PDF Viewer plugin called: PDF viewer for WordPress (ThemeNcode code canyon) Plugin.

1.  Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box:  CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
2.  Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

IMPORTANT!!!:  Edit the code below after copying it to the BPS Custom Code text box and replace “example.com” with your actual website domain name.
Your domain name is: deskxxxxx.net. Replace: example.com with deskxxxxx.net

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
# 
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (themencode-pdf-viewer-sc|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*example.com.*
RewriteRule . - [S=1]

[guy te watson]

Whoops Me Mistake. I forgot to change the example.com. Now it works after changing that.  Can we xxxx out my IP address stuff in the posting. Can I edit them to X out that info. I forgot to when posting.

[AITpro Admin]

Great!  Thanks for confirming the whitelist rule worked.  I will edit out any IP addresses and domain names from your forum replies.

[Author]

Posts