PDF viewer for WordPress – 403 error

Home Forums BulletProof Security Pro PDF viewer for WordPress – 403 error

This topic contains 17 replies, has 3 voices, and was last updated by  guy te watson 1 year, 11 months ago.

Viewing 15 posts - 1 through 15 (of 18 total)
  • Author
    Posts
  • #18869

    Leon
    Participant

    Hi,

    This may be really simple… I have a PDF plugin viewer that opens a PDF in a new browser window (or the same window) when a link is clicked. An example URL would be: www.mysite.co.uk/blog/wp-content/plugins/pdf-viewer-for-wordpress/web/viewer.php. When this happens i get a 403 page forbidden error? How do i fix this?

    Thanks!

    #18872

    AITpro Admin
    Keymaster

    Check your BPS Pro Security Log and post the 403 log entry for the PDF viewer for WordPress plugin so I can see what is being blocked.

    Also I checked the website domain name that is used in your forum user account email and that website is in maintenance mode.  Depending on how the site is being put in maintenance mode could affect the BPS Pro Plugin Firewall.  ie the BPS Pro Plugin Firewall may not work correctly depending on how that site is being put in maintenance mode and would have to be turned off until the site goes Live (is no longer in maintenance mode).

    BPS Pro Troubleshooting Steps
    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    #18880

    Leon
    Participant

    Hi,

    I think i need to add a plugin to the whitelist and create a rule? The site should not be in maintenance mode (i’ll check again) The log is:

    [403 GET / HEAD Request: November 5, 2014 8:11 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 87.xxx.112.58
    Host Name: 87-xxx-112-58.spitfireuk.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.examplesite.com/userguide/demo_client_site_v1/equipment-manuals/
    REQUEST_URI: /userguide/demo_client_site_v1/wp-content/plugins/pdf-viewer-for-wordpress/web/viewer.php?file=http://www.examplesite.com/userguide/demo_client_site_v1/wp-content/uploads/2014/10/BW_CCM662_info_sheet.pdf
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
    #18886

    Leon
    Participant

    I’m still having issues with this…. tried adding this to the whitelist rule but does not work. plugins/pdf-viewer-for-wordpress/web/viewer.php? Is the fact it opens the pdf in a new browser window an issue?

    #18889

    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    The URL/Query string is simulating a typical RFI hacking attempt.

    1.  Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box:  CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    2.  Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    IMPORTANT!!!:  Edit the code below after copying it to the BPS Custom Code text box and replace “example.com” with your actual website domain name.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (viewer\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]
    #18900

    Leon
    Participant

    Great!
    I have no idea what that does but it works!
    Thanks for the support.

    #18901

    AITpro Admin
    Keymaster

    What the whitelist rule does is only allows your website unrestricted access to the viewer.php file.  Since the file should only be called from your website and by your website since your website is the Referer then this whitelists the viewer.php file in a way that is completely safe to do.  ie it cannot be exploited since the Referer condition MUST match your website domain name.

    #29810

    guy te watson
    Participant

    I am getting this same “PDF viewer for WordPress – 403 error” I implemented the above CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code and now I am getting the below error and my domain will not come up.

    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    Please contact the server administrator, webmaster@desktoprevealer.net and inform them of the time the error occurred, and anything you might have done that may have caused the error.
    More information about this error may be available in the server error log.
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    What file changed and how Do I change it back on do this fix without this happening again. I cannot find a .htaccess file in the root.  I created a fresh wp-config.php file to see if that would help and it did not.  So what is the file(s) that were changed when implementing this fix and what may have gone wrong and how do I do it right?

    Thanks!
    In Christ
    guy te

    #29811

    AITpro Admin
    Keymaster

    You need to delete the root htaccess file.  If you do not see the root htaccess file then make sure whatever you are using to view files with has “show hidden files” checked/allowed. htaccess files are hidden files.  After deleting your root htaccess file log back into your site and correct or delete your bad/invalid code that you added/created.  Post a Security Log entry for what is being blocked so I can see what needs to be whitelisted.

    If you accidentally added the custom code in the wp-admin htaccess file (wp-admin Custom Code) then delete the /wp-admin/.htaccess file, login to your site and correct or delete your bad/invalid htaccess code.

    #29814

    guy te watson
    Participant

    I deleted and reinstall BPS and removed the Custom Code I put in. Now BPS is not enabling the secure htaccess file.  I get this message

    BPS Pro Alert! Your site may not be protected by BulletProof Security
    The BPS version: BULLETPROOF PRO x.x SECURE .HTACCESS line of code was not found at the top of your Root htaccess file.
    The BPS version line of code MUST be at the very top of your Root htaccess file.
    Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    When I click to activate the root folder bps mode button I get the below and it never says the file is successfully enabled.
    htaccess Files Disabled: Root htaccess file writing is disabled.

    The Setup Wizard comes up with this:
    PRe Install:
    mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: No
    htaccess Files Disabled: Existing BPS htaccess files have been deleted and new BPS htaccess files will not be created. All BPS htaccess features are disabled.
    Plugin Firewall cURL Scanning is Turned Off. No cURL Scans were performed by the Wizard.

    Setup Wizard:
    htaccess Files Disabled: Plugin Firewall htaccess file was not created.
    Plugin Firewall cURL Scanning is Turned Off. No cURL Scans were performed by the Wizard.

    How Do I get this stuff working?
    In Christ
    guy te

    #29815

    AITpro Admin
    Keymaster

    Enable htaccess files on the Setup Wizard Options page.  Re-run the Pre-Installation Wizard and Setup Wizard.

    #29816

    guy te watson
    Participant

    Now it is enabled Here is the security log on the blocked file

    [403 GET Request: June 19, 2016 5:54 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: pool-xxx-xxx-xxx-xxx.pghkny.fios.verizon.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://example.com/jim-r-trust/
    REQUEST_URI: /themencode-pdf-viewer-sc/?file=http://example.com/wp-content/uploads/2016/06/pdf-viewer-for-wordpress-license.pdf&settings=111111111&lang=en-US
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
    #29817

    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    Note: This solution is for a different PDF Viewer plugin called: PDF viewer for WordPress (ThemeNcode code canyon) Plugin.

    1.  Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box:  CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    2.  Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    IMPORTANT!!!:  Edit the code below after copying it to the BPS Custom Code text box and replace “example.com” with your actual website domain name.
    Your domain name is: deskxxxxx.net. Replace: example.com with deskxxxxx.net

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (themencode-pdf-viewer-sc|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]
    #29822

    guy te watson
    Participant

    Whoops Me Mistake. I forgot to change the example.com. Now it works after changing that.  Can we xxxx out my IP address stuff in the posting. Can I edit them to X out that info. I forgot to when posting.

    #29824

    AITpro Admin
    Keymaster

    Great!  Thanks for confirming the whitelist rule worked.  I will edit out any IP addresses and domain names from your forum replies.

Viewing 15 posts - 1 through 15 (of 18 total)

You must be logged in to reply to this topic.