krpano Panorama Viewer – facebook open graph (BulletProof Security Pro forum)
This topic has 8 replies, 2 voices, and was last updated 8 years, 9 months ago by AITpro Admin.
Paulin Halenria (Participant)
Hello,
On my website, I used to have URLs like https://vue-360.com/stock/player.swf?xml=http://www.vue-360.com/stock/orval/abbaye/structure.xml
It generates a 403 from BPS Pro. I don’t have any idea where I have to allow this.
I’ve tried to add
RewriteCond %{REQUEST_URI} (stock\/player\.swf|player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
and also tried
RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
but always got the 403 error.
The Firewall is not yet activated.
Thanks.

AITpro Admin (Keymaster)
Is this a plugin or are you doing this directly with your own custom code and connecting to Facebook Open Graph?
Paulin Halenria (Participant)
It’s my own code.
In the logs I have this kind of record:
HTTP_REFERER: https://s-static.ak.facebook.com/common/referer_frame.php
REQUEST_URI: /stock/player.swf?xml=https://www.vue-360.com/stock/guerlange/eglise-autel/facebook.xml
The player.swf is the one from krpano.com.
AITpro Admin (Keymaster)
You will need to whitelist the Referer as well as the player.swf file since this is simulating an RFI hacking attempt against your website.
1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*(vue-360.com|facebook.com).*
RewriteRule . - [S=1]
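Added example (my own Python, not code from this thread, from BPS or from AITpro): it transcribes the two rules in the snippet above into regexes and walks them the way mod_rewrite does, so you can check which of the requests logged in this thread each rule matches and which rule the [S=1] flag skips. The rule order (the bypass rule placed ahead of the forbid rule it guards, which is the order the S flag requires), the STRICT_REFERER_RE pattern and the two made-up samples are my assumptions, not anything the thread states.

```python
import re

# Patterns transcribed from the admin's .htaccess snippet (Apache PCRE -> Python re).
RFI_HOST_RE = re.compile(
    r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?"
    r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|"
    r"wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$",
    re.I,
)
WHITELIST_FILE_RE = re.compile(
    r"(player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", re.I
)
# Referer whitelist exactly as posted: unescaped dots and no anchoring, so it matches
# the text "facebook.com" anywhere in the header.
LOOSE_REFERER_RE = re.compile(r"^.*(vue-360.com|facebook.com).*")
# Hardened alternative (my assumption, not from the thread): the Referer's host must be
# one of the listed domains or a subdomain of it, with the dots escaped.
STRICT_REFERER_RE = re.compile(
    r"^https?://([a-z0-9-]+\.)*(vue-360\.com|facebook\.com)(/|$)", re.I
)


def rfi_blocked(query_string, the_request):
    """The two OR'ed RewriteConds that feed 'RewriteRule .* index.php [F]'."""
    return bool(RFI_HOST_RE.search(query_string) or RFI_HOST_RE.search(the_request))


def bypass_matches(request_uri, referer, referer_re=LOOSE_REFERER_RE):
    """Consecutive RewriteConds are AND'ed: the file must be whitelisted AND the
    Referer must match before 'RewriteRule . - [S=1]' fires."""
    return bool(WHITELIST_FILE_RE.search(request_uri) and referer_re.search(referer))


def decide(req, referer_re=LOOSE_REFERER_RE):
    """Walk an ordered rule list the way mod_rewrite does. A rule whose conditions
    hold and that carries [S=n] skips the n rules after it, so a bypass rule only
    protects rules placed after it; that ordering is assumed for this simulation."""
    rules = [
        ("bypass", lambda r: bypass_matches(r["uri"], r["referer"], referer_re), "S=1"),
        ("rfi-forbid", lambda r: rfi_blocked(r["qs"], r["the_request"]), "F"),
    ]
    i = 0
    while i < len(rules):
        name, cond, flag = rules[i]
        if cond(req):
            if flag == "F":
                return "403 (" + name + ")"
            if flag.startswith("S="):
                i += int(flag[2:])  # skip the next n rules
        i += 1
    return "pass"


def make_request(uri, qs="", referer=""):
    """Apache's THE_REQUEST is the raw request line; rebuild it from the parts."""
    target = uri + ("?" + qs if qs else "")
    return {"uri": uri, "qs": qs, "referer": referer,
            "the_request": "GET " + target + " HTTP/1.1"}


# Constructed samples: the first two reproduce the requests logged in this thread;
# the last two are made up to exercise the rules (not real traffic).
SAMPLES = {
    "panorama": make_request(
        "/stock/player.swf",
        "xml=https://www.vue-360.com/stock/guerlange/eglise-autel/facebook.xml",
        "https://s-static.ak.facebook.com/common/referer_frame.php"),
    "xml-fetch": make_request(
        "/stock/thionville/exposition/facebook.xml", "",
        "https://www.vue-360.com/stock/player.swf?xml=https://www.vue-360.com/stock/thionville/exposition/facebook.xml"),
    # Query string pointing at one of the hosts the RFI rule lists, no Referer.
    "listed-host": make_request("/stock/player.swf", "xml=http://imgur.com/x.xml"),
    # Same query string, with a Referer whose host merely contains "facebook.com".
    "lookalike-referer": make_request("/stock/player.swf", "xml=http://imgur.com/x.xml",
                                      "http://facebook.com.example.test/"),
}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print("%-18s loose=%-18s strict=%s" % (
            name, decide(req), decide(req, STRICT_REFERER_RE)))
```

Running it shows the two requests logged in this thread passing both rules with either Referer pattern, which fits the admin's follow-up below: the later 403 on facebook.xml was handled with a separate folder skip rule rather than this whitelist. The listed-host sample shows the forbid rule firing. The lookalike sample is the reason to anchor the Referer pattern: as posted, "^.*(vue-360.com|facebook.com).*" accepts any header containing that text, and because the bypass rule precedes the forbid rule with [S=1], a match switches that rule off for the request. Referer is supplied by the client either way, so this whitelist, like the later "^/stock/" skip, is a compatibility allowance for your own viewer, not an access control; the same walker models an [S=13] rule by skipping the thirteen rules after it.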
Paulin Halenria (Participant)
Great. It’s working. And by the way, I’ve just understood how to use the Custom Code section. I don’t need to remove the “HEAD” manually everywhere now.
Really great product.
Still have two questions, but will create two threads.
Paulin Halenria (Participant)
I don’t know if it’s useful to answer an old subject, but I’ll give it a try.
So today I again have errors in my logs:
HTTP_REFERER: https://www.vue-360.com/stock/player.swf?xml=https://www.vue-360.com/stock/thionville/exposition/facebook.xml
REQUEST_URI: /stock/thionville/exposition/facebook.xml
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
And in my custom code I have:

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^(.*vue-360.com.*|.*facebook.com.*|.*guerlange.be.*|.*panophoto.org.*)
RewriteRule . - [S=1]
AITpro Admin (Keymaster)
Ok then try a skip/bypass rule for the /stock folder.
1. Copy this code to this Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# stock Flashplayer folder skip/bypass
RewriteCond %{REQUEST_URI} ^/stock/ [NC]
RewriteRule . - [S=13]

If that does not work then try one of the other 3rd Party Application fixes here:
http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress

Paulin Halenria (Participant)
Thanks, it worked!

AITpro Admin (Keymaster)
Great! Thanks for confirming that it worked.