krpano Panorama Viewer – facebook open graph

Home Forums BulletProof Security Pro krpano Panorama Viewer – facebook open graph

This topic contains 8 replies, has 2 voices, and was last updated by  AITpro Admin 6 years, 2 months ago.

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • #6725

    Paulin Halenria
    Participant

    Hello,

    On my website, I use to have URL like https: //vue-360.com/stock/player.swf?xml=http://www.vue-360.com/stock/orval/abbaye/structure.xml

    It generates a 403 from bps pro. I don’t have any idea where I have to allow this.
    I’ve tried to add

    RewriteCond %{REQUEST_URI} (stock\/player\.swf|player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

    and also tried

    RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

    But always got the 403 error
    The Firewall is not yet activated.
    Thanks.

    #6731

    AITpro Admin
    Keymaster

    Is this a plugin or are you doing this directly with your own custom code and connecting to facebook open graph?

    #6732

    Paulin Halenria
    Participant

    It’s my own code.

    In the logs I have this kind of records

    HTTP_REFERER: https: //s-static.ak.facebook.com/common/referer_frame.php
    REQUEST_URI: /stock/player.swf?xml=https://www.vue-360.com/stock/guerlange/eglise-autel/facebook.xml

    The player.swf is the one from krpano.com

     

    #6736

    AITpro Admin
    Keymaster

    You will need to whitelist the Referer as well as the player.swf file since this is simulating an RFI hacking attempt against your website.

    1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*(vue-360.com|facebook.com).*
    RewriteRule . - [S=1]
    #6759

    Paulin Halenria
    Participant

    Great. It’s working. And by the way, I’ve just understood how to use the Custom Code section.  Don’t need to remove the “HEAD” manually everywhere now.

    Really great product.

    Still have two questions, but will create two threads.

    #9736

    Paulin Halenria
    Participant

    I don’t know if it’s useful to answer to an old subject but I’ll give a try.

    So, today, I have again error in my logs

    HTTP_REFERER: https: //www.vue-360.com/stock/player.swf?xml=https: //www.vue-360.com/stock/thionville/exposition/facebook.xml
    REQUEST_URI: /stock/thionville/exposition/facebook.xml
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

    And in my custom code I have

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^(.*vue-360.com.*|.*facebook.com.*|.*guerlange.be.*|.*panophoto.org.*)
    RewriteRule . - [S=1]
    #9738

    AITpro Admin
    Keymaster

    Ok then try a skip/bypass rule for the /stock folder.

    1. Copy this code to this Custom Code text box:  CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # stock Flashplayer folder skip/bypass
    RewriteCond %{REQUEST_URI} ^/stock/ [NC]
    RewriteRule . - [S=13]

    If that does not work then try one of the other 3rd Party Application fixes here
    http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress

    #9747

    Paulin Halenria
    Participant

    Thanks it worked !

    #9750

    AITpro Admin
    Keymaster

    Great!  Thanks for confirming that it worked.

Viewing 9 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.