BulletProof Security Pro forum: krpano Panorama Viewer – facebook open graph
This topic has 8 replies, 2 voices, and was last updated 10 years, 7 months ago by AITpro Admin.
Paulin Halenria (Participant)
Hello,
On my website, I use URLs like https://vue-360.com/stock/player.swf?xml=http://www.vue-360.com/stock/orval/abbaye/structure.xml
It generates a 403 from BPS Pro. I don’t have any idea where I have to allow this.
I’ve tried to add
RewriteCond %{REQUEST_URI} (stock\/player\.swf|player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
and also tried
RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
But I always got the 403 error.
The Firewall is not yet activated.
Thanks.
AITpro Admin (Keymaster)
Is this a plugin, or are you doing this directly with your own custom code and connecting to Facebook Open Graph?
Paulin Halenria (Participant)
It’s my own code.
In the logs I have this kind of record:
HTTP_REFERER: https://s-static.ak.facebook.com/common/referer_frame.php
REQUEST_URI: /stock/player.swf?xml=https://www.vue-360.com/stock/guerlange/eglise-autel/facebook.xml
The player.swf is the one from krpano.com.
AITpro Admin (Keymaster)
You will need to whitelist the Referer as well as the player.swf file, since this is simulating an RFI hacking attempt against your website.
1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*(vue-360.com|facebook.com).*
RewriteRule . - [S=1]
Paulin Halenria (Participant)
Great. It’s working. And by the way, I’ve just understood how to use the Custom Code section. Don’t need to remove the “HEAD” manually everywhere now.
Really great product.
Still have two questions, but will create two threads.
Paulin Halenria (Participant)
I don’t know if it’s useful to reply to an old topic, but I’ll give it a try.
So today I again have an error in my logs:
HTTP_REFERER: https://www.vue-360.com/stock/player.swf?xml=https://www.vue-360.com/stock/thionville/exposition/facebook.xml
REQUEST_URI: /stock/thionville/exposition/facebook.xml
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
And in my custom code I have:

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^(.*vue-360.com.*|.*facebook.com.*|.*guerlange.be.*|.*panophoto.org.*)
RewriteRule . - [S=1]
AITpro Admin (Keymaster)
Ok, then try a skip/bypass rule for the /stock folder.
1. Copy this code to this Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# stock Flashplayer folder skip/bypass
RewriteCond %{REQUEST_URI} ^/stock/ [NC]
RewriteRule . - [S=13]
If that does not work, then try one of the other 3rd Party Application fixes here:
http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress
Paulin Halenria (Participant)
Thanks, it worked!
AITpro Admin (Keymaster)
Great! Thanks for confirming that it worked.
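To see why the first whitelist (player.swf plus referer) did not cover the second logged request but the /stock/ folder skip did, here is an added Python emulation of the RewriteCond chains from this thread. It is not BPS code or anything posted above: it models mod_rewrite's AND-joined conditions, maps [NC] to re.I, and runs over constructed request records modelled on the two log entries.

```python
import re

# Constructed request records modelled on the two log entries quoted in the
# thread, expressed as the server variables mod_rewrite tests (not real logs).
REQUESTS = {
    "player_swf": {
        "REQUEST_URI": "/stock/player.swf",
        "QUERY_STRING": "xml=https://www.vue-360.com/stock/guerlange/eglise-autel/facebook.xml",
        "THE_REQUEST": "GET /stock/player.swf?xml=https://www.vue-360.com/stock/guerlange/eglise-autel/facebook.xml HTTP/1.1",
        "HTTP_REFERER": "https://s-static.ak.facebook.com/common/referer_frame.php",
    },
    "facebook_xml": {
        "REQUEST_URI": "/stock/thionville/exposition/facebook.xml",
        "QUERY_STRING": "",
        "THE_REQUEST": "GET /stock/thionville/exposition/facebook.xml HTTP/1.1",
        "HTTP_REFERER": "https://www.vue-360.com/stock/player.swf?xml=https://www.vue-360.com/stock/thionville/exposition/facebook.xml",
    },
}

# Host pattern shared by the two [OR]-joined RewriteConds of the RFI block rule.
RFI_HOSTS = (r"(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|"
             r"tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|"
             r"tinypic\.com|upload\.wikimedia|kkc|start-thegame)")

def rfi_rule_blocks(env):
    """True when 'RewriteRule .* index.php [F]' would fire: either [OR] condition matches."""
    return any(re.search(RFI_HOSTS, env.get(v, ""), re.I) for v in ("QUERY_STRING", "THE_REQUEST"))

# RewriteCond chains in front of the two 'RewriteRule . - [S=n]' skip rules.
# Consecutive conditions without [OR] are ANDed; [NC] -> re.I, no flag -> case-sensitive.
FILE_AND_REFERER_WHITELIST = [
    ("REQUEST_URI", r"(player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", re.I),
    ("HTTP_REFERER", r"^.*(vue-360.com|facebook.com).*", 0),
]
STOCK_FOLDER_WHITELIST = [("REQUEST_URI", r"^/stock/", re.I)]

def skip_taken(env, conds):
    """True when every RewriteCond matches, i.e. the [S=n] skip fires and the
    rules that follow it are bypassed for this request."""
    return all(re.search(pat, env.get(var, ""), flags) for var, pat, flags in conds)

if __name__ == "__main__":
    for name, env in REQUESTS.items():
        print(name, "rfi_blocked:", rfi_rule_blocks(env),
              "file+referer skip:", skip_taken(env, FILE_AND_REFERER_WHITELIST),
              "stock skip:", skip_taken(env, STOCK_FOLDER_WHITELIST))
```

The facebook.xml request has the krpano URL only in its Referer, but the first whitelist keys on REQUEST_URI, so its skip is never taken; the folder rule matches the path itself.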