krpano Panorama Viewer – facebook open graph

[Paulin Halenria]

Hello,

On my website, I use to have URL like https: //vue-360.com/stock/player.swf?xml=http://www.vue-360.com/stock/orval/abbaye/structure.xml

It generates a 403 from bps pro. I don’t have any idea where I have to allow this.
I’ve tried to add

RewriteCond %{REQUEST_URI} (stock\/player\.swf|player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

and also tried

RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

But always got the 403 error
The Firewall is not yet activated.
Thanks.

[AITpro Admin]

Is this a plugin or are you doing this directly with your own custom code and connecting to facebook open graph?

[Paulin Halenria]

It’s my own code.

In the logs I have this kind of records

HTTP_REFERER: https: //s-static.ak.facebook.com/common/referer_frame.php
REQUEST_URI: /stock/player.swf?xml=https://www.vue-360.com/stock/guerlange/eglise-autel/facebook.xml

The player.swf is the one from krpano.com

 

[AITpro Admin]

You will need to whitelist the Referer as well as the player.swf file since this is simulating an RFI hacking attempt against your website.

1. Copy the modified TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
# 
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*(vue-360.com|facebook.com).*
RewriteRule . - [S=1]

[Paulin Halenria]

Great. It’s working. And by the way, I’ve just understood how to use the Custom Code section.  Don’t need to remove the “HEAD” manually everywhere now.

Really great product.

Still have two questions, but will create two threads.

[Paulin Halenria]

I don’t know if it’s useful to answer to an old subject but I’ll give a try.

So, today, I have again error in my logs

HTTP_REFERER: https: //www.vue-360.com/stock/player.swf?xml=https: //www.vue-360.com/stock/thionville/exposition/facebook.xml
REQUEST_URI: /stock/thionville/exposition/facebook.xml
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

And in my custom code I have

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
# 
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (player\.swf|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^(.*vue-360.com.*|.*facebook.com.*|.*guerlange.be.*|.*panophoto.org.*)
RewriteRule . - [S=1]

[AITpro Admin]

Ok then try a skip/bypass rule for the /stock folder.

1. Copy this code to this Custom Code text box:  CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# stock Flashplayer folder skip/bypass
RewriteCond %{REQUEST_URI} ^/stock/ [NC]
RewriteRule . - [S=13]

If that does not work then try one of the other 3rd Party Application fixes here
http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress

[Paulin Halenria]

Thanks it worked !

[AITpro Admin]

Great!  Thanks for confirming that it worked.

[Author]

Posts