WordPress.org
BulletProof Security
[resolved] Events Manager's TimThumbs are blocked (403 error) (14 posts)

  1. Daedalon
    Member
    Posted 1 year ago #

    In the latest dev version of Events Manager (5.3.6.6) there's a new and updated TimThumb to fix virtual directory issues.

    When using the secure root .htaccess file generated by BulletProof security 0.48, as soon as Events Manager is updated to latest dev 5.3.6.6, all TimThumb-generated images stop working. The same TimThumb URLs that returned an image now return a "403 Forbidden" error.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Post the timthumb error from your BPS Security Log.

  3. Daedalon
    Member
    Posted 1 year ago #

    >>>>>>>>>>> 403 GET or Other Request Error Logged - keskiviikko 27.3. - 21:29 <<<<<<<<<<<
    REMOTE_ADDR: [IP]
    Host Name: [DNS]
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/events-manager/includes/thumbnails/timthumb.php?src=http://[SITEROOT]/wp-content/uploads/2013/03/[filename].jpg&h=58&w=58
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    The Events Manager plugin coding/Request URI is simulating an RFI hacking attempt against your website. To whitelist this plugin do the steps below...

    Copy this .htaccess code (if your WordPress installation is in a subfolder then add your WordPress subfolder name in the path) to the BPS Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, click the secure.htaccess AutoMagic button and then activate BulletProof Mode for your Root folder.

    # Events Manager skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/events-manager/ [NC]
    RewriteRule . - [S=13]

    Example WordPress subfolder path name: MyWordPressFolderName

    # Events Manager skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/MyWordPressFolderName/wp-content/plugins/events-manager/ [NC]
    RewriteRule . - [S=13]

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Did this skip/bypass rule solve the issue? If so, please resolve this Thread. Thanks.

  6. Daedalon
    Member
    Posted 1 year ago #

    Thank you for the tip. The next moment we have to try it is next week after Easter. I'll report back then and resolve the thread if it works.

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok since this is going to take a while I will resolve the Thread now. Please post back whenever. I will still receive an email notification when you post again even though the Thread is resolved. Thanks.

  8. Daedalon
    Member
    Posted 1 year ago #

    We updated Events Manager from dev version 5.3.6.6 to stable 5.3.7 that includes the same TimThumb changes. Applied the fix in this thread with curious results.

    No more BPS error log messages, but the problem persisted. Using an empty .htaccess file didn't help either, so it seems that the fix works, but the problem has now moved further up. Doesn't seem to be a BPS issue at the moment.

  9. Marcus
    NetWebLogic Support
    Posted 1 year ago #

    Sorry for the false alarm @AITPro, but this may very well be a problem on our side after all. Thx for investigating regardless.

    I think this can be assumed resolved unless the next update (or dev version) doesn't improve the situation

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok keep me posted. Also this is a pretty standard coding practice above to retrieve timthumb thumbnail images so it is not any sort of coding issue/problem with Events Manager and is just a "what is what" thing. Each person would add whatever whitelisting rule they wanted to add for their particular website on a case by case basis.

  11. Daedalon
    Member
    Posted 1 year ago #

    Events Manager 5.3.7 has some custom fixes for TimThumb, which may be the cause. They're now investigating the issue on their end.

    Hopefully the end result ensures no whitelisting is required, so that the next version of EM and current BPS will co-operate out-of-the-box, like with previous EM versions.

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    It is a standard thing that timthumb thumbnailer scripts are blocked by BPS. This occurs pretty much in every single plugin or theme that uses a timthumb script. This is simply because of the method itself used to retrieve the images. There is nothing wrong about this standard image retrieval method and it just so happens that this method matches a standard RFI hacking method/pattern/rule.

    By whitelisting on a case by case basis you are not decreasing your website's security in any way since there are overlapping security rules/filters in BPS that protect against an external RFI hacking attempt.

    Example:

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php|tt\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*foo.com.*
    RewriteRule . - [S=1]

    So by whitelisting the Events Manager plugin folder for allowing Internal timthumb scripts to do what they need to do then you are still protected by the rule/filter above from External RFI hacking methods.
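    The following is an added example (not code from this thread, BulletProof Security or Events Manager) that translates the mod_rewrite conditions posted in #4 (the Events Manager skip/bypass rule) and #12 (the TIMTHUMB FORBID RFI rule and the referer-based thumbnailer skip) into Python regexes and evaluates constructed requests against them, so you can see which rule decides a given request before editing a live .htaccess. The hostname example.com stands in for [SITEROOT], the sample requests are constructed, and the rule order assumed in evaluate() (RFI filter checked before either skip rule) is an assumption, not something the thread states; the real BPS file contains further rules, including whatever the S=13 skips, that are not shown here.

```python
"""Model of the BulletProof Security .htaccess rules quoted in this thread.

Added example: the mod_rewrite conditions from posts #4 and #12 translated
into Python regexes (Apache uses PCRE; these patterns behave the same in
Python's re) and applied to constructed requests. Rule ordering is an
assumption, see evaluate().
"""
import re

# Post #4: Events Manager skip/bypass rule on REQUEST_URI, [NC] -> IGNORECASE.
EM_SKIP = re.compile(r"^/wp-content/plugins/events-manager/", re.IGNORECASE)

# Post #12: TIMTHUMB FORBID RFI rule. The same pattern is applied to
# QUERY_STRING and to THE_REQUEST (the raw request line).
_RFI = (r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?"
        r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|"
        r"imageshack|wordpress\.com|img\.youtube|tinypic\.com|"
        r"upload\.wikimedia|kkc|start-thegame).*$")
RFI_FILTER = re.compile(_RFI, re.IGNORECASE)

# Post #12: thumbnailer scripts are skipped past the next rule (S=1) when the
# referer is the site itself ("foo.com" on the page stands for your own host).
THUMB_SCRIPT = re.compile(
    r"(timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php|tt\.php)", re.IGNORECASE)


def evaluate(request_uri, query_string, referer, own_host):
    """Return a short label naming the rule that decided the request.

    Assumed order (not stated in the thread): the RFI filter runs before
    either skip rule, which is the reading under which the author's claim
    holds that whitelisting the Events Manager folder leaves the RFI
    filter in force.
    """
    the_request = (f"GET {request_uri}?{query_string} HTTP/1.1" if query_string
                   else f"GET {request_uri} HTTP/1.1")
    if RFI_FILTER.match(query_string) or RFI_FILTER.match(the_request):
        return "403: TIMTHUMB FORBID RFI rule"
    if EM_SKIP.match(request_uri):
        return "skip: Events Manager skip/bypass rule (S=13)"
    # The page's referer condition has no [NC], so it is case-sensitive; the
    # page leaves the dot unescaped, re.escape() here matches the host literally.
    own_site_referer = re.compile(r"^.*" + re.escape(own_host) + r".*")
    if THUMB_SCRIPT.search(request_uri) and own_site_referer.match(referer or ""):
        return "skip: thumbnailer with own-site referer (S=1)"
    return "fall-through: remaining BPS rules (not shown in the thread)"


OWN_HOST = "example.com"  # constructed stand-in for [SITEROOT]

# Constructed requests: (REQUEST_URI, QUERY_STRING, HTTP_REFERER or None).
SAMPLES = {
    # The request from the BPS log in post #3, with the placeholders filled in.
    "events_manager_internal": (
        "/wp-content/plugins/events-manager/includes/thumbnails/timthumb.php",
        "src=http://example.com/wp-content/uploads/2013/03/photo.jpg&h=58&w=58",
        "http://example.com/events/"),
    # Same whitelisted path, but the src points at a host on the RFI list.
    "events_manager_external_src": (
        "/wp-content/plugins/events-manager/includes/thumbnails/timthumb.php",
        "src=http://imgur.com/remote.jpg&h=58&w=58",
        None),
    # Another theme's timthumb, internal src, referer is the site itself.
    "other_thumb_own_referer": (
        "/wp-content/themes/some-theme/timthumb.php",
        "src=http://example.com/wp-content/uploads/photo.jpg",
        "http://example.com/"),
    # Same as above without a referer: neither skip rule applies.
    "other_thumb_no_referer": (
        "/wp-content/themes/some-theme/timthumb.php",
        "src=http://example.com/wp-content/uploads/photo.jpg",
        None),
    # URL-encoded scheme and slashes: the (%3A|:)(%2F|/) alternations catch it.
    "encoded_external_src": (
        "/wp-content/themes/some-theme/thumb.php",
        "src=http%3A%2F%2Fwww.photobucket.com%2Fimage.jpg",
        "http://example.com/"),
}


def run_samples():
    """Evaluate every constructed request; returns {name: decision}."""
    return {name: evaluate(*args, own_host=OWN_HOST) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:32s} -> {decision}")
```

Running it shows the point made in #12: the logged Events Manager request does not match the host list in the RFI filter and is let through by the skip rule, while the same Events Manager path with an external src on that list is still refused, as is the URL-encoded form. Because HTTP_REFERER is set by the client, the referer-based S=1 skip is a convenience for legitimate thumbnailers rather than a trust boundary; the protection the author points to is the overlapping RFI filter on the query string and request line, together with Events Manager not fetching external sources at all (#13). Check the real rule order and the S=13 count against your own generated .htaccess before relying on this model.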

  13. Marcus
    NetWebLogic Support
    Posted 1 year ago #

    fyi, we don't allow retrieval from external sites ;)

  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, that is now standard coding in all timthumb scripts and I assume you probably have added additional security measures. ;) Just wanted to explain the basics and reassure Daedalon or anyone else who sees this Thread. ;)
