iThemes Security (formerly Better WP Security)
[resolved] Filter Suspicious Query Strings blocks timthumb images (8 posts)

  1. Ksaveras
    Member
    Posted 1 year ago #

    Using 3.4.7 plugin version.
    When Filter Suspicious Query Strings is enabled, it blocks images that are generated by timthumb.
    URL example:

    /wp-content/themes/echelon/lib/scripts/timthumb/thumb.php?src=http://mydomainisnotimportant.tld/wp-content/uploads/2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100

    I get 403 - Forbidden

    Please add a rule to pass links that are used in themes and check whether the timthumb link contains the same domain as defined in WP: pass when the image link is my site link and forbid when the link is not my site link:

    This should be OK:

    /wp-content/themes/echelon/lib/scripts/timthumb/thumb.php?src=http://mydomain.tld/wp-content/uploads/2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100

    BLOCK this:

    /wp-content/themes/echelon/lib/scripts/timthumb/thumb.php?src=http://hackersdomainoranother.tld/wp-content/uploads/2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100

    http://wordpress.org/extend/plugins/better-wp-security/

  2. Ksaveras
    Member
    Posted 1 year ago #

    something like this:

    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*mysite.tld.*

  3. You should turn off "filter suspicious query string" if you intend to use timthumb. I will not correct this in the plugin due to the number of sites I still fix that were compromised via timthumb. This is definitely one of those features that might need to be turned off in some sites.

  4. alex.paris
    Member
    Posted 1 year ago #

    Isn't there a way to disable this just for thumb.php, like in htaccess? For example, to allow requests from img.youtube.com or other custom sites?

  5. Okoth1
    Member
    Posted 1 year ago #

    Of course there is. Remove from htaccess

    RewriteCond %{QUERY_STRING} http\: [NC,OR]

  6. alex.paris
    Member
    Posted 1 year ago #

    That's awesome. Now... will this conflict with the plugin?

  7. Okoth1
    Member
    Posted 1 year ago #

    No, it doesn't conflict with the plugin, but the disadvantage is that you have to remind yourself to remove this line every time you update the plugin. I just found out myself that I forgot, so visitors' time on site dropped.

  8. Jesús Franco
    Member
    Posted 1 year ago #

    Thanks for sharing your tips, Okoth1 and Ksaveras. I've not deleted the whole rule filtering QUERY STRINGS starting with http, but only those not pulled by the timthumb script specific to the theme I'm using. For best reference, I've used this:

    <IfModule mod_rewrite.c>
    RewriteEngine On

    # Forbid when the query string is a URL to an image under this site's uploads
    # AND the script being requested is not the theme's own timthumb.php
    RewriteCond %{QUERY_STRING} ^http\://(www\.)?example\.com/wp-content/uploads/(.*)(jpe?g|png|tiff?) [NC]
    RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-content/themes/MYTHEME/timthumb.php
    RewriteRule ^(.*)$ - [F,L]
    # We use only http protocol, thus blocking anything starting w/https
    RewriteCond %{QUERY_STRING} ^https\: [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>

    I'm trying to limit this way the vulnerabilities introduced by timthumb, and understanding how to allow specific plugins/themes still working, without disabling entirely features offered by Better WP Security.
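The following is an added example, not code from this thread or from the iThemes Security plugin. It models in Python what the two approaches discussed above do, so the behaviour can be checked offline against the URLs from the first post: `blanket_filter_blocks` mirrors the plugin's unanchored `RewriteCond %{QUERY_STRING} http\: [NC]` condition Okoth1 quoted, and `same_domain_filter_blocks` implements the same-domain allow that Ksaveras asked for (and that Jesús Franco's rules approximate): a URL in the query string is tolerated only on the theme's timthumb script and only when every `src=` value points at an image under this site's own uploads. `SITE_HOST`, `TIMTHUMB_PATH` and the function names are assumptions taken from the thread, not plugin settings.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed values taken from the thread (assumptions, not plugin settings).
SITE_HOST = "mydomain.tld"
TIMTHUMB_PATH = "/wp-content/themes/echelon/lib/scripts/timthumb/thumb.php"
UPLOADS_PREFIX = "/wp-content/uploads/"
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")

# Unanchored, case-insensitive, like the plugin's `http\: [NC]` condition.
PLUGIN_PATTERN = re.compile(r"http:", re.IGNORECASE)
# The replacement also treats https: as a URL in the query string.
URL_PATTERN = re.compile(r"https?:", re.IGNORECASE)


def blanket_filter_blocks(request_uri: str) -> bool:
    """The plugin's rule: any 'http:' anywhere in the query string is forbidden."""
    return bool(PLUGIN_PATTERN.search(urlparse(request_uri).query))


def same_domain_filter_blocks(request_uri: str) -> bool:
    """Forbid a URL in the query string unless the request is for the theme's
    timthumb script and every src= value is an image on SITE_HOST's uploads."""
    parsed = urlparse(request_uri)
    query = parsed.query
    if not URL_PATTERN.search(query):
        return False  # no URL in the query string, nothing to filter
    if parsed.path != TIMTHUMB_PATH:
        return True  # a URL in the query string of any other script stays blocked
    srcs = parse_qs(query, keep_blank_values=True).get("src", [])
    if not srcs:
        return True  # URL present but not in src=, e.g. hidden in another parameter
    for src in srcs:
        target = urlparse(src)
        if target.scheme.lower() not in ("http", "https"):
            return True
        # Compare the parsed hostname, not a string prefix: a prefix check would
        # accept http://mydomain.tld@other.tld/ or http://mydomain.tld.other.tld/.
        if (target.hostname or "").lower() != SITE_HOST:
            return True
        if not target.path.startswith(UPLOADS_PREFIX):
            return True
        if not target.path.lower().endswith(IMAGE_SUFFIXES):
            return True
    return False


def compare(request_uri: str) -> dict:
    """Return both verdicts for one request so the two rules can be read side by side."""
    return {
        "uri": request_uri,
        "plugin_rule_blocks": blanket_filter_blocks(request_uri),
        "same_domain_rule_blocks": same_domain_filter_blocks(request_uri),
    }


if __name__ == "__main__":
    # Constructed sample requests: the OK/BLOCK pair from the first post plus edge cases.
    samples = [
        TIMTHUMB_PATH + "?src=http://mydomain.tld/wp-content/uploads/2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100",
        TIMTHUMB_PATH + "?src=http://hackersdomainoranother.tld/wp-content/uploads/2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100",
        TIMTHUMB_PATH + "?src=http://mydomain.tld@hackersdomainoranother.tld/wp-content/uploads/x.jpg",
        "/index.php?u=http://mydomain.tld/wp-content/uploads/x.jpg",
        "/wp-content/uploads/2013/01/it-solutions.jpg",
    ]
    for verdict in map(compare, samples):
        print(verdict)
```

The first sample is the one the thread reports as a false positive: the plugin's rule forbids it because `http:` appears in the query string, while the same-domain rule lets it through and still forbids the foreign-domain request, the userinfo trick, and a URL smuggled into any other script's query string.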
