BulletProof Security
[resolved] Juicebox and BPS - 403 error (29 posts)

  1. Skippy
    Member
    Posted 1 year ago #

    BPS and Juicebox don't seem to be playing nice. I have posted on this at the Juicebox support site and now I'm over here. That thread is at this link:

    http://juicebox.net/forum/viewtopic.php?pid=1597#p1597

    Here's what's up:

    On the edit post page, when I click on the icon to insert a Juicebox gallery a box opens and instead of the Juicebox controls I get:

    When leaving http://204eastsouth.com/skippy/wp-admin/post.php?post=3739&action=edit
    and trying to find /skippy/wp-content/plugins/wp-juicebox/jb-config.php?
    from the IP address: 184.96.163.52
    running Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 AlexaToolbar/alxf-2.17
    you stumbled upon a 403 error.

    Here is my current htaccess:

    [240 line .htaccess file moderated. Please use the pastebin]

    How does one make JB & BPS play nice? Thanks.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    ok it looks like juicebox is a remote posting type of software and the error message indicates that you need to allow the post.php file to do remote posting so try this skip/bypass rule.

    1. Go to the BPS Edit/Upload/Download page.
    2. Click on the "Your Current wp-admin htaccess File" tab.
    3. Scroll down in that .htaccess file until you see this code...

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php) [NC]
    RewriteRule . - [S=1]
    
    ...and add the post.php file name to the skip/bypass rule after press-this\.php file name as shown below.
    
    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php|post\.php) [NC]
    RewriteRule . - [S=1]

  3. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    If the above skip/bypass does not solve the issue then you may also need to add this skip/bypass rule in your root .htaccess file, which would go directly above skip/bypass rule #12.

    # Juicebox skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-juicebox/ [NC]
    RewriteRule . - [S=13]

    Or maybe just allowing the jb-config.php file to be called remotely would take care of the issue as shown below in the Miscellaneous remote file security filter. You would need to allow the juicebox site or any additional sites remote access to this file as shown below.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (jb-config\.php\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteRule . - [S=1]

  4. Skippy
    Member
    Posted 1 year ago #

    None of that worked.

    I don't have

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php) [NC]
    RewriteRule . - [S=1]

    So I added that code where I thought it should go.

    Here is my .htaccess file as of now. Possibly I have things in the wrong place. My htaccess knowledge is limited.:

    <script src="http://pastebin.com/embed_js.php?i=6FdjukbZ"></script>

  5. Skippy
    Member
    Posted 1 year ago #

    And I don't know how to use pastebin so I'll try again.

    http://pastebin.com/6FdjukbZ

  6. Skippy
    Member
    Posted 1 year ago #

    And just to check. After changing the .htaccess file, I am reloading the edit post page for testing. Is that sufficient? Do I need to log out then back in or anything like that?

    Thanks -Skippy

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Are you looking at the right .htaccess file?

    The wp-admin .htaccess is the one you want to look at for the first fix i posted above and not your root .htaccess file.

    1. Go to the BPS Edit/Upload/Download page.
    2. Click on the "Your Current wp-admin htaccess File" tab.
    3. Scroll down in that .htaccess file until you see this code...

    And no you do not need to do anything besides just adding the .htaccess code. The change will be instantaneous.

    I just looked at your pastebin code and you have added the code to your root .htaccess file so delete that code and then you want to edit your wp-admin .htaccess file and try the first fix i posted.

    Also you literally copy and pasted the example i gave you. What you want to do is actually put your real information here and then you want to remove the # signs because those mean that the line of code is commented out, not in effect, not active.

    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*

    Example:
    Your actual website domain is this....

    RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.*

    ...and then any other website domains that you want to allow to access your website files remotely you would add their domain name. When you have more than one site besides your own that you want to allow remote access to files you need to use the [OR] flag. This says allow websiteA OR websiteB OR websiteC. And the last website would not have an [OR] flag because there are no more "or" conditions since it is the last one/condition.

    RewriteCond %{HTTP_REFERER} ^.*websiteA.com.* [OR]
    RewriteCond %{HTTP_REFERER} ^.*websiteB.com.* [OR]
    RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.*

    And just an FYI for anyone who is wondering or curious about not using an [OR] flag. When you do not use [OR] then an "and" condition is implied/assumed.

    Example:
    conditionA "and"
    conditionB "and"
    conditionC "and"
    ...then do something here if all the conditions match...

  8. Skippy
    Member
    Posted 1 year ago #

    Yes, apparently my ability to follow directions was impaired yesterday.

    Ok, I did add the first bit of code to the wp-admin .htaccess file.

    The second code to the root .htaccess.

    Those did not fix it.

    I then added the third bit of code like thus:

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (jb-config\.php\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteRule . - [S=1]

    To both .htaccess files (one at a time, not both files at once, as I wasn't clear which you wanted me to put that in) and that just broke BPS plugin.

    Thanks for your assistance and your patience with my screw-ups. It's been a long week already. :)

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep have those days too. ;)

    Ok I see a mistake in the code you posted above. Add a # sign in front of the code as shown below to comment out that line of code.

    ...
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.* [OR]
    ...

    The only code that would be modified in the wp-admin .htaccess file would be this code shown below. Even though the root and the wp-admin .htaccess files look similar they are completely different in what code you can and cannot add to them. The root .htaccess file allows you to add pretty much any .htaccess code to it that you want. The wp-admin .htaccess file is very restrictive on what code you can add to it because the /wp-admin folder is protected with authentication - your login and also you would not want to add any rewriting coding in your /wp-admin .htaccess file. ;)

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php|post\.php) [NC]
    RewriteRule . - [S=1]

    Does Juicebox have a WordPress plugin that i can download and test?

    Oh this also needs to be corrected. You have the example code commented out. You would need to actually enter real information here - the domain name that you want to allow and then uncomment that line of code by removing the # sign

    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*

    Example:

    RewriteCond %{HTTP_REFERER} ^.*Add-the-domain-name-for-juicebox-here.com.*

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also another alternative is to choose to not have this additional website security protection that protects your website against remote file hacking, Remote posting, RFI attacks, etc.

    You would simply just use AutoMagic to create new .htaccess files and activate all BulletProof Modes and then just comment out the 1 line of code in your root .htaccess file shown below by adding a # sign in front of it. Obviously i do not recommend this, but that choice is entirely up to you. ;)

    # RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.*

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    @Skippy - i am having Steven look at this thread from the Juicebox Forum so this info below is for Steven to look at. Thanks.

    @Steven - Actually i am thinking that a better approach would be to add a Whitelist skip/bypass rule. Something like this below. What i would need to know is a constant that will not change such as an IP address to Whitelist or a URI or domain, etc. Once i have that constant or set of conditions then i can create a working Whitelist skip/bypass rule.

    # Whitelist Juicebox skip/bypass
    RewriteCond %{REMOTE_ADDR} ^xxx.xx.xx.xx
    RewriteRule . - [S=13]
    
    ...or maybe...
    
    # Whitelist Juicebox skip/bypass
    RewriteCond %{HTTP_REFERER} ^.*juicebox.com.*
    RewriteRule . - [S=13]
    
    ...or maybe using a URI condition...

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Wow went way too deep on this one. LOL

    Steven at Juicebox has created this skip/bypass rule and tested it and confirmed that a typical plugin skip/bypass rule works fine.

    # Juicebox skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-juicebox/ [NC]
    RewriteRule . - [S=13]

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    @Skippy - please add the working Juicebox skip/bypass rule and resolve this thread. Thanks.

  14. Skippy
    Member
    Posted 1 year ago #

    I hate to break this to ya, but it doesn't work. I've tested it on 2 different sites running BPS.

    The other site tells me

    You don't have permission to access /wp-content/plugins/wp-juicebox/jb-config.php on this server.
    
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    and the main site says

    When leaving http://204eastsouth.com/skippy/wp-admin/post.php?post=3739&action=edit
    and trying to find /skippy/wp-content/plugins/wp-juicebox/jb-config.php?
    from the IP address: 174.16.48.85
    running Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 AlexaToolbar/alxf-2.17
    you stumbled upon a 403 error.

    On both sites if I create a default .htaccess file then activate "default mode WP Default htaccess file" then Juicebox works fine.

    If I create a secure htaccess file then activate BulletProof Mode then add the code above to the current root htaccess file it doesn't work.

  15. Skippy
    Member
    Posted 1 year ago #

    Regarding your earlier post, yes Juicebox does have a WordPress plugin. If you haven't found it already it's here:

    http://www.juicebox.net/support/wp-juicebox/

  16. Skippy
    Member
    Posted 1 year ago #

    Hold the press. The code Steven posted on the Juicebox support forum works.

    # Juicebox skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/skippy/wp-content/plugins/wp-juicebox/ [NC]
    RewriteRule . - [S=13]

    Does the trick.

    The only difference I see is the "^/skippy/" but that seems to be critical.

    However, the same trick does not seem to work on the other website. Go figure . . . ? The only difference is that on my main site WordPress is in a sub-directory. On the other site WordPress is installed in the top level directory.

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Request URI is equal to file path so you just need to enter the correct file path for each site. If you look at all the other standard plugin skip/bypass rules in your root .htaccess files for each site you will see the correct file path to use.

  18. bucephale4x4
    Member
    Posted 1 year ago #

    Hi Member,

    I have installed BulletProof Security, and this has blocked Simpleviewer. As I wanted to skip to Juicebox-Lite, I installed it and get the same error when trying to insert a gallery. I have tried to fix it with this post but it is not working.
    Any help, please; consider that I am French and not a web developer!

    You don't have permission to access /wp-content/plugins/wp-juicebox/jb-config.php on this server.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

  19. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Juicebox is a separate codebase to Simpleviewer with a different design and feature set. The error appears to be wp-juicebox and not a simpleviewer file path.

    Add this skip/bypass rule to BPS Custom Code - CUSTOM CODE PLUGIN FIXES: Add ONLY personal plugin fixes code here - text box, click Save Root Custom Code button, click the AutoMagic buttons and activate Root folder BulletProof Mode again.

    # Juicebox skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-juicebox/ [NC]
    RewriteRule . - [S=13]

  20. bucephale4x4
    Member
    Posted 1 year ago #

    Thanks, Member.
    But where are the AutoMagic buttons!

  21. bucephale4x4
    Member
    Posted 1 year ago #

    Ok I have done all the procedure carefully. Without result. I still have same error:

    You don't have permission to access /wp-content/plugins/wp-juicebox/jb-config.php on this server.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
    ??? What's more?

  22. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Next check to make sure this issue/problem is related to BPS and also check your BPS Security Log.

    1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
    2. Activate Default Mode on the Security Modes page.
    3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
    4. Test your plugin or theme. Is the issue/problem still occurring at this point?
    5. Restore your .htaccess files using BulletProof Security built-in Restore.

    If you see an error directly related to Juicebox in your BPS Security Log then post that error here.

  23. bucephale4x4
    Member
    Posted 1 year ago #

    Done 1 to 4. In the test JuiceBox works perfectly. Done 5: the error comes back, same as previous.

    BPS SECURITY / HTTP ERROR LOG
    ==============================
    ==============================

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 7 avril 2013 - 4:18 <<<<<<<<<<<
    REMOTE_ADDR: 190.141.228.145
    Host Name: 190.141.228.145
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: parez.fr/
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0

  24. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    This error does not appear to be related to Juicebox since juicebox is not in the Request URI log entry.

    Go to the BPS Edit/Upload/Download page, click on Your Current Root htaccess File tab, scroll down in the file contents/code until you see this section of code in your Root .htaccess file...

    # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
    # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
    # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.

    Do you see the Juicebox skip/bypass rule directly below this code above?

    You should see this...

    # Juicebox skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-juicebox/ [NC]
    RewriteRule . - [S=13]

  25. bucephale4x4
    Member
    Posted 1 year ago #

    I see it in the current Root .htaccess file, but not in the same place:

    # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
    # END WordPress
    # This removes all of the BPS security code and replaces it with just the default WP htaccess code
    # To restore this file use BPS Restore or activate BulletProof Mode for your Root folder again.

    # CUSTOM CODE BOTTOM - Your Custom .htaccess code will be created here with AutoMagic
    # Juicebox skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-juicebox/ [NC]
    RewriteRule . - [S=13]

    # BLOCK HOTLINKING TO IMAGES

  26. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok then the issue/problem is that you need to cut the Juicebox custom code from the - CUSTOM CODE BOTTOM - Your Custom .htaccess code will be created here with AutoMagic - text box and paste it into the - CUSTOM CODE PLUGIN FIXES: Add ONLY personal plugin fixes code here - text box, click Save Root Custom Code button, click the AutoMagic buttons and activate Root folder BulletProof Mode again.
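
A small Python model of the mod_rewrite behaviour this thread turns on, added here as an illustration and not code from BPS, Juicebox, or any poster: `[S=N]` skips, the `REQUEST_URI` prefix on a subdirectory install (posts 16-17), rule placement relative to the filters (posts 24-26), and `[OR]` chaining (posts 7-9). The function names, the `some-other-plugin` skip rule, and the stand-in filter are assumptions constructed for the example; the RFI pattern is shortened from the one quoted in the thread.

```python
import re

def conds_hold(conds, env):
    """RewriteConds are ANDed; a cond flagged OR is OR-ed with the one after it."""
    result, group = True, False
    for var, pattern, flags in conds:
        hit = re.search(pattern, env.get(var, ""), re.I if "NC" in flags else 0)
        group = group or hit is not None
        if "OR" not in flags:              # this cond closes the current OR group
            result, group = result and group, False
    return result

def evaluate(rules, env):
    """Walk rules in file order: 'F' forbids, an int N models [S=N]."""
    i = 0
    while i < len(rules):
        conds, action = rules[i]
        i += 1
        if conds_hold(conds, env):
            if action == "F":
                return 403
            i += action                    # skip the next N rules
    return 200

def skip_rule(prefix, n):
    return ([("REQUEST_URI", "^" + re.escape(prefix), {"NC"})], n)

# Constructed stand-ins (not BPS's real rules): one other skip rule, one filter.
OTHER_PLUGIN = skip_rule("/wp-content/plugins/some-other-plugin/", 1)
FILTER = ([("REQUEST_URI", r"/wp-content/plugins/.*\.php$", {"NC"})], "F")

def ruleset(juicebox_prefix, at_bottom=False):
    jb = skip_rule(juicebox_prefix, 2)     # S=2 jumps over OTHER_PLUGIN and FILTER
    return [OTHER_PLUGIN, FILTER, jb] if at_bottom else [jb, OTHER_PLUGIN, FILTER]

JB = "/wp-content/plugins/wp-juicebox/"
ROOT_REQ = {"REQUEST_URI": JB + "jb-config.php"}                # WordPress in docroot
SUBDIR_REQ = {"REQUEST_URI": "/skippy" + JB + "jb-config.php"}  # WordPress in /skippy/

# Post 8's edit: own-site Referer cond with [OR] placed above the RFI conds.
RFI = r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)"   # shortened from the thread's pattern
REFERER_OR = ("HTTP_REFERER", r"^.*204eastsouth.com.*", {"OR"})
RFI_CONDS = [("QUERY_STRING", RFI, {"NC", "OR"}), ("THE_REQUEST", RFI, {"NC"})]
ADMIN_CLICK = {"HTTP_REFERER": "http://204eastsouth.com/skippy/wp-admin/",  # constructed
               "QUERY_STRING": "", "THE_REQUEST": "GET /skippy/wp-admin/ HTTP/1.1"}

if __name__ == "__main__":
    print(evaluate(ruleset(JB), ROOT_REQ))                  # rule above the filters
    print(evaluate(ruleset(JB), SUBDIR_REQ))                # prefix lacks /skippy
    print(evaluate(ruleset("/skippy" + JB), SUBDIR_REQ))    # prefix matches install path
    print(evaluate(ruleset(JB, at_bottom=True), ROOT_REQ))  # rule below the filters
    print(evaluate([([REFERER_OR] + RFI_CONDS, "F")], ADMIN_CLICK))  # Referer OR-ed in
    print(evaluate([(RFI_CONDS, "F")], ADMIN_CLICK))        # Referer line commented out
```

In the model, a skip rule only helps when its prefix matches the full request path and it sits above the rules it is meant to jump over; an own-site Referer condition OR-ed into the forbid rule turns every click from the site's own pages into a 403.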

  27. bucephale4x4
    Member
    Posted 1 year ago #

    All done...
    GREAT , YOU did it. The JuiceBox setting is on.

    I am going to publish a gallery.
    Thanks a lot.
    If you have any more advice, I will wait for your answer before closing the post.

  28. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    BPS will no longer block any Juicebox scripts since you have created that skip/bypass rule for Juicebox so that is now permanently "fixed". Thanks.

  29. bucephale4x4
    Member
    Posted 1 year ago #

    and post closed.

    Thanks for all.

Topic Closed

This topic has been closed to new replies.
