
BulletProof Security
[resolved] IMPORTANT PERMANENT CHANGE TO BPS!!! (6 posts)

  1. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    BPS .46.5 is forbidding thumbnailer scripts by default. To allow thumbnailer scripts on your website see the root .htaccess file for instructions on allowing thumbnailer scripts on your website. If your Theme or any of your Plugins are using a Thumbnailer script such as TimThumb, phpThumb, Thumb or variations of these thumbnailer scripts then you should check (ask the author, creator or Google it) and make sure that you have a recently patched version of the thumbnailer script that you are using. A Zero Day Vulnerability exists in older versions of these thumbnailer scripts and your website will get hacked if you are using an older version of a thumbnailer script. Thumbnailer scripts are automatically seen by BPS as a threat, exploit or vulnerability because of the general nature of these scripts.

    Problem: Images are no longer displaying after upgrading BPS.

    Solution: BPS is no longer allowing thumbnailer scripts to display images by default. The reason for this is that if you do not have a patched or current version of the timthumb.php thumbnailer script then your website WILL DEFINITELY GET HACKED. Once you are sure that your thumbnailer scripts are current versions of timthumb.php or any other thumbnailer scripts (thumbs.php, thumb.php or phpThumb.php) that are being used in your Theme or Plugins, then open your Currently Active Root .htaccess file in the BPS File Editor and change this rule from Forbidden to a Skip rule. See below. This is a permanent change and all future versions of BPS will automatically block thumbnailer scripts. We apologize for this inconvenience, but we would rather hear complaints about having to do this extra step than hear that your website has been hacked because you did not patch or replace your thumbnailer scripts. Thank you.

    # ALLOW THUMBNAILER SCRIPTS TO DISPLAY IMAGES
    # By default BPS is forbidding requests for these thumbnailer script filenames
    # This will Log lots of hacking attempts on your website in your BPS Pro Error Log
    # If you are using one of these thumbnailer scripts on your website and you want to allow
    # your thumbnailer script images to display then change [F,L] to [S=1]
    # Make sure that you have a security patched version or recent versions of these scripts
    # before changing [F,L] to [S=1] and allowing these files to be requested on your website
    # If you delete or remove the RewriteRule below you will need to change the above skip rules
    # Example: RewriteRule S=2 above will need to be changed to S=1, change S=3 to S=2, etc.
    # The four conditions below are unanchored, case-insensitive ([NC]) regex matches on the
    # requested file system path, chained with [OR]; the rule then returns 403 Forbidden ([F,L]).
    RewriteCond %{REQUEST_FILENAME} thumb.php [NC,OR]
    RewriteCond %{REQUEST_FILENAME} thumbs.php [NC,OR]
    RewriteCond %{REQUEST_FILENAME} timthumb.php [NC,OR]
    RewriteCond %{REQUEST_FILENAME} phpthumb.php [NC]
    RewriteRule . - [F,L]

    http://wordpress.org/extend/plugins/bulletproof-security/
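    The following script is an added illustration for site administrators working through the post above; it is not part of BulletProof Security or the original thread. It mirrors the four RewriteCond patterns exactly as Apache evaluates them (unanchored regular expressions, case-insensitive because of [NC]) so you can see which request paths the rule forbids and which it would skip after changing [F,L] to [S=1], and it walks a WordPress install to list every file the rule would block together with the version that file declares. The version lookup assumes a TimThumb-style `define('VERSION', '...')` line; scripts that declare their version differently are reported as "unknown" and still need a manual check. Sample request paths and the PHP snippet in the demo are constructed.

```python
import os
import re
import sys
from typing import List, Optional, Tuple

# The four RewriteCond patterns from the BPS root .htaccess rule, copied verbatim and
# compiled the way Apache treats them: unanchored regexes, case-insensitive ([NC]).
THUMBNAILER_PATTERNS = [
    re.compile(pattern, re.IGNORECASE)
    for pattern in ("thumb.php", "thumbs.php", "timthumb.php", "phpthumb.php")
]

# Assumption: TimThumb-style scripts declare their version as define('VERSION', 'x.y.z').
VERSION_DEFINE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)", re.IGNORECASE
)


def matches_thumbnailer_rule(request_filename: str) -> bool:
    """True when the [OR]-chained RewriteCond block would match this file system path."""
    return any(p.search(request_filename) for p in THUMBNAILER_PATTERNS)


def rewrite_decision(request_filename: str, allow_thumbnailers: bool = False) -> str:
    """Mirror the two configurations of the RewriteRule.

    Default [F,L]: a matching request is answered 403 Forbidden.
    After the change to [S=1]: a matching request skips the next rule and is served.
    Requests that match none of the conditions are never touched by this rule.
    """
    if not matches_thumbnailer_rule(request_filename):
        return "pass"
    return "skip" if allow_thumbnailers else "forbidden"


def extract_version(php_source: str) -> Optional[str]:
    """Return the VERSION define from a thumbnailer script, or None if it has none."""
    match = VERSION_DEFINE.search(php_source)
    return match.group(1) if match else None


def scan_for_thumbnailers(root: str) -> List[Tuple[str, Optional[str]]]:
    """Walk a WordPress tree and report (relative path, version) for every file the rule blocks."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not matches_thumbnailer_rule(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    version = extract_version(fh.read())
            except OSError:
                version = None
            findings.append((os.path.relpath(path, root), version))
    return findings


if __name__ == "__main__":
    # Constructed sample requests: which ones does the BPS rule block?
    for path in (
        "/var/www/html/wp-content/themes/example/timthumb.php",
        "/var/www/html/wp-content/plugins/example/PhpThumb.PHP",
        "/var/www/html/wp-content/uploads/2012/photo.jpg",
    ):
        print(f"{rewrite_decision(path):9s} {rewrite_decision(path, True):5s} {path}")

    # Constructed PHP snippet standing in for a real script header.
    print("version:", extract_version("<?php\ndefine ('VERSION', '2.8.14');\n"))

    # Optional: pass a WordPress document root to list the scripts the rule will block.
    if len(sys.argv) > 1:
        for rel_path, version in scan_for_thumbnailers(sys.argv[1]):
            print(f"{rel_path}: version {version or 'unknown'}")
```

Run it with your WordPress document root as the only argument before editing the .htaccess file: every path it prints is a script the default rule is forbidding, and anything reported as "unknown" should be compared by hand against the current release from its author before you change [F,L] to [S=1].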

  2. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Bumping this up to the top post by resaving.

  3. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Bumping this up to the top post by resaving.

  4. Mark (podz)
    Support Maven
    Posted 2 years ago #

    It would be more useful to:

    1. Link people directly to the new TimThumb code page
    2. To mention this in your plugins changelog
    3. To mention this in an Update to your plugin so people can see it in their blog admin.

    Please do not bump. If everyone did the place would be a mess :)

  5. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    I just get tired of answering the same question over and over and over again. ;) Yep I've got that info everywhere I think folks will "land", but yeah you are right about providing a link so here it is >>> http://www.ait-pro.com/aitpro-blog/3362/wordpress-tips-tricks-fixes/timthumb-hack-timthumb-finder-timthumb-remover-timthumb-cleaner-timthumb-exploit/

    Thank you,
    Ed

  6. Samara
    Member
    Posted 2 years ago #

    Thanks for this. Was just stopping by to check on this issue on one of our sites.

    P.S. just upgraded to PRO. Keep up the good work!!

Topic Closed

This topic has been closed to new replies.
