Support » Plugin: Marmoset Viewer » 403 Forbidden Error Page using the plugin BPS

  • So I just installed it and wanted to try it out, only to directly face a 403 Forbidden error page. This has to do with BulletProof Security, I think, which logs this:

    [403 GET Request: 01/08/2016 - 20:54]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: IP
    Host Name: d51528A9D.access.telenet.be
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.rafaeldejongh.com/WP/jango-fetts-westar-34/
    REQUEST_URI: /WP/wp-content/plugins/marmoset-viewer/mviewer.php?width=100%&height=&autostart=0&transparantbg=&id=http:/www.rafaeldejongh.com/WP/wp-content/uploads/2016/07/westar-34.mview
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

    So my question is, is there any way around this so I can keep using this plugin alongside BPS?

    Thanks in advance.

    Best regards,
    Rafaël De Jongh

    https://wordpress.org/plugins/marmoset-viewer/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    Dear,

    I just heard back from the authors of BPS and they provided the following solution, which works like a charm:

    http://forum.ait-pro.com/forums/topic/marmoset-viewer-403-error/

    It might be handy to include this in some kind of FAQ/Info in case other users of your plugin are running into the same problem with BPS! What would of course be even better, if possible, would be to alter the URL so it wouldn’t get flagged by other security plugins either!

    If I might also suggest something directly, it would be a general class on the iframe that gets inserted in the post, so you can directly attach some CSS to it, something like class="marmo"?

    Either way thanks.

    Best regards,
    Rafaël De Jongh

    Plugin Author revoxis

    (@revoxis)

    Hey Rafael, thank you for figuring this out and posting the solution. I’ve added it to the readme.

    If I’m correct, you want to add a class to the iframe, so you can control the iframe? Or do you want to control what is inside the iframe?

    Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    You are correct, I’m referring to the iframe indeed. I personally added it myself now so I can change the height with vw, as that’s something that isn’t accepted as an iframe height by default.

    The user could pretty much put a div around the shortcode but that’s just a wasted div, so having the option to perhaps add a generic class to the iframe OR, even better, that the users can set them themselves in the shortcode like:

    [marmoset URL="URLTOMVIEW.mview" ID="USERSETID" CLASS="USERSETCLASS" autoStart="1"]

    So changing the ID tag which is currently the url to the mview to URL, the ID tag would then be used for a custom set ID by the user and the CLASS as well as the ID, something the user can set inside the tag to have an additional class/id to control the shortcode.

    Having an all around general class for the Iframe would already be pretty good.

    Thanks in advance!

    Best regards,
    Rafaël De Jongh

    Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    I’ve also noticed another problem where WordPress tries to find a thumbnail for the mviewer but obviously can’t resulting in a 500 error:

    http://www.rafaeldejongh.com/wp-content/uploads/2016/07/westar-34.mview?thumb=1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)

    Is this something you can look into or is it my webhost causing a problem? Or has this to do with BPS again?

    Thanks in advance for further information.

    Plugin Author revoxis

    (@revoxis)

    Hey Rafael, I’ll look into it regarding the CLASS and ID.

    Did you solve the last issue, as this topic is marked as resolved?

    Best Regards!

    Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    @revoxis

    No that last error I just posted yesterday, I think I marked the thread as “resolved” before I posted that.

    Plugin Author revoxis

    (@revoxis)

    I’m not sure why you get a 500 error… 500 errors are usually caused by the server and related to the server. For example, my URL is:

    http://www.revolutionart.nl/wp-content/uploads/2015/08/m590_shotgun.mview?thumb=1

    and the page itself http://www.revolutionart.nl/project/mossberg-590/

    Not a single error regarding the thumb. Either it’s BPS or something is up with your server. Since BPS is a security plugin it could be that BPS is trying to block it for some reason, even though it still works (well the URL, the thumb itself isn’t showing up). You may want to check BPS or ask about it on their forums. I can’t do much about that either though, since that’s how Marmoset renders the thumbs into their viewer.

    Let me know!

    Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    Hmm indeed, I’ll ask around and see what I can come up with.

    I did notice on your portfolio that you did have a blurred preview image of the Marmoset viewer when it’s not active, however this doesn’t seem to be the case for me: http://www.rafaeldejongh.com/pokeballs/ (at the bottom of the page).

    So I assume this has to do something with the thumb image getting a 500 error?

    Plugin Author revoxis

    (@revoxis)

    Yes, that’s because the thumb URL is blocked, so it can’t show the blurred thumbnail in your viewer.

    Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    Thought so, alright, I’ll look into it. If it’s indeed another bypass BPS has to create I’ll let you know, if something else then I’ll post it here as well!

    Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    Okay, so further information: it was indeed caused by another part of the code, for which the author also gave me a bypass to try out, which seems to solve that error code as well.

    1. Copy the modified REQUEST METHODS FILTERED htaccess code below to this BPS Root Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED.
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    # RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    # RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    That said, however, the thumbnails are acting quite strangely, as from time to time they seem to work for like a minute or two and then after that period they stop working altogether. No error codes or the like, but that sure is strange. I’m not sure if this is related to BPS either and am more thinking about my CDN, Cloudflare, but I’m not too sure about that one either.

    Did you have any problems with that? Mainly I think it has something to do with the way it’s loaded and uses query strings.
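
What the modified section changes per request method, as an added example (not BPS code and not part of the original posts): a small evaluator for the RewriteCond/RewriteRule pairs quoted above. The stock section is an assumption here, taken to be the same lines with the HEAD rule uncommented; `parse_rules` and `decide` are hypothetical helper names.

```python
import re

# The modified section from the post above (HEAD rule left commented out).
MODIFIED = """\
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
# RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
# RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
"""

# Assumption: the stock section is the same text with the HEAD rule active.
STOCK = MODIFIED.replace("# Rewrite", "Rewrite")


def parse_rules(text):
    """Return (method_regex, target, flags) for each RewriteCond/RewriteRule pair."""
    rules, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive
        parts = line.split()
        if parts[0] == "RewriteCond" and parts[1] == "%{REQUEST_METHOD}":
            nocase = len(parts) > 3 and "NC" in parts[3].strip("[]").split(",")
            pending = re.compile(parts[2], re.I if nocase else 0)
        elif parts[0] == "RewriteRule" and pending is not None:
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            rules.append((pending, parts[2], flags))
            pending = None
    return rules


def decide(text, method):
    """First matching pair wins. The rule pattern ^(.*)$ matches every path,
    so only the method condition is evaluated here."""
    for cond, target, flags in parse_rules(text):
        if cond.search(method):  # conditions are unanchored regex searches
            return "forbidden" if "F" in flags else target
    return "pass"


if __name__ == "__main__":
    for name, section in (("stock", STOCK), ("modified", MODIFIED)):
        for method in ("GET", "HEAD", "TRACE", "trace", "DELETE"):
            print(f"{name:9} {method:7} -> {decide(section, method)}")
```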

    Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    In addition, regarding the query string, as that’s pretty much the cause of all these problems: I’d rather suggest putting the autostart/height/width/transparency and the actual URL in data attributes rather than the query string, to not only avoid caching problems with CDNs and cache plugins but also of course avoid these kinds of problems with security plugins like BPS.

    That would be really nice to actually have. In case you feel like it, I could always take a crack at the code if you allow me to modify/contribute to it via GitHub or the like?

    Let me know what you think!

    Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    I did various tests with Cloudflare regarding the thumb showing/not showing and indeed, as I expected, it has something to do with this.

    I think it has something to do with the query string but I’m not 100% sure so I’ll be contacting their support center for further information.

    That said BPS wise everything seems in order now!

    Plugin Author revoxis

    (@revoxis)

    Hey Rafael, thanks for sorting this stuff out.

    The problem with data attributes is that I would have to change the src="" of the iframe to a data-url, which isn’t allowed and could possibly have a high security risk.

    Also, I have no idea why BPS is so aggressive, for example I use iThemes Security and it has no problems with the plugin.

    If you can, you should try to disable BPS and see if the thumbs are working correctly or not. I’ve checked your site and indeed the 500 error has been resolved, however no thumbnail was visible, so it seems it’s still blocked.

    Thread Starter RafaelDeJongh

    (@rafaeldejongh)

    Yea, BPS is one of the stricter and also more secure security plugins out there for WordPress. I’ve had various problems in the past with hackers on other sites, even with other security plugins, so I tend to not try out any different security plugins anymore to be honest.

    That said with further testing I’ve noticed the thumbnail not showing is caused by Cloudflare actually. Whenever their service was paused everything worked fine but if it was turned on the thumbs stopped working.

    I indeed assume this has to do with the media queries not being parsed properly with Cloudflare, but why or how this is happening I’m unsure about.

    Regarding the data attribute, as far as I know you don’t need to change the main src, this could be pointed to just be the main PHP file. The additional data attributes, like data-width="100%" for example, could be alongside the src attribute and be used to define certain elements. It’s just a thought though, I’m sure this plugin would work for most people if they’re not using BPS/Cloudflare :p

  • The topic ‘403 Forbidden Error Page using the plugin BPS’ is closed to new replies.