BulletProof Security support thread: Juicebox and BPS – 403 error

  • Resolved Skippy

    (@skippyotf)


    BPS and Juicebox don’t seem to be playing nice. I have posted on this at the Juicebox support site and now I’m over here. That thread is at this link:

    http://juicebox.net/forum/viewtopic.php?pid=1597#p1597

    Here’s what’s up:

    On the edit post page, when I click on the icon to insert a Juicebox gallery a box opens and instead of the Juicebox controls I get:

    When leaving http://204eastsouth.com/skippy/wp-admin/post.php?post=3739&action=edit
    and trying to find /skippy/wp-content/plugins/wp-juicebox/jb-config.php?
    from the IP address: 184.96.163.52
    running Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 AlexaToolbar/alxf-2.17
    you stumbled upon a 403 error.

    Here is my current htaccess:

    [240 line .htaccess file moderated. Please use the pastebin]

    How does one make JB & BPS play nice? Thanks.

    http://wordpress.org/extend/plugins/bulletproof-security/

Viewing 15 replies - 1 through 15 (of 28 total)
  • Plugin Author AITpro

    (@aitpro)


    ok it looks like juicebox is a remote posting type of software and the error message indicates that you need to allow the post.php file to do remote posting so try this skip/bypass rule.

    1. Go to the BPS Edit/Upload/Download page.
    2. Click on the “Your Current wp-admin htaccess File” tab.
    3. Scroll down in that .htaccess file until you see this code…

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php) [NC]
    RewriteRule . - [S=1]
    
    ...and add the post.php file name to the skip/bypass rule after press-this\.php file name as shown below.
    
    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php|post\.php) [NC]
    RewriteRule . - [S=1]

    Plugin Author AITpro

    (@aitpro)


    If the above skip/bypass does not solve the issue then you may also need to add this skip/bypass rule in your root .htaccess file, which would go directly above skip/bypass rule #12.

    # Juicebox skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-juicebox/ [NC]
    RewriteRule . - [S=13]

    Or maybe just allowing the jb-config.php file to be called remotely would take care of the issue as shown below in the Miscellaneous remote file security filter. You would need to allow the juicebox site or any additional sites remote access to this file as shown below.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (jb-config\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteRule . - [S=1]

    None of that worked.

    I don’t have

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php) [NC]
    RewriteRule . - [S=1]

    So I added that code where I thought it should go.

    Here is my .htaccess file as of now. Possibly I have things in the wrong place. My htaccess knowledge is limited.:

    <script src=”http://pastebin.com/embed_js.php?i=6FdjukbZ”></script>

    And I don’t know how to use pastebin so I’ll try again.

    http://pastebin.com/6FdjukbZ

    And just to check. After changing the .htaccess file, I am reloading the edit post page for testing. Is that sufficient? Do I need to log out then back in or anything like that?

    Thanks -Skippy

    Plugin Author AITpro

    (@aitpro)


    Are you looking at the right .htaccess file?

    The wp-admin .htaccess is the one you want to look at for the first fix i posted above and not your root .htaccess file.

    1. Go to the BPS Edit/Upload/Download page.
    2. Click on the “Your Current wp-admin htaccess File” tab.
    3. Scroll down in that .htaccess file until you see this code…

    And no you do not need to do anything besides just adding the .htaccess code. The change will be instantaneous.

    I just looked at your pastebin code and you have added the code to your root .htaccess file so delete that code and then you want to edit your wp-admin .htaccess file and try the first fix i posted.

    Also you literally copy and pasted the example i gave you. What you want to do is actually put your real information here and then you want to remove the # signs because those mean that the line of code is commented out, not in effect, not active.

    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*

    Example:
    Your actual website domain is this….

    RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.*

    …and then any other website domains that you want to allow to access your website files remotely you would add their domain name. When you have more than one site besides your own that you want to allow remote access to files you need to use the [OR] flag. This says allow websiteA OR websiteB OR websiteC. And the last website would not have an [OR] flag because there are no more “or” conditions since it is the last one/condition.

    RewriteCond %{HTTP_REFERER} ^.*websiteA.com.* [OR]
    RewriteCond %{HTTP_REFERER} ^.*websiteB.com.* [OR]
    RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.*

    And just an FYI for anyone who is wondering or curious about not using an [OR] flag. When you do not use [OR] then an “and” condition is implied/assumed.

    Example:
    conditionA “and”
    conditionB “and”
    conditionC “and”
    …then do something here if all the conditions match…

    Yes, apparently my ability to follow directions was impaired yesterday.

    Ok, I did add the first bit of code to the wp-admin .htaccess file.

    The second code to the root .htaccess.

    Those did not fix it.

    I then added the third bit of code like thus:

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (jb-config\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteRule . - [S=1]

    To both .htaccess files (one at a time, not both files at once, as I wasn’t clear which you wanted me to put that in) and that just broke the BPS plugin.

    Thanks for your assistance and your patience with my screw-ups. It’s been a long week already. 🙂

    Plugin Author AITpro

    (@aitpro)


    Yep have those days too. 😉

    Ok I see a mistake in the code you posted above. Add a # sign in front of the code as shown below to comment out that line of code.

    ...
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.* [OR]
    ...

    The only code that would be modified in the wp-admin .htaccess file would be this code shown below. Even though the root and the wp-admin .htaccess files look similar they are completely different in what code you can and cannot add to them. The root .htaccess file allows you to add pretty much any .htaccess code to it that you want. The wp-admin .htaccess file is very restrictive on what code you can add to it because the /wp-admin folder is protected with authentication (your login), and also you would not want to add any rewriting code in your /wp-admin .htaccess file. 😉

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php|post\.php) [NC]
    RewriteRule . - [S=1]

    Does Juicebox have a WordPress plugin that i can download and test?

    Oh this also needs to be corrected. You have the example code commented out. You would need to actually enter real information here – the domain name that you want to allow and then uncomment that line of code by removing the # sign

    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*

    Example:

    RewriteCond %{HTTP_REFERER} ^.*Add-the-domain-name-for-juicebox-here.com.*

    Plugin Author AITpro

    (@aitpro)


    Also another alternative is to choose to not have this additional website security protection that protects your website against remote file hacking, Remote posting, RFI attacks, etc.

    You would simply just use AutoMagic to create new .htaccess files and activate all BulletProof Modes and then just comment out the 1 line of code in your root .htaccess file shown below by adding a # sign in front of it. Obviously i do not recommend this, but that choice is entirely up to you. 😉

    # RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.*

    Plugin Author AITpro

    (@aitpro)


    @skippy – i am having Steven look at this thread from the Juicebox Forum so this info below is for Steven to look at. Thanks.

    @steven – Actually I am thinking that a better approach would be to add a Whitelist skip/bypass rule. Something like this below. What I would need to know is a constant that will not change such as an IP address to Whitelist or a URI or domain, etc. Once I have that constant or set of conditions then I can create a working Whitelist skip/bypass rule.

    # Whitelist Juicebox skip/bypass
    RewriteCond %{REMOTE_ADDR} ^xxx.xx.xx.xx
    RewriteRule . - [S=13]
    
    ...or maybe...
    
    # Whitelist Juicebox skip/bypass
    RewriteCond %{HTTP_REFERER} ^.*juicebox.com.*
    RewriteRule . - [S=13]
    
    ...or maybe using a URI condition...

    Plugin Author AITpro

    (@aitpro)


    Wow went way too deep on this one. LOL

    Steven at Juicebox has created this skip/bypass rule and tested it and confirmed that a typical plugin skip/bypass rule works fine.

    # Juicebox skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-juicebox/ [NC]
    RewriteRule . - [S=13]

    Plugin Author AITpro

    (@aitpro)


    @skippy – please add the working Juicebox skip/bypass rule and resolve this thread. Thanks.

    I hate to break this to ya, but it doesn’t work. I’ve tested it on 2 different sites running BPS.

    The other site tells me

    You don't have permission to access /wp-content/plugins/wp-juicebox/jb-config.php on this server.
    
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    and the main site says

    When leaving http://204eastsouth.com/skippy/wp-admin/post.php?post=3739&action=edit
    and trying to find /skippy/wp-content/plugins/wp-juicebox/jb-config.php?
    from the IP address: 174.16.48.85
    running Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 AlexaToolbar/alxf-2.17
    you stumbled upon a 403 error.

    On both sites if I create a default .htaccess file then activate “default mode WP Default htaccess file” then Juicebox works fine.

    If I create a secure htaccess file then activate BulletProof Mode then add the code above to the current root htaccess file it doesn’t work.

    Regarding your earlier post, yes Juicebox does have a WordPress plugin. If you haven’t found it already it’s here:

    http://www.juicebox.net/support/wp-juicebox/

    Hold the press. The code Steven posted on the Juicebox support forum works.

    # Juicebox skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/skippy/wp-content/plugins/wp-juicebox/ [NC]
    RewriteRule . - [S=13]

    Does the trick.

    The only difference I see is the “^/skippy/” but that seems to be critical.

    However, the same trick does not seem to work on the other website. Go figure . . . ? The only difference is that on my main site WordPress is in a sub-directory. On the other site WordPress is installed in the top level directory.
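As an added illustration (this is not code from the thread, from BulletProof Security or from Juicebox), the Python below is a small model of how mod_rewrite evaluates the rule chains discussed in this thread: the [OR] / implied-AND grouping of RewriteConds that AITpro describes, the [F] forbid flag, and the [S=n] skip flag. It runs two constructed requests modelled on the 403 report above. The first scenario shows what happens when the uncommented `RewriteCond %{HTTP_REFERER} ^.*204eastsouth.com.* [OR]` line is left in front of the RFI forbid rule (the mistake AITpro pointed out): the [OR] makes it the first member of that rule's condition chain, so any request whose referer is your own site is forbidden. The second scenario compares the skip rule anchored at `^/wp-content/...` with `^/skippy/wp-content/...` for a WordPress install in a sub-directory, where REQUEST_URI carries the sub-directory prefix, which is why the `^/skippy/` form worked. The rule ordering, the S=1 value and the shortened RFI regex are constructed simplifications; the behaviour on the second, top-level site is not explained on this page and this model does not claim to explain it.

```python
import re

# Constructed, simplified model of Apache mod_rewrite evaluation (added for
# illustration; not Apache's engine and not code from BPS or Juicebox).
# For each RewriteRule: its pattern is tested against the request path, then
# its RewriteConds are evaluated. An [OR] flag joins a condition with the next
# one; a condition without [OR] ends an AND group. [F] answers 403 and [S=n]
# skips the next n RewriteRules.

# Shortened stand-in for the BPS RFI regex (the real one also lists hosts).
RFI_PATTERN = r"(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)"


def cond_matches(var, pattern, flags, request):
    rx_flags = re.IGNORECASE if "NC" in flags else 0
    return re.search(pattern, request.get(var, ""), rx_flags) is not None


def conds_match(conds, request):
    """conds: list of (variable, regex, flags). True when every AND group
    is satisfied; an OR group is satisfied by any one of its members."""
    group_ok = False
    for var, pattern, flags in conds:
        group_ok = group_ok or cond_matches(var, pattern, flags, request)
        if "OR" in flags:
            continue              # still inside an OR group
        if not group_ok:
            return False          # this AND group failed
        group_ok = False          # the next condition starts a new group
    return True


def evaluate(rules, request):
    """Walk the chain; return (names of rules that fired, 'allow' or '403')."""
    fired, i = [], 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if not re.search(rule["pattern"], request["REQUEST_URI"]):
            continue
        if not conds_match(rule["conds"], request):
            continue
        fired.append(rule["name"])
        if "F" in rule["flags"]:
            return fired, "403"
        i += rule.get("skip", 0)  # [S=n]: jump over the next n rules
    return fired, "allow"


def rfi_forbid_rule(misplaced_referer_line):
    """The TIMTHUMB/RFI forbid rule. With misplaced_referer_line=True the
    uncommented 'HTTP_REFERER ^.*204eastsouth.com.* [OR]' line sits in front
    of it, so it becomes the first member of the forbid rule's OR chain."""
    conds = [("QUERY_STRING", RFI_PATTERN, "NC,OR"),
             ("THE_REQUEST", RFI_PATTERN, "NC")]
    if misplaced_referer_line:
        conds.insert(0, ("HTTP_REFERER", r"^.*204eastsouth\.com.*", "OR"))
    return {"name": "forbid-rfi", "pattern": ".*", "conds": conds, "flags": "F,L"}


def juicebox_skip_rule(prefix):
    """Plugin skip/bypass rule anchored at '^<prefix>wp-content/...'. S=1
    skips only the one forbid rule that follows in this constructed chain
    (the thread uses S=13 because BPS has more rules in between)."""
    return {"name": "juicebox-skip", "pattern": ".", "flags": "", "skip": 1,
            "conds": [("REQUEST_URI", "^" + prefix + "wp-content/plugins/wp-juicebox/", "NC")]}


def misc_file_forbid_rule():
    """Direct requests for the listed files get a 403 unless skipped over."""
    return {"name": "misc-file-forbid", "pattern": ".*", "flags": "F,L",
            "conds": [("REQUEST_URI", r"(jb-config\.php|phpthumb\.php|thumb\.php|thumbs\.php)", "NC")]}


def editor_request(uri):
    """Constructed request modelled on the 403 report in this thread: the
    editor button fetches jb-config.php with post.php as the referer."""
    return {"REQUEST_URI": uri, "QUERY_STRING": "",
            "HTTP_REFERER": "http://204eastsouth.com/skippy/wp-admin/post.php?post=3739&action=edit",
            "THE_REQUEST": "GET " + uri + " HTTP/1.1"}


def rfi_rule_verdict(misplaced_referer_line):
    """Scenario 1: does the RFI forbid rule block the editor's own request?"""
    chain = [rfi_forbid_rule(misplaced_referer_line)]
    return evaluate(chain, editor_request("/skippy/wp-content/plugins/wp-juicebox/jb-config.php"))[1]


def skip_rule_verdict(prefix, uri):
    """Scenario 2: skip rule with the given anchor, followed by the forbid rule."""
    chain = [juicebox_skip_rule(prefix), misc_file_forbid_rule()]
    return evaluate(chain, editor_request(uri))[1]


if __name__ == "__main__":
    print("RFI rule, misplaced own-site [OR] line:", rfi_rule_verdict(True))
    print("RFI rule as shipped:", rfi_rule_verdict(False))
    sub_dir_uri = "/skippy/wp-content/plugins/wp-juicebox/jb-config.php"
    for prefix in ("/", "/skippy/"):
        print("skip rule anchored at ^%swp-content/... ->" % prefix, skip_rule_verdict(prefix, sub_dir_uri))
```

Two practical points fall out of the model. A RewriteCond with [OR] is never a standalone allow-list entry: it silently joins whatever rule's condition chain follows it, so a misplaced referer line can widen a deny rule to your own site. And a REQUEST_URI skip pattern anchored with `^` must include the sub-directory WordPress is installed in, so check the actual path in the 403 message (here `/skippy/wp-content/...`) before copying a rule written for a top-level install.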

  • The topic ‘Juicebox and BPS – 403 error’ is closed to new replies.