Plugin Author
AITpro
(@aitpro)
Yep, Custom Code requires manual editing. Edit your custom code in the 11. CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE text box, click the Save Root Custom Code button and click the Root Folder BulletProof Mode Activate button.
May I know what the purpose of whitelisting our own domain is? Since it is our own domain, why does it need to be manually whitelisted?
Secondly, is the following the correct input to whitelist my own domain?
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*mydomain.com.*
RewriteRule . - [S=1]
Plugin Author
AITpro
(@aitpro)
That section of BPS htaccess code protects against the old Tim Thumb hack and more importantly RFI hacking attempts > https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion
The code works like this > If the referring domain is your own domain then skip [S=1] the BPS Query String section of code, which contains RFI security rules that will block RFI hacking attempts against your website. Since Requests using your own website domain are Local and not Remote Requests, the Skip Rule allows simulated RFI hacking attempts: http://your-website-domain.com/?file=http://your-website-domain.com/some-safe-file-on-your-website-domain.php. RFI stands for Remote File Inclusion.
Hi BPS,
Very sorry, I can understand this:
That section of BPS htaccess code protects against the old Tim Thumb hack and more importantly RFI hacking attempts > https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion
But not this:
The code works like this > If the referring domain is your own domain then skip [S=1] the BPS Query String section of code, which contains RFI security rules that will block RFI hacking attempts against your website. Since Requests using your own website domain are Local and not Remote Requests, the Skip Rule allows simulated RFI hacking attempts: http://your-website-domain.com/?file=http://your-website-domain.com/some-safe-file-on-your-website-domain.php. RFI stands for Remote File Inclusion.
Do you mean that with the following block of code, mydomain.com is 1) protected from external RFI hacking attempts and 2) whitelisted from internal RFI hacking attempts (RFI hacking attempts sent out from mydomain.com)?
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*mydomain.com.*
RewriteRule . - [S=1]
Please advise, thank you!
Plugin Author
AITpro
(@aitpro)
The keyword to focus on is “remote” in the Remote File Inclusion hacking method. If the referring website is local (your website) then the Request cannot be a Remote File Inclusion attack against your website.
Understood 🙂
Thank you for the great invention and kind response!