[Plugin: User Avatar] Heads Up – BulletProof Security Blocks custom avatars

  • Resolved AITpro

    (@aitpro)


    This is just a heads up to let you know that BPS blocks custom avatar images. I did testing and standard avatar images display fine. The URL simulates an RFI hacking attempt so BPS blocks the URL.

    This skip/bypass .htaccess rule resolves the issue:

    Edit your root .htaccess file with the BPS built-in editor, find the timthumb htaccess code and add the user-avatar-pic.php file to the image thumbnailer (timthumb) skip/bypass rule.

    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    # Skip/bypass: requests for these script names skip the next RewriteRule (S=1)
    RewriteCond %{REQUEST_URI} (user-avatar-pic\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteRule . - [S=1]

    http://wordpress.org/extend/plugins/user-avatar/
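
An added example, not part of the original post and not BPS code: a small Python harness that applies the three regular expressions from the rules above, in the same order, to constructed request lines, to confirm that the forbid-by-host-name rule is still evaluated before the skip/bypass rule. The plugin path and the `src` parameter name are assumptions, and Python's `re` stands in for Apache's regex engine.

```python
import re

# Host-name alternation copied from the two RewriteCond lines in the post.
HOSTS = (r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|"
         r"imageshack|wordpress\.com|img\.youtube|tinypic\.com|"
         r"upload\.wikimedia|kkc|start-thegame)")
# [NC] in mod_rewrite corresponds to re.IGNORECASE here.
RFI_BY_HOST = re.compile(
    r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?" + HOSTS + r".*$",
    re.IGNORECASE)
SKIP_URI = re.compile(
    r"(user-avatar-pic\.php|phpthumb\.php|thumb\.php|thumbs\.php)",
    re.IGNORECASE)


def evaluate(request_line):
    """Return 'forbidden', 'skip-next' or 'continue' for one request line."""
    _method, target, _protocol = request_line.split(" ", 2)
    request_uri, _, query_string = target.partition("?")
    # Rule 1: QUERY_STRING [OR] THE_REQUEST names a listed host -> [F]
    if RFI_BY_HOST.search(query_string) or RFI_BY_HOST.search(request_line):
        return "forbidden"
    # Rule 2: listed script names skip the one rule that follows (S=1)
    if SKIP_URI.search(request_uri):
        return "skip-next"
    return "continue"


# Constructed request lines; the plugin path and "src" parameter are assumed.
AVATAR = "/wp-content/plugins/user-avatar/user-avatar-pic.php"
SAMPLES = [
    f"GET {AVATAR}?src=http://example.com/uploads/avatars/1/pic.jpg&w=96 HTTP/1.1",
    f"GET {AVATAR}?src=http://www.blogspot.example/pic.jpg HTTP/1.1",
    f"GET {AVATAR}?src=http%3A%2F%2Fimgur.example%2Fpic.jpg HTTP/1.1",
    "GET /index.php?p=1 HTTP/1.1",
]


def run_samples():
    """Map each constructed request line to its verdict."""
    return {line: evaluate(line) for line in SAMPLES}


if __name__ == "__main__":
    for line, verdict in run_samples().items():
        print(f"{verdict:10} {line}")
```

Only the own-site avatar request reaches the bypass; the two requests naming a listed host are forbidden even though they target `user-avatar-pic.php`.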
