• Resolved ksaveras

    (@ksaveras)


    Using 3.4.7 plugin version.
    When Filter Suspicious Query Strings is enabled, it blocks images that are generated by timthumb.
    URL example:

    /wp-content/themes/echelon/lib/scripts/timthumb/thumb.php?src=https://mydomainisnotimportant.tld/wp-content/uploads/2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100

    I get 403 – Forbidden

    Please add a rule to pass links that are used in themes and check whether the timthumb link contains the same domain as defined in WP: pass when the image link matches my site link and forbid when it does not:

    This should be OK:

    /wp-content/themes/echelon/lib/scripts/timthumb/thumb.php?src=https://mydomain.tld/wp-content/uploads/2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100

    BLOCK this:

    /wp-content/themes/echelon/lib/scripts/timthumb/thumb.php?src=https://hackersdomainoranother.tld/wp-content/uploads/2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100

    https://www.ads-software.com/extend/plugins/better-wp-security/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter ksaveras

    (@ksaveras)

    something like this:

    # Let thumbnail requests through (skip the later blocking rules) only when the referer host is mysite.tld or a subdomain of it
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?mysite\.tld/ [NC]
    RewriteRule ^ - [L]

    You should turn off “filter suspicious query string” if you intend to use timthumb. I will not correct this in the plugin due to the number of sites I still fix that were compromised via timthumb. This is definitely one of those features that might need to be turned off on some sites.

    Isn’t there a way to disable this just for thumb.php? Like in .htaccess? For example, to allow requests from img.youtube.com or other custom sites?

    Of course there is. Remove this from .htaccess:

    RewriteCond %{QUERY_STRING} http\: [NC,OR]

    That’s awesome. Now… will this conflict with the plugin?

    No, it doesn’t conflict with the plugin, but the disadvantage is that you have to remind yourself to remove this line every time you update the plugin. I just found out myself that I forgot, so visitors’ time on site dropped.

    Thanks for sharing your tips, Okoth1 and Ksaveras. I’ve not deleted the whole rule filtering QUERY_STRINGs starting with http, but only those not pulled by the timthumb script specific to the theme I’m using. For reference, I’ve used this:

    <IfModule mod_rewrite.c>
    RewriteEngine On

    # Block any request whose query string carries an absolute URL (the plugin's
    # "suspicious query string" check). Unanchored on purpose: timthumb's query
    # string starts with "src=", so "^http\:" would never match a thumbnail request.
    RewriteCond %{QUERY_STRING} https?\: [NC]
    # ... unless BOTH hold: the script is this theme's timthumb.php AND src= is an
    # http image under this site's uploads directory. Conditions AND by default,
    # so "NOT timthumb OR NOT allowed src" is written as two conditions with [OR].
    # We use only the http protocol, thus anything starting with https stays blocked.
    RewriteCond %{SCRIPT_FILENAME} !wp-content/themes/MYTHEME/timthumb\.php$ [OR]
    RewriteCond %{QUERY_STRING} !(^|&)src=http://(www\.)?example\.com/wp-content/uploads/.+\.(jpe?g|png|tiff?)(&|$) [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>

    I’m trying to limit in this way the vulnerabilities introduced by timthumb, and to understand how to keep specific plugins/themes working without entirely disabling features offered by Better WP Security.
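The rules in this thread (the plugin's blanket `http\:` condition, ksaveras's referer allowlist, and the src-domain allowlist asked for in the original post and implemented in the last .htaccess) can be checked without an Apache instance by replaying their decisions in Python. The block below is an added example, not code from the thread or from Better WP Security. It assumes Python's `re` module is an adequate stand-in for Apache's PCRE patterns; that the quoted plugin line matches the literal `http:` and the last post's separate rule covers `https:`, so the two are combined as `https?\:`; that the thumbnail scripts are matched at the end of the path; and it uses the thread's placeholder hostnames plus constructed look-alike URLs (`mydomain.tld.evil.tld`, `mydomain-tld.evil.tld`) to show why the host must be anchored on both sides. The referer variant is included only to show the regex pitfall: the Referer header is client-supplied, so it stops casual hotlinking, not an attacker.

```python
"""Replay the thread's mod_rewrite decisions in Python (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Plugin's "Filter Suspicious Query Strings" condition: an absolute URL anywhere
# in the query string is enough for a 403. Unanchored: timthumb's query string
# starts with "src=", so an anchored "^http\:" would never fire on a thumbnail.
# ("https?" is an assumption combining the quoted http: line and the https: rule.)
SUSPICIOUS_QUERY = re.compile(r"https?\:", re.IGNORECASE)

# Thumbnail scripts named in the thread, anchored to the end of the path (assumption).
THUMB_SCRIPT = re.compile(r"(timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)$", re.IGNORECASE)

# Referer pattern exactly as proposed ("^.*mysite.tld.*"): the dot is an unescaped
# wildcard and the host is unanchored, so it also matches "http://evil.tld/?mydomain.tld".
NAIVE_REFERER = re.compile(r"^.*mydomain.tld.*")
# Anchored alternative: scheme, optional subdomain, the exact host, then "/".
STRICT_REFERER = re.compile(r"^https?://([^/]+\.)?mydomain\.tld/", re.IGNORECASE)

# src= allowlist requested in the original post: an image under this site's own
# uploads directory, host anchored on both sides.
ALLOWED_SRC = re.compile(
    r"^https?://(www\.)?mydomain\.tld/wp-content/uploads/.+\.(jpe?g|png|gif)$",
    re.IGNORECASE,
)

# Request URLs from the thread, plus one constructed look-alike host.
THUMB_PATH = "/wp-content/themes/echelon/lib/scripts/timthumb/thumb.php"
OWN_SITE_THUMB = (THUMB_PATH + "?src=https://mydomain.tld/wp-content/uploads/"
                  "2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100")
FOREIGN_THUMB = (THUMB_PATH + "?src=https://hackersdomainoranother.tld/wp-content/"
                 "uploads/2013/01/it-solutions.jpg&w=588&h=200&zc=1&q=100")
LOOKALIKE_THUMB = THUMB_PATH + "?src=http://mydomain.tld.evil.tld/wp-content/uploads/x.jpg"


def plugin_blocks(url: str) -> bool:
    """Unmodified plugin behaviour: True means the request gets a 403."""
    return bool(SUSPICIOUS_QUERY.search(urlsplit(url).query))


def src_allowlist_blocks(url: str) -> bool:
    """Plugin rule with a timthumb exception.

    Mirrors the .htaccess logic "http: in query AND (NOT thumb-script OR NOT
    allowed src) -> 403": an absolute URL in the query string is blocked unless
    the script is a thumbnailer AND every src= value is one of our own images.
    """
    parts = urlsplit(url)
    if not SUSPICIOUS_QUERY.search(parts.query):
        return False                 # nothing suspicious, the rule never fires
    if not THUMB_SCRIPT.search(parts.path):
        return True                  # every other script keeps the blanket block
    srcs = parse_qs(parts.query).get("src", [])
    return not srcs or not all(ALLOWED_SRC.match(s) for s in srcs)


def referer_passes(referer: str, strict: bool = True) -> bool:
    """Referer allowlist from the thread, naive or anchored. The header is
    client-supplied either way, so this is hotlink control, not access control."""
    pattern = STRICT_REFERER if strict else NAIVE_REFERER
    return bool(pattern.match(referer or ""))


if __name__ == "__main__":
    for name, url in [("own site", OWN_SITE_THUMB), ("foreign", FOREIGN_THUMB),
                      ("look-alike", LOOKALIKE_THUMB)]:
        print(f"{name:10s} plugin={'403' if plugin_blocks(url) else 'pass':4s} "
              f"allowlist={'403' if src_allowlist_blocks(url) else 'pass'}")
    for ref in ["http://www.mydomain.tld/page/", "http://evil.tld/?mydomain.tld",
                "http://mydomain-tld.evil.tld/"]:
        print(f"{ref:32s} naive={referer_passes(ref, strict=False)!s:5s} "
              f"strict={referer_passes(ref)}")
```

Running it shows the own-site URL is a 403 under the unmodified plugin rule and passes under the allowlist, while the foreign and look-alike hosts stay blocked; the naive referer pattern accepts both constructed bypass referers and the anchored one rejects them.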

  • The topic ‘Filter Suspicious Query Strings blocks timthumb images’ is closed to new replies.