
Wordpress Problem with timthumb security

Discussion in 'Blogs & CMS usage' started by ethanpil, Jan 27, 2016.

  1. ethanpil

    ethanpil Active Member

    I migrated an older site over to centminmod recently and discovered that one of the galleries was not working properly. I have already double-checked the chown on the folders, confirming nginx:nginx.

    When I checked the gallery images, I saw that the images are not loaded from this URL; nginx returns 403 Forbidden:

    Code:
    http://site.com/wp-content/plugins/media-grid/classes/timthumb.php?src=/home/nginx/domains/site.com/public/wp-content/uploads/imagefile.jpg&w=275&h=275&a=c&q=85&zc=1&cc=FFFFFF
    The log file says: "access forbidden by rule"
    How can I find which rule? Does anyone have an idea?


    Code:
    2016/01/26 19:09:52 [error] 2818#2818: *1016 access forbidden by rule, client: 1.1.1.1, server: site.com, request: "GET /wp-content/plugins/media-grid/classes/timthumb.php?src=/home/nginx/domains/site.com/public/wp-content/uploads/IMGP7920.jpg&w=275&h=275&a=c&q=85&zc=1&cc=FFFFFF HTTP/1.1", host: "site.com", referrer: "http://site.com/about-bio/"
    2016/01/26 19:09:52 [error] 2818#2818: *1017 access forbidden by rule, client: 1.1.1.1, server: sharonehakman.com, request: "GET /wp-content/plugins/media-grid/classes/timthumb.php?src=/home/nginx/domains/site.com/public/wp-content/uploads/IMG_8579.jpg&w=275&h=275&a=c&q=85&zc=1&cc=FFFFFF HTTP/1.1", host: "site.com", referrer: "http://site.com/about-bio/"
    
     
  2. eva2000

    eva2000 Administrator Staff Member

    Is timthumb still used? Thought that was a security risk? You ran into the centmin.sh menu option 22 WordPress installer's auto setup of the wpsecure include file, /usr/local/nginx/conf/wpsecure_${vhostname}.conf, where ${vhostname} is your domain.com name.

    See Wordpress - Social login plugin trouble | Centmin Mod Community for an example of the problem AND the solution, which blocks PHP files from being executed in the wp-content directory.

    Also check file permissions: https://community.centminmod.com/posts/22077/

    Solution: you can add an exclusion for the specific directory/file you want to permit: https://community.centminmod.com/posts/22278/ & https://community.centminmod.com/posts/22356/

    i.e. in the wpsecure_${vhostname}.conf include file, add an exclusion location context match above the existing # Block PHP files location context:
    Code:
    location ~ ^/wp-content/plugins/media-grid/classes/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Block PHP files in uploads, content, and includes directory.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }
    
     
  3. ethanpil

    ethanpil Active Member

    Thanks for the advice; that did the trick, although the instructions in the referenced thread need to be updated.

    I had to put the exception near the top of the file for it to work, not above the section as per the other post. My wpsecure_domain.com.conf now looks like the below. I will cross-post to the other thread as well, since it was confusing.

    Code:
    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    location ~* /(?:uploads|files)/.*\.php$ {
      deny all;
    }
    
    # Exception for mediagrid timthumb
    location ~ ^/wp-content/plugins/media-grid/classes/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Block PHP files in content directory.
    location ~* /wp-content/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in includes directory.
    location ~* /wp-includes/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in uploads, content, and includes directory.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }
    
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
      return 444;
    }
    
    # nocgi
    location ~* \.(pl|cgi|py|sh|lua)$ {
      return 444;
    }
    
    # disallow
    location ~* (w00tw00t) {
      return 444;
    }
    
    location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
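Added example, not from this thread or from Centmin Mod: a small Python check that models the nginx rule behind both posts above (regex `location ~` / `location ~*` blocks are tried in file order and the first match wins) and applies it to the two placements of the media-grid exception, plus PHP paths elsewhere under wp-content to confirm the exception stays as narrow as the plugin directory. The config snippets are constructed from the thread's blocks with bodies shortened to `include php.conf;` / `deny all;`; prefix and `^~` locations are not modelled.

```python
import re

# Constructed snippets in the style of wpsecure_domain.com.conf (sample data,
# not the project's own file). Bodies are shortened to "include php.conf;"
# (hand the request to PHP-FPM) or "deny all;" (403). Only regex locations
# are modelled: nginx tests `location ~` / `location ~*` blocks in file order
# and the first regex that matches the URI wins; prefix and ^~ locations are
# not modelled here.
EXCEPTION = "location ~ ^/wp-content/plugins/media-grid/classes/ { include php.conf; }"
DENY_UPLOADS = r"location ~* /(?:uploads|files)/.*\.php$ { deny all; }"
DENY_CONTENT = r"location ~* /wp-content/.*\.php$ { deny all; }"
DENY_COMBINED = r"location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ { deny all; }"

# Exception placed just above the combined block but below the single
# /wp-content/ block: the /wp-content/ deny still fires first (the 403 seen).
CONF_EXCEPTION_LOW = "\n".join([DENY_UPLOADS, DENY_CONTENT, EXCEPTION, DENY_COMBINED])
# Exception moved near the top, before any deny that matches the timthumb path.
CONF_EXCEPTION_HIGH = "\n".join([DENY_UPLOADS, EXCEPTION, DENY_CONTENT, DENY_COMBINED])

# URI path from the thread's 403 log line (query string is not used for matching).
TIMTHUMB = "/wp-content/plugins/media-grid/classes/timthumb.php"

LOCATION_RE = re.compile(r"location\s+(~\*?)\s+(\S+)\s*\{([^}]*)\}")

def parse_regex_locations(conf):
    """Return (pattern, compiled regex, body) for each regex location, in file order."""
    blocks = []
    for modifier, pattern, body in LOCATION_RE.findall(conf):
        flags = re.IGNORECASE if modifier == "~*" else 0  # ~* is case-insensitive
        blocks.append((pattern, re.compile(pattern, flags), body.strip()))
    return blocks

def dispatch(conf, uri):
    """Simulate nginx's first-regex-match-wins rule for a URI path.
    Returns ("deny" | "php", winning pattern) or ("no-match", None)."""
    for pattern, regex, body in parse_regex_locations(conf):
        if regex.search(uri):
            return ("deny" if "deny all" in body else "php", pattern)
    return ("no-match", None)

if __name__ == "__main__":
    for name, conf in (("exception low", CONF_EXCEPTION_LOW), ("exception high", CONF_EXCEPTION_HIGH)):
        print(name, "->", dispatch(conf, TIMTHUMB))
    # The exception must stay narrow: PHP elsewhere under wp-content is still denied.
    print("other plugin ->", dispatch(CONF_EXCEPTION_HIGH, "/wp-content/plugins/other/x.php"))
    print("uploads ->", dispatch(CONF_EXCEPTION_HIGH, "/wp-content/uploads/x.php"))
```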
    
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    Indeed, subtle differences in wpsecure from 123.09beta01 :)