Question was posted on the wp forum site: https://wordpress.org/support/topic/marmoset-viewer-403-error?replies=2#post-8706024. Copied and answered here:
So I just installed a plugin called “Marmoset Viewer” and wanted to try it out to directly face a 403 Forbidden Error Page when adding the shortcode that the plugin gives you. The Security logs this:
[403 GET Request: 01/08/2016 - 20:54]
Event Code: PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: IP
Host Name: d51528A9D.access.telenet.be
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.rafaeldejongh.com/WP/jango-fetts-westar-34/
REQUEST_URI: /WP/wp-content/plugins/marmoset-viewer/mviewer.php?width=100%&height=&autostart=0&transparantbg=&id=http:/www.rafaeldejongh.com/WP/wp-content/uploads/2016/07/westar-34.mview
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
I’ve already added the following code under “Custom code Plugin/Theme skip/Bypass Rules:”
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/marmoset-viewer/ [NC]
RewriteRule . - [S=13]
But that didn’t work either. I’m not sure if I’m doing something wrong, but my question is: is there any way around this so I can keep using this plugin alongside BPS?
Thanks in advance.
Best regards,
Rafaël De Jongh
________________________________
Answer|Solution:
The Request URI is simulating an RFI hacking attempt against your website.
Requires a Timthumb Misc File whitelist rule: Requires whitelisting the mviewer.php file in the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE security code.
1. Copy the code below to this Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE: Add additional Referers and/or misc file names.
IMPORTANT! Change the HTTP_REFERER example.com domain name in the code below to your actual domain/website name after you copy this code to BPS Custom Code.
2. Save your new custom code by clicking the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (mviewer\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*example.com.*
RewriteRule . - [S=1]
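An added example (my own Python model of mod_rewrite evaluation, not BPS code or the plugin's) that walks the skip rules against the request from the Security Log above: it shows why the rule posted in the question never fires (REQUEST_URI starts with /WP/, so the ^/wp-content/ anchor does not match), why the example.com placeholder in the answer's rule must be replaced (both RewriteConds have to hold before the [S=1] skip happens), and that [S=1] jumps over exactly one following rule. The rule being skipped is a constructed stand-in, because the page does not show the BPS rule that actually returned the 403.

```python
import re

# Constructed from the Security Log in the question. In mod_rewrite, %{REQUEST_URI}
# is the path alone; the query string lives in %{QUERY_STRING}.
LOGGED_REQUEST = {
    "REQUEST_URI": "/WP/wp-content/plugins/marmoset-viewer/mviewer.php",
    "QUERY_STRING": "width=100%&height=&autostart=0&transparantbg=&id=http:/www.rafaeldejongh.com"
                    "/WP/wp-content/uploads/2016/07/westar-34.mview",
    "HTTP_REFERER": "http://www.rafaeldejongh.com/WP/jango-fetts-westar-34/",
}

def cond(var, pattern, nocase=False):
    """One RewriteCond line as a predicate over the request variables ([NC] = nocase)."""
    flags = re.IGNORECASE if nocase else 0
    return lambda req: re.search(pattern, req.get(var, ""), flags) is not None

def evaluate(req, rules):
    """Walk an ordered rule list the way mod_rewrite does: when every RewriteCond of a
    rule holds (conditions AND together unless [OR]), the rule either forbids the
    request ([F]) or skips the next N rules ([S=N]); otherwise the next rule is tried."""
    i = 0
    while i < len(rules):
        conds, action = rules[i]
        if all(c(req) for c in conds):
            if action == "F":
                return 403
            i += action  # [S=N]: jump over the next N rules
        i += 1
    return 200

# Constructed stand-in for whatever BPS rule follows the skip rule and returned the 403
# (the page does not show it): forbid a URL scheme inside the query string.
FORBID_URL_IN_QUERY = ([cond("QUERY_STRING", r"(http|https|ftp)(%3A|:)(%2F|/)", nocase=True)], "F")

def question_rule():
    # The rule posted in the question, anchored at the document root.
    return ([cond("REQUEST_URI", r"^/wp-content/plugins/marmoset-viewer/", nocase=True)], 1)

def answer_rule(site_domain):
    # The whitelist rule from the answer: the file name AND the referer must both match.
    return ([cond("REQUEST_URI", r"(mviewer\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", nocase=True),
             cond("HTTP_REFERER", r"^.*" + site_domain + r".*")], 1)

def status_with_question_rule(req=LOGGED_REQUEST):
    return evaluate(req, [question_rule(), FORBID_URL_IN_QUERY])  # 403: anchor never matches /WP/...

def status_with_answer_rule(site_domain, req=LOGGED_REQUEST):
    # "example.com" left unchanged -> 403 (referer cond fails); the real domain -> 200 ([S=1] skips the forbid rule)
    return evaluate(req, [answer_rule(site_domain), FORBID_URL_IN_QUERY])
```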