stop webthumb hijackers - possible?

Started by mugwumpr, April 14, 2007, 07:52:23 AM


Hi!  I've been using the webthumb script for a few months now and I LOVE it!  Sadly, when I was checking up on one of the thumbnails in my "thumbs" folder, I discovered about 5-6 that had quite clearly come from ** sites.  Since I only run the service for myself, and I don't have any reason to link to ** sites, I have a hijacker using my bandwidth.  And, as we all know, hijackers are like vermin, where there's one, there will soon be thousands.


Is there some way to limit accepted thumbnail requests to certain IP addresses or websites?


a really fast fix if you only run it on one URL could be:

replace:   $website_url = $_REQUEST['url'];
with something like:  $website_url = '' . $_REQUEST['url'];

then when you load the page simply replace: webthumb.php?url=
with: webthumb.php?url=mypage.htm&x=150&y=150

other than that you could:
Before: if ($image_type == 1) $output_format = 'gif';
$url = parse_url($website_url);
if ($url['host'] == '')
    //run script
else
    //get ur own!

The above needs some extra thought but I expect you get the drift.
Let me know how you get on, imanuk


Hi imanuk,

Thanx for the quick reply!  I actually run multiple websites on 2 servers each with their own IP, so it would need to be something that accepts multiple options, whether URL or IP.  I definitely see where you're going with that, tho.

Looks like this should have been in the "requests" section, eh?  oops.



Here is what we came up with.

The code will check the site invoking the website snapshot creator, and will only proceed if the site is listed.
For example, your site is You want to limit snapshot generator usage to only that site. Replace with the below.

for one allowed site

if (!isset($_SERVER['HTTP_REFERER'])
or strpos($_SERVER['HTTP_REFERER'],'') === false
) die('Permissions denied');

for two allowed sites

if (!isset($_SERVER['HTTP_REFERER'])
or (strpos($_SERVER['HTTP_REFERER'],'') === false and strpos($_SERVER['HTTP_REFERER'],'') === false)
) die('Permissions denied');

Note: this is not 100% hacker safe. Hackers can spoof the referring URL to make the website snapshot generator believe it is running on a legal site.
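The two approaches in this thread (imanuk's parse_url host check and the Referer substring check above) can be combined into one gate that covers the spoofing caveat. The following is an added example written for this thread; it is not code from the webthumb script or from any poster. It compares the Referer's parsed host exactly against an allowlist (a substring match would also accept any URL that merely contains the allowed name somewhere in its path or query), and it additionally requires an HMAC signature over the target URL, which the owner's own pages embed in the image tag and which a forged Referer cannot supply. The host names, the secret and the sig parameter name are assumptions chosen for the example.

```php
<?php
// Added example for the webthumb thread (not the project's own code).
// Two checks before any snapshot work happens:
//   1. Referer host must exactly equal an allowed host (parse_url, not strpos).
//   2. The request must carry sig=HMAC(url) made with a server-side secret,
//      so a spoofed Referer alone is not enough.
// ALLOWED_HOSTS and SIGNING_SECRET are constructed placeholders.

const ALLOWED_HOSTS = ['www.example.com', 'blog.example.org'];
const SIGNING_SECRET = 'replace-with-a-long-random-secret'; // placeholder

// True only when the Referer parses to a host on the allowlist.
// Missing or unparsable Referer is rejected.
function refererAllowed(?string $referer, array $allowed): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    return in_array(strtolower($host), array_map('strtolower', $allowed), true);
}

// Signature the trusted page puts in <img src="webthumb.php?url=...&sig=...">.
function signUrl(string $targetUrl, string $secret): string
{
    return hash_hmac('sha256', $targetUrl, $secret);
}

// Constant-time comparison so the check does not leak the expected value.
function signatureValid(string $targetUrl, ?string $sig, string $secret): bool
{
    if ($sig === null || $sig === '') {
        return false;
    }
    return hash_equals(signUrl($targetUrl, $secret), $sig);
}

// Combined gate over the request and server arrays.
function requestAuthorized(array $server, array $request): bool
{
    $url = $request['url'] ?? '';
    if ($url === '') {
        return false;
    }
    return refererAllowed($server['HTTP_REFERER'] ?? null, ALLOWED_HOSTS)
        && signatureValid($url, $request['sig'] ?? null, SIGNING_SECRET);
}

// Self-check with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $target = 'http://www.example.com/page.htm';
    $sig = signUrl($target, SIGNING_SECRET);
    $own = ['HTTP_REFERER' => 'http://www.example.com/index.htm'];
    $lookalike = ['HTTP_REFERER' => 'http://www.example.com.test/?www.example.com'];
    var_dump(requestAuthorized($own, ['url' => $target, 'sig' => $sig]));
    var_dump(requestAuthorized($lookalike, ['url' => $target, 'sig' => $sig]));
    var_dump(requestAuthorized($own, ['url' => $target, 'sig' => 'wrong']));
    var_dump(requestAuthorized([], ['url' => $target, 'sig' => $sig]));
    exit;
}

// In webthumb.php itself, place this before the URL is read and fetched.
if (!requestAuthorized($_SERVER, $_REQUEST)) {
    http_response_code(403);
    die('Permissions denied');
}
$website_url = $_REQUEST['url'];
```

Run from the CLI, the first var_dump is the only true one: the lookalike host, the wrong signature and the missing Referer are all refused. The owner's pages generate sig with signUrl() server-side when they render the image tag, so the secret never leaves the server; if the pages live on a different host than the thumbnailer, the secret simply has to be shared between the two.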