WordPress.org

Ready to get started?Download WordPress

Forums

iThemes Security (formerly Better WP Security)
Bug(s) in Nginx config generation (1 post)

  1. wilei
    Member
    Posted 1 year ago #

    I just noticed, that there is kind a major bug in Better WP Securitys code. That bug lies in part of code, which is responsible for nginx config generation.

    I'm testing B-WP-S in my multi-install env, which is running with nginx; and I'm quite familiar with nginx. So I did B-WP-S configuration and copied nginx config (generated by it) to be part of my current conf. And I started to check what it does.

    That code does, as a last thing an if-comparison:
    if ($susquery = 4321) { return 403; }
    but I can't find how and when it sets number 4 to part os susquery variable. So I take a look to it's source. And there is a major bug.

    In file inc/admin/common.php line 635 last char of line is ; (semicolon). It should be . (dot). Because of this bug following line drops away from nginx conf and that if (mentioned above) newer succees:
    if ($args !~ "^action=rp") { set $susquery 4$susquery; }

    In otherhand, there is two myterious variables in nginx conf, $rule_2 and $rule_3. There is one situation when these get other value than their default, 0. And it is when there is no logged_in -cookie, but even then, neither of these two variables are used anywhere in conf...

    And as last note. There are two rewrite rules, to deny requests to wp-includes and wp-admin/includes. These shoud not be rewrites; location -rules are way beter and faster, by returning 403 directly.

    PS. Conf is also inconsistent. Some of "strings" are inside quotes (if ($rule_0 = "3210")) and some not (if ($susquery = 4321)). ;)

    http://wordpress.org/extend/plugins/better-wp-security/

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags