All In One WP Security & Firewall
[resolved] Improper header reading can block the world from logging in (4 posts)

  1. hichhiker
    Member
    Posted 3 months ago #

    Noticed that if someone tries to log in with a non-existent account, the entire internet gets blacklisted.

    Upon investigating, it looks like the reading of the "X-Forwarded-For" header is done improperly. The X-Forwarded-For format is supposed to be "ClientIP, ProxyIP, ..", but the code assumes that it is always just the client IP. If a request passes through more than one proxy, the code is unable to parse the IP address and then blocks ".*" (making all-in-one-wp-security the easiest DOS tool ever).

    Generally, the code is unable to determine the source IP in that configuration, so all logging reports the IP as ".*".

    https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  2. wpsolutions
    Member
    Plugin Author

    Posted 3 months ago #

    Ok, we will fix the function which retrieves the IP address so that it properly accounts for cases when multiple addresses exist because the visitor is coming via a proxy.

    In the meantime, if you have trouble logging in due to being blocked, you can disable the plugin by renaming the "all-in-one-wp-security-and-firewall" folder using FTP.

    PS: No plugin is perfect and the AIOWPS plugin is no exception, but we always do our best to continually improve it and fix bugs or issues.
    Instead of being dramatic, it would be nice if you could be a bit more constructive when pointing out bugs or holes.

  3. hichhiker
    Member
    Posted 3 months ago #

    Sorry, I was not intending to be dramatic, just to point out exactly what was wrong in as much detail as is useful, and the severity of it for those of us who are affected. (OK, so the DOS comment was a bit of a cheap shot, but it was meant to be a bit tongue-in-cheek, which I guess does not always come across properly in a forum post.)

    It is probably worth mentioning that XFF is a request header, and as such is easily spoofable by the client, but I do not see any alternatives. The end result is that even after a fix, if one knows the admin's IP address (admittedly a bit of an if) and this is enabled, one can easily lock the admin out or bypass the lockout, even if there are no proxies involved. One can also lock out everyone this way by sending a blank or unparsable XFF header. I am not sure blocking ".*" is ever a good idea.

    Perhaps a whitelist of "never lock" IPs that works in conjunction with the other measures could be useful.
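Added example (not the plugin's code, and not part of either poster's message): a defensive client-IP extraction routine in Python that models the failure described in this thread and the safer behaviour. It honours X-Forwarded-For only when the TCP peer is one of your own reverse proxies, walks the comma-separated chain from the right, and falls back to REMOTE_ADDR rather than a ".*" wildcard when the header is blank or unparsable. The trusted-proxy set and all addresses are constructed sample values.

```python
import ipaddress

def valid_ip(value):
    """Return the normalised IP string, or None if value is not a single IP."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None

def naive_client_ip(xff):
    """The assumption the thread describes: the whole X-Forwarded-For value
    is one IP.  It fails on a "client, proxy" chain, which is where the
    plugin fell through to blocking ".*"."""
    return valid_ip(xff)

def parse_xff(header):
    """Split a multi-hop X-Forwarded-For value into valid IPs, left to right,
    dropping empty or unparsable entries instead of failing the whole header."""
    return [ip for ip in (valid_ip(p) for p in header.split(",")) if ip]

def client_ip(remote_addr, xff="", trusted_proxies=frozenset()):
    """Choose the address to log and, if needed, lock out.
    X-Forwarded-For is client-controlled, so it is honoured only when the TCP
    peer (REMOTE_ADDR) is a proxy we operate.  We then walk the chain from the
    right, past our own proxies, to the first hop we did not add ourselves.
    Any parse failure falls back to REMOTE_ADDR, never to a wildcard."""
    peer = valid_ip(remote_addr)
    if peer is None:
        return None              # nothing trustworthy: caller creates no rule
    if peer not in trusted_proxies:
        return peer              # direct connection: ignore the forgeable header
    for hop in reversed(parse_xff(xff)):
        if hop not in trusted_proxies:
            return hop
    return peer                  # chain empty or garbage: peer, not ".*"

def lockout_rule(ip):
    """Build a deny rule, refusing anything that is not one literal address."""
    if ip is None or valid_ip(ip) is None:
        raise ValueError("refusing to create a lockout rule for %r" % (ip,))
    return "deny from %s" % ip

# Constructed sample: our reverse proxies, and a request that crossed two of them.
OUR_PROXIES = frozenset({"10.0.0.1", "10.0.0.2"})
if __name__ == "__main__":
    print(client_ip("10.0.0.1", "198.51.100.7, 10.0.0.2", OUR_PROXIES))
```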

  4. wpsolutions
    Member
    Plugin Author

    Posted 3 months ago #

    No worries at all mate - no offence taken.

    You should find that this latest version of the plugin does a better job of extracting the IP address, especially when coming from a proxy.

    This will also hopefully prevent occurrences where the blocked IP turns out to be ".*".

    I also agree with your point regarding the spoofability of the XFF, but as you say there aren't other options.

    Your suggestion of a whitelist of "never lock" IPs is a good one, and we will look into adding something like that in a future update.
