BulletProof Security
[resolved] Version .46.5 incompatible with Shortcode Exec PHP plugin (9 posts)

  1. fwchapman
    Member
    Posted 2 years ago #

    I just updated to Version .46.5 on one of my sites, and it unfortunately broke a plugin which is very important for my work: Shortcode Exec PHP. After updating, I got Not Found, 404 Error messages in the strangest places. It turned out to be an .htaccess issue. I described the problem in detail here:

    http://wordpress.org/support/topic/plugin-shortcode-exec-php-im-getting-a-not-found-404-error

    Best wishes,

    Fred Chapman

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. fwchapman
    Member
    Posted 2 years ago #

    P.S. I should add that the Shortcode Exec PHP plugin still works in the sense that my shortcodes still function. I just can't access the administrative page to edit my shortcodes while BPS .46.5 is running.

  3. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    OK, thanks for pointing out that there is some sort of conflict going on. I will put this plugin in testing and see exactly what threat BPS is seeing and why BPS is blocking it. Thanks.

  4. fwchapman
    Member
    Posted 2 years ago #

    Thank you, Ed! It's much appreciated. -Fred

  5. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    I am still testing, but I wonder if it is something really silly like this: "exec" is blocked explicitly in the BPS filters, the name of this plugin contains "exec", and the query string contains the word "exec". The PHP exec function is of course one of the most used PHP functions in hackers' scripts because it does this: Execute an external program. LOL

    Anyway, open up your root .htaccess file, find this section of .htaccess code and remove "exec" from the Query String filter. I am still testing....

    RewriteCond %{QUERY_STRING} (execute|exec|sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    ...and if that works you could move exec up to the SQL Injection condition...

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|exec|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (execute|sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

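To make the diagnosis above checkable offline, here is an added example (not code from the thread or from the BPS plugin) that transcribes the two quoted RewriteCond filters into Python regexes and evaluates constructed sample URLs against the .46.5 filter and the revised one. It assumes that the SQL Injection condition quoted above is the only other rule block in play, that Apache's `[NC]` maps to `re.IGNORECASE`, and that `%{QUERY_STRING}` is matched raw (still percent-encoded) and unanchored, which is why `re.search` is used. The example names are hypothetical.

```python
import re
from typing import Tuple
from urllib.parse import urlsplit

# Added example, not from the thread or BPS: the query-string filters quoted
# above, transcribed into Python regexes so their match behaviour can be
# checked offline. Apache's [NC] == re.IGNORECASE; RewriteCond does an
# unanchored search, hence re.search(); %{QUERY_STRING} is the raw,
# still percent-encoded query string, which is why %27, %3C etc. are
# listed explicitly in the SQL Injection condition.
ORIGINAL_EXEC_FILTER = re.compile(r"(execute|exec|sp_executesql)", re.IGNORECASE)
REVISED_EXEC_FILTER = re.compile(r"(execute|sp_executesql)", re.IGNORECASE)
SQLI_FILTER = re.compile(
    r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
    r"(/\*|exec|union|select|insert|drop|delete|update|cast|create|char"
    r"|convert|alter|declare|order|script|set|md5|benchmark|encode)",
    re.IGNORECASE,
)


def is_blocked(url: str, exec_filter: "re.Pattern") -> bool:
    """True if either rule block would answer 403 ([F]) for this request.

    The SQL Injection condition needs a delimiter or metacharacter *before*
    a keyword; the bare-word "exec" condition fires on the substring anywhere
    in the query string, which is what made a benign
    page=shortcode-exec-php request trip it.
    """
    qs = urlsplit(url).query
    return bool(SQLI_FILTER.search(qs) or exec_filter.search(qs))


def compare(url: str) -> Tuple[bool, bool]:
    """(blocked by the .46.5 filter, blocked after 'exec' is removed)."""
    return (is_blocked(url, ORIGINAL_EXEC_FILTER),
            is_blocked(url, REVISED_EXEC_FILTER))


# Constructed sample requests (example.com is a placeholder host): the
# plugin's admin page, two other benign query strings that merely contain
# "exec" as a substring, and one that looks like an injection attempt.
SAMPLES = [
    "http://example.com/wp-admin/admin.php?page=shortcode-exec-php",
    "http://example.com/?page=executive-summary",
    "http://example.com/?action=execute_task",
    "http://example.com/?id=1'%20union%20select%201,2",
]

if __name__ == "__main__":
    for u in SAMPLES:
        before, after = compare(u)
        print(f"{u}\n    .46.5: {'403' if before else 'pass'}"
              f"   revised: {'403' if after else 'pass'}")
```

The third sample shows the point made later in the thread: `execute` is still matched as a bare substring, so `?action=execute_task` keeps getting a 403 even after `exec` is dropped, while the injection-looking query string is caught by the SQL Injection condition either way.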

  6. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Yep, it was just that silly thing. As an afterthought I added the PHP function "exec" to the explicit filter. I probably did that because every single hacker script I play around with uses the PHP exec function. It was not a good idea. A prepared statement in MySQL uses EXECUTE, so there is really no good reason to block "exec" explicitly. If you want, you can either remove "exec" entirely or, just for the heck of it, add it to the SQL Injection filter (it won't do anything really there). Anyway, protecting a site against "exec" should be done in your php.ini file and not in an .htaccess file, so it can be dumped altogether. You will need to remove it from both your Root .htaccess file and your /wp-admin .htaccess file. I will get rid of this altogether in BPS .46.6. Thanks.

    FYI: in your custom php.ini file you should add exec to your disable_functions directive
    ...and these PHP functions as well:
    disable_functions = system, exec, passthru, shell_exec, show_source, popen, pclose, pcntl_exec

    I see these PHP functions in every single hacker script I play with. ;)

  7. fwchapman
    Member
    Posted 2 years ago #

    Thanks very much, Ed! I removed "exec" from both .htaccess files, and Shortcode Exec PHP now works perfectly once again. I also took your advice about the php.ini file. Thanks for that, too! -Fred

  8. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Cool. Yeah, I will also hear complaints about "execute" being blocked as well. Really, what should be there is --execute (with hyphens) to block the MySQL command line option. Oh well, it happens. ;)

  9. fwchapman
    Member
    Posted 2 years ago #

    Ed, on this Thanksgiving Day, I am truly thankful for wonderful plugin developers like you. You were kind enough to respond to my bug report within a matter of minutes. That kind of incredible service to the WordPress community makes my job as a web consultant a whole lot easier!

    Thanks again,

    Fred
