WordPress.org


[Plugin: Members Only] Bypassed by adding variable to url (22 posts)

  1. mrgreen
    Member
    Posted 6 years ago #

    This plugin can easily be bypassed by adding ?blah="wp-login.php" or even just ?wp-login.php to the end of the url.

    http://wordpress.org/extend/plugins/members-only/

  2. hami
    Member
    Posted 6 years ago #

    Thank you mrgreen - well spotted! I used a very poorly thought-out preg_match on the URL. I've fixed this in version 0.4 which I will release tonight.

    If you want to manually fix the plugin in the meantime change this line of code:

    if ($currenturl == $redirection || $currenturl == $redirection.'/' || preg_match("/wp-login.php/i", $_SERVER["REQUEST_URI"]) || preg_match("/wp-register.php/i", $_SERVER["REQUEST_URI"]) || preg_match("/wp-admin/i", $_SERVER["REQUEST_URI"]))

    to this:

    if ($currenturl == $redirection || $currenturl == $redirection.'/' || preg_match('/http:\/\/[^\/]+\/wp-login\.php/', $currenturl) || preg_match('/http:\/\/[^\/]+\/wp-register\.php/', $currenturl) || preg_match('/http:\/\/[^\/]+\/wp-admin/', $currenturl))

    / Hami

  3. hami
    Member
    Posted 6 years ago #

    Members Only 0.4 uploaded to the SVN. Should be available very shortly.
    http://wordpress.org/extend/plugins/members-only/

    / Hami

  4. hami
    Member
    Posted 6 years ago #

    It's available - everyone please update. Thank you again mrgreen for spotting this.

    / Hami

  5. hami
    Member
    Posted 6 years ago #

    The fix in 0.4 did work as intended as you could still add the full url of wp-login.php as a variable and bypass the check.

    I've released 0.4.1 which actually fixes the flaw. The preg_match now uses parse_url to check only the path of the URL and nothing else. All users using Members Only should upgrade to version 0.4.1 as soon as possible to avoid this flaw being taken advantage of.

    / Hami

  6. hami
    Member
    Posted 6 years ago #

    I've improved the security again with version 0.4.2. I've replaced all preg_match calls with strpos, except for checking wp-admin URLs, and also parse the URL first. That should be the end of variable hacks.

    I've also added checking for 404 pages; they now redirect to the login page too. This involved changing when the plugin is called from init back to wp_head, otherwise 404 pages can't be redirected.

    If this causes problems, like the 'Cannot modify header information' error, you can change this back to init, but a 404 page will then be viewable as normal.

    / Hami
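
The difference between the original request-URI pattern match (post 2) and the path-only check hami describes for 0.4.1/0.4.2 (posts 5 and 6), as an added example that is not the plugin's own code; function names and the sample URIs are constructed for illustration.

```php
<?php
// Added example, not Members Only's code. Compares a check that searches the whole
// REQUEST_URI (query string included) with one that inspects only the URI path.

/** Original-style check: substring/regex search over the entire request URI. */
function is_exempt_original(string $request_uri): bool {
    return (bool) preg_match("/wp-login.php/i", $request_uri)
        || (bool) preg_match("/wp-register.php/i", $request_uri)
        || (bool) preg_match("/wp-admin/i", $request_uri);
}

/** Hardened check: parse the URI and consult only its path component. */
function is_exempt_hardened(string $request_uri): bool {
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;   // unparsable URI: treat as protected, never as exempt
    }
    $path = rtrim($path, '/');
    // Exempt only when the path's last segment is one of the login scripts...
    $last = substr($path, (int) strrpos($path, '/') + 1);
    if (in_array($last, ['wp-login.php', 'wp-register.php'], true)) {
        return true;
    }
    // ...or when a whole path segment is wp-admin. Query string and fragment
    // are never consulted, so "?wp-login.php" cannot satisfy the check.
    return strpos($path . '/', '/wp-admin/') !== false;
}

// Constructed sample requests: legitimate login/admin URIs and protected
// permalinks, including the query-string variants reported in this thread.
$samples = [
    '/wp-login.php',
    '/wp-login.php?redirect_to=/2008/02/hello-world/',
    '/wp-admin/',
    '/2008/02/hello-world/',
    '/2008/02/hello-world/?blah=wp-login.php',
    '/2008/02/hello-world/?wp-login.php',
];
foreach ($samples as $uri) {
    printf("%-50s original=%-3s hardened=%s\n", $uri,
        is_exempt_original($uri) ? 'yes' : 'no',
        is_exempt_hardened($uri) ? 'yes' : 'no');
}
```

The last two sample URIs are reported exempt by the original check and protected by the hardened one; the first three stay exempt under both.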

  7. tatgirl
    Member
    Posted 6 years ago #

    ok, then where can we download version 0.4.2?

  8. actionisjackson
    Member
    Posted 6 years ago #

    we are getting this ERROR! please help

    Warning: Cannot modify header information - headers already sent by (output started at /home/7946/domains/oururl.com/html/wp-content/themes/default/header.php:2) in /home/7946/domains/oururl.com/html/wp-content/plugins/members-only/members-only.php on line 97

  9. hami
    Member
    Posted 6 years ago #

    Have you edited/modified your header.php or viewed either the plugin or header.php in an online editor?

    If so can you send me your header.php to labs@andrewhamilton.net as I think it could be the infamous white space problem - which is either a space or a blank line in your header.php (or the plugin) before or after <?php and ?>. If you send it to me I'll have a look.

    If you opened up the plugin in an editor, can you try replacing it with a copy straight from the zip (i.e. without opening it first) and see if the problem persists.

    / Hami

  10. hami
    Member
    Posted 6 years ago #

    Can you also let me know what other plugins you're using?

    / Hami

  11. Chris
    Member
    Posted 6 years ago #

    It's still not secure. If you load a post by the permalink (/archives/%year%/%monthnum%/%postname%/) login is completely bypassed.

  12. hami
    Member
    Posted 6 years ago #

    Hi Chris,

    Can you clarify further? On both my WordPress testbeds I can't seem to replicate this problem.

    http://mydomain.tld/2008/02/hello-world/ correctly redirects to http://mydomain.tld/wp-login.php?redirect_to=/2008/02/hello-world/

    http://mydomain.tld/archives/2008/02/hello-world/ first redirects to http://mydomain.tld/2008/02/hello-world/ then to http://mydomain.tld/wp-login.php?redirect_to=/2008/02/hello-world/

    Without permalinks http://mydomain.tld/?p=1 correctly redirects to http://mydomain.tld/wp-login.php?redirect_to=/?p=1

    In your situation this could be one of three things. Firstly you need to have <?php wp_head(); ?> somewhere in between <head> and </head> in your header.php for your theme in order for the plugin to work. I'm guessing this is your problem, rather than the second option, which is to double-check that Members Only is turned on in its settings page, or the third option, to double-check you're not logged in to your site.

    Obviously if this isn't the case please let me know and I'll try and track down the problem.

    / Hami

  13. Chris
    Member
    Posted 6 years ago #

    Ok, it's on, it's configured and at least now I'm getting an error:

    Warning: Cannot modify header information - headers already sent by (output started at /home/*/public_html/journal/wp-content/themes/*/header.php:11) in /home/*/public_html/journal/wp-content/plugins/members-only.php on line 97

    Line 11 in my theme's header.php is:

    <title><?php bloginfo('name'); ?><?php if ( is_single() ) { ?>» journal <?php } ?><?php wp_title(' » ',true); ?></title>

    So, I don't doubt that it works, it's just not working for me. I'll report back if I find the specified issue.

  14. hami
    Member
    Posted 6 years ago #

    Hi Chris,

    I think this maybe the infamous white space problem that you get when sending the header command. Check whether there is a blank line or space either before the first <?php or after the last ?> in your header.php.

    / Hami

  15. Chris
    Member
    Posted 6 years ago #

    BTW I'm using wp 2.5. I turned all other plugins off but this one, switched to the default wp theme, and it's still not working and I'm still getting an error:

    Warning: Cannot modify header information - headers already sent by (output started at /home/*/public_html/journal/wp-content/themes/default/header.php:2) in /home/*/public_html/journal/wp-content/plugins/members-only.php on line 97

  16. hami
    Member
    Posted 6 years ago #

    Thanks Chris, maybe I have a white space in the plugin - I'll have a triple-check for it and upload a new one today as 0.4.3 fixes a bug with redirecting to a specific page.

    A few people get this problem but the vast majority don't. The other thing in common could be the host (and their PHP configuration); is the * in your path a four-digit number by chance?

    In the meantime you can change where the plugin is called to get around this issue.

    Change this line...
    add_action('wp_head', 'members_only');

    to this...
    add_action('init', 'members_only');

    / Hami

  17. hami
    Member
    Posted 6 years ago #

    Actually Chris, can you try changing that line to this instead?
    add_action('template_redirect', 'members_only');

    I'm hoping that might fix the issue (for those that have it) for good - fingers crossed.

    / Hami

  18. stebesplace
    Member
    Posted 6 years ago #

    Hami, that last line:

    add_action('template_redirect', 'members_only');

    Worked when I put it in the plugin and re-uploaded it. You should make this change to the current release (as of today, April 4, 2008).

    Thanks!

  19. hami
    Member
    Posted 6 years ago #

    This is now fixed in the new version (0.5).

    / Hami

  20. mrgreen
    Member
    Posted 6 years ago #

    hami,

    Thanks for fixing the variable bypass problem so quickly!

  21. Chris
    Member
    Posted 6 years ago #

    Sorry for not responding, been away...

    Anyway, I uploaded the new version and now I get this error:

    Warning: require(/home/---/public_html/wp-config.php) [function.require]: failed to open stream: No such file or directory in /home/---/public_html/wp-login.php on line 2

    Fatal error: require() [function.require]: Failed opening required '/home/---/public_html/wp-config.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/---/public_html/wp-login.php on line 2

    My config file is located here: /home/---/public_html/journal/wp-config.php So I'm unsure why it's being looked for in the blog url not the installation url.

  22. hami
    Member
    Posted 6 years ago #

    Hey Chris,

    That sounds like your WordPress install has gone screwy and your file permissions have gone awry. The error is basically saying it can't find wp-config.php, but that could mean the permissions are wrong for the file. The correct permissions should be rw-r--r-- or 644.

    I assume removing Members Only doesn't fix this issue?

    I'm pretty confident this is nothing to do with my plugin as I have it installed on multiple WordPress testbeds running several versions. Try reinstalling WordPress or checking all the files are there with the correct permissions.

    / Hami

Topic Closed

This topic has been closed to new replies.