Two v4.0.5 ban IP bugs….
Bug One
iThemes Security plugin version 4.0.5 has lost its ability to lockout people accessing a site through a proxy server. For example, on 3.4+ versions of the plugin banning a host with an IP address of 46.60.253.41 would add these rules to .htaccess…
    Order Allow,Deny
    Deny from env=DenyAccess
    Allow from all
    SetEnvIF REMOTE_ADDR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^46\.60\.253\.41$" DenyAccess
Now, all it adds is this…
    Order allow,deny
    Deny from 46.60.253.41
This is a big step backwards in security for this plugin.
Bug Two
Also, there is a bug with the way the plugin converts the wildcard format of IP addresses to CIDR format. For example, if you enter this into the ban hosts setting…
    178.78.27.*
    180.75.*.*
This is what comes out in the .htaccess file…
    Deny from 178.78.27.0/8
    Deny from 180.75.0.0/16
Anyone who understands CIDR can see that 178.78.27.0/8 is not correct and results in banning a huge range of addresses.
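For anyone checking their own .htaccess output, here is an added Python example (not the plugin's PHP code) that performs the wildcard-to-CIDR conversion correctly, next to a function that reproduces the faulty prefix length shown above. The cause modelled in the buggy function (prefix length taken from the number of '*' octets instead of the number of fixed octets) is an assumption inferred from the two outputs quoted in the post, not a claim about the plugin's source.

```python
"""Wildcard host entries (178.78.27.*) to CIDR: correct vs. reported-buggy form.

Added illustration, not the iThemes Security plugin's own code.
"""
import ipaddress


def wildcard_to_cidr(entry: str) -> str:
    """Correct conversion: prefix length = 8 * number of fixed leading octets.

    178.78.27.*  -> 178.78.27.0/24
    180.75.*.*   -> 180.75.0.0/16
    Only trailing wildcards are accepted; a fixed octet after '*' is rejected.
    """
    octets = entry.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {entry!r}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet in {entry!r}")
        fixed.append(octet)
    # Everything after the first '*' must also be '*'.
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"fixed octet after wildcard in {entry!r}")
    prefix_len = 8 * len(fixed)
    network = ".".join(fixed + ["0"] * (4 - len(fixed)))
    # strict=True: the network address is always aligned to the prefix here.
    return str(ipaddress.ip_network(f"{network}/{prefix_len}"))


def buggy_wildcard_to_cidr(entry: str) -> str:
    """Reproduces the v4.0.5 output quoted in the post (assumed cause: the
    prefix length is 8 * number of '*' octets, not 8 * number of fixed octets).

    178.78.27.* -> 178.78.27.0/8   (wrong: host bits set, /8 is far too wide)
    180.75.*.*  -> 180.75.0.0/16   (right only because 2 fixed == 2 wildcards)
    """
    octets = entry.strip().split(".")
    network = ".".join("0" if o == "*" else o for o in octets)
    return f"{network}/{8 * octets.count('*')}"


def addresses_banned(cidr: str) -> int:
    """How many addresses an Apache 'Deny from <cidr>' line really covers.

    strict=False mirrors Apache, which masks off the host bits, so
    178.78.27.0/8 behaves as 178.0.0.0/8 (about 16.7 million addresses).
    """
    return ipaddress.ip_network(cidr, strict=False).num_addresses
```

Running `addresses_banned` over the two quoted lines shows the gap directly: 178.78.27.0/8 covers 16777216 addresses where the intended 178.78.27.0/24 covers 256.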