• Resolved Zachary DuBois

    (@zachary-dubois)


    I have figured out that if you add the option ?mshot=true to any URL when your site is in maintenance mode, it will allow anyone to bypass the maintenance mode. I know that this is supposed to be used for WordPress.com’s screenshot service, but it is a major flaw in the purpose of the plugin. I have noticed the following hostnames using this URL option under Wordfence live activity on my sites:

    • *.sat.wordpress.com
    • *.static.reverse.ltdomains.com

    You should fix this flaw so that it only lets the screenshot service from WordPress.com through and keeps all others out.
    – Thanks

    http://wordpress.org/extend/plugins/ultimate-maintenance-mode/

Viewing 8 replies - 1 through 8 (of 8 total)
  • lol, that’s a BIG issue indeed… please fix 🙂

    Thread Starter Zachary DuBois

    (@zachary-dubois)

    Make sure in Google Webmaster Tools you set Google not to crawl those URL parameters.

    Plugin Author John Turner

    (@johnnytee)

    Google won’t crawl it unless it has that param. You have to allow the mshot or it will take a screenshot of the maintenance page. I’ll look at user agent detection.

    Thread Starter Zachary DuBois

    (@zachary-dubois)

    Google will crawl it because it has the link from WordPress. It notified me of the new pattern detected via email. You would rather Google get a 503 Service Temporarily Unavailable than unfinished pages on your site.

    Thread Starter Zachary DuBois

    (@zachary-dubois)

    Will this be fixed? It is really a big issue if you need to take your site down for maintenance after a security break-in or such.

    You have to allow mshot through to get a screenshot. I’ll make it so that if you use a custom background, mshot is blocked. Thx

    This has been fixed in 1.5.2. A unique identifier is now passed to identify mshots.
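Added example, not code from the Ultimate Maintenance Mode plugin or from anyone in this thread: plain PHP (runs from the CLI, no WordPress needed) that models the gate this thread is about. The "before" function reproduces the reported bypass, where any request carrying ?mshot=true is let through. The "after" function models the 1.5.2 approach as a per-site secret that only the screenshot service is handed, compared with hash_equals so the check is constant-time. The function names, the secret's format, the option of storing it per site, and the sample query strings are all assumptions; the thread only says that a unique identifier is passed. The 503 headers are included because, as the thread notes, a crawler should receive a 503 rather than index the unfinished site. A User-Agent check on its own would not close the hole, since that header is chosen by the client.

```php
<?php
// Added example: models a maintenance-mode gate with an mshot bypass.
// Not the plugin's own code; names and the secret scheme are assumptions.
declare(strict_types=1);

// Before: any visitor who appends ?mshot=true is let through (the bug
// reported in this thread). A public, guessable flag is not an allowlist.
function maintenance_allows_request_before(array $query): bool
{
    return isset($query['mshot']) && $query['mshot'] === 'true';
}

// After (assumed scheme): the bypass requires a per-site secret that only
// the screenshot service receives. is_string() rejects ?mshot[]=x style
// values; hash_equals() avoids a timing side channel on the comparison.
function maintenance_allows_request_after(array $query, string $site_secret): bool
{
    if (!isset($query['mshot']) || !is_string($query['mshot'])) {
        return false;
    }
    return hash_equals($site_secret, $query['mshot']);
}

// The URL a site would hand to the screenshot service (assumed flow).
function mshot_screenshot_url(string $site_url, string $site_secret): string
{
    return $site_url . '?' . http_build_query(['mshot' => $site_secret]);
}

// Headers the gate should send to everyone it blocks: a 503 with
// Retry-After tells crawlers to come back later rather than index the
// maintenance page or unfinished content.
function maintenance_response_headers(int $retry_after_seconds): array
{
    return [
        'HTTP/1.1 503 Service Temporarily Unavailable',
        'Retry-After: ' . $retry_after_seconds,
        'Cache-Control: no-store',
    ];
}

// Parse a raw query string the way PHP would populate $_GET.
function parse_query(string $raw): array
{
    $out = [];
    parse_str($raw, $out);
    return $out;
}

// Demo driver with constructed inputs; no web server involved.
$secret = bin2hex(random_bytes(16));   // generated once per site, then stored
$cases = [
    'plain visitor'      => '',
    'old bypass'         => 'mshot=true',
    'array trick'        => 'mshot[]=true',
    'screenshot service' => http_build_query(['mshot' => $secret]),
];
foreach ($cases as $label => $raw) {
    $q = parse_query($raw);
    printf("%-20s before=%-8s after=%s\n", $label,
        maintenance_allows_request_before($q) ? 'allowed' : 'blocked',
        maintenance_allows_request_after($q, $secret) ? 'allowed' : 'blocked');
}
echo implode("\n", maintenance_response_headers(3600)), "\n";
echo mshot_screenshot_url('https://example.com/', $secret), "\n";
```

Run it with `php gate.php`. Only the request carrying the site's secret is allowed by the "after" check; `?mshot=true` and the array-valued variant are blocked, and everything blocked gets the 503 headers. Rotating the secret in the stored option invalidates any URL that leaked.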

    Thread Starter Zachary DuBois

    (@zachary-dubois)

    Sweet! Thanks!

  • The topic ‘Adding '?mshot=true' will bypass maintenance mode.’ is closed to new replies.