How to fix the Remote OS Command Injection in wordpress site
-
We have recently run the ZAP tool against our site. Now we are getting the Remote OS Command Injection issue. Can you please share the idea to fix this issue, or suggest a plugin that helps to fix this issue?
Thanks,
-
Thank you for reaching out. I don't know any plugin that helps you to prevent/secure from Remote OS Command Injection. I think you should contact your hosting server and they might help you regarding this.
In case you find or have already found any solution, then please share it here so it may help others.
Thanks and Regards,
Sami
-
Hi @sasiddiqui,
Thanks for your reply.
I think you may have an idea to remove the specific query string from the URL. Can you please share the idea to fix it?
I just want to remove the below parameters from the URL so that we can fix the issue.
ver=1619437815%27%7Ctimeout+%2FT+15
p=41475%27%3Bsleep+15%3B%27
https://www.example.com/blog?ver=1619437815%27%7Ctimeout+%2FT+15
https://www.example.com/blog?p=41475%27%3Bsleep+15%3B%27
Also, please tell me how to remove the below characters from the URL.
`~ . " % @ & * $ – # ~ . " % + , `
Thanks,
Saravanan
-
Hi @sasiddiqui,
Please tell me if there is any hook available to add the below special characters to an include list, to block these items from the URL:
`
'
;
~
+
=
/
"
$
%
*
`
Regards,
Saravanan
-
Hi @sasiddiqui,
It's not working when the file URL has special characters like <>.
Please share the idea to fix the issue.
.css
.js
Regards,
Saravanan
-
This reply was modified 4 years, 8 months ago by Sakthivel.
-
`I just want to remove the below parameters from the URL so that we can fix the issue.
ver=1619437815%27%7Ctimeout+%2FT+15
p=41475%27%3Bsleep+15%3B%27
https://www.example.com/blog?ver=1619437815%27%7Ctimeout+%2FT+15
https://www.example.com/blog?p=41475%27%3Bsleep+15%3B%27`
Please add the following code in your theme's functions.php file or in any custom plugin (if you have any).
https://gist.github.com/samiahmedsiddiqui/ce912765e3d098da39ba561955e0bf6f#file-remove-url-params-redirect
Before making these changes, make sure to get a backup of the site so that, in case you have any issues, you can roll back.
`Please tell me if there is any hook available to add the below special characters to an include list, to block these items from the URL.`
Currently, there is no hook available. I will add it in the new version. If you don't mind, can you please add this as a feature request in GitHub?
https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues/new
Let me know your feedback.
Thanks and Regards,
Sami
-
Hi @sasiddiqui,
Thanks for the help. I have given the feature request on GitHub.
The provided code is working fine on a page URL like:
https://www.example.com/blog?ver=1619437815%27%7Ctimeout+%2FT+15
But that does not work for the below CSS file URL. Can you please let me know why this does not work for this case?
https://www.example.com/wp-content/cache/autoptimize/css/autoptimize_single_462157d56066e48c0613a5ac8e33853c.css?ver=1619437815%27%7Ctimeout+%2FT+15
Thanks,
Saravanan
-
`But that does not work for the below CSS file URL. Can you please let me know why this does not work for this case?
https://www.example.com/wp-content/cache/autoptimize/css/autoptimize_single_462157d56066e48c0613a5ac8e33853c.css?ver=1619437815%27%7Ctimeout+%2FT+15`
The provided code only works on the WordPress URLs/permalinks, but not on physical file URLs, whether CSS, JS, image etc. To cover everything, you need to remove/handle the params on the server side, e.g. in .htaccess, not from WordPress.
Thanks and Regards,
Sami
-
Hi @sasiddiqui,
Thanks for your suggestion. I used the below directives in the .htaccess file. It worked for me; I have confirmed it on my side. Can you please confirm whether removing these parameters from the URL causes any problem?
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} ^ver=[^&]+&?(.*) [NC,OR]
RewriteCond %{QUERY_STRING} ^p=[^&]+&?(.*) [NC]
RewriteRule ^ %{REQUEST_URI}?%1 [R=302,L]
</IfModule>
Regards,
Saravanan
-
`ver` is used with CSS and JS files in WordPress, and `p` is used as the default WordPress permalink. I just recommend removing them from the URL when it comes with any extension, especially `p`, to avoid any collision with the WordPress permalinks. I think this is what you have already done (only removing with an extension). Just make sure to run any crawler on your website and see whether you are having any 404s on your website or not after doing this change.
Thanks and Regards,
Sami
-
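The directives posted in the thread strip `ver=` and `p=` from every URL, including permalinks such as `/?p=123`, and only when the parameter comes first in the query string. The following .htaccess fragment is an added example (not from the thread, and not part of the prevent-xss-vulnerability plugin) that applies Sami's advice: it acts only on requests for physical asset files, matches the parameter anywhere in the query string, and leaves WordPress permalinks alone. It assumes Apache 2.4 with mod_rewrite enabled; the extension list is an assumption to extend as needed. Note that a redirect only removes the scanner's payload from the URL; whether any code on the server actually passes `ver` or `p` to a shell is a separate question, and a `ver` cache-buster is only ever expected to be numeric.

```apache
# Added example, not from the thread or the prevent-xss-vulnerability plugin.
# Assumes Apache 2.4 with mod_rewrite enabled, placed in the site root .htaccess.
# Only requests for static asset files are touched, so WordPress permalinks
# such as /?p=123 keep working.
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Match on physical asset files only (extension list is an assumption).
RewriteCond %{REQUEST_URI} \.(?:css|js|png|jpe?g|gif|svg|ico|woff2?)$ [NC]

# 2a. ver= or p= is the first parameter: %1 captures whatever follows it.
RewriteCond %{QUERY_STRING} ^(?:ver|p)=[^&]*&?(.*)$ [NC,OR]
# 2b. ver= or p= sits later in the query string: %1 is the prefix, %2 the rest.
RewriteCond %{QUERY_STRING} ^(.*)&(?:ver|p)=[^&]*(.*)$ [NC]

# Rebuild the URL from the captured parts. With [OR], the %N backreferences
# come from whichever condition matched, and an unset %2 expands to nothing.
# The trailing "?" discards the original query string; NE keeps existing
# %-escapes in the remaining parameters from being escaped a second time.
RewriteRule ^ %{REQUEST_URI}?%1%2 [R=302,L,NE]
</IfModule>
```

Each 302 removes one offending parameter, so a query string carrying both `p=` and `ver=` is cleaned over two round trips. Because every asset request that carries `ver=` now costs an extra redirect, and the cache-buster no longer reaches the file, run a crawler afterwards as Sami suggests and watch both for 404s and for assets that browsers stop refreshing after a theme update.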
The topic ‘How to fix the Remote OS Command Injection in wordpress site’ is closed to new replies.