
[Resolved] [Plugin: BulletProof Security] Version .46.5 incompatible with Shortcode Exec PHP plugin

Viewing 8 replies - 1 through 8 (of 8 total)
    fwchapman
    Participant

    @fwchapman

    P.S. I should add that the Shortcode Exec PHP plugin still works in the sense that my shortcodes still function. I just can’t access the administrative page to edit my shortcodes while BPS .46.5 is running.

    Plugin Author AITpro
    Participant

    @aitpro

    OK, thanks for pointing out that there is some sort of conflict going on. I will put this plugin in testing and see exactly what threat BPS is seeing and why BPS is blocking it. Thanks.

    fwchapman
    Participant

    @fwchapman

    Thank you, Ed! It’s much appreciated. -Fred

    Plugin Author AITpro
    Participant

    @aitpro

    I am still testing, but I wonder if it is something really silly like this – “exec” is blocked explicitly in the BPS filters and the name of this plugin contains “exec” and the query string contains the word “exec”. The php exec function is of course one of the most used php functions in hackers’ scripts because it does this – Execute an external program. LOL

    Anyway, open up your root .htaccess file, find this section of .htaccess code and remove “exec” from the Query String filter. I am still testing…

    RewriteCond %{QUERY_STRING} (execute|exec|sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    …and if that works you could move exec up to the SQL Injection condition…

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|exec|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (execute|sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

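    The false positive described in this post can be checked offline by replaying the quoted RewriteCond patterns against sample query strings. The snippet below is an added example, not code from the thread or from BulletProof Security; the URLs are constructed, and the admin page slug is an assumption.

```python
import re
from urllib.parse import urlsplit

# The BulletProof Security filters quoted in the thread, as Python regexes.
# Apache RewriteCond does an unanchored PCRE search; [NC] maps to IGNORECASE.
SQLI_COND = re.compile(
    r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
    r"(/\*|exec|union|select|insert|drop|delete|update|cast|create|char|"
    r"convert|alter|declare|order|script|set|md5|benchmark|encode)",
    re.IGNORECASE,
)
# Explicit filter as shipped in .46.5 (blocks any query string containing "exec").
EXPLICIT_OLD = re.compile(r"(execute|exec|sp_executesql)", re.IGNORECASE)
# Explicit filter after removing "exec", as the thread recommends.
EXPLICIT_NEW = re.compile(r"(execute|sp_executesql)", re.IGNORECASE)


def is_blocked(url: str, explicit: re.Pattern) -> bool:
    """True if the raw query string of `url` would hit the 403 RewriteRule.

    Mirrors the [OR] chain: SQLI_COND or the explicit filter.
    %{QUERY_STRING} is not URL-decoded, so neither is this."""
    qs = urlsplit(url).query
    return bool(SQLI_COND.search(qs) or explicit.search(qs))


# Constructed sample requests (hypothetical; page slug is an assumption).
SAMPLES = {
    "admin": "https://example.test/wp-admin/options-general.php?page=shortcode-exec-php",
    "normal": "https://example.test/?s=hello+world",
    # quote followed by UNION SELECT: should still be caught after the fix
    "sqli": "https://example.test/?id=1%27%20union%20select%201,2",
    # "execute" remains in the explicit filter, so this still trips it
    "execute": "https://example.test/?action=execute_report",
}


def compare_filters() -> dict:
    """Map each sample to (blocked by .46.5 filter, blocked after the fix)."""
    return {name: (is_blocked(u, EXPLICIT_OLD), is_blocked(u, EXPLICIT_NEW))
            for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in compare_filters().items():
        print(f"{name:8s} old={old!s:5s} new={new!s:5s}")
```

    The "admin" row flips from blocked to allowed once "exec" is removed, while the injection probe is still caught by the SQL Injection condition; the "execute" row shows the second false positive the plugin author mentions later in the thread.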

    Plugin Author AITpro
    Participant

    @aitpro

    Yep, it was just that silly thing. As an afterthought I added the php function “exec” to the explicit filter. I probably did that because every single hacker script I play around with uses the php exec function. It was not a good idea. A prepared statement in MySQL uses EXECUTE so there is really no good reason to block “exec” explicitly. If you want you can either remove “exec” entirely or just for the heck of it add it to the SQL Injection filter (it won’t do anything really there). Anyway protecting a site against “exec” should be done in your php.ini file and not in an .htaccess file anyway so it can be dumped altogether. You will need to remove it from both your Root .htaccess file and your /wp-admin .htaccess file. I will get rid of this altogether in BPS .46.6. Thanks.

    FYI – in your custom php.ini file you should add exec to your disable_functions directive,
    …and these php functions as well:
    disable_functions = system, exec, passthru, shell_exec, show_source, popen, pclose, pcntl_exec

    I see these php functions in every single hacker script I play with. 😉

    fwchapman
    Participant

    @fwchapman

    Thanks very much, Ed! I removed “exec” from both .htaccess files, and Shortcode Exec PHP now works perfectly once again. I also took your advice about the php.ini file. Thanks for that, too! -Fred

    Plugin Author AITpro
    Participant

    @aitpro

    Cool. Yeah, I will also hear complaints about “execute” being blocked as well. Really what should be there is --execute (with hyphens) to block the MySQL command line option. Oh well, it happens. 😉

    fwchapman
    Participant

    @fwchapman

    Ed, on this Thanksgiving Day, I am truly thankful for wonderful plugin developers like you. You were kind enough to respond to my bug report within a matter of minutes. That kind of incredible service to the WordPress community makes my job as a web consultant a whole lot easier!

    Thanks again,

    Fred
