[Plugin: Members Only] Bypassed by adding variable to url

Viewing 15 replies - 1 through 15 (of 21 total)
  • Thank you mrgreen – well spotted! I used a very poorly thought-out preg_match on the URL. I’ve fixed this in version 0.4 which I will release tonight.

    If you want to manually fix the plugin in the meantime change this line of code:

    if ($currenturl == $redirection || $currenturl == $redirection.'/' || preg_match("/wp-login.php/i", $_SERVER["REQUEST_URI"]) || preg_match("/wp-register.php/i", $_SERVER["REQUEST_URI"]) || preg_match("/wp-admin/i", $_SERVER["REQUEST_URI"]))

    to this:

    if ($currenturl == $redirection || $currenturl == $redirection.'/' || preg_match('/http:\/\/[^\/]+\/wp-login\.php/', $currenturl) || preg_match('/http:\/\/[^\/]+\/wp-register\.php/', $currenturl) || preg_match('/http:\/\/[^\/]+\/wp-admin/', $currenturl))

    / Hami

    Members Only 0.4 uploaded to the SVN. Should be available very shortly.

    / Hami

    It’s available – everyone please update. Thank you again mrgreen for spotting this.

    / Hami

    The fix in 0.4 didn’t work as intended as you could still add the full url of wp-login.php as a variable and bypass the check.

    I’ve released 0.4.1 which actually fixes the flaw. The preg_match now uses parse_url to check only the path of the url and nothing else. All users using Members Only should upgrade to version 0.4.1 as soon as possible to avoid this flaw being taken advantage of.

    / Hami

    I’ve improved the security again with version 0.4.2. I’ve replaced all preg_match calls with strpos, except when checking for wp-admin URLs, and also parse the URL first. That should be the end of variable hacks.

    I’ve also added checking for 404 pages; they now redirect to the login page too. This involved changing when the plugin is called from init back to wp_head, otherwise 404 pages can’t be redirected.

    If this causes problems, like the ‘Cannot modify header information’ error you can change this back to init but a 404 page will be able to be seen as normal.

    / Hami
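To make the difference concrete, here is an added example (not code from the Members Only plugin) that places the original substring check on REQUEST_URI next to a path-only check of the kind Hami describes for 0.4.1/0.4.2, built on parse_url and plain string comparison. The function names and the sample request URIs are constructed for this illustration; the third URI is the bypass reported in this thread.

```php
<?php
// Added example, not part of the plugin: contrast the substring check that
// mrgreen bypassed with a path-only check in the spirit of 0.4.1/0.4.2.

// Vulnerable form: any occurrence of the string anywhere in the URI,
// including the query string, is taken to mean "this is the login page".
function is_login_page_vulnerable(string $request_uri): bool {
    return (bool) preg_match('/wp-login\.php/i', $request_uri)
        || (bool) preg_match('/wp-register\.php/i', $request_uri)
        || (bool) preg_match('/wp-admin/i', $request_uri);
}

// Hardened form: inspect only the path component; the query string is
// attacker-controlled and must never influence the decision.
function is_login_page_hardened(string $request_uri): bool {
    $path = parse_url($request_uri, PHP_URL_PATH);
    if ($path === false || $path === null) {
        return false;              // unparsable: fall through to "protected"
    }
    // basename() isolates the script name; exact equality instead of regex.
    $script = basename($path);
    if ($script === 'wp-login.php' || $script === 'wp-register.php') {
        return true;
    }
    // wp-admin is a directory, so match it as a whole path segment.
    return strpos($path, '/wp-admin/') !== false
        || substr($path, -9) === '/wp-admin';
}

// Constructed request URIs with the expected "is login page" verdict.
$cases = [
    '/wp-login.php?redirect_to=/2008/02/hello-world/' => true,
    '/2008/02/hello-world/'                           => false,
    '/2008/02/hello-world/?x=wp-login.php'            => false, // the bypass
    '/wp-admin/post.php?post=1'                       => true,
];
foreach ($cases as $uri => $expected) {
    printf("%-50s vulnerable=%d hardened=%d expected=%d\n", $uri,
        is_login_page_vulnerable($uri), is_login_page_hardened($uri), $expected);
}
```

Both functions accept a full URL (as the plugin's $currenturl is) or a bare REQUEST_URI, since parse_url extracts the path from either; only the vulnerable form reports the third case as a login page and therefore skips the redirect.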

    ok, then where can we download version 0.4.2?

    we are getting this ERROR! please help

    Warning: Cannot modify header information – headers already sent by (output started at /home/7946/domains/ in /home/7946/domains/ on line 97

    Have you edited/modified your header.php or viewed either the plugin or header.php in an online editor?

    If so can you send me your header.php to as I think it could be the infamous white space problem – which is either a space or a blank line in your header.php (or the plugin) before or after <?php and ?>. If you send it to me I’ll have a look.

    If you opened up the plugin in an editor, can you try replacing it with a copy straight from the zip (i.e. without opening it first) and see if the problem persists.

    / Hami

    Can you also let me know what other plugins you’re using?

    / Hami

    It’s still not secure. If you load a post by the permalink (/archives/%year%/%monthnum%/%postname%/) login is completely bypassed.

    Hi Chris,

    Can you clarify further. On both my WordPress testbeds I can’t seem to replicate this problem.

    http://mydomain.tld/2008/02/hello-world/ correctly redirects to http://mydomain.tld/wp-login.php?redirect_to=/2008/02/hello-world/

    http://mydomain.tld/archives/2008/02/hello-world/ first redirects to http://mydomain.tld/2008/02/hello-world/ then to http://mydomain.tld/wp-login.php?redirect_to=/2008/02/hello-world/

    Without permalinks http://mydomain.tld/?p=1 correctly redirects to http://mydomain.tld/wp-login.php?redirect_to=/?p=1

    In your situation this could be one of three things. Firstly you need to have <?php wp_head(); ?> somewhere in between <head> and </head> in your header.php for your theme in order for the plugin to work. I’m guessing this is your problem, rather than the second option, which is to double-check that Members Only is turned on in its settings page, or the third option, to double-check you’re not logged in to your site.

    Obviously if this isn’t the case please let me know and I’ll try and track down the problem.

    / Hami

    Ok, it’s on, it’s configured and at least now I’m getting an error:

    Warning: Cannot modify header information – headers already sent by (output started at /home/*/public_html/journal/wp-content/themes/*/header.php:11) in /home/*/public_html/journal/wp-content/plugins/members-only.php on line 97

    Line 11 in my theme’s header.php is:

    <title><?php bloginfo('name'); ?><?php if ( is_single() ) { ?>» journal <?php } ?><?php wp_title(' » ',true); ?></title>

    So, I don’t doubt that it works, it’s just not working for me. I’ll report back if I find the specified issue.

    Hi Chris,

    I think this maybe the infamous white space problem that you get when sending the header command. Check whether there is a blank line or space either before the first <?php or after the last ?> in your header.php.

    / Hami

    BTW I’m using wp 2.5. I turned all other plugins off but this one, switched to the default wp theme, and it’s still not working and I’m still getting an error:

    Warning: Cannot modify header information – headers already sent by (output started at /home/*/public_html/journal/wp-content/themes/default/header.php:2) in /home/*/public_html/journal/wp-content/plugins/members-only.php on line 97

    Thanks Chris, maybe I have a white space in the plugin – I’ll have a triple-check for it and upload a new one today as 0.4.3 fixes a bug with redirecting to a specific page.

    A few people get this problem but the vast majority don’t. The other thing in common could be the host (and their PHP configuration), is the * in your path a four digit number by chance?

    In the meantime you can change where the plugin is called to get around this issue.

    Change this line…
    add_action('wp_head', 'members_only');

    to this…
    add_action('init', 'members_only');

    / Hami
