
WordPress Exploits ?! (10 posts)

  1. Bucki
    Member
    Posted 2 years ago #

    Hi

    I installed a plugin called S6 Scan and it came up with the following errors:

    ERROR 1

    Open user-edit.php file for editing
    Find the line that begins with "wp_enqueue_script('user-profile');"
    Append the next lines with the following:

    if ( current_user_can('edit_user',$user_id ) == FALSE )
        wp_die(__( 'Forbidden' ) );

    Save
    Done

    ================

    ERROR 2

    Edit the wp-comments-post.php file
    Find the line, that begins with "/** Sets up the WordPress Environment. */"
    Prepend that line with the next code:

    if ( ! isset( $_SERVER[ "HTTP_REFERER" ] ) )
        die();

    $referrer_url = $_SERVER[ "HTTP_REFERER" ];
    $server_name = str_replace( "." , "\." , $_SERVER[ "HTTP_HOST" ] );	/* Escape the dots for the following regexp search */
    $server_name = str_replace( '/' , '\/' , $server_name );	/* Escape the '/' for the following regexp search */

    /* The dot in "www." must be escaped too, otherwise it matches any character */
    $referr_pattern = "/^((http(s)?):\/\/)?(www\.)?$server_name/";

    if ( ! preg_match( $referr_pattern, $referrer_url ) )
        die();

    Save
    Done

    ==============================

    Wondering if this is just "crap" and fake or is it for real!?
    Shall I be worried ... apparently it is vulnerable to security threats.

    Any suggestions?

  2. It's crap -- don't ever use anything that asks you to edit core WP files; it leaves your installation far more vulnerable to security issues in the future because it messes with your ability to keep up with future updates.

    Beyond that, the first snippet checks that users have the permissions they already need to have to even be on that page. And the second requires that comments actually have to be coming from your site -- which can be done much more safely with something like Cookies for Comments.

    Where did you find this delightful plugin?
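    For readers who still want the "comments must come from this site" check without touching wp-comments-post.php: the same referer test can be attached to the `pre_comment_on_post` action that core already fires from that file, so it survives updates. This is an added illustration, not code from the S6 Scan plugin or from anyone in this thread; it assumes a single-site install where `home_url()` gives the host that comment forms are served from, and it compares the whole host rather than prefix-matching a regex (the snippet above has no trailing anchor, so an exact host comparison is the safer form).

```php
<?php
/**
 * Plugin Name: Comment Referer Check (example)
 * Description: Same-origin check for comment submissions, done as a plugin
 *              hook instead of editing the core file wp-comments-post.php.
 */

// Normalise a host for comparison: lower-case, drop an optional "www." prefix.
function crc_normalise_host( $host ) {
    return strtolower( preg_replace( '/^www\./i', '', (string) $host ) );
}

// Return true when $referer points at the same host as $home_url.
// Both arguments are plain strings so the logic can be reasoned about
// without a running WordPress instance.
function crc_referer_is_same_site( $referer, $home_url ) {
    if ( ! $referer ) {
        return false; // no Referer header at all
    }
    $expected = parse_url( $home_url, PHP_URL_HOST );
    $actual   = parse_url( $referer, PHP_URL_HOST );
    if ( ! $expected || ! $actual ) {
        return false; // unparsable URL on either side
    }
    // Exact host comparison: "example.com.attacker.test" is rejected,
    // which a prefix-only regex such as /^https?:\/\/example\.com/ would accept.
    return crc_normalise_host( $expected ) === crc_normalise_host( $actual );
}

// Core fires this action in wp-comments-post.php before the comment is saved,
// so no core file has to be edited.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    // wp_get_referer() reads HTTP_REFERER (or the _wp_http_referer field)
    // and returns false when neither is present.
    if ( ! crc_referer_is_same_site( wp_get_referer(), home_url() ) ) {
        wp_die( __( 'Comment submissions must come from this site.' ), 403 );
    }
} );
```

Keep in mind that the Referer header is optional and some browsers or privacy extensions strip it, so a strict check of this kind will also reject some legitimate commenters; that trade-off is the same one the plugin's edit makes.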

  3. Bucki
    Member
    Posted 2 years ago #

    Hi

    The plugin can be found on WordPress Plugins called S6 Scan!
    I wanted to see if my site is open to any exploits because some sites state that even 3.4.2 is vulnerable :( and I don't want my site to be hacked.

    But yeh there are soooo many plugins out there, unless u know every bit of coding, otherwise ppl like me won't know what the plugin does behind the scenes :(

  4. Bucki
    Member
    Posted 2 years ago #

    Besides, the coding above was provided by the S6 Scan.
    In other words, it asked me to follow the steps above!

  5. ClaytonJames
    Member
    Posted 2 years ago #

    @Bucki

    Could you be kind enough to leave a link to that exact plugin so I can download it? I can't find it, and I would like to take a look at it. Thank you!

  6. Bucki
    Member
    Posted 2 years ago #

  7. ClaytonJames
    Member
    Posted 2 years ago #

    Thanks!

    [edit] Just some more info for you if you didn't already see it. The support conversations for the plugin are interesting reading.

    http://wordpress.org/support/plugin/6scan-protection

    I find this response particularly thought provoking.

    http://wordpress.org/support/topic/plugin-6scan-security-what-exactly-is-a-one-time-fix?replies=2

  8. Bucki
    Member
    Posted 2 years ago #

    Clayton

    Yeh, I removed that plugin
    Just hoping it didn't do anything bad :( hmmmm

  9. Eeeh, it's one of those things which is really generally bad advice (they should be submitted as 'fixes' to core), but as Amy said, they're adding a second (unneeded) layer to the code. It falls under 'Plugins I think are unnecessary and not doing it best, but to each their own.'

  10. Bucki
    Member
    Posted 2 years ago #

    Hmmmmm I don't know really but when I saw this site;
    http://core.trac.wordpress.org/ticket/21917
    http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html

    Made me think that even 3.4.2 is not secure enough, hence why I looked for an alternative security check. hmmm
