I'm trying to use the official WordPress Android app, for managing my WordPress site.
The thing is that i'm using a script for blocking malicious connections to my site. The script is ZB Block and it's doing what is supposed to do (so, it's working great). But, it also blocks WordPress app. It gives me a log entry that looks like this:
#: 48230 @: Wed, 20 Aug 2014 12:23:44 +0300 Running: 0.4.10a3 / 76e
Why blocked: POST EX POST-21. POST EX POST-22.
User Agent: wp-android/3.0.2 (Android 4.4.4; en_US; LGE Nexus 5/hammerhead)
Reconstructed URL: http:// http://www.mysitedomain /xmlrpc.php
When asking for help on the official support forum of that script, ZB Block's creator told me this:
The 2 reasons it was stopped was these:
$ax += inmatch($rawpost,'<? ','POST EX (POST-021). '); //71a split
$ax += inmatch($rawpost,'<?php','POST EX (POST-022). '); //71a changed
Why would that app be sending PHP code to the site, unless it was expecting to execute it?
If the app, under user control, or a fake app can execute php code, your site WILL be taken down just as soon as someone finds this is possible. Please ask the authors why the app is trying to send the php preamble "<?php" to your site. I would like to know this before I write any bypass. It seems an exploit of unprecedented proportions!
So, i'd like to have an explanation on why this is happening and why the app is trying to send the php preamble "<?php" to my site, in order to find the optimal solution.