Abigailm
Forum Replies Created
Forum: Plugins
In reply to: [WP-SpamShield] security alert
I can show you a number of (good) shared web hosts that allow access to the site via IP Address
That would require the site in the shared environment to have its own dedicated IP.
From: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
V. PROOF OF CONCEPT
————————-
If an attacker sends a request similar to the one below to a default WordPress
installation that is accessible by the IP address (IP-based vhost):

—–[ HTTP Request ]—–
POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=admin&redirect_to=&wp-submit=Get+New+Password
————————

WordPress will trigger the password reset function for the admin user account.
Because of the modified HOST header, the SERVER_NAME will be set to
the hostname of attacker’s choice.

Each site owner will need to assess their own site security issues individually.
Seems to me that the logical course of action would be to advise web site owners as to how to test their own site configuration. It’s easy enough to construct a POST request in the form of [IP]/[directory]//wordpress/wp-login.php?action=lostpassword and see where it routes.
Forum: Plugins
In reply to: [WP-SpamShield] security alert
I appreciate your efforts to suggest a mitigation to users, but I have determined that my sites are not subject to this vulnerability because of hosting configuration (so no fix needed) and I do not want to modify htaccess files unnecessarily on multiple sites.
In any case, my only point is that WordPress has not patched this and apparently does not see a patch as a high priority. By “there is nothing I can do” I simply meant that I can’t influence when and if WordPress will ever patch this vulnerability — and given that my sites are not vulnerable, there is no need for me to make configuration changes.
Here’s a good article that sums up why most security experts seem unconcerned:
http://www.securitynewspaper.com/2017/05/05/wordpress-zero-day-expose-password-reset-emails/

These complex exploitation scenarios are most likely the main reason why the WordPress team has not prioritized patching this issue until now. The same opinion is shared by security experts from Sucuri, a vendor of web-based security products, recently acquired by GoDaddy.
“The vulnerability exists, but is not as critical as advertised for several reasons,” said Sucuri vulnerability researcher Marc Montpas. “The whole attack relies on the fact that the victim’s email is not accessible at the time the attack is occurring, which greatly reduces the chance of a successful attack.”
His colleague, Denis Sinegubko, also shared his thoughts on the issue. “After a brief reading and assuming the attack works, it has limited impact as it requires an individual site to be accessible by IP address, so will not work for most sites on shared servers. Only for poorly configured dedicated servers.”
(I noted in bold the reason it would not apply to my sites, which are in shared or virtual hosted environments).
Forum: Plugins
In reply to: [WP-SpamShield] security alert
First of all, I appreciate the alert – as a site manager for multiple WP installations, I am happy to know of potential problems, no matter what the source. However, I also was confused at first and mistakenly believed that the source of the alert was from a different plugin. (I used Wordfence on all my sites, so it was natural for me to assume that an alert about a vulnerability would have been generated by that plugin rather than WP-Spamshield).
So here are several suggestions as to how to avoid confusion (and complaints) in the future:
1. (Easy) Add text to the alert so that it is clear that it is generated by SpamShield. That will eliminate confusion as to the source of any alerts.
2. An option in settings to disable dashboard display of security alerts, and/or to restrict display to site administrators only (if this is not already the case). That will give site administrators the ability to determine who sees alerts.
3. Set up the alert feature so that it checks for the latest version of WP, and suppresses the alert if the site is already updated. Yes, I personally am happy to know about this obscure potential exploit that WordPress apparently does not feel is important enough to patch … but there is nothing that I can do about it other than keep my sites updated to the latest version, so no value in showing the alert in sites that are already running the newest WordPress release.
I do appreciate your intent to add a mitigation to SpamShield to protect against this exploit – but I think you need to keep in mind that you have a very large user base which includes many site owners or users who are technically unsophisticated and/or who are not native English speakers. So best to keep things simple. It is one thing to remind users to upgrade their sites because of a security concern, quite another when no upgrade has been issued.
Forum: Themes and Templates
In reply to: [evolve] Is it possible to disable google maps?
Rodario, I don’t think this is coming from the Evolve theme. When I look at the page source of your site, I see this code in the source html of your home page (at line 6)

<link rel='dns-prefetch' href='//maps.googleapis.com' />

I used Google maps on internal pages of my own Evolve-based site, but I don’t see any dns-prefetch links for the Google maps api — not even on the pages which display the maps (not the theme contact page, but from a third-party plugin).
Now I may be mistaken, because I also opted to disable the map on the “contact” page, simply by not entering address information in the Theme Options/Contact section — so maybe that is the difference — so a starting point for you may be to check to be sure to clear out any information in the address field for that section. Then clear all caches & check your home page source code to see whether you are still seeing the dns-prefetch link.
I also have other things that might impact site display — for example, I use cloudflare, which does make its own changes to source code — but I would suggest that to debug you might disable all plugins, and then reload your home page and view source code to see whether that dns-prefetch element is still there.
If not, you could enable plugins one by one to see which is responsible for the code. Plugins that supposedly optimize or speed up your site might be the most likely to add the pre-fetch link.
Forum: Plugins
In reply to: [Cloudflare] Red progress bar / bad request
I saw the same issue today as well (red progress bar, “Bad Request”)
Forum: Themes and Templates
In reply to: [evolve] Hamburger menu shifted
Try adding this CSS:

@media screen and (max-width: 768px) {
  .searchform { margin-top: -50px !important; }
}

Is that the display effect you are looking for?
If it is you’ll still have to experiment to see whether it causes unintended problems for smaller screen sizes, and may have to adjust accordingly.
Forum: Plugins
In reply to: [Cloudflare] Moving hosting server
This doesn’t have anything to do with the Cloudflare plugin, but you might want to check this page – https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs – and ask the new hosting provider whether the appropriate cloudflare module or options are enabled on the server. This will vary by platform, but can definitely impact site function.
Forum: Themes and Templates
In reply to: [evolve] PHP 7.1 error in basic-functions.php
Thank you for your very clear explanation — I also appreciate the mini-lesson in coding. I’m still puzzled by why it was coded that way in the first place.
The file is commented:
/*
 * function to print out css class according to layout
 * used in content-blog.php, index.php.
 */

So I am guessing that the goal is simply to generate a stylesheet which adapts to values users have entered in theme customizations… and apparently it isn’t working anyway. At least for me I haven’t noticed any issues with layout after modifying the script, but if it did crop up I have a child theme and could correct any issues by manually editing my child stylesheet.
So I’ll let the developers figure out the rest.
Forum: Themes and Templates
In reply to: [evolve] PHP 7.1 error in basic-functions.php
Donna, thank you for your suggestion — I did change line 1430 from:
echo ' col-md-4 odd' . ( $xyz % 3 );
to
echo ' col-md-4 odd' . ( $xyz );

And I haven’t seen any more entries in my error log since making the change.
I’m not sure what that bit of code was intended to do, but everything on my site appears to be functioning and displaying properly.
I did intend this post to be a bug report (or at least a possible compatibility issue with PHP 7.1) — so I’m leaving this marked as “not resolved” — the developer can review this and determine whether or not it is something that should be addressed. (My problem is that I assume that anything placed in code was intentional and placed for a reason, so just because it works for me to delete a few characters doesn’t really mean that the problem has been addressed.)
But I definitely do appreciate your input — as it saves me the trouble of having to revert the site back to PHP 7.0.
Forum: Themes and Templates
In reply to: [evolve] PHP 7.1 error in basic-functions.php
Debugging is not enabled on my WP installation – this is showing up in the error_log — not impairing site function.
However, this is an issue that should be addressed. PHP 7.1 was released in December 2016. I’m running more than a dozen WP sites with different plugin and themes, and I tested them all with PHP 7.1 in February and reported errors then.
Evolve is the only theme remaining (among the ones I use) that has not yet addressed this issue.
The bottom line is that the code does not validate under current (latest) standards, because of changes introduced in PHP. It’s not the fault of the developer that changes to PHP weren’t anticipated when the file was coded, but it is important to maintain compatibility down the line — so that is why I am reporting it.
Thank you for the suggestion about removing the modulus operator. I’m reluctant to make changes to a theme lest I introduce other errors, but I’ll test to see if that seems to resolve the problem and post back here if it does.
Forum: Plugins
In reply to: [Groups] PHP 7.1 warning persists after upgrade
Thank you, I have installed the update and no error messages!
Forum: Everything else WordPress
In reply to: Posts being held for moderation – why?
Thank you — I don’t mind the content of the message, as I could tell nothing was being held up as long as 72 hours — it’s just when it persisted over several weeks that I was frustrated. Anyway, I’m glad it’s cleared up now.
Forum: Everything else WordPress
In reply to: New Plugin Directory Layout – Older Versions?
I feel the same, and was frustrated when I couldn’t figure out where to find the development list and links. However, there is a plugin called WP Rollback that takes care of this automatically from the WP Dashboard — it adds a “Rollback” link to plugins and themes that lets you choose and install a previous version. See https://wordpress.org/plugins/wp-rollback/
Forum: Plugins
In reply to: [WP-SpamShield] Admin pages unreachable after updating to v1.9.99.5
@marikamitsos — if you install the free wordpress plugin “WP Rollback” you will easily be able to restore earlier versions of this plugin as well as other free themes & plugins. The plugin adds a “Rollback” link to the plugin management screen and essentially all you have to do is click that link and choose the version you want to install — and the rest is handled automatically.
Forum: Plugins
In reply to: [WP-SpamShield] V1.9.9.9.3 produces javascript/cookie error
David, are you running caching software? I run WP-Supercache and have found that I need to follow this process with each upgrade:
1) De-activate Spamshield
2) Delete Cache (WP Supercache)
3) Upgrade Spamshield
4) Re-activate Spamshield

I have tested extensively and this is the only process that works consistently for me.
Clearing the cache is the very first step recommended in the software’s official troubleshooting guide at https://www.redsandmarketing.com/plugins/wp-spamshield/troubleshooting-guide/
I have found the additional steps of de-activating and re-activating Spamshield to be necessary on my sites.