Mark Costlow
Forum Replies Created
Forum: Plugins
In reply to: [WooCommerce] Security Concern: Direct Add-to-Cart GET Requests Vulnerability
@oppitz thanks for the info. I hadn’t used fail2ban for this issue because it’s so distributed we rarely see the same IP twice (at least over the short time-spans I’ve been looking at). But banning each IP for a long stretch when any bad request comes sounds like a good idea. It’s going to become a big block list …
Forum: Plugins
In reply to: [WooCommerce] Security Concern: Direct Add-to-Cart GET Requests Vulnerability
Why is there an AI chatbot answering every human post on this thread? If we wanted to paste this thread into ChatGPT we could do it ourselves. It isn’t adding any useful information.
Forum: Plugins
In reply to: [WooCommerce] Security Concern: Direct Add-to-Cart GET Requests Vulnerability
Hi, I’ve been dealing with this same “attack” on a couple of large-ish woo sites. This flavor of abuse started for us in early January this year. I have a question and some additional information.
You said, “WooCommerce does support adding products to the cart via GET requests such as /?add-to-cart=123. […] Disabling all add-to-cart query strings at the HTTP level […] is a valid mitigation”
Are you saying the legitimate GET requests for add-to-cart are not significant and it’s OK to block them?
The other thing we noted is many requests look like this:
"GET /slug?ppp=-1?add-to-cart=196769036?add-to-cart=196769030?add-to-cart=125471?add-to-cart=196769016?add-to-cart=196769034?add-to-cart=121757?add-to-cart=196768998 HTTP/1.1"
One feature we’ve been blocking on is multiple add-to-cart elements in the query string.
Most of the time these requests are coming from hundreds of different IPs per hour, all in different net blocks, each making 1-2 requests only. But we have also had events where thousands of requests come from over 100 different IPs all in one /24 (most recently, one owned by Facebook using the meta-externalagent/1.1 agent string).
I’m personally on the fence about whether this is AI harvesters gone awry, AI agents gone awry, or baddies fuzzing ecommerce sites looking for exploits.
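One way to turn the blocking heuristic from this reply (multiple add-to-cart elements in one query string) into log-side detection, as an added example that is not part of the original thread and not WooCommerce's own code: parse combined-format access log lines, count the add-to-cart tokens in each request target, and aggregate the flagged requests per source IP and per /24 net block, which is what a fail2ban-style ban rule or a net-block rule would key on. The log lines, IP addresses, user agents and the threshold of two are constructed for the example. One caveat the example handles: in the sample request above the query string is joined with `?` rather than `&`, so a standard query-string parser sees a single `ppp` parameter and would miss the stacked elements; the check counts the raw token instead.

```python
import ipaddress
import re
from collections import Counter

# Constructed combined-format access log lines (not real traffic). The first
# line copies the "?"-joined shape seen in the thread; the third uses "&".
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:00:01 +0000] "GET /slug?ppp=-1?add-to-cart=196769036?add-to-cart=196769030?add-to-cart=125471 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jan/2025:10:00:02 +0000] "GET /shop/?add-to-cart=123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Jan/2025:10:00:03 +0000] "GET /product/widget/?add-to-cart=55&add-to-cart=56 HTTP/1.1" 200 4096 "-" "meta-externalagent/1.1"
198.51.100.7 - - [12/Jan/2025:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Jan/2025:10:00:05 +0000] "POST /?wc-ajax=add_to_cart HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format:
#   ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Count the raw token rather than parsing the query string: the abusive
# requests join parameters with "?" instead of "&", which a normal parser
# folds into one parameter. Every add-to-cart element follows a "?" or "&".
ADD_TO_CART_RE = re.compile(r'[?&]add-to-cart=')


def count_add_to_cart(target: str) -> int:
    """Number of add-to-cart elements in a request target (path + query)."""
    return len(ADD_TO_CART_RE.findall(target))


def is_suspicious(method: str, target: str, threshold: int = 2) -> bool:
    """Flag GET requests carrying `threshold` or more add-to-cart elements.

    A single ?add-to-cart=123 is normal WooCommerce behaviour and is left
    alone; only the stacked form seen in the thread trips the rule.
    """
    return method == "GET" and count_add_to_cart(target) >= threshold


def scan_log(text: str, threshold: int = 2) -> list[dict]:
    """Return one record per flagged request; unparseable lines are skipped."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_suspicious(m["method"], m["target"], threshold):
            flagged.append({
                "ip": m["ip"],
                "ua": m["ua"],
                "count": count_add_to_cart(m["target"]),
                "target": m["target"],
            })
    return flagged


def net_block(ip: str) -> str:
    """Collapse a source address to its /24 (IPv4) or /64 (IPv6) block."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarize_sources(flagged: list[dict]) -> tuple[Counter, Counter]:
    """Hit counts per IP (for a ban list) and per net block (for a /24 rule)."""
    by_ip = Counter(r["ip"] for r in flagged)
    by_block = Counter(net_block(r["ip"]) for r in flagged)
    return by_ip, by_block


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:<15} x{h["count"]} {h["ua"]!r} {h["target"][:60]}')
    by_ip, by_block = summarize_sources(hits)
    print("per IP:", dict(by_ip))
    print("per block:", dict(by_block))
```

Running it on the constructed lines flags the two stacked GETs (three and two elements) and leaves the single add-to-cart redirect, the POST via wc-ajax and the unrelated page view alone; both flagged sources fall in 203.0.113.0/24, which is the per-block view that shows up when one /24 sends thousands of requests. The threshold is a tunable: a value of 2 blocks nothing WooCommerce generates itself, and the per-block counter is what a long-ban rule would feed on when individual IPs rarely repeat.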
Hi, just FYI, updates to the plugin have still been distributing that broken version of minimize-form-bright.png
Latest was 28.1.2.1 today
Thanks
Thank you for the quick response!
I’m having this problem too. It has generated a 28GB error log for today (well, today is only 2/3 over for me so it will get bigger).
Forum: Plugins
In reply to: [Timely All-in-One Events Calendar] deprecated functions crashing site
Are you saying the plugin in the public repo will not be fixed?
Forum: Plugins
In reply to: [Download Monitor] A long timeout on every page load for license check
Razvan, after updating from 4.9.8 to 4.9.9 it seems to be fixed. Thanks,
Mark
Forum: Plugins
In reply to: [Download Monitor] A long timeout on every page load for license check
Any update on this? I’m experiencing the same problem. I can ping license.wpchill.com with good response times, but the curl command to check a license takes at least a few seconds, and in many cases times out after 2 minutes. I have a site with 9 dlm plugins on it, and because of this we can’t manage any of the plugins because every page view is a 2-3 minute timeout.
I’ve tried running the curl command from a couple of different locations with different upstream networks. Same issue.
Here’s some more info. Well, not really new info, just a transcript of a few commands to demonstrate I believe I set cafile in the right php.ini file, but still get the curl error on many, but not all, wp-cli runs.
$ php --version
PHP 7.4.30 (cli) (built: Jun 27 2022 08:14:10) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.30, Copyright (c), by Zend Technologies
$ wp --version
WP-CLI 2.8.1
$ php info.php | grep curl
/etc/php/7.4/cli/conf.d/20-curl.ini,
curl
curl.cainfo => /etc/php/7.4/cli/cacert.pem => /etc/php/7.4/cli/cacert.pem
$ head -5 /etc/php/7.4/cli/cacert.pem
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Tue May 30 03:12:04 2023 GMT
##
$ wp transient delete --all
AIOS_Helper::request_remote exception - cURL error 77: error setting certificate verify locations: CAfile: /home/XXX/public_html/sitename/wp-includes/Requests/src/../certificates/cacert.pem CApath: /etc/ssl/certs
Success: 2 transients deleted from the database.
Note, when I set curl.capath or curl.cafile, it doesn’t change the error message, which mentions a location in core for CAfile and /etc/ssl/certs for CApath.
I’m afraid my announcement of success was premature as well. It turns out the problem is more intermittent than I thought. When I tested after adding the cainfo setting, it didn’t give the error. But then later, doing some other things (search-replace mostly), I’m back to getting curl error 77.
I tried some more variations, like setting cafile or capath, but the results are inconsistent. I still see curl error 77 on many, but not all, wp-cli runs.
@hjogiupdraftplus thank you for the pointer, that got me to a fix.
I downloaded a current cacert.pem from https://curl.se/docs/caextract.html and set curl.cainfo in my php.ini to point to the file. No more error messages from curl.
I was led astray by curl mentioning a specific path in the WP core that was really not related to the issue.
Thanks again,
Mark
Forum: Plugins
In reply to: [WP Shortcodes Plugin — Shortcodes Ultimate] Youtube no longer works
@highzera I looked at your page, and see the empty playlist= is still there. I compared it to what my customer’s page produces and there are a couple of differences (on hers the URL is in a src=”…” tag and on yours it’s in a data-src=”…” tag). I don’t know the cause of those differences.
If you’d like to email your youtube-advanced.php file to me at ythelp@swcp.com I can verify it looks right.
If someone else understands what causes the different src tags maybe they can chime in.
Forum: Plugins
In reply to: [WP Shortcodes Plugin — Shortcodes Ultimate] Youtube no longer works
@mustafaaksoy the file is in the shortcodes-ultimate plugin directory. From the top level of your WordPress site, it would be in
wp-content/plugins/shortcodes-ultimate/includes/shortcodes/youtube-advanced.php
@highzera That should do it. In some environments it takes a couple of minutes before the server will see the change. If it’s still not working after 5 minutes or so then I’m not sure what the issue may be.
If you “View Source” on the web page with the video, search for the youtube.com link, does the URL have “playlist=” in it?
Forum: Plugins
In reply to: [WP Shortcodes Plugin — Shortcodes Ultimate] Youtube no longer works
I had a customer with this problem too. The loop=1 workaround worked, but the site has hundreds of embedded videos so it wasn’t practical. I thought about adding loop=1 in a database search/replace but that seemed dangerous and time consuming (if it didn’t work right the first time).
I confirmed the issue just popped up, while this site was using version 5.9.0 of the plugin, and I tried a few versions between that and 5.10.1 with the same result. Based on this I think the change might have been at youtube, deciding “playlist=” is an error, whereas before it was ignored.
I eventually decided to kludge this in the plugin code.
In the file includes/shortcodes/youtube-advanced.php around line 212 I changed this:
if ( '1' === $url_params['loop'] && '' === $url_params['playlist'] ) {
to this:
if ( '' === $url_params['playlist'] ) {
Now it’s worked around, without the loop=1 parameter being needed. I’m assuming this will all get worked out somewhere before the next update of this plugin.