bbPress Security

  • Can I use this wp plugin for bbpress?

    <?php
    /*
    Plugin Name: Block Bad Queries
    Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
    Description: Protect WordPress Against Malicious URL Requests
    Author URI: http://perishablepress.com/
    Author: Perishable Press
    Version: 1.0
    */
    global $user_ID;
    // The check only runs when a user is logged in ...
    if ($user_ID) {
        // ... and only for users below level_10 (administrators are skipped)
        if (!current_user_can('level_10')) {
            // Inspect the request URI for excessive length or suspicious fragments
            if (strlen($_SERVER['REQUEST_URI']) > 255 ||
                strpos($_SERVER['REQUEST_URI'], 'eval(') !== false ||
                strpos($_SERVER['REQUEST_URI'], 'CONCAT') !== false ||
                strpos($_SERVER['REQUEST_URI'], 'UNION+SELECT') !== false ||
                strpos($_SERVER['REQUEST_URI'], 'base64') !== false) {
                @header('HTTP/1.1 414 Request-URI Too Long');
                @header('Status: 414 Request-URI Too Long');
                @header('Connection: Close');
                @exit;
            }
        }
    }
    ?>

    And tell me, how can I make my forums more secure?

    Need tips and tricks!!

    And did anyone make any security concern plugin for bbpress?

    Thanks,

    Pagal

Viewing 2 replies - 1 through 2 (of 2 total)

  • chrishajer
    Participant

    @chrishajer

    I think it would probably work if you changed the user check to reflect bbPress users and not WordPress users and levels.

    _ck_ posted something similar a while back on the WordPress.org trac site about blocking long query strings. Maybe she will post here about this.

    http://ckon.wordpress.com/2008/11/11/simple-wordpress-and-bbpress-security-plugin-to-block-long-requests/

    http://core.trac.wordpress.org/ticket/8152


    _ck_
    Participant

    @_ck_

    Someone copied my plugin (they used ALL of my lines then added a few) but they defeated the entire purpose.

    Their code only runs if there is an active user; if someone is not logged in and there is a loophole, the code would run unchallenged.

    Plus they exclude admin, so if there is a hacked account, the code is also bypassed.

    Here is my improved version of my original code:

    // Runs for every request, whether or not anyone is logged in
    if (strlen($_SERVER['REQUEST_URI']) > 255 ||
        preg_match('@(eval|base64|unescape)[^a-zA-Z0-9]@si', $_SERVER['REQUEST_URI']))
    {
        // Refuse the request and close the connection
        header('HTTP/1.1 414 Request-URI Too Long');
        header('Status: 414 Request-URI Too Long');
        header('Connection: Close');
        exit;
    }
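As an added example (not code from this thread or from _ck_'s plugin), the following PHP puts the two gating policies side by side: the copied plugin's check, which only runs for logged-in users below level_10, and the unconditional check in the reply above, applied to a handful of constructed request URIs. The function names and the sample requests are this example's own.

```php
<?php
// Added example: compares the copied plugin's gating (logged-in, non-admin
// users only) with the unconditional check from the reply above.
// Function names and sample requests are constructed for this example.

// The same test the reply's snippet applies: an overlong URI, or one of the
// keywords eval/base64/unescape followed by a non-alphanumeric character.
function looks_malicious(string $uri): bool
{
    return strlen($uri) > 255
        || preg_match('@(eval|base64|unescape)[^a-zA-Z0-9]@si', $uri) === 1;
}

// Gating of the copied plugin: anonymous requests are never inspected,
// and administrator accounts are exempt.
function copied_plugin_blocks(string $uri, bool $logged_in, bool $is_admin): bool
{
    if (!$logged_in) {
        return false;   // not logged in: the check is skipped entirely
    }
    if ($is_admin) {
        return false;   // admin: skipped too, so a hijacked admin account bypasses it
    }
    return looks_malicious($uri);
}

// Gating of the reply's version: every request is inspected.
function unconditional_blocks(string $uri): bool
{
    return looks_malicious($uri);
}

// Constructed sample requests: [uri, logged_in, is_admin, description]
function sample_requests(): array
{
    return [
        ['/forum/topic.php?id=12',                      false, false, 'ordinary anonymous request'],
        ['/forum/?q=eval(',                              false, false, 'suspicious, anonymous'],
        ['/forum/?q=eval(',                              true,  false, 'suspicious, logged-in member'],
        ['/forum/?q=eval(',                              true,  true,  'suspicious, admin account'],
        ['/forum/?data=base64_decode(x)',                true,  false, 'suspicious, logged-in member'],
        ['/forum/search.php?q=' . str_repeat('A', 300),  false, false, 'overlong URI, anonymous'],
        ['/forum/?name=evaluation',                      false, false, 'benign: eval followed by a letter'],
    ];
}

// Returns one row per sample request with the verdict of each policy.
function compare_policies(): array
{
    $rows = [];
    foreach (sample_requests() as [$uri, $logged_in, $is_admin, $desc]) {
        $rows[] = [
            'request'       => $desc,
            'copied_plugin' => copied_plugin_blocks($uri, $logged_in, $is_admin),
            'unconditional' => unconditional_blocks($uri),
        ];
    }
    return $rows;
}

foreach (compare_policies() as $row) {
    printf("%-38s copied plugin: %-5s unconditional: %s\n",
        $row['request'],
        $row['copied_plugin'] ? 'BLOCK' : 'pass',
        $row['unconditional'] ? 'BLOCK' : 'pass');
}
```

Run it with `php compare.php` (any file name will do). The suspicious anonymous and admin rows pass the copied plugin untouched but are blocked by the unconditional check, which is the gap the reply describes. The last row also shows why the pattern demands a non-alphanumeric character after the keyword: a parameter value such as `evaluation` is left alone, while `eval(` is not.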
