
bbPress Security

  • @pagal

    Participant

    Can I use this wp plugin for bbpress?

    <?php
    /*
    Plugin Name: Block Bad Queries
    Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
    Description: Protect WordPress Against Malicious URL Requests
    Author URI: http://perishablepress.com/
    Author: Perishable Press
    Version: 1.0
    */
    global $user_ID;
    // The check below only runs for a logged-in user who is not level 10 (admin).
    if ($user_ID) {
        if (!current_user_can('level_10')) {
            // The post showed a bare $_SERVER here; the value being tested is the request URI.
            $uri = $_SERVER['REQUEST_URI'];
            // strpos() returns 0 for a match at offset 0, which is falsy, so compare with !== false.
            if (strlen($uri) > 255 ||
                strpos($uri, 'eval(') !== false ||
                strpos($uri, 'CONCAT') !== false ||
                strpos($uri, 'UNION+SELECT') !== false ||
                strpos($uri, 'base64') !== false) {
                @header('HTTP/1.1 414 Request-URI Too Long');
                @header('Status: 414 Request-URI Too Long');
                @header('Connection: Close');
                @exit;
            }
        }
    }
    ?>

    And tell me how I can make my forums more secure?

    Need Tips and Tricks!!

    And did anyone make any security concern plugin for bbpress?

    Thanks,

    Pagal

Viewing 2 replies - 1 through 2 (of 2 total)
  • @chrishajer

    Participant

    I think it would probably work if you changed the user check to reflect bbPress users and not WordPress users and levels.

    _ck_ posted something similar a while back on the WordPress.org trac site about blocking long query strings. Maybe she will post here about this.

    simple WordPress and bbPress security plugin to block long requests

    https://core.trac.wordpress.org/ticket/8152

    @_ck_

    Participant

    Someone copied my plugin (they used ALL of my lines then added a few) but they defeated the entire purpose.

    Their code only runs if there is an active user; if someone is not logged in and there is a loophole, the code would run unchallenged.

    Plus they exclude admin, so if there is a hacked account, the code is also bypassed.

    Here is my improved version of my original code:

    // Runs on every request: no user or capability check in front of it.
    if (strlen($_SERVER['REQUEST_URI'])>255 ||
    // Match eval/base64/unescape only when followed by a non-alphanumeric character.
    preg_match('@(eval|base64|unescape)[^a-zA-Z0-9]@si',$_SERVER['REQUEST_URI']))
    {
    header('HTTP/1.1 414 Request-URI Too Long');
    header('Status: 414 Request-URI Too Long');
    header('Connection: Close');
    exit;
    }
