public static function misc_form_bypass() { /** * Miscellaneous Form Spam Check Bypass */ /* Setup necessary variables */ $url = rs_wpss_get_url(); $url_lc = rs_wpss_casetrans('lower', $url); $req_uri = $_SERVER['REQUEST_URI']; $req_uri_lc = rs_wpss_casetrans('lower', $req_uri); $post_count = count($_POST); $ip = rs_wpss_get_ip_addr(); $user_agent = rs_wpss_get_user_agent(); $referer = rs_wpss_get_referrer(); /* IP / PROXY INFO - BEGIN */ global $wpss_ip_proxy_info; if (empty($wpss_ip_proxy_info)) { $wpss_ip_proxy_info = rs_wpss_ip_proxy_info(); } extract($wpss_ip_proxy_info); /* IP / PROXY INFO - END */ /* GEOLOCATION */ if ($post_count == 6 && isset($_POST['updatemylocation'], $_POST['log'], $_POST['lat'], $_POST['country'], $_POST['zip'], $_POST['myaddress'])) { return TRUE; } /* WP Remote */ if (defined('WPRP_PLUGIN_SLUG') && !empty($_POST['wpr_verify_key']) && preg_match("~\\ WP\\-Remote\$~", $user_agent) && preg_match("~\\.amazonaws\\.com\$~", $reverse_dns)) { return TRUE; } /* Ecommerce Plugins */ if ((rs_wpss_is_ssl() || !empty($_POST['add-to-cart']) || !empty($_POST['add_to_cart']) || !empty($_POST['addtocart']) || !empty($_POST['product-id']) || !empty($_POST['product_id']) || !empty($_POST['productid']) || $user_agent === 'PayPal IPN ( https://www.paypal.com/ipn )' && preg_match("~(^|\\.)paypal\\.com\$~", $reverse_dns) && $fcrdns === '[Verified]') && self::is_ecom_enabled()) { return TRUE; } if ((rs_wpss_is_ssl() || self::is_ecom_enabled()) && $fcrdns === '[Verified]') { /* PayPal, Stripe, Authorize.net, Worldpay, etc */ if ($user_agent === 'PayPal IPN ( https://www.paypal.com/ipn )' && preg_match("~(^|\\.)paypal\\.com\$~", $reverse_dns) || $reverse_dns === 'api.stripe.com' || preg_match("~(^|\\.)(authorize\\.net|worldpay\\.com|payfast\\.co\\.za|api\\.mollie\\.nl|api\\.simplifycommerce\\.com|wepayapi\\.com|2checkout\\.com|paylane\\.com)\$~", $reverse_dns)) { return TRUE; } } /* WooCommerce Payment Gateways */ if (self::is_woocom_enabled()) { if ($user_agent === 'PayPal IPN ( https://www.paypal.com/ipn )' && preg_match("~^(ipn|ipnpb|notify|reports)(\\.sandbox)?\\.paypal\\.com\$~", $reverse_dns) || strpos($req_uri, 'WC_Gateway_Paypal') !== FALSE) { return TRUE; } if (preg_match("~(^|\\.)payfast\\.co\\.za\$~", $reverse_dns) || strpos($req_uri, 'wc-api') !== FALSE && strpos($req_uri, 'WC_Gateway_PayFast') !== FALSE) { return TRUE; } /* Plugin: 'woocommerce-gateway-payfast/gateway-payfast.php' */ if (preg_match("~((\\?|\\&)wc\\-api\\=WC_(Addons_)?Gateway_|/wc\\-api/.*WC_(Addons_)?Gateway_)~", $req_uri)) { return TRUE; } /* $wc_gateways = array( 'WC_Gateway_BACS', 'WC_Gateway_Cheque', 'WC_Gateway_COD', 'WC_Gateway_Paypal', 'WC_Addons_Gateway_Simplify_Commerce', 'WC_Gateway_Simplify_Commerce' ); */ } /* Easy Digital Downloads Payment Gateways */ if (defined('EDD_VERSION')) { if ($user_agent === 'PayPal IPN ( https://www.paypal.com/ipn )' && preg_match("~^(ipn|ipnpb|notify|reports)(\\.sandbox)?\\.paypal\\.com\$~", $reverse_dns) || !empty($_GET['edd-listener']) && $_GET['edd-listener'] === 'IPN' || strpos($req_uri, 'edd-listener') !== FALSE && strpos($req_uri, 'IPN') !== FALSE) { return TRUE; } if (!empty($_GET['edd-listener']) && $_GET['edd-listener'] === 'amazon' || strpos($req_uri, 'edd-listener') !== FALSE && strpos($req_uri, 'amazon') !== FALSE) { return TRUE; } if (!empty($_GET['edd-listener']) || strpos($req_uri, 'edd-listener') !== FALSE) { return TRUE; } } /* Gravity Forms PayPal Payments Standard Add-On ( http://www.gravityforms.com/add-ons/paypal/ ) */ if (defined('GF_MIN_WP_VERSION') && defined('GF_PAYPAL_VERSION') || class_exists('GFForms') && class_exists('GF_PayPal_Bootstrap')) { if ($url === WPSS_SITE_URL . '/?page=gf_paypal_ipn' && isset($_POST['ipn_track_id'], $_POST['payer_id'], $_POST['receiver_id'], $_POST['txn_id'], $_POST['txn_type'], $_POST['verify_sign'])) { return TRUE; } } /* PayPal IPN */ if (isset($_POST['ipn_track_id'], $_POST['payer_id'], $_POST['payment_type'], $_POST['payment_status'], $_POST['receiver_id'], $_POST['txn_id'], $_POST['txn_type'], $_POST['verify_sign']) && FALSE !== strpos($req_uri_lc, 'paypal') && $user_agent === 'PayPal IPN ( https://www.paypal.com/ipn )' && preg_match("~^(ipn|ipnpb|notify|reports)(\\.sandbox)?\\.paypal\\.com\$~", $reverse_dns) && $fcrdns === '[Verified]') { return TRUE; } /* Clef */ if (defined('CLEF_VERSION')) { if (preg_match("~^Clef/[0-9](\\.[0-9]+)+\\ \\(https\\://getclef\\.com\\)\$~", $user_agent) && preg_match("~((^|\\.)clef\\.io|\\.amazonaws\\.com)\$~", $reverse_dns)) { return TRUE; } } /* OA Social Login */ if (defined('OA_SOCIAL_LOGIN_VERSION')) { $ref_dom_rev = strrev(rs_wpss_get_domain($referer)); $oa_dom_rev = strrev('api.oneall.com'); if ($post_count >= 4 && isset($_GET['oa_social_login_source'], $_POST['oa_action'], $_POST['oa_social_login_token'], $_POST['connection_token'], $_POST['identity_vault_key']) && $_POST['oa_action'] === 'social_login' && strpos($ref_dom_rev, $oa_dom_rev) === 0) { return TRUE; } } /* Nothing was triggered */ return FALSE; }
public function check_post_sec() { /*** * Check if POST submission is security threat: hack attempt or vulnerability probe ***/ $site_url = WPSS_SITE_URL; $site_dom = WPSS_SITE_DOMAIN; $admin_url = WPSS_ADMIN_URL . '/'; $cont_url = WPSS_CONTENT_DIR_URL . '/'; $plug_url = WPSS_PLUGINS_DIR_URL . '/'; $post_count = count($_POST); $user_agent = rs_wpss_get_user_agent(); $req_url = rs_wpss_casetrans('lower', rs_wpss_get_url()); $req_ajax = rs_wpss_is_ajax_request(); $req_404 = rs_wpss_is_404(); /* Not all WP sites return proper 404 status. The fact this security check even got activated means it was a 404. */ $req_hal = rs_wpss_get_http_accept(TRUE, TRUE, TRUE); $req_ha = rs_wpss_get_http_accept(TRUE, TRUE); /* IP / PROXY INFO - BEGIN */ global $wpss_ip_proxy_info; if (empty($wpss_ip_proxy_info)) { $wpss_ip_proxy_info = rs_wpss_ip_proxy_info(); } extract($wpss_ip_proxy_info); /* IP / PROXY INFO - END */ /* Short Signatures - Regex */ $rgx_sig_arr = array('-e*5l?*B-@yZ_-,8_-lSZ98BC[', '+25-Z9dCZ,87C-7CBlSZ=-C['); foreach ($_POST as $k => $v) { $v = rs_wpss_casetrans('lower', $v); foreach ($rgx_sig_arr as $i => $s) { /* Switch to single preg_match as this expands, replace nested foreach() */ $sd = rs_wpss_rbkmd($s, 'de'); if (FALSE !== strpos($v, $sd)) { return TRUE; } } } /* Full Signatures */ $signatures = array(array('description' => 'Revslider & Showbiz Pro - AJAX Vulnerability', 'post_i_min' => 2, 'post_i_max' => 2, 'target_urls' => array('/wp-admin/admin-ajax.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('action' => 'revslider_ajax_action', 'client_action' => 'update_plugin'), array('action' => 'showbiz_ajax_action', 'client_action' => 'update_plugin'))), array('description' => 'WP Marketplace <= 2.4.0 & WP Download Manager <=2.7.4 - Remote Code Execution', 'post_i_min' => 5, 'post_i_max' => 5, 'target_urls' => array(), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('action' => 'wpmp_pp_ajax_call', 'user_login' => '*', 'execute' => 'wp_insert_user', 'role' => 'administrator', 'user_pass' => '*'), array('action' => 'wpdm_ajax_call', 'user_login' => '*', 'execute' => 'wp_insert_user', 'role' => 'administrator', 'user_pass' => '*'))), array('description' => 'WP Symposium <= 14.11 - Shell Upload Vulnerability', 'post_i_min' => 2, 'post_i_max' => 3, 'target_urls' => array('/wp-content/plugins/wp-symposium/server/php/index.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('uploader_url' => $plug_url . '/wp-symposium/server/php/', 'uploader_uid' => '1'))), array('description' => 'Ultimate Product Catalogue <= 3.11 - Multiple Vulnerabilities', 'post_i_min' => 3, 'post_i_max' => 3, 'target_urls' => array('/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-links-ompt.php', '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-includes.php', '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-styles.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('p2' => '2929', 'abc28' => 'print $_REQUEST[\'p1\'].$_REQUEST[\'p2\']', 'p1' => '4242'), array('p2' => '2929', 'af5f492a1' => 'print $_REQUEST[\'p1\'].$_REQUEST[\'p2\']', 'p1' => '4242'), array('p2' => '2929', 'e41e' => 'print $_REQUEST[\'p1\'].$_REQUEST[\'p2\']', 'p1' => '4242'))), array('description' => 'Ultimate Product Catalogue <= 3.11 - Multiple Vulnerabilities', 'post_i_min' => 1, 'post_i_max' => 1, 'target_urls' => array('/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-setup.php', '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-includes.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('e51e' => 'die(pi());'), array('af5f492a1' => 'die(pi());'))), array('description' => 'Simple Ads Manager <= 2.5.94 - Arbitrary File Upload', 'post_i_min' => 2, 'post_i_max' => 2, 'target_urls' => array('/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('action' => 'upload_ad_image', 'path' => '*'))), array('description' => 'Work The Flow File Upload <= 2.5.2 - Shell Upload', 'post_i_min' => 1, 'post_i_max' => 1, 'target_urls' => array('/wp-content/plugins/work-the-flow-file-upload/public/assets/jquery-file-upload-9.5.0/server/php/index.php', '/assets/plugins/jquery-file-upload/server/php/index.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('action' => 'upload')))); /* Run Checks Against Signatures */ foreach ($signatures as $i => $sig) { if (!empty($sig['post_i_min']) && ($post_count < $sig['post_i_min'] || $post_count > $sig['post_i_max'])) { continue; } if (!empty($sig['target_urls'])) { $urls_rgx = rs_wpss_get_regex_phrase($sig['target_urls'], '', 'red_str'); if (!preg_match($urls_rgx, $req_url)) { continue; } } if ($sig['ajax_request'] !== '*' && $sig['ajax_request'] !== $req_ajax) { continue; } if ($sig['404'] !== '*' && $sig['404'] !== $req_404) { continue; } $hal_max = count($sig['hal_signature']) - 1; $m = 0; /* Matches */ foreach ($sig['hal_signature'] as $i => $hal_sig) { if ($hal_sig == $req_hal) { $m++; } if ($i == $hal_max && $m === 0) { continue 2; } } $ha_max = count($sig['ha_signature']) - 1; $m = 0; /* Matches */ foreach ($sig['ha_signature'] as $i => $ha_sig) { if ($ha_sig == $req_ha) { $m++; } if ($i == $ha_max && $m === 0) { continue 2; } } foreach ($sig['key_val_pairs'] as $i => $kvp) { $kvp_max = count($kvp); $m = 0; /* Matches */ foreach ($kvp as $k => $v) { if (!empty($_POST[$k]) && $_POST[$k] === $v || $v === '*' && isset($_POST[$k])) { $m++; } if ($m === $kvp_max) { return TRUE; } } } } return FALSE; }
function hide_nag_notices() { if (rs_wpss_is_admin_sproc(TRUE) || !rs_wpss_is_user_admin()) { return; } $ns_codes = array('n01' => 'vote', 'n02' => 'donate'); /* Nag Status Codes */ if (!isset($_GET['wpss_hide_nag'], $_GET['nid'], $ns_codes[$_GET['nid']]) || $_GET['wpss_hide_nag'] != '1') { return; } global $current_user; $status = get_user_meta($current_user->ID, 'wpss_nag_status', TRUE); $timenow = time(); $url = rs_wpss_get_url(); $query_args = rs_wpss_get_query_args($url); unset($query_args['wpss_hide_nag'], $query_args['nid']); $query_str = http_build_query($query_args); if ($query_str != '') { $query_str = '?' . $query_str; } $redirect_url = rs_wpss_fix_url($url, TRUE, TRUE) . $query_str; $status['currentnag'] = FALSE; $status['lastnag'] = $timenow; $status[$ns_codes[$_GET['nid']]] = TRUE; update_user_meta($current_user->ID, 'wpss_nag_status', $status); update_user_meta($current_user->ID, 'wpss_nag_notices', array()); wp_redirect($redirect_url); exit; }
public static function early_post_intercept() { /** * SECURITY - Checks all incoming POST requests early for malicious behavior * Added 1.9.7.8 */ if ('POST' !== $_SERVER['REQUEST_METHOD'] || rs_wpss_is_local_request() || is_user_logged_in()) { return; } global $spamshield_options; if (empty($spamshield_options)) { $spamshield_options = get_option('spamshield_options'); } if (!empty($spamshield_options['disable_misc_form_shield'])) { return; } $url = rs_wpss_get_url(); $url_lc = rs_wpss_casetrans('lower', $url); $req_uri = $_SERVER['REQUEST_URI']; $req_uri_lc = rs_wpss_casetrans('lower', $req_uri); $epc_filter_status = $wpss_error_code = $log_pref = ''; $epc_jsck_error = $epc_badrobot_error = FALSE; $form_type = 'misc form'; $pref = 'EPC-'; $errors_3p = array(); $error_txt = rs_wpss_error_txt(); $server_name = WPSS_SERVER_NAME; $server_email_domain = rs_wpss_get_email_domain($server_name); $epc_serial_post = json_encode($_POST); $form_auth_dat = array('comment_author' => '', 'comment_author_email' => '', 'comment_author_url' => ''); $blocked = FALSE; $c = array('name' => '', 'value' => '1', 'expire' => time() + 60 * 60 * 24 * 365 * 1, 'path' => '/', 'domain' => rs_wpss_get_cookie_domain(), 'secure' => FALSE, 'httponly' => FALSE); if (rs_wpss_is_xmlrpc()) { if (empty($_POST) || !empty($_GET)) { $blocked = TRUE; } rs_wpss_start_session(); $c['name'] = 'P_XMLRPC'; } if (rs_wpss_is_doing_ajax()) { if (empty($_POST) && empty($_GET) || empty($_REQUEST['action'])) { $wpss_error_code .= ' ' . $pref . 'FAR1020'; $err_cod = 'fake_ajax_request_error'; $err_msg = __('That action is currently not allowed.'); $errors_3p[$err_cod] = $err_msg; } } if (rs_wpss_skiddie_ua_check()) { $wpss_error_code .= ' ' . $pref . 'UA1004'; $err_cod = 'badrobot_skiddie_error'; $err_msg = __('That action is currently not allowed.'); $errors_3p[$err_cod] = $err_msg; } if (rs_wpss_ubl_cache()) { if (TRUE === WPSS_IP_BAN_ENABLE && rs_wpss_is_xmlrpc()) { self::ip_ban(); } $wpss_error_code .= ' ' . $pref . '0-BL'; $err_cod = 'blacklisted_user_error'; $err_msg = __('That action is currently not allowed.'); $errors_3p[$err_cod] = $err_msg; } if (!empty($c['name'])) { /* Setting cookie to honeypot bad actors */ @setcookie($c['name'], $c['value'], $c['expire'], $c['path'], $c['domain'], $c['secure'], $c['httponly']); } if (!empty($wpss_error_code)) { rs_wpss_update_accept_status($form_auth_dat, 'r', 'Line: ' . __LINE__, $wpss_error_code); if (!empty($spamshield_options['comment_logging'])) { rs_wpss_log_data($form_auth_dat, $wpss_error_code, $form_type, $epc_serial_post); } } else { rs_wpss_update_accept_status($form_auth_dat, 'a', 'Line: ' . __LINE__); } /* Now output error message */ if (!empty($wpss_error_code)) { $error_msg = ''; foreach ($errors_3p as $c => $m) { $error_msg .= '<strong>' . $error_txt . ':</strong> ' . $m . '<br /><br />' . WPSS_EOL; } WP_SpamShield::wp_die($error_msg, TRUE); } }