function rs_wpss_misc_form_spam_check() {
    /***
     * Checks all miscellaneous form POST submissions for spam.
     * Added 1.8.9.9
     *
     * Runs on the front end for every POST request that is not recognised as
     * one of the dedicated form types (comment, registration, contact-form
     * plugins, etc.). Everything it inspects comes from the request superglobals
     * ($_POST, $_SERVER, $_GET), so every value read below is client-supplied.
     *
     * Returns nothing. Accepted submissions fall through to the normal handler;
     * rejected submissions are logged and the request is terminated with
     * wp_die() and a 403 response.
     *
     * Side effects: updates session data, records the accept/reject status,
     * optionally logs the serialized POST body, and — when WPSS_IP_BAN_ENABLE is
     * TRUE and the security check matches — bans the client IP.
     *
     * NOTE(review): the two 'Line: ' . __LINE__ log strings below record the
     * physical source line, so any reformatting of this file changes them.
     ***/

    /* Administrators and admin-side sub-processes are never checked. */
    if (rs_wpss_is_user_admin() || rs_wpss_is_admin_sproc()) { return; }

    global $spamshield_options;
    if (empty($spamshield_options)) { $spamshield_options = get_option('spamshield_options'); }
    rs_wpss_update_session_data($spamshield_options);
    if (!empty($spamshield_options['disable_misc_form_shield'])) { return; }

    /* NOTE(review): $url_lc and $req_uri_lc are computed but never read in this function;
     * the e-commerce URL bypass below uses the un-lowercased $req_uri. */
    $url = rs_wpss_get_url();
    $url_lc = rs_wpss_casetrans('lower', $url);
    $req_uri = $_SERVER['REQUEST_URI'];
    $req_uri_lc = rs_wpss_casetrans('lower', $req_uri);

    /* BYPASS - GENERAL */
    /* Skip non-POST requests, empty bodies, and submissions that carry a field name
     * belonging to a form type handled elsewhere (presumably by its own check —
     * inferred from the field names, not visible here). Note these keys are
     * client-supplied: the bypass is keyed on the presence of a POST field, not on
     * any verified origin. */
    if (empty($_POST) || 'POST' !== $_SERVER['REQUEST_METHOD'] || isset($_POST[WPSS_REF2XJS]) || isset($_POST[WPSS_JSONST]) || isset($_POST['wpss_contact_message']) || isset($_POST['signup_username']) || isset($_POST['signup_email']) || isset($_POST['ws_plugin__s2member_registration']) || isset($_POST['_wpcf7_version']) || isset($_POST['gform_submit']) || isset($_POST['gform_unique_id'])) { return; }
    /* Admin screens are skipped, except the login page. */
    if (is_admin() && !rs_wpss_is_login_page()) { return; }
    /* On the login page only the registration action is checked. */
    if (rs_wpss_is_login_page() && (!isset($_GET['action']) || $_GET['action'] !== 'register')) { return; }
    if (rs_wpss_is_doing_ajax() || rs_wpss_is_doing_cron() || rs_wpss_is_xmlrpc() || defined('WP_INSTALLING')) { return; }
    if (rs_wpss_is_ajax_request() || rs_wpss_is_comment_request() || is_trackback()) { return; }
    if (current_user_can('moderate_comments')) { return; }
    if (is_user_logged_in()) { return; }

    /* May remove later */
    /* Exactly-four-field trackback/pingback-shaped bodies are skipped (loose == on the count). */
    $post_count = count($_POST);
    if ($post_count == 4 && isset($_POST['excerpt'], $_POST['url'], $_POST['title'], $_POST['blog_name'])) { return; }

    $ip = rs_wpss_get_ip_addr();
    if ($ip === WPSS_SERVER_ADDR) { return; } /* Skip website IP address */
    /* Dotted (IPv4-style) addresses: drop the last octet and compare the remaining
     * "a.b.c." prefix against the server address as a string. Addresses without a
     * '.' (plain IPv6) never take this branch. */
    if (strpos($ip, '.') !== FALSE) {
        $ip_arr = explode('.', $ip);
        unset($ip_arr[3]);
        $ip_c = implode('.', $ip_arr) . '.';
        if (strpos(WPSS_SERVER_ADDR, $ip_c) === 0) { return; } /* Skip anything on same C-Block as website */
    }

    /* E-commerce paths are never checked.
     * NOTE(review): $req_uri is the raw, client-supplied REQUEST_URI (including any
     * query string) and the match is a case-sensitive substring test, so this
     * bypass keys on request text rather than on the resolved route — confirm
     * that is intended. */
    $ecom_urls = array('/checkout/', '/store/', '/shop/', '/cart/');
    foreach ($ecom_urls as $k => $u) { if (strpos($req_uri, $u) !== FALSE) { return; } }

    /* Default WordPress login form, WooCommerce login form, and compatibility-layer bypasses. */
    $admin_url = WPSS_ADMIN_URL . '/';
    if ($post_count >= 5 && isset($_POST['log'], $_POST['pwd'], $_POST['wp-submit'], $_POST['testcookie'], $_POST['redirect_to']) && $_POST['redirect_to'] === $admin_url) { return; }
    if ($post_count >= 5 && isset($_POST['log'], $_POST['pwd'], $_POST['login'], $_POST['testcookie'], $_POST['redirect_to'])) { return; }
    if ($post_count >= 5 && isset($_POST['username'], $_POST['password'], $_POST['login'], $_POST['_wpnonce'], $_POST['_wp_http_referer']) && rs_wpss_is_wc_login_page()) { return; }
    if (WPSS_Compatibility::misc_form_bypass()) { return; }

    /* BYPASS - HOOK */
    /* Any filter returning a truthy value disables the check for this request. */
    $mfsc_bypass = apply_filters('wpss_misc_form_spam_check_bypass', FALSE);
    if (!empty($mfsc_bypass)) { return; }

    /* State for the tests below. $wpss_error_code accumulates space-separated codes;
     * $errors_3p maps an error key to the user-visible message for that failure. */
    $msc_filter_status = $wpss_error_code = $log_pref = '';
    $msc_jsck_error = $msc_badrobot_error = FALSE;
    $form_type = 'misc form';
    $pref = 'MSC-';
    $errors_3p = array();
    $error_txt = rs_wpss_error_txt();
    $server_name = WPSS_SERVER_NAME;
    $server_email_domain = rs_wpss_get_email_domain($server_name);
    /* Raw request body kept only for logging. NOTE(review): this is untrusted data in
     * serialize() form; whatever consumes the log must not unserialize() it. */
    $msc_serial_post = serialize($_POST);
    $form_auth_dat = array('comment_author' => '', 'comment_author_email' => '', 'comment_author_url' => '');

    /* Check for Specific Contact Form Plugins */
    /* Form type selects the error-code prefix and which blacklists run below. */
    if (defined('JETPACK__VERSION') && isset($_POST['action']) && $_POST['action'] === 'grunion-contact-form') {
        $form_type = 'jetpack form';
        $pref = 'JP-';
    } elseif (defined('NF_PLUGIN_VERSION') && isset($_POST['_ninja_forms_display_submit'])) {
        $form_type = 'ninja forms';
        $pref = 'NF-';
    } elseif ((defined('MC4WP_VERSION') || defined('MC4WP_LITE_VERSION')) && (isset($_POST['_mc4wp_form_id']) || isset($_POST['_mc4wp_form_submit']))) {
        $form_type = 'mailchimp form';
        $pref = 'MCF-';
    }

    /* JS/JQUERY CHECK */
    /* The page's script is expected to have posted a field named $wpss_jq_key whose
     * value is $wpss_jq_val; a missing or different value means no JS ran. */
    $wpss_key_values = rs_wpss_get_key_values();
    $wpss_jq_key = $wpss_key_values['wpss_jq_key'];
    $wpss_jq_val = $wpss_key_values['wpss_jq_val'];
    if (TRUE === WPSS_COMPAT_MODE || defined('WPSS_SOFT_COMPAT_MODE')) {
        /* Fall back to FVFJS Keys instead of jQuery keys from jscripts.php */
        $wpss_jq_key = $wpss_key_values['wpss_js_key'];
        $wpss_jq_val = $wpss_key_values['wpss_js_val'];
    }
    $wpss_jsck_jquery_val = !empty($_POST[$wpss_jq_key]) ? $_POST[$wpss_jq_key] : '';
    if ($wpss_jsck_jquery_val !== $wpss_jq_val) {
        $wpss_error_code .= ' ' . $pref . 'JQHFT-5';
        $msc_jsck_error = TRUE;
        $err_cod = 'jsck_error';
        $err_msg = __('Sorry, there was an error. Please be sure JavaScript and Cookies are enabled in your browser and try again.', WPSS_PLUGIN_NAME);
        $errors_3p[$err_cod] = $err_msg;
    }

    /* Don't use on default WordPress Login, Registration, or Forgot Email pages */
    if (!isset($_POST['wp-submit'])) {
        /* EMAIL BLACKLIST */
        /* Every string POST field whose name contains "email" is checked. Fields on
         * the site's own email domain are skipped. Only one email error is recorded
         * (break on first hit), and the user-visible message is suppressed when the
         * JS check already failed. */
        if ($form_type === 'mailchimp form') {
            /* Mailchimp forms: an email-named field that is not a valid address is
             * itself rejected; a valid address is checked against the blacklist. */
            foreach ($_POST as $k => $v) {
                if (!is_string($v)) { continue; }
                $k_lc = rs_wpss_casetrans('lower', $k);
                $v_lc = rs_wpss_casetrans('lower', trim(stripslashes($v)));
                if (strpos($k_lc, 'email') !== FALSE) {
                    if (!is_email($v_lc)) {
                        $wpss_error_code .= ' ' . $pref . '9200E-BL';
                        if ($msc_jsck_error !== TRUE) {
                            $err_cod = 'blacklist_email_error';
                            $err_msg = __('Sorry, that email address is not allowed!') . ' ' . __('Please enter a valid email address.');
                            $errors_3p[$err_cod] = $err_msg;
                        }
                        break;
                    } elseif (is_email($v_lc)) {
                        $email_domain = rs_wpss_parse_email($v_lc, 'domain');
                        if ($email_domain === $server_email_domain) { continue; }
                        if (rs_wpss_email_blacklist_chk($v_lc)) {
                            $wpss_error_code .= ' ' . $pref . '9200E-BL';
                            if ($msc_jsck_error !== TRUE) {
                                $err_cod = 'blacklist_email_error';
                                $err_msg = __('Sorry, that email address is not allowed!') . ' ' . __('Please enter a valid email address.');
                                $errors_3p[$err_cod] = $err_msg;
                            }
                            break;
                        }
                    }
                }
            }
        } else {
            /* All other forms: only syntactically valid addresses are blacklist-checked;
             * invalid values in email-named fields are left to the form itself. */
            foreach ($_POST as $k => $v) {
                if (!is_string($v)) { continue; }
                $k_lc = rs_wpss_casetrans('lower', $k);
                $v_lc = rs_wpss_casetrans('lower', trim(stripslashes($v)));
                if (strpos($k_lc, 'email') !== FALSE && is_email($v_lc)) {
                    $email_domain = rs_wpss_parse_email($v_lc, 'domain');
                    if ($email_domain === $server_email_domain) { continue; }
                    if (rs_wpss_email_blacklist_chk($v_lc)) {
                        $wpss_error_code .= ' ' . $pref . '9200E-BL';
                        if ($msc_jsck_error !== TRUE) {
                            $err_cod = 'blacklist_email_error';
                            $err_msg = __('Sorry, that email address is not allowed!') . ' ' . __('Please enter a valid email address.');
                            $errors_3p[$err_cod] = $err_msg;
                        }
                        break;
                    }
                }
            }
        }

        if ($form_type === 'jetpack form' || $form_type === 'ninja forms') {
            /* CONTACT FORM CONTENT BLACKLIST */
            /* String fields named like a message body are run through the content blacklist. */
            foreach ($_POST as $k => $v) {
                if (!is_string($v)) { continue; }
                $k_lc = rs_wpss_casetrans('lower', $k);
                $v_lc = rs_wpss_casetrans('lower', trim(stripslashes($v)));
                if ((strpos($k_lc, 'message') !== FALSE || strpos($k_lc, 'comment') !== FALSE) && rs_wpss_cf_content_blacklist_chk($v_lc)) {
                    $wpss_error_code .= ' ' . $pref . '10400C-BL';
                    if ($msc_jsck_error !== TRUE) {
                        $err_cod = 'blacklist_content_error';
                        $err_msg = __('Message appears to be spam.', WPSS_PLUGIN_NAME);
                        $errors_3p[$err_cod] = $err_msg;
                    }
                    break;
                }
            }
        }

        /* BAD ROBOT BLACKLIST */
        /* The helper supplies its own error code (no $pref applied here). */
        $bad_robot_filter_data = rs_wpss_bad_robot_blacklist_chk($form_type, $msc_filter_status);
        $msc_filter_status = $bad_robot_filter_data['status'];
        $bad_robot_blacklisted = $bad_robot_filter_data['blacklisted'];
        if (!empty($bad_robot_blacklisted)) {
            $wpss_error_code .= $bad_robot_filter_data['error_code'];
            $msc_badrobot_error = TRUE;
            if ($msc_jsck_error !== TRUE) {
                $err_cod = 'badrobot_error';
                $err_msg = __('That action is currently not allowed.');
                $errors_3p[$err_cod] = $err_msg;
            }
        }

        /* BLACKLISTED USER */
        /* Only consulted when no other test has already failed. */
        if (empty($wpss_error_code) && rs_wpss_ubl_cache()) {
            $wpss_error_code .= ' ' . $pref . '0-BL';
            $err_cod = 'blacklisted_user_error';
            $err_msg = __('That action is currently not allowed.'); /* TO DO: TRANSLATE */
            $errors_3p[$err_cod] = $err_msg;
        }
    }

    /* Done with Tests */
    $wpss_error_code = trim($wpss_error_code);
    if (strpos($wpss_error_code, '0-BL') !== FALSE) {
        rs_wpss_append_log_data('Blacklisted user detected. Miscellaneous forms have been temporarily disabled to prevent spam. ERROR CODE: ' . $wpss_error_code, FALSE);
    }

    if (!empty($wpss_error_code)) {
        /* Rejected: record status, optionally escalate to the security check, log. */
        rs_wpss_update_accept_status($form_auth_dat, 'r', 'Line: ' . __LINE__, $wpss_error_code);
        /* If enabled, run security check to make sure this POST submission wasn't a security threat: vulnerability probe or hack attempt */
        if (TRUE === WPSS_IP_BAN_ENABLE) {
            $wpss_security = new WPSS_Security();
            if ($wpss_security->check_post_sec()) {
                /* Global flag: $wpss_sec_threat is only declared global (and only set)
                 * when the check matches; otherwise the local below is simply unset. */
                global $wpss_sec_threat;
                $wpss_sec_threat = TRUE;
            }
        }
        if (!empty($spamshield_options['comment_logging'])) {
            rs_wpss_log_data($form_auth_dat, $wpss_error_code, $form_type, $msc_serial_post);
        }
        /* Ban runs after logging so the offending request is on record first. */
        if (TRUE === WPSS_IP_BAN_ENABLE) {
            if (!empty($wpss_sec_threat)) { $wpss_security->ip_ban(); }
        }
    } else {
        /* Accepted: record status; log only when "log all" is enabled. */
        rs_wpss_update_accept_status($form_auth_dat, 'a', 'Line: ' . __LINE__);
        if (!empty($spamshield_options['comment_logging']) && !empty($spamshield_options['comment_logging_all'])) {
            rs_wpss_log_data($form_auth_dat, $wpss_error_code, $form_type, $msc_serial_post);
        }
    }

    /* Now output error message */
    /* Messages come from the translation strings assembled above, never from request
     * data, so they are emitted into the wp_die() HTML as-is. */
    if (!empty($wpss_error_code)) {
        $error_msg = '';
        foreach ($errors_3p as $c => $m) {
            $error_msg .= '<strong>' . $error_txt . ':</strong> ' . $m . '<br /><br />' . WPSS_EOL;
        }
        $args = array('response' => '403');
        wp_die($error_msg, '', $args);
    }
}
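public function check_post_sec() {
    /***
     * Check if POST submission is security threat: hack attempt or vulnerability probe.
     *
     * Compares the current request ($_POST, lower-cased request URL, AJAX flag,
     * 404 flag, and the two Accept-header forms) first against a short list of
     * obfuscated substrings and then against a table of full signatures for
     * known third-party plugin vulnerabilities.
     *
     * Returns TRUE as soon as one signature matches, FALSE when none do.
     * Called after a submission has already been rejected as spam, so a TRUE
     * here escalates that rejection to an IP ban in the caller.
     *
     * Changes from the previous revision: non-string POST values (nested form
     * arrays) are skipped in the short-signature scan, matching the is_string()
     * guard used by rs_wpss_misc_form_spam_check(); the obfuscated signatures are
     * decoded once instead of once per POST field; the unused extract() of the
     * IP/proxy info array and several unused locals were dropped.
     ***/
    $plug_url = WPSS_PLUGINS_DIR_URL . '/';
    $post_count = count($_POST);
    $req_url = rs_wpss_casetrans('lower', rs_wpss_get_url());
    $req_ajax = rs_wpss_is_ajax_request();
    $req_404 = rs_wpss_is_404(); /* Not all WP sites return proper 404 status. The fact this security check even got activated means it was a 404. */
    $req_hal = rs_wpss_get_http_accept(TRUE, TRUE, TRUE);
    $req_ha = rs_wpss_get_http_accept(TRUE, TRUE);

    /* IP / PROXY INFO - BEGIN */
    /* Populate the shared cache if needed; nothing in this method reads it, so the
     * previous extract() into local scope was removed (it could also silently
     * overwrite locals if the array ever gained a colliding key). */
    global $wpss_ip_proxy_info;
    if (empty($wpss_ip_proxy_info)) { $wpss_ip_proxy_info = rs_wpss_ip_proxy_info(); }
    /* IP / PROXY INFO - END */

    /* Short Signatures - Regex */
    /* Obfuscated with rs_wpss_rbkmd(); decoded once here (loop-invariant) rather than
     * once per POST field. Switch to single preg_match as this expands. */
    $rgx_sig_arr = array('-e*5l?*B-@yZ_-,8_-lSZ98BC[', '+25-Z9dCZ,87C-7CBlSZ=-C[');
    $short_sigs = array();
    foreach ($rgx_sig_arr as $s) {
        $short_sigs[] = rs_wpss_rbkmd($s, 'de');
    }
    foreach ($_POST as $k => $v) {
        /* Nested fields arrive as arrays; the substring test is string-only. */
        if (!is_string($v)) { continue; }
        $v_lc = rs_wpss_casetrans('lower', $v);
        foreach ($short_sigs as $sd) {
            if (FALSE !== strpos($v_lc, $sd)) { return TRUE; }
        }
    }

    /* Full Signatures */
    /* Each entry: POST field-count window, candidate target URLs (empty = any),
     * expected AJAX flag and 404 flag ('*' = don't care), acceptable Accept-header
     * values, and one or more key/value sets of which any one must match in full
     * ('*' as a value means "key present with any non-null value"). */
    $signatures = array(
        array(
            'description' => 'Revslider & Showbiz Pro - AJAX Vulnerability',
            'post_i_min' => 2,
            'post_i_max' => 2,
            'target_urls' => array('/wp-admin/admin-ajax.php'),
            'ajax_request' => FALSE,
            '404' => '*',
            'session_cookie' => FALSE,
            'hal_signature' => array(''),
            'ha_signature' => array('', '*/*'),
            'key_val_pairs' => array(
                array('action' => 'revslider_ajax_action', 'client_action' => 'update_plugin'),
                array('action' => 'showbiz_ajax_action', 'client_action' => 'update_plugin'),
            ),
        ),
        array(
            'description' => 'WP Marketplace <= 2.4.0 & WP Download Manager <=2.7.4 - Remote Code Execution',
            'post_i_min' => 5,
            'post_i_max' => 5,
            'target_urls' => array(),
            'ajax_request' => FALSE,
            '404' => '*',
            'session_cookie' => FALSE,
            'hal_signature' => array(''),
            'ha_signature' => array('', '*/*'),
            'key_val_pairs' => array(
                array('action' => 'wpmp_pp_ajax_call', 'user_login' => '*', 'execute' => 'wp_insert_user', 'role' => 'administrator', 'user_pass' => '*'),
                array('action' => 'wpdm_ajax_call', 'user_login' => '*', 'execute' => 'wp_insert_user', 'role' => 'administrator', 'user_pass' => '*'),
            ),
        ),
        array(
            'description' => 'WP Symposium <= 14.11 - Shell Upload Vulnerability',
            'post_i_min' => 2,
            'post_i_max' => 3,
            'target_urls' => array('/wp-content/plugins/wp-symposium/server/php/index.php'),
            'ajax_request' => FALSE,
            '404' => '*',
            'session_cookie' => FALSE,
            'hal_signature' => array(''),
            'ha_signature' => array('', '*/*'),
            /* NOTE(review): $plug_url already ends in '/', so this value contains '//wp-symposium';
             * kept as-is because the exact value the probe sends is not verifiable here — confirm. */
            'key_val_pairs' => array(
                array('uploader_url' => $plug_url . '/wp-symposium/server/php/', 'uploader_uid' => '1'),
            ),
        ),
        array(
            'description' => 'Ultimate Product Catalogue <= 3.11 - Multiple Vulnerabilities',
            'post_i_min' => 3,
            'post_i_max' => 3,
            'target_urls' => array(
                '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-links-ompt.php',
                '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-includes.php',
                '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-styles.php',
            ),
            'ajax_request' => FALSE,
            '404' => '*',
            'session_cookie' => FALSE,
            'hal_signature' => array(''),
            'ha_signature' => array('', '*/*'),
            'key_val_pairs' => array(
                array('p2' => '2929', 'abc28' => 'print $_REQUEST[\'p1\'].$_REQUEST[\'p2\']', 'p1' => '4242'),
                array('p2' => '2929', 'af5f492a1' => 'print $_REQUEST[\'p1\'].$_REQUEST[\'p2\']', 'p1' => '4242'),
                array('p2' => '2929', 'e41e' => 'print $_REQUEST[\'p1\'].$_REQUEST[\'p2\']', 'p1' => '4242'),
            ),
        ),
        array(
            'description' => 'Ultimate Product Catalogue <= 3.11 - Multiple Vulnerabilities',
            'post_i_min' => 1,
            'post_i_max' => 1,
            'target_urls' => array(
                '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-setup.php',
                '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-includes.php',
            ),
            'ajax_request' => FALSE,
            '404' => '*',
            'session_cookie' => FALSE,
            'hal_signature' => array(''),
            'ha_signature' => array('', '*/*'),
            'key_val_pairs' => array(
                array('e51e' => 'die(pi());'),
                array('af5f492a1' => 'die(pi());'),
            ),
        ),
        array(
            'description' => 'Simple Ads Manager <= 2.5.94 - Arbitrary File Upload',
            'post_i_min' => 2,
            'post_i_max' => 2,
            'target_urls' => array('/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php'),
            'ajax_request' => FALSE,
            '404' => '*',
            'session_cookie' => FALSE,
            'hal_signature' => array(''),
            'ha_signature' => array('', '*/*'),
            'key_val_pairs' => array(
                array('action' => 'upload_ad_image', 'path' => '*'),
            ),
        ),
        array(
            'description' => 'Work The Flow File Upload <= 2.5.2 - Shell Upload',
            'post_i_min' => 1,
            'post_i_max' => 1,
            'target_urls' => array(
                '/wp-content/plugins/work-the-flow-file-upload/public/assets/jquery-file-upload-9.5.0/server/php/index.php',
                '/assets/plugins/jquery-file-upload/server/php/index.php',
            ),
            'ajax_request' => FALSE,
            '404' => '*',
            'session_cookie' => FALSE,
            'hal_signature' => array(''),
            'ha_signature' => array('', '*/*'),
            'key_val_pairs' => array(
                array('action' => 'upload'),
            ),
        ),
    );

    /* Run Checks Against Signatures */
    foreach ($signatures as $sig) {
        /* Field-count window; a zero/empty post_i_min disables this filter. */
        if (!empty($sig['post_i_min']) && ($post_count < $sig['post_i_min'] || $post_count > $sig['post_i_max'])) { continue; }
        /* Target URL: the listed paths are compiled into one regex by the helper. */
        if (!empty($sig['target_urls'])) {
            $urls_rgx = rs_wpss_get_regex_phrase($sig['target_urls'], '', 'red_str');
            if (!preg_match($urls_rgx, $req_url)) { continue; }
        }
        if ($sig['ajax_request'] !== '*' && $sig['ajax_request'] !== $req_ajax) { continue; }
        /* Every signature above uses '*' here, so the 404 flag is currently never filtered on. */
        if ($sig['404'] !== '*' && $sig['404'] !== $req_404) { continue; }
        /* Accept-header forms: at least one listed value must match. Loose comparison
         * (in_array default) is deliberate — it preserves the previous `==` behaviour,
         * where an empty-string entry also matches a missing (null) header. An empty
         * list imposes no constraint, as before. */
        if (!empty($sig['hal_signature']) && !in_array($req_hal, $sig['hal_signature'])) { continue; }
        if (!empty($sig['ha_signature']) && !in_array($req_ha, $sig['ha_signature'])) { continue; }
        /* Key/value sets: every pair in a set must be present; '*' accepts any non-null value. */
        foreach ($sig['key_val_pairs'] as $kvp) {
            $kvp_max = count($kvp);
            $m = 0; /* Matches */
            foreach ($kvp as $k => $v) {
                if ((!empty($_POST[$k]) && $_POST[$k] === $v) || ($v === '*' && isset($_POST[$k]))) { $m++; }
                if ($m === $kvp_max) { return TRUE; }
            }
        }
    }
    return FALSE;
}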