Пример #1
 /**
  * Pre-rule hook: applies the operator-configured URL and IP whitelists before
  * the regular rule set is evaluated.
  *
  * URL entries come from the WAF storage engine. Each entry is regex-quoted and a
  * literal `*` is turned back into a lazy `.*?` wildcard; all entries are joined
  * into one anchored, case-insensitive alternation and evaluated as a single
  * "allow" rule against request.uri.
  *
  * IP entries (an array, or a comma-separated string) are compared with the
  * request IP; the first matching range ends rule processing by throwing.
  *
  * @throws wfWAFAllowException when the request IP is inside a whitelisted range
  */
 public function beforeRunRules()
 {
     $waf = wfWAF::getInstance();
     $storage = $waf->getStorageEngine();

     // Whitelisted URLs (in WAF config)
     $urls = $storage->getConfig('whitelistedURLs');
     if ($urls) {
         $alternatives = array();
         foreach ($urls as $url) {
             // preg_quote escapes the operator's `*` to `\*`; the replace turns that
             // escaped asterisk back into a wildcard. Everything else stays literal.
             $alternatives[] = preg_replace('/\\\\\\*/', '.*?', preg_quote($url, '/'));
         }
         // Anchored on both ends so a whitelist entry cannot match a substring of a path.
         $pattern = '/^(?:' . implode('|', $alternatives) . ')$/i';
         $comparison = new wfWAFRuleComparison($waf, 'match', $pattern, array('request.uri'));
         $rule = wfWAFRule::create($waf, 0x8000000, 'rule', 'whitelist', 0, 'User Supplied Whitelisted URL', 'allow', new wfWAFRuleComparisonGroup($comparison));
         $rule->evaluate();
     }

     // Whitelisted IPs (Wordfence config)
     $ips = $storage->getConfig('whitelistedIPs');
     if ($ips) {
         require_once dirname(__FILE__) . '/wfWAFUserIPRange.php';
         if (!is_array($ips)) {
             // Stored as a single comma-separated string in some configurations.
             $ips = explode(',', $ips);
         }
         $request = $waf->getRequest();
         foreach ($ips as $entry) {
             $range = new wfWAFUserIPRange($entry);
             if ($range->isIPInRange($request->getIP())) {
                 throw new wfWAFAllowException('Wordfence whitelisted IP.');
             }
         }
     }
 }
Пример #2
 /**
  * Pre-rule hook: applies the operator-configured URL and IP whitelists, then
  * records whether the plugin side has already decided on a final action for
  * this request.
  *
  * URL entries are regex-quoted with `*` mapped to a lazy `.*?` wildcard and
  * evaluated as one anchored, case-insensitive "allow" rule against request.uri.
  * IP entries (array or comma-separated string) are compared with the request
  * IP; the first match short-circuits by throwing.
  *
  * @throws wfWAFAllowException when the request IP is inside a whitelisted range
  */
 public function beforeRunRules()
 {
     $waf = wfWAF::getInstance();
     $storage = $waf->getStorageEngine();

     // Whitelisted URLs (in WAF config)
     $urls = $storage->getConfig('whitelistedURLs');
     if ($urls) {
         $alternatives = array();
         foreach ($urls as $url) {
             // preg_quote escapes the operator's `*` to `\*`; turn that back into a wildcard.
             $alternatives[] = preg_replace('/\\\\\\*/', '.*?', preg_quote($url, '/'));
         }
         // Anchored on both ends so an entry cannot match a substring of the path.
         $pattern = '/^(?:' . implode('|', $alternatives) . ')$/i';
         $comparison = new wfWAFRuleComparison($waf, 'match', $pattern, array('request.uri'));
         $rule = wfWAFRule::create($waf, 0x8000000, 'rule', 'whitelist', 0, 'User Supplied Whitelisted URL', 'allow', new wfWAFRuleComparisonGroup($comparison));
         $rule->evaluate();
     }

     // Whitelisted IPs (Wordfence config)
     $ips = $storage->getConfig('whitelistedIPs');
     if ($ips) {
         if (!is_array($ips)) {
             // Stored as a single comma-separated string in some configurations.
             $ips = explode(',', $ips);
         }
         $request = $waf->getRequest();
         foreach ($ips as $entry) {
             $range = new wfWAFUserIPRange($entry);
             if ($range->isIPInRange($request->getIP())) {
                 throw new wfWAFAllowException('Wordfence whitelisted IP.');
             }
         }
     }

     // Check plugin blocking
     $request = $waf->getRequest();
     $finalAction = $waf->willPerformFinalAction($request);
     if ($finalAction) {
         if ($finalAction === true) {
             // A bare `true` carries no reason text. Should not happen, but can if
             // the reason in the blocks table is empty.
             $finalAction = 'Not available';
         }
         $metadata = array_merge($request->getMetadata(), array('finalAction' => $finalAction));
         $request->setMetadata($metadata);
     }
 }
Пример #3
// Per-parameter whitelist. Each key names a request-field subject (e.g. request.body[key]) and
// the value is a list of URL regexes. From this block alone it reads as "exempt that parameter
// from rule checks when the request path matches one of the patterns" — confirm against the
// code that consumes $this->whitelistedParams. Patterns are PHP single-quoted strings, so
// '\\/' is a regex-escaped slash and '\\.' a literal dot.

// Core options screens: these fields legitimately carry path-like or markup-like values.
$this->whitelistedParams['request.body[blacklist_keys]'][] = '/\\/wp-admin\\/options\\.php$/i';
$this->whitelistedParams['request.body[permalink_structure]'][] = '/\\/wp-admin\\/options\\.php$/i';
$this->whitelistedParams['request.body[category_base]'][] = '/\\/wp-admin\\/options\\.php$/i';
$this->whitelistedParams['request.body[tag_base]'][] = '/\\/wp-admin\\/options\\.php$/i';
// Free-text comment search.
$this->whitelistedParams['request.queryString[s]'][] = '/\\/wp-admin\\/edit-comments\\.php$/i';
// Login form fields (raw credentials and the redirect target are not scanned on wp-login.php).
$this->whitelistedParams['request.body[log]'][] = '/\\/wp-login\\.php$/i';
$this->whitelistedParams['request.body[pwd]'][] = '/\\/wp-login\\.php$/i';
$this->whitelistedParams['request.body[redirect_to]'][] = '/\\/wp-login\\.php$/i';
// Multisite network admin: user/site search and new-site form.
$this->whitelistedParams['request.queryString[s]'][] = '/\\/wp-admin\\/network\\/(?:user|site)s\\.php$/i';
$this->whitelistedParams['request.body[blog]'][] = '/\\/wp-admin\\/network\\/site-new\\.php$/i';
// Wordfence's own AJAX actions that submit whitelist entries (which are themselves path/param strings).
$this->whitelistedParams['request.body[deletedWhitelistedPath]'][] = '/\\/wp-admin\\/admin-ajax\\.php$/i';
$this->whitelistedParams['request.body[deletedWhitelistedParam]'][] = '/\\/wp-admin\\/admin-ajax\\.php$/i';
// Third-party plugin fields exempted on specific admin endpoints (iThemes Security locations,
// a generic `dir` AJAX field, a SQL console's query body, Divi head/body integration markup).
$this->whitelistedParams['request.body[itsec_global][log_location]'][] = '/\\/wp-admin\\/options\\.php$/i';
$this->whitelistedParams['request.body[itsec_backup][location]'][] = '/\\/wp-admin\\/options\\.php$/i';
$this->whitelistedParams['request.body[dir]'][] = '/\\/wp-admin\\/admin-ajax\\.php$/i';
$this->whitelistedParams['request.body[sql_query]'][] = '/(?:lint|import)\\.php$/i';
$this->whitelistedParams['request.body[divi_integration_body]'][] = '/\\/wp-admin\\/admin-ajax\\.php$/i';
$this->whitelistedParams['request.body[divi_integration_head]'][] = '/\\/wp-admin\\/admin-ajax\\.php$/i';

// Rule table. Rule ids are not contiguous and are not assigned in numeric order (18, 1, 2, 15,
// 16, 17, 3, 9, 11-14); whether assignment order affects evaluation order depends on how
// $this->rules is iterated elsewhere. wfWAFRule::create argument order, as far as these calls
// show: (waf, id, ?, category, ?, description, ?, action, comparison group) — the three
// unlabelled positions are not explained here.

// priv-esc: non-empty ure_other_roles posted to (network/)profile.php or user-new.php by a
// user who is not an administrator.
$this->rules[18] = wfWAFRule::create($this, 18, NULL, 'priv-esc', NULL, 'User Roles Manager Priviledge Escalation <= 4.24', 0, 'block', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'notEquals', '', array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.body', 1 => 'ure_other_roles'), array()))), new wfWAFRuleLogicalOperator('AND'), new wfWAFRuleComparison($this, 'match', '#/wp\\-admin/(network/)?(profile|user-new)\\.php#i', array(wfWAFRuleComparisonSubject::create($this, 'request.path', array()))), new wfWAFRuleLogicalOperator('AND'), new wfWAFRuleComparison($this, 'currentUserIsNot', 'administrator', array(wfWAFRuleComparisonSubject::create($this, 'server.empty', array())))));
// allow: whole-request whitelist keyed on server.script_filename (the executing PHP file, not
// the URL), for a handful of admin screens and two Wordfence AJAX actions.
$this->rules[1] = wfWAFRule::create($this, 1, NULL, 'whitelist', NULL, 'Whitelisted URL', 1, 'allow', new wfWAFRuleComparisonGroup(new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '#/wp\\-admin/(network/)?(post|profile|user-new|settings)\\.php$#i', array(wfWAFRuleComparisonSubject::create($this, 'server.script_filename', array())))), new wfWAFRuleLogicalOperator('OR'), new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '#/wp\\-admin/admin\\-ajax\\.php$#i', array(wfWAFRuleComparisonSubject::create($this, 'server.script_filename', array()))), new wfWAFRuleLogicalOperator('AND'), new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'equals', 'wordfence_loadLiveTraffic', array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.body', 1 => 'action'), array()))), new wfWAFRuleLogicalOperator('OR'), new wfWAFRuleComparison($this, 'equals', 'wordfence_ticker', array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.body', 1 => 'action'), array())))))));
// lfi: admin-ajax.php with action=revslider_show_image and an `img` value ending in .php,
// checked in both the query string and the body.
$this->rules[2] = wfWAFRule::create($this, 2, NULL, 'lfi', NULL, 'Slider Revolution: Local File Inclusion', 0, 'block', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '/\\/wp\\-admin[\\/]+admin\\-ajax\\.php/', array(wfWAFRuleComparisonSubject::create($this, 'request.path', array()))), new wfWAFRuleLogicalOperator('AND'), new wfWAFRuleComparisonGroup(new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'equals', 'revslider_show_image', array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.queryString', 1 => 'action'), array()))), new wfWAFRuleLogicalOperator('AND'), new wfWAFRuleComparison($this, 'match', '/\\.php$/i', array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.queryString', 1 => 'img'), array())))), new wfWAFRuleLogicalOperator('OR'), new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'equals', 'revslider_show_image', array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.body', 1 => 'action'), array()))), new wfWAFRuleLogicalOperator('AND'), new wfWAFRuleComparison($this, 'match', '/\\.php$/i', array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.body', 1 => 'img'), array())))))));
// xss: a single quote in the `initer` query parameter of the gallery editor popup. Note the
// action is 'blockXSS', not 'block' — presumably routed through a dedicated XSS handler.
$this->rules[15] = wfWAFRule::create($this, 15, NULL, 'xss', NULL, 'dzs-videogallery 8.80 XSS HTML injection in inline JavaScript', 0, 'blockXSS', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '/dzs\\-videogallery[\\/]+admin[\\/]+(?:playlist|tag)seditor[\\/]+popup\\.php/', array(wfWAFRuleComparisonSubject::create($this, 'request.path', array()))), new wfWAFRuleLogicalOperator('AND'), new wfWAFRuleComparison($this, 'contains', '\'', array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.queryString', 1 => 'initer'), array())))));
// sqli: the body field `wc` is base64-decoded (the 'base64decode' subject filter) before being
// matched against the shared sqliRegex variable.
$this->rules[16] = wfWAFRule::create($this, 16, NULL, 'sqli', NULL, 'Simple Ads Manager <= 2.9.4.116 - SQL Injection', 0, 'block', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '/simple-ads-manager[\\/]+sam-ajax-loader\\.php/', array(wfWAFRuleComparisonSubject::create($this, 'request.path', array()))), new wfWAFRuleLogicalOperator('AND'), new wfWAFRuleComparison($this, 'match', new wfWAFRuleVariable($this, 'sqliRegex', NULL), array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.body', 1 => 'wc'), array(0 => 'base64decode'))))));
// rfi: `/.*/` matches any value (including the empty string), so this blocks whenever the
// `abspath` query parameter is present on that endpoint — how an absent parameter is treated
// by 'match' is decided by the comparison class, not here.
$this->rules[17] = wfWAFRule::create($this, 17, NULL, 'rfi', NULL, 'Gwolle Guestbook <= 1.5.3 - Remote File Inclusion', 0, 'block', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '/gwolle\\-gb[\\/]+frontend[\\/]+captcha[\\/]+ajaxresponse\\.php/', array(wfWAFRuleComparisonSubject::create($this, 'request.path', array()))), new wfWAFRuleLogicalOperator('AND'), new wfWAFRuleComparison($this, 'match', '/.*/', array(wfWAFRuleComparisonSubject::create($this, array(0 => 'request.queryString', 1 => 'abspath'), array())))));
// Generic scoring rules: 'matchCount' over the whole body and query string against the shared
// regex variables, with actions 'failSQLi'/'failXSS' rather than an immediate block. The '40'
// and '100' arguments look like score weights — confirm in the fail* handlers.
$this->rules[3] = wfWAFRule::create($this, 3, NULL, 'sqli', '40', 'SQL Injection', 1, 'failSQLi', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'matchCount', new wfWAFRuleVariable($this, 'sqliRegex', NULL), array(wfWAFRuleComparisonSubject::create($this, 'request.body', array()), wfWAFRuleComparisonSubject::create($this, 'request.queryString', array())))));
$this->rules[9] = wfWAFRule::create($this, 9, NULL, 'xss', '100', 'XSS: Cross Site Scripting', 1, 'failXSS', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'matchCount', new wfWAFRuleVariable($this, 'xssRegex', NULL), array(wfWAFRuleComparisonSubject::create($this, 'request.body', array()), wfWAFRuleComparisonSubject::create($this, 'request.queryString', array())))));
// file_upload: executable/server-side extensions in uploaded file names. The trailing `($|\\.)`
// also catches a dangerous extension followed by another one (double-extension names).
$this->rules[11] = wfWAFRule::create($this, 11, NULL, 'file_upload', NULL, 'Malicous File Upload', 1, 'block', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '/\\.(p(h(p|tml)[0-9]?|l|y)|(j|a)sp|aspx|sh|shtml|html?|cgi|htaccess)($|\\.)/i', array(wfWAFRuleComparisonSubject::create($this, 'request.fileNames', array())))));
// lfi: a `..` segment delimited by either slash style, anywhere in the body or query string.
$this->rules[12] = wfWAFRule::create($this, 12, NULL, 'lfi', NULL, 'Directory Traversal', 1, 'block', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '/(^|\\/|\\\\)\\.\\.(\\\\|\\/)/', array(wfWAFRuleComparisonSubject::create($this, 'request.body', array()), wfWAFRuleComparisonSubject::create($this, 'request.queryString', array())))));
// lfi: values that are absolute paths into well-known system directories (optionally prefixed
// with `./` segments).
$this->rules[13] = wfWAFRule::create($this, 13, NULL, 'lfi', NULL, 'LFI: Local File Inclusion', 1, 'block', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '/^\\/(?:\\.\\/)*(?:var|home|usr|mnt|media|etc|tmp|dev|proc)\\//i', array(wfWAFRuleComparisonSubject::create($this, 'request.body', array()), wfWAFRuleComparisonSubject::create($this, 'request.queryString', array())))));
// xxe: a DOCTYPE or (parameter) ENTITY declaration with a SYSTEM identifier.
$this->rules[14] = wfWAFRule::create($this, 14, NULL, 'xxe', NULL, 'XXE: External Entity Expansion', 1, 'block', new wfWAFRuleComparisonGroup(new wfWAFRuleComparison($this, 'match', '/<\\!(?:DOCTYPE|ENTITY)\\s+(?:%\\s*)?\\w+\\s+SYSTEM/i', array(wfWAFRuleComparisonSubject::create($this, 'request.body', array()), wfWAFRuleComparisonSubject::create($this, 'request.queryString', array())))));
Пример #4
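 /**
  * Blocks a request whose parameter failed an SQLi rule, after a second
  * heuristic check so that a regex hit alone does not block on its own.
  *
  * Nothing happens (no record, no throw) when wfWAFSQLiParser::testForSQLi()
  * rejects the offending value — that is the false-positive guard.
  *
  * @param wfWAFRule $rule
  * @param wfWAFRuleComparisonFailure $failedComparison
  * @param bool $updateFailedRules whether to append this failure to $this->failedRules
  * @throws wfWAFBlockSQLiException once the value passes the SQLi check
  */
 public function blockSQLi($rule, $failedComparison, $updateFailedRules = true)
 {
     $paramKey = $failedComparison->getParamKey();
     $paramValue = $failedComparison->getParamValue();

     // Verify the param looks like SQLi to help reduce false positives.
     if (!wfWAFSQLiParser::testForSQLi($paramValue)) {
         return;
     }

     $category = $rule->getCategory();
     if ($updateFailedRules) {
         // Record the action under this method's own name. The previous entry
         // said 'blockXSS', which read as a copy-paste from the XSS handler and
         // mislabelled SQLi failures in the failedRules log.
         $this->failedRules[$paramKey][$category][] = array(
             'rule' => $rule,
             'failedComparison' => $failedComparison,
             'action' => 'blockSQLi',
         );
     }

     $e = new wfWAFBlockSQLiException();
     $e->setFailedRules(array($rule));
     $e->setParamKey($paramKey);
     $e->setParamValue($paramValue);
     $e->setRequest($this->getRequest());
     throw $e;
 }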
Пример #5
 /**
  * Renders this comparison in the rule language as
  * `action(expected, subject1, subject2, ...)`.
  *
  * The expected value is emitted as a variable reference when it is a
  * wfWAFRuleVariable, otherwise as an exported string literal.
  *
  * @return string
  * @throws wfWAFRuleException when the configured action is not a valid one
  */
 public function renderRule()
 {
     if (!$this->isActionValid()) {
         throw new wfWAFRuleException('Invalid action passed to ' . get_class($this) . ', action: ' . var_export($this->getAction(), true));
     }

     $renderedSubjects = array();
     /** @var wfWAFRuleComparisonSubject $subject */
     foreach ($this->getSubjects() as $subject) {
         $renderedSubjects[] = $subject->renderRule();
     }

     $expected = $this->getExpected();
     if ($expected instanceof wfWAFRuleVariable) {
         $renderedExpected = $expected->renderRule();
     } else {
         $renderedExpected = wfWAFRule::exportString($expected);
     }

     return sprintf('%s(%s, %s)', $this->getAction(), $renderedExpected, implode(', ', $renderedSubjects));
 }
Пример #6
 /**
  * Renders this object as an exported rule-language literal by delegating to
  * wfWAFRule::exportString().
  *
  * @return string
  */
 public function renderValue()
 {
     $exported = wfWAFRule::exportString($this);
     return $exported;
 }