• Resolved danlester

    (@danlester)


    David,

    I haven’t been able to find a direct email address for you, but please could you get in touch with me so I can advise of a security issue that needs fixing (there is a way to easily get around the privacy).

    You can email me here: [ email redacted, support is offered via the forums and not email ]

    Thanks,

    Dan

    https://www.remarpro.com/plugins/more-privacy-options/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Dan, if you’ve found a security problem with this plugin then please send an email with the details to plugins [at] www.remarpro.com.

    They can contact the plugin author directly and if necessary pull the plugin temporarily from the WordPress repository.

    Thread Starter danlester

    (@danlester)

    Thanks Jan, I have sent an email.

    Dan

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    To clarify, it’s not a security issue in that it makes the site less secure, it just breaks the plugin and stops it from working.

    I know it’s semantics, but … Eeeh. Anyway, I forwarded the email to David with a note about how I might fix it.

    Thread Starter danlester

    (@danlester)

    Absolutely – it’s not a WordPress security issue, but is an issue for the plugin in the sense that it’s aiming to offer security…

    Anyway, it will be easily fixed so no worry.

    Dan

    Plugin Author David Sader

    (@dsader)

    <?php
    // Request: /phptests/self.php?id=1
    // PHP_SELF is the script path only; the query string is not included
    // will display /phptests/self.php
    echo $_SERVER['PHP_SELF'];

    // REQUEST_URI is the raw request line, query string included
    // will display /phptests/self.php?id=1
    echo $_SERVER['REQUEST_URI'];

    The plugin was using REQUEST_URI, when PHP_SELF would be better.

    Fix coming.

    Thread Starter danlester

    (@danlester)

    David,

    PHP_SELF would definitely be better, but I’m not sure a straight switch in your code to this variable will be sufficient.

    It will depend on the web server configuration, but it could be possible to use a path in something like this manner:

    https://website.com/index.php/robots.txt/

    Sorry I haven’t had a chance to look into it properly, but you certainly should. On servers where permalinks aren’t possible, this path (or something similar) might cause concern.

    I could be wrong, but I think it needs more thought if you haven’t considered this possibility yet.

    Thanks,

    Dan
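The bypass Dan and David are discussing, written out as an added example; this is not code from the More Privacy Options plugin or from either poster. It builds three constructed $_SERVER arrays (a genuine /robots.txt request under pretty permalinks, a private-post request with "robots.txt" smuggled into the query string, and Dan's /index.php/robots.txt/ PATH_INFO form) and runs each through three versions of a robots.txt exemption check: one keyed on REQUEST_URI, one keyed on PHP_SELF, and one that compares only the exact path. The function names, the post ID 42 and the query parameter name are illustrative assumptions.

```php
<?php
// Added illustration for this thread; not code from the More Privacy Options
// plugin. The $_SERVER arrays below are constructed to mimic what Apache+PHP
// populate for three requests to a WordPress install whose .htaccess rewrites
// everything to index.php. Whether PATH_INFO is accepted at all depends on the
// web server configuration (e.g. Apache's AcceptPathInfo), as Dan notes.

// Naive exemption keyed on REQUEST_URI. REQUEST_URI carries the query string,
// so "robots.txt" anywhere in the URL, including after "?", passes the check.
function robots_by_request_uri(array $server): bool
{
    return strpos($server['REQUEST_URI'], 'robots.txt') !== false;
}

// Naive exemption keyed on PHP_SELF. PHP_SELF is SCRIPT_NAME plus PATH_INFO,
// so /index.php/robots.txt/ also passes. Under a rewrite to index.php the
// genuine /robots.txt request shows PHP_SELF as /index.php and does NOT pass.
function robots_by_php_self(array $server): bool
{
    $self = rtrim($server['PHP_SELF'], '/');
    return basename($self) === 'robots.txt';
}

// Hardened exemption: take only the path component of the request (query
// string dropped) and require it to equal the public path exactly. Neither
// the query-string trick nor the PATH_INFO trick survives this comparison.
// Inside WordPress the better choice is is_robots(): when it is true the
// template loader emits robots.txt output and stops, so the request can never
// reach a private post regardless of how the URL was shaped.
function robots_by_exact_path(array $server): bool
{
    $path = parse_url($server['REQUEST_URI'], PHP_URL_PATH);
    return $path === '/robots.txt';
}

// Constructed sample requests (labels and values are illustrative).
$requests = [
    'genuine /robots.txt' => [
        'REQUEST_URI' => '/robots.txt',
        'SCRIPT_NAME' => '/index.php',
        'PHP_SELF'    => '/index.php',
    ],
    'private post, robots.txt in query string' => [
        'REQUEST_URI' => '/?p=42&hint=robots.txt',
        'SCRIPT_NAME' => '/index.php',
        'PHP_SELF'    => '/index.php',
    ],
    'PATH_INFO after index.php' => [
        'REQUEST_URI' => '/index.php/robots.txt/',
        'SCRIPT_NAME' => '/index.php',
        'PHP_SELF'    => '/index.php/robots.txt/',
        'PATH_INFO'   => '/robots.txt/',
    ],
];

// PASS means the check would treat the request as the public robots.txt and
// let it through the privacy gate; fail means it would be subject to the gate.
foreach ($requests as $label => $server) {
    printf(
        "%-42s REQUEST_URI:%s  PHP_SELF:%s  exact-path:%s\n",
        $label,
        robots_by_request_uri($server) ? 'PASS' : 'fail',
        robots_by_php_self($server)    ? 'PASS' : 'fail',
        robots_by_exact_path($server)  ? 'PASS' : 'fail'
    );
}
```

Run with `php example.php`. The REQUEST_URI check passes all three requests, which is the original hole; the PHP_SELF check passes the PATH_INFO request and, under a rewrite to index.php, misses the genuine one, so a straight swap of the variable is not enough; only the exact-path comparison (or, inside WordPress, is_robots()) passes the genuine request and nothing else.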

  • The topic ‘David, please could you get in touch regarding a security issue?’ is closed to new replies.