Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author bsndev

    (@bsndev)

    Hi, thanks for the question. I will take a deeper look at this.

    I have this issue as well. I also have the core of my config file outside of my WordPress folder but it says I don’t since I can’t move the whole thing out. One directory up is another website. There should be a checkbox or something “yes it is secure” that can be checked if you KNOW it is secure.

    But yeah, the issue described by the first poster is an issue I have. However, I’m on webhostingpad.

    I’m also having that issue, on all my sites. Some are self-hosted on RedHat Linux, others on third-party hosting installations.

    A couple of questions: Isn’t a 255-character limit a little arbitrary? The allowable limit for URLs is much higher than that.

    But maybe it fails because of this: blockbadqueries.php is looking for a REQUEST_URI of greater than 255 characters. But the REQUEST_URI is the portion after the domain name. The Ultimate Security Checker test is only generating a query string 250 characters long:

    ‘long’ -> $this->gen_random_string(250),

    So when tested against the 255 value, won’t the URL generated by the test always pass, because it’s going to be at most 252 characters long?

    But that’s not it; I tried some URLs that are supposed to be trapped (after logging off my admin account):

    https://this.blogs.com/?12341234base640-982321
    https://this.blogs.com/?12341234base640-982321eval(xyzz);f4
    https://this.blogs.com/?eval(CONCAT(this+that))

    In each case, my server cheerfully returned a “200” server response. So is the problem with the blockbadqueries.php plugin itself?

    Is the $user_ID defined? Do the guys with black hats have one? If not, then it doesn’t even run the test. Same with current_user_can — what if there is no “current user”?

    When I commented out the tests for the existence of $user_ID and the ‘level_10’ access, bingo: my test URLs successfully failed, as it were.

    One more thing. WordPress on its own generates query strings longer than 255 characters. For example, if you empty your Akismet spam folder you’re going to have a URL somewhere around 700 characters. Same with any bulk approve/delete/spam actions you might take on comments.

    When you click you get the “white screen of death.” Click the back button and refresh, all your comments are untouched.
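The logic the poster above is reasoning about (a REQUEST_URI length cap, a signature match, and a test that is skipped whenever a logged-in administrator is present) is easy to model end to end. The following is an added example written for this page, not code from Block Bad Queries, Ultimate Security Checker or WordPress: the pattern list, the `old_filter`/`updated_filter` functions, the probe generator and the bulk-comment URL are all assumptions built from what the thread describes, and the 255 limit and the 250-character probe are the values quoted in the posts.

```python
import random
import re
import string
from typing import List, Optional

# Assumed, illustrative signatures in the spirit of the URLs the poster tried
# (base64, eval(, CONCAT(). This is NOT Block Bad Queries' real pattern list.
BAD_PATTERNS = [
    re.compile(r"base64", re.I),
    re.compile(r"eval\(", re.I),
    re.compile(r"concat\(", re.I),
]

OLD_MAX_URI_LEN = 255  # the limit the thread says the old plugin version enforced


def matches_bad_pattern(request_uri: str) -> bool:
    """True if REQUEST_URI (path + query, no scheme or host) hits any signature."""
    return any(p.search(request_uri) for p in BAD_PATTERNS)


def old_filter(request_uri: str, user_id: Optional[int], is_level_10: bool) -> int:
    """Model of the behaviour the thread describes for the old version.

    Returns the HTTP status the request would get: 403 (blocked) or 200.
    The test is skipped entirely for a logged-in level_10 user, which is the
    gap the poster found: an admin who clicks a hostile link is unprotected.
    """
    if user_id is not None and is_level_10:
        return 200  # the check never runs for a privileged, logged-in user
    if len(request_uri) > OLD_MAX_URI_LEN or matches_bad_pattern(request_uri):
        return 403
    return 200


def updated_filter(request_uri: str) -> int:
    """Model of the behaviour after the update described later in the thread:
    no length limit and no user-rights short-circuit; only the signatures decide."""
    return 403 if matches_bad_pattern(request_uri) else 200


def checker_probe(n: int = 250, seed: Optional[int] = None) -> str:
    """Reproduce the checker's "long" probe as the thread describes it: a random
    string of n characters sent as the query string. Returns the REQUEST_URI as
    the server sees it ("/?" + payload), so the length is n + 2, not n."""
    rng = random.Random(seed)  # seedable so the result is reproducible
    alphabet = string.ascii_letters + string.digits
    payload = "".join(rng.choice(alphabet) for _ in range(n))
    return "/?" + payload


def bulk_comment_action_uri(comment_ids: List[int]) -> str:
    """Constructed stand-in for the long REQUEST_URI WordPress builds for a bulk
    comment action (the "empty Akismet spam" case). Not WordPress' exact URL
    format; only its length matters for the false-positive shown here."""
    params = "&".join(f"delete_comments%5B%5D={cid}" for cid in comment_ids)
    return f"/wp-admin/edit-comments.php?action=spam&{params}"


if __name__ == "__main__":
    # The three URLs from the thread, reduced to their REQUEST_URI part.
    for uri in ["/?12341234base640-982321",
                "/?12341234base640-982321eval(xyzz);f4",
                "/?eval(CONCAT(this+that))"]:
        print(uri, "anonymous:", old_filter(uri, None, False),
              "admin:", old_filter(uri, 1, True), "updated:", updated_filter(uri))
    probe = checker_probe(seed=1)
    print("probe length", len(probe), "->", old_filter(probe, None, False))
    legit = bulk_comment_action_uri(list(range(1000, 1025)))
    print("bulk action length", len(legit), "old:", old_filter(legit, None, False),
          "updated:", updated_filter(legit))
```

Running it shows the three things the poster observed: the hostile URLs get a 200 from `old_filter` as soon as a level_10 user is logged in, the 250-character probe is 252 characters as seen by the server and so never trips a strictly-greater-than-255 check, and a ~700-character legitimate bulk-comment URL is blocked purely on length by the old rule while the signature-only rule lets it through.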

    Plugin Author bsndev

    (@bsndev)

    Hi everybody, thanks for your reports.

    tommcgee, rolandos, weareonesoul – I’ve updated the code of the plugin – removed the 255-character limit and the checks for user rights, since you might be logged in and click some link that will do a bad thing to your blog.

    weareonesoul, some people could misunderstand it if I didn’t put that message. Technically the config file still remains in an unsecured place. If you know that you can’t put it in the folder above – that’s OK, keep it in mind.

    So now it always states “Your blog can be hacked with malicious URL requests.” whenever I’m logged in with full credentials? I updated the plugin a while ago and now receive the warning mentioned above which was not shown with the old version of the plugin.

    Thread Starter rolandos

    (@rolandos)

    Now it’s OK for me. 96 of 104 security points. Rating ACAAAA, but with site at root of domain + fresh WP 3.1.2 install. Site in subdomain still states “Your blog can be hacked with malicious URL requests”. Both sites have the latest US Checker v.2.5.5 and the same BBQ plugin.

  • The topic ‘[Plugin: Ultimate Security Checker] Code check’ is closed to new replies.