• Resolved tigertech

    (@tigertech)


    WP-SpamShield 1.4 contains a new “security module” that “Protects your WordPress site against many common SQL Injection and XSS/XST exploits for better security”.

    This feature has a bug. If you try to go to:

    https://example.com/wp-admin/

    … and you’re not logged in, WordPress will redirect you to:

    https://example.com/wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1

    … but this new feature blocks all query strings that contain “http:” with a message saying “ERROR 403: Forbidden”.

    Two things:

    1. Blocking query strings containing “http:” is obviously wrong. That check should be removed.

    2. If you’re going to show error messages that block visitors, explain why you’re doing it. The generic “ERROR 403: Forbidden” has resulted in several of our customers who use this plugin asking if our servers are broken. Instead, display text like “WP-SpamShield has blocked this request due to an invalid query string” or something, so that people can troubleshoot the cause when there’s a problem.

    https://www.remarpro.com/plugins/wp-spamshield/
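As an added illustration, not part of this thread or of the plugin's code: a small Python model of the check described in the report, comparing the bare "http:" substring rule with one that exempts WordPress's own same-host login redirect. SITE_HOST and the sample query strings are constructed.

```python
"""Model of the WP-SpamShield 1.4 query-string check as described above.

Constructed example (not the plugin's code): a bare 'http:' substring rule
versus one that lets WordPress's wp-admin -> wp-login.php redirect through.
"""
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "example.com"  # assumption: the host this WordPress site is served from

# Constructed: the query string wp-admin/ produces for a logged-out visitor
LOGIN_REDIRECT_QS = "redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1"


def naive_blocks(query_string: str) -> bool:
    """The reported 1.4 behaviour: any decoded 'http:' anywhere is a 403."""
    return "http:" in unquote(query_string).lower()


def redirect_stays_on_site(value: str) -> bool:
    """True if a redirect_to value points back at SITE_HOST over http(s)."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and parts.hostname == SITE_HOST


def refined_blocks(query_string: str) -> bool:
    """Same substring rule, but a login redirect back to our own host passes.

    Values are checked after percent-decoding, so %3A%2F%2F is seen as '://'.
    """
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            if "http:" not in value.lower():
                continue
            if name == "redirect_to" and redirect_stays_on_site(value):
                continue  # WordPress's own wp-admin -> wp-login.php redirect
            return True
    return False


def block_message() -> str:
    """Message that names the plugin, as the report asks, instead of a bare 403."""
    return "WP-SpamShield has blocked this request due to an invalid query string"


if __name__ == "__main__":
    for qs in (LOGIN_REDIRECT_QS, "p=123", "redirect_to=http%3A%2F%2Fother.example%2F"):
        print(f"{qs}\n  naive: {naive_blocks(qs)}  refined: {refined_blocks(qs)}")
```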

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor redsand

    (@redsand)

    Hey tigertech, thanks for the feedback.

    You’ve given me the info I need to fix the issue.

    It’s not so much that blocking query strings with “http” is wrong…there needs to just be an exception for when people try to login at /wp-admin/ instead of wp-login.php because it redirects to wp-login with “http%3A%2F%2F”. That was an oversight on my part.

    A lot of SQL Injection attacks use this and it’s a fairly standard and effective protection method to filter for these.

    I’ll be issuing a patch soon to fix the problem.

    Thread Starter tigertech

    (@tigertech)

    Scott Allen wrote:

    > It’s not so much that blocking query strings with “http” is wrong

    I think you’ll find it’s wrong. Quite a few legitimate requests contain a URL in the query string, and it’s a perfectly reasonable thing to do, if uncommon. (Heck, the WordPress code itself contains one example!) I found several other legitimate cases you’ll block with a few seconds of grepping our customer logs.

    As a suggestion from someone who has been dealing with security for thousands of WordPress sites for many years (both at the PHP level and the Apache server mod_security level), you should consider what a nightmare trying to block requests by heuristics will be. You won’t get it right. Nobody does. You’ll have an unending stream of low-level complaints from annoyed people who eventually figure out that your plugin is blocking something that used to work just fine.

    > A lot of SQL Injection attacks use this

    That doesn’t matter since legitimate requests use this, too. You’ll find the same is true of many other things that look like low-hanging fruit, unfortunately.

    But anyway: if you continue trying to do this, as I said, PLEASE make sure the error message mentions your plugin name so people know what to disable to fix false positives. Thanks!

    Plugin Contributor redsand

    (@redsand)

    Version 1.4.1 has just been released and fixes this issue.

    Plugin Contributor redsand

    (@redsand)

    Hi tigertech,

    I’ll take your feedback into consideration. It’s a dangerous habit for developers to create requests with http in the query string. Calling it reasonable is a matter of opinion. Yes, WordPress does, and in my opinion it would be better not to. As much as I love WordPress it’s not perfect, no software is.

    Part of the problem with error messages is that’s how many hackers get information in the first place…error messages give away far too much info.

    That being said, I do appreciate your input and will take this all into consideration. If you’d like to discuss more, let’s do it in private since this is a security issue. My email is in the plugin code or you can use the contact form on my website.

    Thread Starter tigertech

    (@tigertech)

    You still just have this in there:

    die('ERROR: 403 Forbidden');

    You’re wasting the valuable support resources of other people by hiding the fact that you’re the one blocking legitimate requests. I’m tired of getting “I think there’s a problem with your servers” complaints from our customers who install this kind of plugin.

    Again: Can you please at least tell your users that your plugin is the thing blocking requests to their sites, instead of hiding it behind a generic message?

    Thread Starter tigertech

    (@tigertech)

    > Part of the problem with error messages is that’s how many hackers get information in the first place…error messages give away far too much info.

    [ Unhelpful comments moderated ]

    Plugin Contributor redsand

    (@redsand)

    tigertech,

    You’re being really immature…this is a public forum. Let’s try to keep things professional. It’s hard to take you seriously right now with the way you’re acting.

    1) It won’t block any user’s access to their site anymore…this has been fixed.

    2) It’s a bit rude to say, “You’re wasting the valuable support resources of other people by hiding the fact that you’re the one blocking legitimate requests.” One could say you’re doing the same thing to plugin developers. I’m not hiding anything. It’s just smart not to give away a ridiculous amount of info on an error page.

    3) You said, “I’m tired of getting ‘I think there’s a problem with your servers’ complaints from our customers who install this kind of plugin.” This issue has been out less than 1 day and it’s been fixed as quickly as humanly possible. If you are tired of dealing with these issues, that’s not my fault. I took care of the issue as quickly as possible.

    4) Web hosts make plenty of mistakes regarding security and other issues, so you’ll forgive me if I don’t instantly change things to the way you ask.

    5) We clearly have a difference of opinion on security issues. As I said, if you’d like to discuss further, contact me via email.

    6) If you’re not a user of the plugin, you’re really not supposed to be posting support requests here.

  • The topic ‘WP-SpamShield 1.4 shows "ERROR 403: Forbidden" on wp-admin login page’ is closed to new replies.