[Resolved] Nephalem (@nephalem)


    Under normal circumstances, the hidden URL prevents people from finding the login page, as it is supposed to, but there’s a very simple way to bypass this security in Mozilla Firefox. Instead of typing this:

    https://www.mysite.com/wps-login.php (which is futile),

    you can use a coded version of this URL:

    https://www.mysite.com/%77%70%2D%6C%6F%67%69%6E.%70%68%70

    …and your browser will display the hidden URL login page. It looks like a security glitch. Firefox resolves the encoded URL in such a way that your WPS Hide Login lets the resolved URL go through like a correct hidden URL.

    This is confirmed on Mozilla Firefox. Other browsers (like MSIE) can’t use this method for revealing the correct hidden login page. I would like to see if other people can confirm this behavior as well.

    https://www.ads-software.com/plugins/wps-hide-login/

Viewing 15 replies - 1 through 15 (of 17 total)
    I confirm Firefox and Safari on Mac OS X reveal the hidden login URL.

    @nephalem for security reasons – perhaps this thread needs to be removed and sent directly to the developer?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    If I understand what this plugin does, there’s no security issue. It just hides the login page. Big deal. As long as you have good passwords and well secured site, you’re OK.

    The issue is whether the plugin works as it should, not whether your site is secure.

    thumbs up

    • This reply was modified 7 years, 10 months ago by nicozanches.

    Hi,

    Not only via {your-site}/wp-admin/wp-register.php; you can also bypass the login URL via {your-site}/wp-admin/customize.php. But so far I haven’t received any brute-force attack on my login URL.

    Thanks.

    I can verify that this plugin can be bypassed using {your-site}/wp-admin/customize.php, which is disappointing. I did a band-aid fix by blocking all access to customize.php, as I never use it. Not sure what to do about the other bypass URLs. Disappointing, as this used to be a very good plugin; now it’s so-so. MTN

    I have tried all permutations of the above in Firefox and none of them allow a user to log in, or even display a login page. They all go back to the main page.
    I use a redirect for any pages not on my sites to take them back to the main page.

    My tests were in Chrome browser. Glad to hear the plugin works correctly in Firefox. It needs to work with _all_ browsers to not be deemed defective, lame, and worse. MTN

    @tabrisrp, You might be interested in how iThemes Security is approaching this. They seem to have a combination of actions and filters that are working for them. https://github.com/wp-plugins/better-wp-security/blob/master/core/modules/hide-backend/class-itsec-hide-backend.php

    Please correct me if I’m wrong but the OP and others appear to be misunderstanding what this plugin does.

    It is meant to allow you, the site owner, to alter the admin and login paths from something guessable (like /wp-login.php) TO something unguessable.

    It is not designed to block someone who already knows the paths; whether by URL encoding or not.

    • This reply was modified 7 years, 6 months ago by willberforce.

    @willbeforce, It isn’t clear, but OP’s encoded version is actually the encoded version of the guessable https://www.mysite.com/wp-login.php. The plugin was revealing the hidden path after being passed an encoded guessable path.

    @claytonl – sorry, yes, forgive me, I think I misunderstood the issue.

    On testing, WP is redirecting from the following to the hidden login page.

    /wp-admin/customize.php
    /wp-register.php
    /%77%70%2D%6C%6F%67%69%6E.%70%68%70

    Does anyone have a working fix?

    Presumably wp-register is unlikely to be necessary in most scenarios if the login URL is being obfuscated.

    wp-customize and the encoded wp-login.php must be fairly easy to block in htaccess – though this mod prides itself on being non-htaccess based, so a redirect to 404 on path hook would do the job.

    Thinking out loud.
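    The three paths listed above all reach the hidden login page because the plugin compares the raw request path with the stock entry points before the percent-encoding has been undone. Below is an added example (not code from the WPS Hide Login plugin or from any poster in this thread) of the normalisation step a "404 on path hook" would need: it percent-decodes the request path, collapses dot-segments, and only then compares it against the stock WordPress paths the thread names. The `PROTECTED_PATHS` set and the `hidden_login_slug` parameter are assumptions for illustration; the sample request paths in `demo_requests` are constructed. The check goes slightly beyond the thread by also unwrapping double-encoded paths (`%25` followed by two hex digits) and `..` segments, since either would otherwise slip past a plain string comparison.

```python
# Added example: normalise a request path before deciding whether it targets a
# stock WordPress entry point. Not the plugin's own code; PROTECTED_PATHS and
# the hidden_login_slug parameter are assumptions made for this illustration.
import posixpath
from urllib.parse import unquote

# Stock WordPress paths that the forum thread reports as leading to the
# hidden login page when requested directly or in percent-encoded form.
PROTECTED_PATHS = {
    "/wp-login.php",
    "/wp-register.php",
    "/wp-admin/customize.php",
}


def normalize_path(raw_path: str) -> str:
    """Return a canonical form of a request path for comparison.

    Strips the query string, percent-decodes until another pass changes
    nothing (so doubly encoded paths are unwrapped too), normalises '.',
    '..' and repeated slashes, and lowercases the result.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(5):  # bounded so a pathological input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def should_block(raw_path: str, hidden_login_slug: str) -> bool:
    """Decide whether a request should receive a 404 instead of the login page.

    The owner's chosen hidden slug is always allowed through; any spelling
    of a stock entry point is blocked once normalised.
    """
    path = normalize_path(raw_path)
    if path == "/" + hidden_login_slug.strip("/").lower():
        return False
    return path in PROTECTED_PATHS


def demo_requests(hidden_login_slug: str = "my-secret-door") -> dict:
    """Classify a few constructed request paths; returns {path: blocked?}."""
    samples = [
        "/wp-login.php",                                  # plain stock path
        "/%77%70%2D%6C%6F%67%69%6E.%70%68%70",            # encoded spelling from the thread
        "/wp-admin/customize.php?return=%2F",             # customizer with a query string
        "/wp-admin/../wp-register.php",                   # dot-segment variant
        "/%2577%2570-login.php",                          # double-encoded 'wp'
        "/" + hidden_login_slug,                          # the owner's hidden URL
        "/wp-content/uploads/logo.png",                   # ordinary asset, must pass
    ]
    return {p: should_block(p, hidden_login_slug) for p in samples}


if __name__ == "__main__":
    for path, blocked in demo_requests().items():
        print(f"{'404' if blocked else 'pass':4} {path}")
```

    Hooking this into WordPress would mean running `should_block` on the request path early in the request (the thread suggests a path hook rather than `.htaccess`) and returning a 404 when it is true; the decision logic itself is independent of where it is called from.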

    Wellll, my understanding is that wp-register.php is deprecated; WordPress runs without it and it shouldn’t exist in a current install. I deleted it a long time ago. Just for grins, I keep wp-register.php blocked using both Wordfence and .htaccess.

    Something must have changed.

    Without the Wordfence blocking I get a “this has been disabled” message in IE, and Chrome when browsing to
    website/wp-admin/customize.php/wp-register.php/%77%70%2D%6C%6F%67%69%6E.%70%68%70

    BUT, if I browse to //www.mysite.com/%77%70%2D%6C%6F%67%69%6E.%70%68%70
    The only thing stopping it from landing on wp-login.php is the blocking of wp-login.php in my .htaccess.

    So, suggestions: test the plugin with the permutations above. Check to be sure wp-register.php doesn’t exist on your server, and block wp-login.php in your .htaccess.

    In other words, WPS Hide Login can be bypassed to one degree or another, and it requires testing and tweaking of the server configuration for it to work as advertised.

    MTN

    Ok I have a solution:

    I installed the BPS security plugin with default settings, ran the wizard, and it’s blocking the URL-encoded path and wp-login.php – showing a 404 for each.

    It wasn’t doing wp-register.php, so I added this file to the htaccess custom code as follows:

    Root htaccess (BOX 6):

    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    RedirectMatch 404 wp-register\.php$

    Save
    Activate

    This successfully 404s these 3 URLs.

    It’s an easy fix. A more elegant solution would be for the plugin itself to prevent these redirects via hooking.

    nice

The topic ‘The hidden URL can be bypassed in Firefox’ is closed to new replies.