• Resolved Fabio

    (@origamifc)


    Hi, as soon as I installed the above mentioned plugin on my site, I started receiving emails from Wordfence regarding an increased attack rating.
    The content of the email reports a list of issues such as the one I paste below:

    novembre 26, 2018 11:55am 66.249.93.205 (Unknown) Blocked for LFI: Local File Inclusion in query string: source=*site-path*/image.jpg

    The webp express plugin basically serves a webp version of the images uploaded on my website, and I’m afraid that this triggers the wordfence alert.
    Is that just a false positive or should I be concerned?
    How can it be fixed?
    Thanks for the help.

Viewing 6 replies - 1 through 6 (of 6 total)
  • NOT-IN-USE-DELETE

    (@rogerwheatley)

    While my comment (here) is not able to offer helpful input, I too would be very interested in any work around (or caveat) regarding this. Thank you!

    wfdave

    (@wfdave)

    Hi @origamifc and @rogerwheatley!

    This seems to be caused by ?source=../ which is found within /wp-content/plugins/webp-express/test/test-run.php on line 426.

    The solution would be to whitelist this query string within the Wordfence firewall.

    1. Go to Wordfence -> All Options -> Whitelisted URLs
    2. Type / for URL
    3. Choose Param Type: Query String
    4. Type source for Param Name
    5. Click Save Changes in the top-right corner

    Dave

    rosell.dk

    (@roselldk)

    Hi,

    I am the author of WebP Express.
    Thanks for finding the source of the problem for me

    I will see if I can change the plugin so it does not trigger an LFI warning in the first place.

    I however cannot reproduce the problem. Is there perhaps some option I need to enable? Can you guide me on how to trigger the LFI warning?

    Will it perhaps solve the problem if, instead of passing a complete file path in the URL, it just passes a path relative to the document root? And perhaps not to the file, but only to the containing folder. Encoding the path, making it unrecognizable as a path, ought to work, right? (i.e. replacing ‘/’ with ‘//’).

    Thanks,
    Bjørn

    Hi @roselldk,

    I’m still testing Wordfence + WebP Express by sifting through the source code for both plugins.

    I’ll try to get back to you as soon as possible

    Dave

    Fixed in 0.8.0, which has just been released. Users of WebP Express will have to click the “Save settings and force new .htaccess rules” in order to update the .htaccess rules and avoid the LFI block.

    Besides the issue in test-run.php, there was also a problem with the line in .htaccess that passed the source argument to the PHP script. It was passing it like this: ?source=%{SCRIPT_FILENAME}. I have changed it so it now passes it like this: ?xsource=x%{SCRIPT_FILENAME}. By putting an x before the path, the LFI rule is bypassed.

    The whole story is here: https://github.com/rosell-dk/webp-express/issues/87

    Thread Starter Fabio

    (@origamifc)

    Hi, thanks for all the efforts, I’ll check it out asap on my site and let you know.

  • The topic ‘Increased attack rate alert after installing webp express plugin’ is closed to new replies.