[Plugin: Members Only] Bypassed by adding variable to url
-
This plugin can easily be bypassed by adding
?blah="wp-login.php"
or even just ?wp-login.php
to the end of the url.
-
Thank you mrgreen – well spotted! I used a very poorly thought-out preg_match on the URL. I’ve fixed this in version 0.4 which I will release tonight.
If you want to manually fix the plugin in the meantime change this line of code:
if ($currenturl == $redirection || $currenturl == $redirection.'/' || preg_match("/wp-login.php/i", $_SERVER["REQUEST_URI"]) || preg_match("/wp-register.php/i", $_SERVER["REQUEST_URI"]) || preg_match("/wp-admin/i", $_SERVER["REQUEST_URI"]))
to this:
if ($currenturl == $redirection || $currenturl == $redirection.'/' || preg_match('/http:\/\/[^\/]+\/wp-login\.php/', $currenturl) || preg_match('/http:\/\/[^\/]+\/wp-register\.php/', $currenturl) || preg_match('/http:\/\/[^\/]+\/wp-admin/', $currenturl))
/ Hami
Members Only 0.4 uploaded to the SVN. Should be available very shortly.
https://www.ads-software.com/extend/plugins/members-only/
/ Hami
It’s available – everyone please update. Thank you again mrgreen for spotting this.
/ Hami
The fix in 0.4 did not work as intended, as you could still add the full url of wp-login.php as a variable and bypass the check.
I’ve released 0.4.1 which actually fixes the flaw. The preg_match now uses parse_url to check only the path of the url and nothing else. All users using Members Only should upgrade to version 0.4.1 as soon as possible to avoid this flaw being taken advantage of.
/ Hami
I’ve improved the security again with version 0.4.2. I’ve replaced all preg_match calls with strpos, except for checking for wp-admin URLs, and also parse the URL first. That should be the end of variable hacks.
I’ve also added checking for 404 pages; they now redirect to the login page too. This involved changing when the plugin is called from init back to wp_head, otherwise 404 pages can’t be redirected. If this causes problems, like the ‘Cannot modify header information’ error, you can change this back to init but a 404 page will be able to be seen as normal.
/ Hami
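The checks discussed in the 0.4, 0.4.1 and 0.4.2 posts above, as an added example that is not the plugin's own code: the original REQUEST_URI regex check quoted in the thread beside a parse_url() path check, run against constructed request URIs including the two bypasses mrgreen reported and the full-URL-in-a-variable bypass that defeated 0.4. It assumes WordPress is installed at the root of the host; the normalize_path helper, the example.test hostname and the sample URIs are assumptions for this example, not part of the plugin.

```php
<?php
// Added example (not the Members Only plugin's own code): the REQUEST_URI regex
// check quoted in the thread next to a parse_url()-based check that looks only at
// the path, exercised against constructed request URIs. Assumes WordPress is
// installed at the root of the host; a subdirectory install would need the install
// path stripped from $path before the comparisons.

// The original check: substring regexes over the whole REQUEST_URI. Anything that
// mentions wp-login.php anywhere, including in the query string, is exempt from
// the login redirect, which is mrgreen's bypass.
function is_exempt_original(string $request_uri): bool {
    return preg_match('/wp-login.php/i', $request_uri)
        || preg_match('/wp-register.php/i', $request_uri)
        || preg_match('/wp-admin/i', $request_uri);
}

// Percent-decode the path and resolve "." and ".." segments so the comparison sees
// the path the web server will actually map rather than an encoded or dot-segment
// spelling of it. Added here as a precaution; it is not a bypass reported in the thread.
function normalize_path(string $path): string {
    $segments = [];
    foreach (explode('/', rawurldecode($path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    $normalized = '/' . implode('/', $segments);
    if ($normalized !== '/' && substr($path, -1) === '/') {
        $normalized .= '/';
    }
    return $normalized;
}

// Hardened check: only the path component matters (parse_url discards the query
// string and fragment), the login/register scripts must be the whole path, and
// wp-admin must be the first segment, so "/wp-admin-lookalike/" is not exempt.
function is_exempt_hardened(string $request_uri): bool {
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return false; // unparsable or empty path: treat as protected content
    }
    $path = normalize_path($path);
    if ($path === '/wp-login.php' || $path === '/wp-register.php') {
        return true;
    }
    return $path === '/wp-admin' || strncmp($path, '/wp-admin/', 10) === 0;
}

// Constructed request URIs and whether each should be exempt from the redirect.
$cases = [
    ['/wp-login.php',                                           true],
    ['/wp-login.php?redirect_to=%2F2008%2F02%2Fhello-world%2F', true],
    ['/wp-admin/',                                              true],
    ['/wp-admin/options-general.php',                           true],
    ['/2008/02/hello-world/',                                   false],
    ['/2008/02/hello-world/?blah=wp-login.php',                 false], // first bypass in the thread
    ['/?wp-login.php',                                          false], // second bypass in the thread
    ['/?p=1&x=http://example.test/wp-login.php',                false], // the 0.4 bypass: full URL in a variable
    ['/wp-admin-lookalike/',                                    false], // a bare strpos() === 0 would accept this
    ['/wp-admin/../2008/02/hello-world/',                       false], // dot segments resolved before comparing
];

$failures = 0;
foreach ($cases as [$uri, $expected]) {
    $original = is_exempt_original($uri);
    $hardened = is_exempt_hardened($uri);
    if ($hardened !== $expected) {
        $failures++;
    }
    printf("%-58s original=%-3s hardened=%-3s %s\n",
        $uri,
        $original ? 'yes' : 'no',
        $hardened ? 'yes' : 'no',
        $hardened === $expected ? 'ok' : 'MISMATCH');
}
exit($failures === 0 ? 0 : 1);
```

Run it with the php command-line binary; it prints one line per URI showing what each check decides and exits non-zero if the hardened check disagrees with the expected column. The exact-filename and first-segment matching is deliberately tighter than a bare strpos() === 0 on the path, which would also exempt any path that merely begins with "/wp-admin".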
ok, then where can we download version 0.4.2?
we are getting this ERROR! please help
Warning: Cannot modify header information – headers already sent by (output started at /home/7946/domains/oururl.com/html/wp-content/themes/default/header.php:2) in /home/7946/domains/oururl.com/html/wp-content/plugins/members-only/members-only.php on line 97
Have you edited/modified your header.php or viewed either the plugin or header.php in an online editor?
If so can you send me your header.php to [email protected] as I think it could be the infamous white space problem – which is either a space or a blank line in your header.php (or the plugin) before or after <?php and ?>. If you send it to me I’ll have a look.
If you opened up the plugin in an editor, can you try replacing it with a copy straight from the zip (i.e. without opening it first) and see if the problem persists.
/ Hami
Can you also let me know what other plugins you’re using?
/ Hami
It’s still not secure. If you load a post by the permalink (/archives/%year%/%monthnum%/%postname%/) login is completely bypassed.
Hi Chris,
Can you clarify further. On both my WordPress testbeds I can’t seem to replicate this problem.
https://mydomain.tld/2008/02/hello-world/ correctly redirects to https://mydomain.tld/wp-login.php?redirect_to=/2008/02/hello-world/
https://mydomain.tld/archives/2008/02/hello-world/ first redirects to https://mydomain.tld/2008/02/hello-world/ then to https://mydomain.tld/wp-login.php?redirect_to=/2008/02/hello-world/
Without permalinks https://mydomain.tld/?p=1 correctly redirects to https://mydomain.tld/wp-login.php?redirect_to=/?p=1
In your situation this could be one of three things. Firstly you need to have <?php wp_head(); ?> somewhere in between <head> and </head> in your header.php for your theme in order for the plugin to work. I’m guessing this is your problem, rather than the second option, which is to double-check that Members Only is turned on in its settings page, or the third option, to double-check you’re not logged in to your site.
Obviously if this isn’t the case please let me know and I’ll try and track down the problem.
/ Hami
Ok, it’s on, it’s configured and at least now I’m getting an error:
Warning: Cannot modify header information – headers already sent by (output started at /home/*/public_html/journal/wp-content/themes/*/header.php:11) in /home/*/public_html/journal/wp-content/plugins/members-only.php on line 97
Line 11 in my theme’s header.php is:
<title><?php bloginfo('name'); ?><?php if ( is_single() ) { ?>» journal <?php } ?><?php wp_title(' » ',true); ?></title>
So, I don’t doubt that it works, it’s just not working for me. I’ll report back if I find the specified issue.
Hi Chris,
I think this may be the infamous white space problem that you get when sending the header command. Check whether there is a blank line or space either before the first <?php or after the last ?> in your header.php.
/ Hami
BTW I’m using wp 2.5. I turned all other plugins off but this one switched to the default wp theme and it’s still not working and I’m still getting an error:
Warning: Cannot modify header information – headers already sent by (output started at /home/*/public_html/journal/wp-content/themes/default/header.php:2) in /home/*/public_html/journal/wp-content/plugins/members-only.php on line 97
Thanks Chris, maybe I have a white space in the plugin – I’ll have a triple-check for it and upload a new one today as 0.4.3 fixes a bug with redirecting to specific page.
A few people get this problem but the vast majority don’t. The other thing in common could be the host (and their PHP configuration), is the * in your path a four digit number by chance?
In the meantime you can change where the plugin is called to get around this issue.
Change this line…
add_action('wp_head', 'members_only');
to this…
add_action('init', 'members_only');
/ Hami