• Resolved pao2

    (@pao2)


    Hi, I have a PHP script for sending email which gets triggered via AJAX. When malicious requests (injection via form, for example) are “detected & blocked by Firewall”, why does the script still get executed and therefore send mails?

    Firewall Status: Enabled, Extended Protection is enabled.

    Can anyone elaborate?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @pao2 and thanks for reaching out to us!

    Could you post a screenshot of the Tools > Live Traffic hit that is showing this script being run?

    I would like to see what IP is hitting and also what its accessing.

    Thanks!

    Thread Starter pao2

    (@pao2)

    Hi @wfadam,

    The live traffic only shows the blocked requests with SQL injection body:
    request.body[utm_source]=(select(0)from(select(sleep(9)))v)/*'+(select(0)from(select(sleep...

    Maybe I was just being careless since Wordfence clearly blocked them in the traffic logs, but there’s no sign of my script’s AJAX action name in any of the bodies of the requests. How does one execute an AJAX action without even calling its action name?

    Any idea?

    Plugin Support WFAdam

    (@wfadam)

    I’d suggest that you look at the site’s raw access logs, to see if there are additional hits that don’t appear in Live Traffic. AJAX hits are not normally logged in Live Traffic unless they’re blocked, so if someone is running a scanner against the site, it’s possible there were AJAX hits mixed in with the blocked hits.

    For your other question, you normally can’t call an AJAX action without using its name, but it can be in the POST body. Since the full body isn’t shown in Live Traffic when it’s long, it’s possible it appears later in the hit if the hit was actually blocked, but it’s more likely that there are other hits, since the script is actually sending mail.

    Another possibility is that the script isn’t written correctly, and it’s possible for the code to run without actually calling the action properly. For example, if the AJAX action includes another .php file, but that script is publicly accessible, it may be possible to hit it directly. That should be relatively rare though.

    Let me know what you find!

    Thanks!
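As an added illustration of the points in the reply above (this is example code, not from the thread, from the original poster's script, or from Wordfence): a public-facing WordPress mail endpoint registered on the `wp_ajax_nopriv_` hook the way the poster describes, with the checks that keep it from running unless the named action is genuinely invoked through admin-ajax.php. The action name `contact_send`, the handler, the field names and the throttle limits are all hypothetical.

```php
<?php
// Added example (hypothetical plugin code): a public mail endpoint that only
// runs when called through admin-ajax.php with its action name and a valid nonce.
// 1. Guard against direct access: if this file is requested by URL instead of
//    being loaded by WordPress, ABSPATH is undefined and we stop immediately.
//    This covers the "included .php file hit directly" case from the reply above.
defined( 'ABSPATH' ) || exit;
// 2. Register the handler for logged-out visitors (public form) and logged-in users.
add_action( 'wp_ajax_nopriv_contact_send', 'contact_send_handler' );
add_action( 'wp_ajax_contact_send',        'contact_send_handler' );
// 3. Hand the nonce and endpoint URL to the front-end script that makes the AJAX call.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'contact-form', plugins_url( 'contact.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'contact-form', 'contactForm', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'contact_send' ),
    ) );
} );
function contact_send_handler() {
    // Only accept POST; AJAX actions are reachable via GET too unless you refuse it.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }
    // Nonce bound to this action: a scanner spraying admin-ajax.php without the
    // page's token is stopped here with a 403 before any mail logic runs.
    check_ajax_referer( 'contact_send', 'nonce' );
    // Honeypot field: automated submitters tend to fill every input, real users never see it.
    if ( ! empty( $_POST['website'] ) ) {
        wp_send_json_error( 'rejected', 400 );
    }
    // Cheap per-IP throttle via a transient: at most 5 sends per 10 minutes.
    // Behind a reverse proxy REMOTE_ADDR is the proxy, so key on the real client IP there.
    $key   = 'contact_rl_' . md5( $_SERVER['REMOTE_ADDR'] );
    $count = (int) get_transient( $key );
    if ( $count >= 5 ) {
        wp_send_json_error( 'too many requests', 429 );
    }
    set_transient( $key, $count + 1, 10 * MINUTE_IN_SECONDS );
    // Sanitize inputs before they reach wp_mail(); never pass raw $_POST through.
    // sanitize_email() also strips newlines, so the Reply-To header cannot be injected.
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( ! is_email( $email ) || '' === $message ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $sent = wp_mail( get_option( 'admin_email' ), 'Contact form', $message, array( 'Reply-To: ' . $email ) );
    $sent ? wp_send_json_success() : wp_send_json_error( 'mail failed', 500 );
}
```

For logged-out visitors a nonce stops blind sprays at admin-ajax.php but not a client that loads the page first and reuses the token, which is why a CAPTCHA, as the poster later added, is the complementary control.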

    Thread Starter pao2

    (@pao2)

    you normally can’t call an AJAX action without using its name, but it can be in the POST body. Since the full body isn’t shown in Live Traffic when it’s long

    I’m going to take this as a possible case, though unfortunately the raw log doesn’t record the request body.
    The code itself is in a standard WordPress AJAX hook callback with no privileges, since this is public facing, so that’s it really. I suppose I should’ve made use of some sort of reCAPTCHA solution to protect the AJAX endpoint.

    Thank you.

    Plugin Support WFAdam

    (@wfadam)

    Were you able to find any solution to this?

    Just wanted to make sure you were all set.

    Thanks!

    Thread Starter pao2

    (@pao2)

    Unfortunately I couldn’t find a definite answer, but I guess it’s fine: nothing requires a privileged action in that script, plus I have implemented reCAPTCHA. You can mark this thread as resolved.

    Thanks for your advice.

  • The topic ‘Script still gets executed even though malicious request blocked by Firewall’ is closed to new replies.