Bev
Forum Replies Created
Is there a way I can immediately lock out users that try to access vulnerable URLs? For example, I see a lot of the following in the live traffic:
… blocked by firewall for Directory Traversal – wp-config.php in query string: files=..%2F..%2F..%2F..%2Fwp-config.php
I would want anyone attempting access like this to be locked out of ALL access for several days. Right now it looks like they are still allowed in even though it is obvious they are attempting to hack in.
I had hoped the setting for 404s for known vulnerable URLs was still available, and I would set it to block after one attempt. I would not want a 404 on a valid page to cause a block.
Forum: Plugins
In reply to: [Spiffy Calendar] Publish calendar to web
The calendar must be displayed in a WordPress page or post on a WordPress website. You could embed a post in an iframe.
I have confirmed that the same issue is causing tickets sold under 2.9.12 to fail to print with 2.9.14. Somewhat unfortunate as we are in the middle of ticket sales, but at least there is an explanation.
The error is “You do not have permission to download this file”. The download file specified was uploaded by EDD.
I did some debugging and tracked the problem to the function edd_get_download_token in download-functions.php. This function changed between 2.9.12 and 2.9.14 on line 1211:
2.9.12: $token = md5( $parts['path'] . '?' . $parts['query'] );
2.9.14: $token = hash_hmac( 'sha256', $parts['path'] . '?' . $parts['query'], wp_salt( 'edd_file_download_link' ) );
This causes the token generated in 2.9.12 to fail the test when used with 2.9.14.
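To make the mismatch concrete, here is an added Python model of the two token computations (not EDD's own code; the salt and the purchase link are constructed stand-ins for wp_salt('edd_file_download_link') and a real download URL). It shows why a link minted under 2.9.12 fails the 2.9.14 check, and why the keyed HMAC is the sounder scheme: an unkeyed md5 depends only on the URL itself, so it proves nothing about who minted the link.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for wp_salt('edd_file_download_link'); a real site
# keeps this value secret and it differs per installation.
SALT = b"constructed-example-salt-not-a-real-secret"

# Constructed download link; the query parameters are illustrative only.
LINK = "https://example.test/?download_file=1&expire=1600000000"


def _path_and_query(url: str) -> str:
    """Mirror the PHP expression $parts['path'] . '?' . $parts['query']."""
    parts = urlparse(url)
    return parts.path + "?" + parts.query


def token_2_9_12(url: str) -> str:
    """Old scheme (2.9.12): unkeyed MD5 over path and query."""
    return hashlib.md5(_path_and_query(url).encode()).hexdigest()


def token_2_9_14(url: str, salt: bytes = SALT) -> str:
    """New scheme (2.9.14): HMAC-SHA256 keyed with the site salt."""
    return hmac.new(salt, _path_and_query(url).encode(), hashlib.sha256).hexdigest()


def verify_2_9_14(url: str, presented: str, salt: bytes = SALT) -> bool:
    """The post-upgrade check: recompute the keyed token and compare in constant time."""
    return hmac.compare_digest(token_2_9_14(url, salt), presented)


def old_link_still_valid() -> bool:
    """A token from a pre-upgrade email, checked by the post-upgrade code."""
    return verify_2_9_14(LINK, token_2_9_12(LINK))


def reissued_link_valid() -> bool:
    """A token freshly minted after the upgrade (the resent purchase link)."""
    return verify_2_9_14(LINK, token_2_9_14(LINK))


if __name__ == "__main__":
    print("old 2.9.12 token accepted by 2.9.14:", old_link_still_valid())
    print("reissued 2.9.14 token accepted:", reissued_link_valid())
```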
I ran another test using downloads instead of tickets and deactivated all other plugins.
I created a download on version 2.9.12 and bought it. The download link in the email worked fine. Then I upgraded to 2.9.14 EDD and tried the link and it gives a permission error. If I resend the purchase link then it works again. If I switch back to version 2.9.12 the old link works again and the new link fails.
I am running WP 5.2 with only EDD installed.
I did some more testing on my test site.
FYI I am using Event Tickets, Event Tickets Plus, and Easy Digital Downloads. If I buy a ticket with version 2.9.12 of EDD and view the ticket with 2.9.13 it shows a list of posts.
I did a re-install and the problem persists.
It displayed a list of posts from the website. I poked around and found the following warning logged around the same time:
PHP Warning: require_once(*****/wp-content/plugins/easy-digital-downloads/includes/admin/settings/register-settings.php): failed to ope
I did a lot of digging and added some logging to try to understand what was happening. I discovered that the login attempts that are not being blocked are made with an empty password. I wonder whether these attempts should be blocked due to the invalid username, rather than giving the 200 success return and the standard WordPress “ERROR: The password field is empty.” page. I am not sure why these bots are attempting logins with blank passwords.
I think it would be helpful if the Live Traffic display contained a bit more information.
Currently I see this when an invalid username/empty password is attempted:
Type: Failed Login West Palm Beach, United States attempted a failed login using an invalid username “Admin”.
A better message would include $authUser->get_error_code():
Type: Failed Login West Palm Beach, United States attempted a failed login using an invalid username “Admin”, failed due to empty password.
Or even better:
Type: Blocked West Palm Beach, United States attempted a failed login using an invalid username “Admin”, failed due to empty password.
My issue is that the login attempts were not actually blocked, they were logged as failed login attempts but were not blocked.
Forum: Plugins
In reply to: [Donation Thermometer] Buy the author a coffee button appears on all plugins
Thanks for the quick fix.
I have done some testing with and without JavaScript enabled to compare the results with V2 and V3 reCAPTCHA. I found that when using V2 with JavaScript disabled, the form displays an error message and does not allow the form submission. To have the same behaviour with V3, I suggest making the edit that PeterUpfold suggests, and adding the error message from V2, slightly modified, to the form within <noscript> tags like this:
<noscript><div class="wpcf7-response-output wpcf7-spam-blocked"><p>Could not connect to the reCAPTCHA service. Please enable JavaScript and reload to get a reCAPTCHA challenge.</p></div></noscript>
I placed this code just above the submit button, replacing the old [recaptcha] tag.
I also added logging to record when the reCAPTCHA response is missing, and the logging lined up exactly with the incoming spam messages I have been receiving.
Forum: Plugins
In reply to: [Event Tickets and Registration] Ticket form no longer appears on page
I can confirm there is still a problem.
I installed the latest versions of both The Events Calendar, and Event Tickets (both free plugins) on a clean test site running theme Twenty Seventeen.
I set up the tickets to sell using a Paypal account and enabled tickets on pages and posts.
I created a new page and added one ticket.
When both The Events Calendar and Event Tickets are enabled, the page says “Tickets are no longer available”.
If I disable The Events Calendar and just have Event Tickets active, the ticket form appears correctly!
Forum: Plugins
In reply to: [Event Tickets and Registration] Ticket form no longer appears on page
The failure occurs with Event Tickets, which is a free plugin.
Forum: Plugins
In reply to: [Event Tickets and Registration] Ticket form no longer appears on page
I just tried the new version 4.8 and it is still failing to show tickets on pages.