Daan Oostindiën
Forum Replies Created
Forum: Plugins
In reply to: [File Away] Vulnerability
@li-an I won’t trust a plugin that is not available through the regular WordPress Plugin Directory. If you are serious about this project, please make it available.
I had low-key started working on fixing the File Away plugin. Just re-writing and moving code. Unfortunately I now must admit my defeat… the code from this plugin is too much of a mess to even understand the simplest functions. It’ll be much, much quicker just to start over new.
With the original author not responding this plugin is dead anyway.
Forum: Plugins
In reply to: [File Away] Vulnerability
Alternatives? I don’t know.
For what it’s worth, this fixes the current vulnerability:
Add:
if($class) $class = sanitize_html_class($class);
To:
lib/cls/class.fileup.php
on line 20. Right below the two extract(); calls.
While you’re at it @thomstark, maybe you can add me to the developers and I can attempt to make this plugin PHP 8.x proof.
- This reply was modified 1 year, 4 months ago by Daan Oostindiën.
Forum: Plugins
In reply to: [File Away] Vulnerability
It will take me some time to get up to speed, if other programmers are quicker, be my guest.
Not to discredit @amarthakur88 but the user was created today and this is the only post. Be careful who you trust.
Forum: Plugins
In reply to: [Timed Content] Paragraphs in output timed-content-server
Thanks! Works like a charm!
Forum: Plugins
In reply to: [Meteohub] Meteohub Plugin for WordPress
What Webrat11 is actually saying:
Dashboard –> Settings –> Meteohub
Or alternatively the full URL:
/wp-admin/options-general.php?page=Meteohub
If that doesn’t work, which version of WordPress are you using?
Forum: Plugins
In reply to: [BulletProof Security] Problem with questionmark at end of URL
Thanks for the answer. I will remove it from my .htaccess.
Forum: Plugins
In reply to: [BulletProof Security] Problem with questionmark at end of URL
Obviously I don’t want to allow malformed Query Strings/invalid Request URIs/URLs/Query Strings on my website. I want a user friendly and safe website.
I think the line in the .htaccess is solely for the ? behind the URL, but I’m not sure. If that’s the case, and it’s not ‘unsafe’ but only syntactically wrong I’d rather remove the line.
On the other hand, if there are issues with attacks that are blocked by this rule I’d rather let it be, that’s something I can explain to my clients.
Forum: Plugins
In reply to: [BruteProtect] How many attempts?
Ah, getting a 2 year block takes serious effort:
First you get an 8h block (8 failed
Then you get a 2d block (15 failed =2d,8h)
Then you get an 8h block (23 failed =2d,16h)
Then you get a 14d block (25 failed =18d,16h)
Then you get an 8h block (33 failed =19d)
Then you get a 2m block (40 failed =2m,21d)
Then you get an 8h block (48 failed =2m,21d,8h)
Then you get a 2d block (55 failed =2m,23d,8h)
Then you get an 8h block (63 failed =2m,21d,16h)
Then, after 2 months, 21 days and 16 hours of continuous hammering from the same IP, you get a 2 year block (which effectively resets everything).
It’s pretty hard to get to the point where you’ll be blocked for 2 years, but nonetheless there should be an ‘Unblock me’ feature somewhere. 25 failed attempts is not unthinkable, but being unable to log in for two weeks is.
I would also suggest to start with some smaller steps. 8 failed attempts is not much, but blocks you for a nasty period. Perhaps start with 15m, then an hour, then rapidly build up to longer periods for the real bots.
A bit like this:
5 failed attempts in 15mins = 15 min block
10 failed attempts in 30mins = 1 hour block
15 failed attempts in 90mins = 1 day block
Etc.
It also seems important to give some feedback like ‘3 attempts left’.
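The stepped schedule suggested in the post above, including the ‘attempts left’ feedback, as an added sketch (not BruteProtect's code and not part of the original post). The class and function names are hypothetical; it assumes attempts made during a block are rejected without being counted, and it implements only the three steps the post lists.

```python
from collections import defaultdict

MIN = 60
# (failed attempts, window in s, block in s): the three steps listed in the post.
TIERS = [(5, 15 * MIN, 15 * MIN), (10, 30 * MIN, 60 * MIN), (15, 90 * MIN, 24 * 60 * MIN)]


class LockoutTracker:  # hypothetical name, not a BruteProtect API
    def __init__(self, tiers=TIERS):
        self.tiers = tiers
        self.longest = max(window for _, window, _ in tiers)
        self.failures = defaultdict(list)  # ip -> timestamps of counted failures
        self.blocked_until = {}            # ip -> time the current block ends

    def record_failure(self, ip, now):
        """Return (block_seconds, attempts_left) after a failed login at `now`."""
        until = self.blocked_until.get(ip, 0)
        if now < until:  # assumption: attempts during a block are not counted
            return until - now, 0
        hits = [t for t in self.failures[ip] if now - t < self.longest] + [now]
        self.failures[ip] = hits
        block, left = 0, None
        for threshold, window, duration in self.tiers:
            count = sum(1 for t in hits if now - t < window)
            if count >= threshold:
                block = max(block, duration)  # the longest matching step wins
            else:  # feedback: distance to the nearest step not yet reached
                left = min(threshold - count, left or threshold)
        if block:
            self.blocked_until[ip] = now + block
            return block, 0
        return 0, left

    def record_success(self, ip):
        self.failures.pop(ip, None)  # a successful login clears the history


def demo():
    """Constructed run: one client fails every 10 s and retries when each block ends."""
    tracker, ip, now, blocks = LockoutTracker(), "203.0.113.7", 0, []
    while len(blocks) < 3:
        block, _ = tracker.record_failure(ip, now)
        if block:
            blocks.append(block)
        now += block or 10
    return blocks  # 15 min, then 1 hour, then 1 day


if __name__ == "__main__":
    print(demo())
```

In this run the client reaches the one-day block after 15 counted failures, because the 30 and 90 minute windows still contain the failures made before the earlier, shorter blocks.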
Forum: Plugins
In reply to: [BruteProtect] How many attempts?
Can you give any indication about the timespan you use for this count? (10 attempts a year or 10 attempts an hour make quite the difference.) And perhaps for the length of the lockout period?
I’d like to be able to tell my clients (more or less) exactly what plugins do.
Forum: Plugins
In reply to: [Simple Popup Plugin] Scrollbar, Toolbar gone
It seems the author forgot to pass some PHP variables to the JavaScript handler.
If you’re brave enough:
1. open ‘/wp-content/plugins/simple-popup-plugin/simple_popup_plugin.php’
2. Look on rule #52, it should start like this:
settings="width=" + w + ",height=" + h + ",top=" + mytop + ",left=
3. Replace that whole line with this:
settings="width=" + w + ",height=" + h + ",top=" + mytop + ",left=" + myleft + ",scrollbars=<?php echo $scrollbar ?>,location=<?php echo $location ?>,directories=no,status=no,menubar=no,toolbar=<?php echo $toolbar ?>,resizable=no";swin=window.open(mypage,myname,settings);