WordPress Backup & Security Plugin – BlogVault - Version 4.2

Version Description

  • Firewall in prepend mode
  • Robust Firewall and Login protection
  • Robust write callbacks
  • Cleanup and restore support without FTP

Release Info

Developer ritesh.soni36
Version 4.2

Code changes from version 3.4 to 4.2

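--- a/account.php
+++ b/account.php
@@ -42,6 +42,10 @@ if (!class_exists('BVAccount')) :
  return $str;
  }
 
+ public static function sanitizeKey($key) {
+ return preg_replace('/[^a-zA-Z0-9_\-]/', '', $key);
+ }
+
  public static function apiPublicAccount($settings) {
  $pubkey = $settings->getOption(self::$api_public_key);
  return self::find($settings, $pubkey);
@@ -98,6 +102,7 @@ if (!class_exists('BVAccount')) :
  }
 
  public function newAuthParams($version) {
+ $bvinfo = new BVInfo($settings);
  $args = array();
  $time = time();
  $sig = sha1($this->public.$this->secret.$time.$version);
@@ -106,6 +111,7 @@ if (!class_exists('BVAccount')) :
  $args['bvPublic'] = $this->public;
  $args['bvVersion'] = $version;
  $args['sha1'] = '1';
+ $args['plugname'] = $bvinfo->plugname;
  return $args;
  }
 
@@ -118,7 +124,7 @@ if (!class_exists('BVAccount')) :
  self::update($settings, $accounts);
  }
 
- public function respInfo() {
+ public function info() {
  return array(
  "public" => substr($this->public, 0, 6),
  "sigmatch" => substr($this->sig_match, 0, 6)
@@ -179,4 +185,4 @@ if (!class_exists('BVAccount')) :
  return array_key_exists($pubkey, $accounts);
  }
  }
- endif;
+ endif;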
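Review bot: `newAuthParams($version)` now starts with `$bvinfo = new BVInfo($settings);`, but `$settings` is neither a parameter of the method nor a local in the visible lines, so BVInfo is constructed from an undefined variable and `$args['plugname']` on the third hunk is read from an object built without settings. Either pass it in, `public function newAuthParams($version, $settings)` (callers are outside this hunk and would need updating), or use a settings property if BVAccount already holds one — I cannot see its property list from here. The rest of `newAuthParams` continues outside the hunk. `sanitizeKey` strips rather than rejects, so a comment on it such as `// Drops every byte outside [A-Za-z0-9_-]; a changed result means the input was malformed, callers wanting strict validation should compare against the original` would make that contract explicit for the new callers in blogvault.php and callback/request.php.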
blogvault.php CHANGED
@@ -5,7 +5,7 @@ Plugin URI: https://blogvault.net
5
  Description: Easiest way to backup & secure your WordPress site
6
  Author: Backup by BlogVault
7
  Author URI: https://blogvault.net
8
- Version: 3.4
9
  Network: True
10
  */
11
 
@@ -28,6 +28,7 @@ Network: True
28
  /* Global response array */
29
 
30
  if (!defined('ABSPATH')) exit;
 
31
  require_once dirname( __FILE__ ) . '/wp_settings.php';
32
  require_once dirname( __FILE__ ) . '/wp_site_info.php';
33
  require_once dirname( __FILE__ ) . '/wp_db.php';
@@ -55,7 +56,7 @@ add_action('wp_footer', array($wp_action, 'footerHandler'), 100);
55
  ##WPCLIMODULE##
56
  if (is_admin()) {
57
  require_once dirname( __FILE__ ) . '/wp_admin.php';
58
- $wpadmin = new BVWPAdmin($bvsettings, $bvsiteinfo);
59
  add_action('admin_init', array($wpadmin, 'initHandler'));
60
  add_filter('all_plugins', array($wpadmin, 'initBranding'));
61
  add_filter('plugin_row_meta', array($wpadmin, 'hidePluginDetails'), 10, 2);
@@ -65,6 +66,7 @@ if (is_admin()) {
65
  add_action('admin_menu', array($wpadmin, 'menu'));
66
  }
67
  add_filter('plugin_action_links', array($wpadmin, 'settingsLink'), 10, 2);
 
68
  add_action('admin_notices', array($wpadmin, 'activateWarning'));
69
  ##ADMINENQUEUESCRIPTS##
70
  }
@@ -80,7 +82,7 @@ if ((array_key_exists('bvplugname', $_REQUEST)) && ($_REQUEST['bvplugname'] == "
80
  require_once dirname( __FILE__ ) . '/callback/request.php';
81
  require_once dirname( __FILE__ ) . '/recover.php';
82
 
83
- $pubkey = $_REQUEST['pubkey'];
84
 
85
  if (array_key_exists('rcvracc', $_REQUEST)) {
86
  $account = BVRecover::find($bvsettings, $pubkey);
@@ -92,13 +94,16 @@ if ((array_key_exists('bvplugname', $_REQUEST)) && ($_REQUEST['bvplugname'] == "
92
  $response = new BVCallbackResponse($request->bvb64cksize);
93
 
94
  if ($account && (1 === $account->authenticate($request))) {
 
 
 
95
  require_once dirname( __FILE__ ) . '/callback/handler.php';
96
  $params = $request->processParams($_REQUEST);
97
  if ($params === false) {
98
  $resp = array(
99
- "account_info" => $account->respInfo(),
100
- "request_info" => $request->respInfo(),
101
- "bvinfo" => $bvinfo->respInfo(),
102
  "statusmsg" => "BVPRMS_CORRUPTED"
103
  );
104
  $response->terminate($resp);
@@ -115,9 +120,9 @@ if ((array_key_exists('bvplugname', $_REQUEST)) && ($_REQUEST['bvplugname'] == "
115
  }
116
  } else {
117
  $resp = array(
118
- "account_info" => $account ? $account->respInfo() : array("error" => "ACCOUNT_NOT_FOUND"),
119
- "request_info" => $request->respInfo(),
120
- "bvinfo" => $bvinfo->respInfo(),
121
  "statusmsg" => "FAILED_AUTH",
122
  "api_pubkey" => substr(BVAccount::getApiPublicKey($bvsettings), 0, 8),
123
  "def_sigmatch" => substr(BVAccount::getSigMatch($request, BVRecover::getDefaultSecret($bvsettings)), 0, 8)
@@ -126,16 +131,15 @@ if ((array_key_exists('bvplugname', $_REQUEST)) && ($_REQUEST['bvplugname'] == "
126
  }
127
  } else {
128
  if ($bvinfo->isProtectModuleEnabled()) {
129
- require_once dirname( __FILE__ ) . '/protect/protect.php';
130
- require_once dirname( __FILE__ ) . '/protect/ipstore.php';
131
- $bvprotect = new BVProtect($bvdb, $bvsettings);
132
- $bvprotect->init();
133
- }
134
 
135
  if ($bvinfo->isDynSyncModuleEnabled()) {
136
- require_once dirname( __FILE__ ) . '/wp_dynsync.php';
137
- $dynsync = new BVWPDynSync($bvdb, $bvsettings);
138
- $dynsync->init();
139
- }
140
 
141
  }
5
  Description: Easiest way to backup & secure your WordPress site
6
  Author: Backup by BlogVault
7
  Author URI: https://blogvault.net
8
+ Version: 4.2
9
  Network: True
10
  */
11
 
28
  /* Global response array */
29
 
30
  if (!defined('ABSPATH')) exit;
31
+
32
  require_once dirname( __FILE__ ) . '/wp_settings.php';
33
  require_once dirname( __FILE__ ) . '/wp_site_info.php';
34
  require_once dirname( __FILE__ ) . '/wp_db.php';
56
  ##WPCLIMODULE##
57
  if (is_admin()) {
58
  require_once dirname( __FILE__ ) . '/wp_admin.php';
59
+ $wpadmin = new BVWPAdmin($bvsettings, $bvsiteinfo, $bvapi);
60
  add_action('admin_init', array($wpadmin, 'initHandler'));
61
  add_filter('all_plugins', array($wpadmin, 'initBranding'));
62
  add_filter('plugin_row_meta', array($wpadmin, 'hidePluginDetails'), 10, 2);
66
  add_action('admin_menu', array($wpadmin, 'menu'));
67
  }
68
  add_filter('plugin_action_links', array($wpadmin, 'settingsLink'), 10, 2);
69
+ add_action('admin_head', array($wpadmin, 'removeAdminNotices'), 3);
70
  add_action('admin_notices', array($wpadmin, 'activateWarning'));
71
  ##ADMINENQUEUESCRIPTS##
72
  }
82
  require_once dirname( __FILE__ ) . '/callback/request.php';
83
  require_once dirname( __FILE__ ) . '/recover.php';
84
 
85
+ $pubkey = BVAccount::sanitizeKey($_REQUEST['pubkey']);
86
 
87
  if (array_key_exists('rcvracc', $_REQUEST)) {
88
  $account = BVRecover::find($bvsettings, $pubkey);
94
  $response = new BVCallbackResponse($request->bvb64cksize);
95
 
96
  if ($account && (1 === $account->authenticate($request))) {
97
+ define('BVBASEPATH', plugin_dir_path(__FILE__));
98
+
99
+
100
  require_once dirname( __FILE__ ) . '/callback/handler.php';
101
  $params = $request->processParams($_REQUEST);
102
  if ($params === false) {
103
  $resp = array(
104
+ "account_info" => $account->info(),
105
+ "request_info" => $request->info(),
106
+ "bvinfo" => $bvinfo->info(),
107
  "statusmsg" => "BVPRMS_CORRUPTED"
108
  );
109
  $response->terminate($resp);
120
  }
121
  } else {
122
  $resp = array(
123
+ "account_info" => $account ? $account->info() : array("error" => "ACCOUNT_NOT_FOUND"),
124
+ "request_info" => $request->info(),
125
+ "bvinfo" => $bvinfo->info(),
126
  "statusmsg" => "FAILED_AUTH",
127
  "api_pubkey" => substr(BVAccount::getApiPublicKey($bvsettings), 0, 8),
128
  "def_sigmatch" => substr(BVAccount::getSigMatch($request, BVRecover::getDefaultSecret($bvsettings)), 0, 8)
131
  }
132
  } else {
133
  if ($bvinfo->isProtectModuleEnabled()) {
134
+ require_once dirname( __FILE__ ) . '/protect/wp/protect.php';
135
+ $bvprotect = new BVProtect($bvdb, $bvsettings);
136
+ $bvprotect->run();
137
+ }
 
138
 
139
  if ($bvinfo->isDynSyncModuleEnabled()) {
140
+ require_once dirname( __FILE__ ) . '/wp_dynsync.php';
141
+ $dynsync = new BVWPDynSync($bvdb, $bvsettings);
142
+ $dynsync->init();
143
+ }
144
 
145
  }
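Review bot: `$pubkey = BVAccount::sanitizeKey($_REQUEST['pubkey']);` still indexes `$_REQUEST` without checking the key is present, so a callback request that omits `pubkey` raises an undefined-index notice and passes null into preg_replace; guard it with `$pubkey = BVAccount::sanitizeKey(isset($_REQUEST['pubkey']) ? $_REQUEST['pubkey'] : '');`. `new BVWPAdmin($bvsettings, $bvsiteinfo, $bvapi)` depends on `$bvapi` being assigned earlier in the file, which is outside every hunk here — worth confirming it is always set before the `is_admin()` branch rather than only in some code paths. `define('BVBASEPATH', plugin_dir_path(__FILE__));` sits inside the authenticated-callback branch, so the constant does not exist on ordinary page loads; a one-line comment saying `// only defined for authenticated callback requests` would stop the protect/dynsync branch below from relying on it. The enclosing `if` blocks begin and end outside these hunks.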
callback/handler.php CHANGED
@@ -10,6 +10,7 @@ if (!class_exists('BVCallbackHandler')) :
10
  public $request;
11
  public $account;
12
  public $response;
 
13
 
14
  public function __construct($db, $settings, $siteinfo, $request, $account, $response) {
15
  $this->db = $db;
@@ -18,6 +19,7 @@ if (!class_exists('BVCallbackHandler')) :
18
  $this->request = $request;
19
  $this->account = $account;
20
  $this->response = $response;
 
21
  }
22
 
23
  public function bvAdmExecuteWithoutUser() {
@@ -30,17 +32,16 @@ if (!class_exists('BVCallbackHandler')) :
30
 
31
  public function execute($resp = array()) {
32
  $this->routeRequest();
33
- $bvinfo = new BVInfo($this->settings);
34
  $resp = array(
35
- "request_info" => $this->request->respInfo(),
36
- "site_info" => $this->siteinfo->respInfo(),
37
- "account_info" => $this->account->respInfo(),
38
- "bvinfo" => $bvinfo->respInfo(),
39
  "api_pubkey" => substr(BVAccount::getApiPublicKey($this->settings), 0, 8)
40
  );
41
  $this->response->terminate($resp);
42
  }
43
-
44
  public function routeRequest() {
45
  switch ($this->request->wing) {
46
  case 'manage':
@@ -67,17 +68,9 @@ if (!class_exists('BVCallbackHandler')) :
67
  require_once dirname( __FILE__ ) . '/wings/ipstore.php';
68
  $module = new BVIPStoreCallback($this);
69
  break;
70
- case 'fw':
71
- require_once dirname( __FILE__ ) . '/wings/fw.php';
72
- $module = new BVFirewallCallback($this);
73
- break;
74
- case 'lp':
75
- require_once dirname( __FILE__ ) . '/wings/lp.php';
76
- $module = new BVLoginProtectCallback($this);
77
- break;
78
- case 'monit':
79
- require_once dirname( __FILE__ ) . '/wings/monit.php';
80
- $module = new BVMonitCallback($this);
81
  break;
82
  case 'brand':
83
  require_once dirname( __FILE__ ) . '/wings/brand.php';
@@ -91,6 +84,10 @@ if (!class_exists('BVCallbackHandler')) :
91
  require_once dirname( __FILE__ ) . '/wings/account.php';
92
  $module = new BVAccountCallback($this);
93
  break;
 
 
 
 
94
  default:
95
  require_once dirname( __FILE__ ) . '/wings/misc.php';
96
  $module = new BVMiscCallback($this);
10
  public $request;
11
  public $account;
12
  public $response;
13
+ public $bvinfo;
14
 
15
  public function __construct($db, $settings, $siteinfo, $request, $account, $response) {
16
  $this->db = $db;
19
  $this->request = $request;
20
  $this->account = $account;
21
  $this->response = $response;
22
+ $this->bvinfo = new BVInfo($this->settings);
23
  }
24
 
25
  public function bvAdmExecuteWithoutUser() {
32
 
33
  public function execute($resp = array()) {
34
  $this->routeRequest();
 
35
  $resp = array(
36
+ "request_info" => $this->request->info(),
37
+ "site_info" => $this->siteinfo->info(),
38
+ "account_info" => $this->account->info(),
39
+ "bvinfo" => $this->bvinfo->info(),
40
  "api_pubkey" => substr(BVAccount::getApiPublicKey($this->settings), 0, 8)
41
  );
42
  $this->response->terminate($resp);
43
  }
44
+
45
  public function routeRequest() {
46
  switch ($this->request->wing) {
47
  case 'manage':
68
  require_once dirname( __FILE__ ) . '/wings/ipstore.php';
69
  $module = new BVIPStoreCallback($this);
70
  break;
71
+ case 'wtch':
72
+ require_once dirname( __FILE__ ) . '/wings/watch.php';
73
+ $module = new BVWatchCallback($this);
 
 
 
 
 
 
 
 
74
  break;
75
  case 'brand':
76
  require_once dirname( __FILE__ ) . '/wings/brand.php';
84
  require_once dirname( __FILE__ ) . '/wings/account.php';
85
  $module = new BVAccountCallback($this);
86
  break;
87
+ case 'fswrt':
88
+ require_once dirname( __FILE__ ) . '/wings/fs_write.php';
89
+ $module = new BVFSWriteCallback();
90
+ break;
91
  default:
92
  require_once dirname( __FILE__ ) . '/wings/misc.php';
93
  $module = new BVMiscCallback($this);
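Review bot: `case 'fswrt'` constructs `new BVFSWriteCallback()` without the handler, unlike every other wing in this switch, so the write callback has no access to the account, settings or siteinfo it would need to confine or log its filesystem writes; prefer `$module = new BVFSWriteCallback($this);` with a constructor that stores `$callback_handler` the way BVFSCallback does. `$this->bvinfo = new BVInfo($this->settings);` in the constructor presumes `$this->settings` was assigned on the lines just above it, which are outside the hunk. The abbreviated wing names (`wtch`, `fswrt`) are not self-explanatory; a short comment on each new case naming the module it loads would help the next reader of `routeRequest`, whose body continues outside the hunk.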
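--- a/callback/request.php
+++ b/callback/request.php
@@ -40,7 +40,7 @@ if (!class_exists('BVCallbackRequest')) :
  return array_key_exists('apicall', $this->params);
  }
 
- public function respInfo() {
+ public function info() {
  $info = array(
  "requestedsig" => $this->sig,
  "requestedtime" => $this->time,
@@ -89,7 +89,7 @@ if (!class_exists('BVCallbackRequest')) :
  if (array_key_exists('bvprms', $in_params) && isset($in_params['bvprms']) &&
  array_key_exists('bvprmsmac', $in_params) && isset($in_params['bvprmsmac'])) {
  $digest_algo = 'SHA1';
- $sent_mac = $in_params['bvprmsmac'];
+ $sent_mac = BVAccount::sanitizeKey($in_params['bvprmsmac']);
 
  if (array_key_exists('bvprmshshalgo', $in_params) && isset($in_params['bvprmshshalgo'])) {
  $digest_algo = $in_params['bvprmshshalgo'];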
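Review bot: Passing the received MAC through `BVAccount::sanitizeKey` silently rewrites a malformed `bvprmsmac` instead of rejecting it, so a tag containing bytes outside `[A-Za-z0-9_-]` is quietly altered before the comparison rather than failing validation; for an authentication tag the intent is clearer as a strict check, e.g. `if (BVAccount::sanitizeKey($in_params['bvprmsmac']) !== $in_params['bvprmsmac']) { return false; }` (using whatever failure value this method returns — its body continues outside the hunk). The comparison of `$sent_mac` with the computed digest lies below the hunk; if it uses `==`/`===`, `hash_equals($computed_mac, $sent_mac)` gives a constant-time comparison. `$digest_algo` is still taken verbatim from `bvprmshshalgo` on the context line; the commit does not change that, but limiting it to a fixed set of accepted algorithm names would be a worthwhile follow-up.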
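--- a/callback/wings/account.php
+++ b/callback/wings/account.php
@@ -21,7 +21,7 @@ class BVAccountCallback extends BVCallbackBase {
  $resp = array("status" => BVAccount::exists($this->settings, $params['public']));
  break;
  case "rmacc":
- $resp = array("status" => $account->remove($params['public']));
+ $resp = array("status" => BVAccount::remove($this->settings, $params['public']));
  break;
  case "updt":
  $info = array();
@@ -32,7 +32,8 @@ class BVAccountCallback extends BVCallbackBase {
  $resp = array("status" => BVAccount::exists($this->settings, $params['pubkey']));
  break;
  case "updtapikey":
- $resp = array("status" => BVAccount::updateApiPublicKey($this->settings, $params['pubkey']));
+ BVAccount::updateApiPublicKey($this->settings, $params['pubkey']);
+ $resp = array("status" => $this->settings->getOption(BVAccount::$api_public_key));
  break;
  case "rmdefsec":
  $resp = array("status" => $settings->deleteOption('bvDefaultSecret'));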
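Review bot: `updtapikey` now reports the stored key itself under `"status"`, where every sibling case in this switch returns a boolean under that key, so a caller can no longer read success or failure from the same field across cases; returning it under its own name, `$resp = array("status" => true, "api_pubkey" => $this->settings->getOption(BVAccount::$api_public_key));`, keeps the read-back the commit wants without overloading `status`. `$params['pubkey']` is stored as received, while blogvault.php now runs request-supplied keys through `BVAccount::sanitizeKey`; applying the same call here before `updateApiPublicKey` would keep the stored key consistent with how it is later looked up. The `switch` these hunks belong to starts and ends outside the hunk.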
callback/wings/db.php CHANGED
@@ -9,9 +9,13 @@ class BVDBCallback extends BVCallbackBase {
9
  public $stream;
10
  public $account;
11
 
 
 
12
  public function __construct($callback_handler) {
13
  $this->db = $callback_handler->db;
14
  $this->account = $callback_handler->account;
 
 
15
  }
16
 
17
  public function getLastID($pkeys, $end_row) {
@@ -64,6 +68,9 @@ class BVDBCallback extends BVCallbackBase {
64
  $db = $this->db;
65
  $params = $request->params;
66
  $stream_init_info = BVStream::startStream($this->account, $request);
 
 
 
67
  if (array_key_exists('stream', $stream_init_info)) {
68
  $this->stream = $stream_init_info['stream'];
69
  switch ($request->method) {
@@ -140,17 +147,17 @@ class BVDBCallback extends BVCallbackBase {
140
  $resp = $this->getTableData($table, $tname, $rcount, $offset, $limit, $bsize, $filter, $pkeys, true);
141
  break;
142
  case "tblexists":
143
- $resp = array("tblexists" => $db->isTablePresent($params['tablename']));
144
  break;
145
  case "crttbl":
146
  $usedbdelta = array_key_exists('usedbdelta', $params);
147
- $resp = array("crttbl" => $db->createTable($params['query'], $params['tablename'], $usedbdelta));
148
  break;
149
  case "drptbl":
150
- $resp = array("drptbl" => $db->dropBVTable($params['name']));
151
  break;
152
  case "trttbl":
153
- $resp = array("trttbl" => $db->truncateBVTable($params['name']));
154
  break;
155
  case "altrtbl":
156
  $resp = array("altrtbl" => $db->alterBVTable($params['query'], $params['query']));
9
  public $stream;
10
  public $account;
11
 
12
+ public static $bvTables = array("fw_requests", "lp_requests", "ip_store");
13
+
14
  public function __construct($callback_handler) {
15
  $this->db = $callback_handler->db;
16
  $this->account = $callback_handler->account;
17
+ $this->siteinfo = $callback_handler->siteinfo;
18
+ $this->bvinfo = $callback_handler->bvinfo;
19
  }
20
 
21
  public function getLastID($pkeys, $end_row) {
68
  $db = $this->db;
69
  $params = $request->params;
70
  $stream_init_info = BVStream::startStream($this->account, $request);
71
+
72
+
73
+
74
  if (array_key_exists('stream', $stream_init_info)) {
75
  $this->stream = $stream_init_info['stream'];
76
  switch ($request->method) {
147
  $resp = $this->getTableData($table, $tname, $rcount, $offset, $limit, $bsize, $filter, $pkeys, true);
148
  break;
149
  case "tblexists":
150
+ $resp = array("tblexists" => $db->isTablePresent($params['table']));
151
  break;
152
  case "crttbl":
153
  $usedbdelta = array_key_exists('usedbdelta', $params);
154
+ $resp = array("crttbl" => $db->createTable($params['query'], $params['table'], $usedbdelta));
155
  break;
156
  case "drptbl":
157
+ $resp = array("drptbl" => $db->dropBVTable($params['table']));
158
  break;
159
  case "trttbl":
160
+ $resp = array("trttbl" => $db->truncateBVTable($params['table']));
161
  break;
162
  case "altrtbl":
163
  $resp = array("altrtbl" => $db->alterBVTable($params['query'], $params['query']));
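Review bot: The constructor now assigns `$this->siteinfo` and `$this->bvinfo`, but the visible declarations are only `$stream` and `$account`, so unless they are declared further up outside the hunk these become dynamic properties, which PHP 8.2 deprecates; add `public $siteinfo;` and `public $bvinfo;` beside the existing declarations. `public static $bvTables` is introduced but nothing in the hunks reads it; a comment stating what it is the authoritative list of, or its first use, would tell a reader whether `drptbl`/`trttbl` are meant to be limited to these names. The `altrtbl` context line still passes `$params['query']` twice to `alterBVTable`; the commit does not touch it, but given the key renames just above it the second argument looks like it should be `$params['table']` — worth confirming against `alterBVTable`'s signature. The `process` method these hunks belong to continues outside them.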
callback/wings/fs.php CHANGED
@@ -8,6 +8,8 @@ class BVFSCallback extends BVCallbackBase {
8
  public $stream;
9
  public $account;
10
 
 
 
11
  public function __construct($callback_handler) {
12
  $this->account = $callback_handler->account;
13
  }
@@ -149,6 +151,34 @@ class BVFSCallback extends BVCallbackBase {
149
  return $md5;
150
  }
151
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
152
  function getFilesStats($files, $offset = 0, $limit = 0, $bsize = 102400, $md5 = false) {
153
  $result = array();
154
  foreach ($files as $file) {
@@ -207,6 +237,9 @@ class BVFSCallback extends BVCallbackBase {
207
  function process($request) {
208
  $params = $request->params;
209
  $stream_init_info = BVStream::startStream($this->account, $request);
 
 
 
210
  if (array_key_exists('stream', $stream_init_info)) {
211
  $this->stream = $stream_init_info['stream'];
212
  switch ($request->method) {
@@ -264,6 +297,26 @@ class BVFSCallback extends BVCallbackBase {
264
  $directoryList = glob($initdir.$regex, $glob_option);
265
  $resp = $this->getFilesStats($directoryList);
266
  break;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
267
  default:
268
  $resp = false;
269
  }
8
  public $stream;
9
  public $account;
10
 
11
+ public static $cwAllowedFiles = array(".htaccess", ".user.ini", "malcare-waf.php");
12
+
13
  public function __construct($callback_handler) {
14
  $this->account = $callback_handler->account;
15
  }
151
  return $md5;
152
  }
153
 
154
+ function getFilesContent($files, $withContent = true) {
155
+ $result = array();
156
+ foreach ($files as $file) {
157
+ $fdata = $this->fileStat($file);
158
+ $absfile = ABSPATH.$file;
159
+
160
+ if (is_dir($absfile) && !is_link($absfile)) {
161
+ $fdata['is_dir'] = true;
162
+ } else {
163
+ if (!is_readable($file)) {
164
+ $fdata['error'] = 'file not readable';
165
+ } else {
166
+ if ($withContent === true) {
167
+ if ($content = file_get_contents($absfile)) {
168
+ $fdata['content'] = $content;
169
+ } else {
170
+ $fdata['error'] = 'unable to read file';
171
+ }
172
+ }
173
+ }
174
+ }
175
+
176
+ $result[$file] = $fdata;
177
+ }
178
+
179
+ return $result;
180
+ }
181
+
182
  function getFilesStats($files, $offset = 0, $limit = 0, $bsize = 102400, $md5 = false) {
183
  $result = array();
184
  foreach ($files as $file) {
237
  function process($request) {
238
  $params = $request->params;
239
  $stream_init_info = BVStream::startStream($this->account, $request);
240
+
241
+
242
+
243
  if (array_key_exists('stream', $stream_init_info)) {
244
  $this->stream = $stream_init_info['stream'];
245
  switch ($request->method) {
297
  $directoryList = glob($initdir.$regex, $glob_option);
298
  $resp = $this->getFilesStats($directoryList);
299
  break;
300
+ case "dirsexists":
301
+ $resp = array();
302
+ $dirs = $params['dirs'];
303
+
304
+ foreach ($dirs as $dir) {
305
+ $path = ABSPATH.$dir;
306
+ if (file_exists($path) && is_dir($path) && !is_link($path)) {
307
+ $resp[$dir] = true;
308
+ } else {
309
+ $resp[$dir] = false;
310
+ }
311
+ }
312
+
313
+ $resp["status"] = "Done";
314
+ break;
315
+ case "gtfilescntent":
316
+ $files = $params['files'];
317
+ $withContent = array_key_exists('withcontent', $params) ? $params['withcontent'] : true;
318
+ $resp = array("files_content" => $this->getFilesContent($files, $withContent));
319
+ break;
320
  default:
321
  $resp = false;
322
  }
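Review bot: In `getFilesContent`, `is_readable($file)` tests the relative path while `file_get_contents($absfile)` reads the absolute one, so the readability check answers for a different path (resolved against the process cwd rather than ABSPATH) than the one actually read; use `if (!is_readable($absfile)) {`. On the following lines `if ($content = file_get_contents($absfile))` reports `'unable to read file'` for an empty file or one containing just `0`, because the truthiness test conflates an empty string with `false`; `if (($content = file_get_contents($absfile)) !== false) {` fixes that. `$withContent` is compared with `=== true`, so a `withcontent` value that arrives as a string or integer silently disables content — worth confirming how the params are decoded. Both `getFilesContent` and the new `dirsexists` case join request-supplied names onto ABSPATH without normalisation; the new `$cwAllowedFiles` list suggests an allow-list is intended elsewhere, and a comment stating whether callers are expected to have already confined these paths would make that boundary explicit. `process` begins and ends outside the hunk.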
callback/wings/fs_write.php ADDED
@@ -0,0 +1,453 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if (!defined('ABSPATH')) exit;
4
+ if (!class_exists('BVFSWriteCallback')) :
5
+
6
+ class BVFSWriteCallback extends BVCallbackBase {
7
+
8
+ const MEGABYTE = 1024 * 1024;
9
+
10
+ public function __construct() {
11
+ }
12
+
13
+ public function removeFiles($files) {
14
+ $result = array();
15
+
16
+ foreach($files as $file) {
17
+ $file_result = array();
18
+
19
+ if (file_exists($file)) {
20
+
21
+ $file_result['status'] = unlink($file);
22
+ if ($file_result['status'] === false) {
23
+ $file_result['error'] = "UNLINK_FAILED";
24
+ }
25
+
26
+ } else {
27
+ $file_result['status'] = true;
28
+ $file_result['error'] = "NOT_PRESENT";
29
+ }
30
+
31
+ $result[$file] = $file_result;
32
+ }
33
+
34
+ $result['status'] = true;
35
+ return $result;
36
+ }
37
+
38
+ public function makeDirs($dirs) {
39
+ $result = array();
40
+
41
+ foreach($dirs as $dir) {
42
+ $dir_result = array();
43
+
44
+ if (file_exists($dir)) {
45
+
46
+ if (is_dir($dir)) {
47
+ $dir_result['status'] = true;
48
+ $dir_result['message'] = "DIR_ALREADY_PRESENT";
49
+ } else {
50
+ $dir_result['status'] = false;
51
+ $dir_result['error'] = "FILE_PRESENT_IN_PLACE_OF_DIR";
52
+ }
53
+
54
+ } else {
55
+
56
+ $dir_result['status'] = mkdir($dir);
57
+ if ($dir_result['status'] === false) {
58
+ $dir_result['error'] = "MKDIR_FAILED";
59
+ }
60
+
61
+ }
62
+
63
+ $result[$dir] = $dir_result;
64
+ }
65
+
66
+ $result['status'] = true;
67
+ return $result;
68
+ }
69
+
70
+ public function removeDirs($dirs) {
71
+ $result = array();
72
+
73
+ foreach($dirs as $dir) {
74
+ $dir_result = array();
75
+
76
+ if (is_dir($dir) && !is_link($dir)) {
77
+
78
+ if ($this->isEmptyDir($dir)) {
79
+
80
+ $dir_result['status'] = rmdir($dir);
81
+ if ($dir_result['status'] === false) {
82
+ $dir_result['error'] = "RMDIR_FAILED";
83
+ }
84
+
85
+ } else {
86
+ $dir_result['status'] = false;
87
+ $dir_result['error'] = "NOT_EMPTY";
88
+ }
89
+
90
+ } else {
91
+ $dir_result['status'] = false;
92
+ $dir_result['error'] = "NOT_DIR";
93
+ }
94
+
95
+ $result[$dir] = $dir_result;
96
+ }
97
+
98
+ $result['status'] = true;
99
+ return $result;
100
+ }
101
+
102
+ public function isEmptyDir($dir) {
103
+ $handle = opendir($dir);
104
+
105
+ while (false !== ($entry = readdir($handle))) {
106
+ if ($entry != "." && $entry != "..") {
107
+ closedir($handle);
108
+ return false;
109
+ }
110
+ }
111
+ closedir($handle);
112
+
113
+ return true;
114
+ }
115
+
116
+ public function doChmod($path_infos) {
117
+ $result = array();
118
+
119
+ foreach($path_infos as $path => $mode) {
120
+ $path_result = array();
121
+
122
+ if (file_exists($path)) {
123
+
124
+ $path_result['status'] = chmod($path, $mode);
125
+ if ($path_result['status'] === false) {
126
+ $path_result['error'] = "CHMOD_FAILED";
127
+ }
128
+
129
+ } else {
130
+ $path_result['status'] = false;
131
+ $path_result['error'] = "NOT_FOUND";
132
+ }
133
+
134
+ $result[$path] = $path_result;
135
+ }
136
+
137
+ $result['status'] = true;
138
+ return $result;
139
+ }
140
+
141
+ public function concatFiles($ifiles, $ofile, $bsize, $offset) {
142
+ if (($offset !== 0) && (!file_exists($ofile))) {
143
+ return array(
144
+ 'status' => false,
145
+ 'error' => 'OFILE_NOT_FOUND_BEFORE_CONCAT'
146
+ );
147
+ }
148
+
149
+ if (file_exists($ofile) && ($offset !== 0)) {
150
+ $handle = fopen($ofile, 'rb+');
151
+ } else {
152
+ $handle = fopen($ofile, 'wb+');
153
+ }
154
+
155
+ if ($handle === false) {
156
+ return array(
157
+ 'status' => false,
158
+ 'error' => 'FOPEN_FAILED'
159
+ );
160
+ }
161
+
162
+ if ($offset !== 0) {
163
+ if (fseek($handle, $offset, SEEK_SET) === -1) {
164
+ return array(
165
+ 'status' => false,
166
+ 'error' => 'FSEEK_FAILED'
167
+ );
168
+ }
169
+ }
170
+
171
+ $total_written = 0;
172
+ foreach($ifiles as $file) {
173
+ $fp = fopen($file, 'rb');
174
+ if ($fp === false) {
175
+ return array(
176
+ 'status' => false,
177
+ 'error' => "UNABLE_TO_OPEN_TMP_OFILE_FOR_READING"
178
+ );
179
+ }
180
+
181
+ while (!feof($fp)) {
182
+ $content = fread($fp, $bsize);
183
+ if ($content === false) {
184
+ return array(
185
+ 'status' => false,
186
+ 'error' => "UNABLE_TO_READ_INFILE",
187
+ 'filename' => $file
188
+ );
189
+ }
190
+
191
+ $written = fwrite($handle, $content);
192
+ if ($written === false) {
193
+ return array(
194
+ 'status' => false,
195
+ 'error' => "UNABLE_TO_WRITE_TO_OFILE",
196
+ 'filename' => $file
197
+ );
198
+ }
199
+ $total_written += $written;
200
+ }
201
+
202
+ fclose($fp);
203
+ }
204
+
205
+ $result = array();
206
+ $result['fclose'] = fclose($handle);
207
+
208
+ if (file_exists($ofile) && ($total_written != 0)) {
209
+ $result['status'] = true;
210
+ $result['fsize'] = filesize($ofile);
211
+ $result['total_written'] = $total_written;
212
+ } else {
213
+ $result['status'] = false;
214
+ $result['error'] = 'CONCATINATED_FILE_FAILED';
215
+ }
216
+
217
+ return $result;
218
+ }
219
+
220
+ public function renameFiles($path_infos) {
221
+ $result = array();
222
+
223
+ foreach($path_infos as $oldpath => $newpath) {
224
+ $action_result = array();
225
+ $failed = array();
226
+
227
+ if (file_exists($oldpath)) {
228
+
229
+ $action_result['status'] = rename($oldpath, $newpath);
230
+ if ($action_result['status'] === false) {
231
+ $action_result['error'] = "RENAME_FAILED";
232
+ }
233
+
234
+ } else {
235
+ $action_result['status'] = false;
236
+ $action_result['error'] = "NOT_FOUND";
237
+ }
238
+
239
+ $result[$oldpath] = $action_result;
240
+ }
241
+
242
+ $result['status'] = true;
243
+ return $result;
244
+ }
245
+
246
+ public function curlFile($ifile_url, $ofile, $timeout) {
247
+ $fp = fopen($ofile, "wb+");
248
+ if ($fp === false) {
249
+ return array(
250
+ 'error' => 'FOPEN_FAILED_FOR_TEMP_OFILE'
251
+ );
252
+ }
253
+
254
+ $result = array();
255
+ $ch = curl_init($ifile_url);
256
+ curl_setopt($ch, CURLOPT_BINARYTRANSFER, 1);
257
+ curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
258
+ curl_setopt($ch, CURLOPT_HEADER, 0);
259
+ curl_setopt($ch, CURLOPT_FILE, $fp);
260
+
261
+ if (!curl_exec($ch)) {
262
+ $result['error'] = curl_error($ch);
263
+ $result['errorno'] = curl_errno($ch);
264
+ }
265
+
266
+ curl_close($ch);
267
+ fclose($fp);
268
+
269
+ return $result;
270
+ }
271
+
272
+ public function wgetFile($ifile_url, $ofile) {
273
+ $result = array();
274
+ system("wget -nv -O $ofile $ifile_url 2>&1 > /dev/null", $retval);
275
+
276
+ if ($retval !== 0) {
277
+ $result['error'] = "WGET_ERROR";
278
+ }
279
+
280
+ return $result;
281
+ }
282
+
283
+ public function streamCopyFile($ifile_url, $ofile) {
284
+ $result = array();
285
+ $handle = fopen($ifile_url, "rb");
286
+
287
+ if ($handle === false) {
288
+ return array(
289
+ 'error' => "UNABLE_TO_OPEN_REMOTE_FILE_STREAM"
290
+ );
291
+ }
292
+
293
+ $fp = fopen($ofile, "wb+");
294
+ if ($fp === false) {
295
+ fclose($handle);
296
+
297
+ return array(
298
+ 'error' => 'FOPEN_FAILED_FOR_OFILE'
299
+ );
300
+ }
301
+
302
+ if (stream_copy_to_stream($handle, $fp) === false) {
303
+ $result['error'] = "UNABLE_TO_WRITE_TO_TMP_OFILE";
304
+ }
305
+
306
+ fclose($handle);
307
+ fclose($fp);
308
+
309
+ return $result;
310
+ }
311
+
312
+ public function writeContentToFile($content, $ofile) {
313
+ $result = array();
314
+
315
+ $fp = fopen($ofile, "wb+");
316
+ if ($fp === false) {
317
+ return array(
318
+ 'error' => 'FOPEN_FAILED_FOR_TEMP_OFILE'
319
+ );
320
+ }
321
+
322
+ if (fwrite($fp, $content) === false) {
323
+ $resp['error'] = "UNABLE_TO_WRITE_TO_TMP_OFILE";
324
+ }
325
+ fclose($fp);
326
+
327
+ return $result;
328
+ }
329
+
330
+ public function moveUploadedFile($ofile) {
331
+ $result = array();
332
+
333
+ if (isset($_FILES['myfile'])) {
334
+ $myfile = $_FILES['myfile'];
335
+ $is_upload_ok = false;
336
+
337
+ switch ($myfile['error']) {
338
+ case UPLOAD_ERR_OK:
339
+ $is_upload_ok = true;
340
+ break;
341
+ case UPLOAD_ERR_NO_FILE:
342
+ $result['error'] = "UPLOADERR_NO_FILE";
343
+ break;
344
+ case UPLOAD_ERR_INI_SIZE:
345
+ case UPLOAD_ERR_FORM_SIZE:
346
+ $result['error'] = "UPLOADERR_FORM_SIZE";
347
+ break;
348
+ default:
349
+ $result['error'] = "UPLOAD_ERR_UNKNOWN";
350
+ }
351
+
352
+ if ($is_upload_ok && !isset($myfile['tmp_name'])) {
353
+ $result['error'] = "MYFILE_TMP_NAME_NOT_FOUND";
354
+ $is_upload_ok = false;
355
+ }
356
+
357
+ if ($is_upload_ok) {
358
+ if (move_uploaded_file($myfile['tmp_name'], $ofile) === false) {
359
+ $result['error'] = 'MOVE_UPLOAD_FILE_FAILED';
360
+ }
361
+ }
362
+
363
+ } else {
364
+ $result['error'] = "FILE_NOT_PRESENT_IN_FILES";
365
+ }
366
+
367
+ return $result;
368
+ }
369
+
370
+
371
+ public function uploadFile($params) {
372
+ $resp = array();
373
+ $ofile = $params['ofile'];
374
+
375
+ switch($params['protocol']) {
376
+ case "curl":
377
+ $timeout = isset($params['timeout']) ? $params['timeout'] : 60;
378
+ $ifile_url = isset($params['ifileurl']) ? $params['ifileurl'] : null;
379
+
380
+ $resp = $this->curlFile($ifile_url, $ofile, $timeout);
381
+ break;
382
+ case "wget":
383
+ $ifile_url = isset($params['ifileurl']) ? $params['ifileurl'] : null;
384
+
385
+ $resp = $this->wgetFile($ifile_url, $ofile);
386
+ break;
387
+ case "streamcopy":
388
+ $ifile_url = isset($params['ifileurl']) ? $params['ifileurl'] : null;
389
+
390
+ $resp = $this->streamCopyFile($ifile_url, $ofile);
391
+ break;
392
+ case "httpcontenttransfer":
393
+ $resp = $this->writeContentToFile($params['content'], $ofile);
394
+ break;
395
+ case "httpfiletransfer":
396
+ $resp = $this->moveUploadedFile($ofile);
397
+ break;
398
+ default:
399
+ $resp['error'] = "INVALID_PROTOCOL";
400
+ }
401
+
402
+ if (isset($resp['error'])) {
403
+ $resp['status'] = false;
404
+ } else {
405
+
406
+ if (file_exists($ofile)) {
407
+ $resp['status'] = true;
408
+ $resp['fsize'] = filesize($ofile);
409
+ } else {
410
+ $resp['status'] = false;
411
+ $resp['error'] = "OFILE_NOT_FOUND";
412
+ }
413
+
414
+ }
415
+
416
+ return $resp;
417
+ }
418
+
419
+ public function process($request) {
420
+ $params = $request->params;
421
+
422
+ switch ($request->method) {
423
+ case "rmfle":
424
+ $resp = $this->removeFiles($params['files']);
425
+ break;
426
+ case "chmd":
427
+ $resp = $this->doChmod($params['pathinfos']);
428
+ break;
429
+ case "mkdr":
430
+ $resp = $this->makeDirs($params['dirs']);
431
+ break;
432
+ case "rmdr":
433
+ $resp = $this->removeDirs($params['dirs']);
434
+ break;
435
+ case "renmefle":
436
+ $resp = $this->renameFiles($params['pathinfos']);
437
+ break;
438
+ case "wrtfle":
439
+ $resp = $this->uploadFile($params);
440
+ break;
441
+ case "cncatfls":
442
+ $bsize = (isset($params['bsize'])) ? $params['bsize'] : (8 * BVFSWriteCallback::MEGABYTE);
443
+ $offset = (isset($params['offset'])) ? $params['offset'] : 0;
444
+ $resp = $this->concatFiles($params['infiles'], $params['ofile'], $bsize, $offset);
445
+ break;
446
+ default:
447
+ $resp = false;
448
+ }
449
+
450
+ return $resp;
451
+ }
452
+ }
453
+ endif;
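Review bot: `wgetFile` interpolates the request-supplied `$ofile` and `$ifile_url` straight into a `system()` command line, so any shell metacharacter in either value alters the command; build it with per-argument escaping, `system(sprintf('wget -nv -O %s %s > /dev/null 2>&1', escapeshellarg($ofile), escapeshellarg($ifile_url)), $retval);`, which also fixes the `2>&1 > /dev/null` ordering that currently sends stderr to the output rather than discarding it. `writeContentToFile` records the fwrite failure in `$resp['error']` but returns `$result`, so the error is lost and `uploadFile` then reports success if the file exists; change it to `$result['error'] = "UNABLE_TO_WRITE_TO_TMP_OFILE";`. `curlFile` and `streamCopyFile` accept any URL scheme their backends support, and every `$ofile`, `$files`, `$dirs` and `$path_infos` value is used as an unconfined filesystem path; restrict curl with `curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);`, validate the scheme before the `fopen($ifile_url, "rb")` in `streamCopyFile`, and document on the class that it is only reachable through the authenticated `fswrt` route, since that is the property every method here depends on. `concatFiles` returns from inside its loops without closing `$handle`/`$fp`, `isEmptyDir` does not check `opendir` for `false`, and `doChmod` hands `$mode` to `chmod` as received, which yields the wrong bits if it arrives as a decimal-looking string such as "0755" — each of these deserves a check or a comment stating the assumed input type.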
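--- a/callback/wings/fw.php
+++ b/callback/wings/fw.php
@@ -1,62 +0,0 @@
-<?php
-
-if (!defined('ABSPATH')) exit;
-if (!class_exists('BVFirewallCallback')) :
-
-require_once dirname( __FILE__ ) . '/../../protect/wp_fw/config.php';
-
-class BVFirewallCallback {
-public $db;
-public $settings;
-
-public function __construct($callback_handler) {
-$this->db = $callback_handler->db;
-$this->settings = $callback_handler->settings;
-}
-
-public function process($request) {
-$params = $request->params;
-$config = new BVWPFWConfig($this->db, $this->settings);
-switch ($request->method) {
-case "clrconfig":
-$resp = array("clearconfig" => $config->clear());
-break;
-case "setmode":
-$config->setMode($params['mode']);
-$resp = array("setmode" => $config->getMode());
-break;
-case "dsblrules":
-$config->setDisabledRules($params['disabled_rules']);
-$resp = array("disabled_rules" => $config->getDisabledRules());
-break;
-case "adtrls":
-$config->setAuditRules($params['audit_rules']);
-$resp = array("audit_rules" => $config->getAuditRules());
-break;
-case "setrulesmode":
-$config->setRulesMode($params['rules_mode']);
-$resp = array("rules_mode" => $config->getRulesMode());
-break;
-case "setreqprofilingmode":
-$config->setReqProfilingMode($params['req_profiling_mode']);
-$resp = array("req_profiling_mode" => $config->getReqProfilingMode());
-break;
-case "stbypslevl":
-$config->setBypassLevel($params['bypslevl']);
-$resp = array("bypslevl" => $config->getBypassLevel());
-break;
-case "stcstmrls":
-$config->setCustomRoles($params['cstmrls']);
-$resp = array("cstmrls" => $config->getCustomRoles());
-break;
-case "stcookiemode":
-$config->setCookieMode($params['mode']);
-$resp = array("mode" => $config->getCookieMode());
-break;
-default:
-$resp = false;
-}
-return $resp;
-}
-}
-endif;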
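--- a/callback/wings/info.php
+++ b/callback/wings/info.php
@@ -96,11 +96,13 @@ class BVInfoCallback extends BVCallbackBase {
 
 public function getSystemInfo() {
 $sys_info = array(
-'serverip' => $_SERVER['SERVER_ADDR'],
 'host' => $_SERVER['HTTP_HOST'],
 'phpversion' => phpversion(),
 'AF_INET6' => defined('AF_INET6')
 );
+if (array_key_exists('SERVER_ADDR', $_SERVER)) {
+$sys_info['serverip'] = $_SERVER['SERVER_ADDR'];
+}
 if (function_exists('get_current_user')) {
 $sys_info['user'] = get_current_user();
 }
@@ -134,6 +136,7 @@ class BVInfoCallback extends BVCallbackBase {
 'wpversion' => $wp_version,
 'dbversion' => $wp_db_version,
 'abspath' => ABSPATH,
+'bvpluginpath' => defined('BVBASEPATH') ? BVBASEPATH : null,
 'uploadpath' => $upload_dir['basedir'],
 'uploaddir' => wp_upload_dir(),
 'contentdir' => defined('WP_CONTENT_DIR') ? WP_CONTENT_DIR : null,
@@ -203,51 +206,11 @@ class BVInfoCallback extends BVCallbackBase {
 $data['dynsync'] = $settings->getOption('bvDynSyncActive');
 $data['woodyn'] = $settings->getOption('bvWooDynSync');
 $data['dynplug'] = $settings->getOption('bvdynplug');
-$data['ptplug'] = $settings->getOption('bvptplug');
-$data['fw'] = $this->getFWConfig();
-$data['lp'] = $this->getLPConfig();
+$data['protect'] = $settings->getOption('bvptconf');
 $data['brand'] = $settings->getOption($this->bvinfo->brand_option);
 $data['badgeinfo'] = $settings->getOption($this->bvinfo->badgeinfo);
 }
 
-public function getLPConfig() {
-$config = array();
-$settings = $this->settings;
-$mode = $settings->getOption('bvlpmode');
-$cplimit = $settings->getOption('bvlpcaptchalimit');
-$tplimit = $settings->getOption('bvlptempblocklimit');
-$bllimit = $settings->getOption('bvlpblockAllLimit');
-$config['mode'] = intval($mode ? $mode : 1);
-$config['captcha_limit'] = intval($cplimit ? $cplimit : 3);
-$config['temp_block_limit'] = intval($tplimit? $tplimit : 6);
-$config['block_all_limit'] = intval($bllimit ? $bllimit : 100);
-return $config;
-}
-
-public function getFWConfig() {
-$config = array();
-$settings = $this->settings;
-$mode = $settings->getOption('bvfwmode');
-$drules = $settings->getOption('bvfwdisabledrules');
-$arules = $settings->getOption('bvfwauditrules');
-$rmode = $settings->getOption('bvfwrulesmode');
-$reqprofilingmode = $settings->getOption('bvfwreqprofilingmode');
-$bypass_level = $settings->getOption('bvfwbypasslevel');
-$custom_roles = $settings->getOption('bvfwcustomroles');
-$cookiemode = $settings->getOption('bvfwcookiemode');
-$cookiekey = (string) $settings->getOption('bvfwcookiekey');
-$config['mode'] = intval($mode ? $mode : 1);
-$config['disabled_rules'] = $drules ? $drules : array();
-$config['audit_rules'] = $arules ? $arules : array();
-$config['rules_mode'] = intval($rmode ? $rmode : 1);
-$config['req_profiling_mode'] = intval($reqprofilingmode ? $reqprofilingmode : 1);
-$config['bypslevl'] = intval($bypass_level ? $bypass_level : 2);
-$config['cstmrls'] = $custom_roles ? $custom_roles : array();
-$config['cookiemode'] = intval($cookiemode ? $cookiemode : 2);
-$config['cookiekey'] = $cookiekey;
-return $config;
-}
-
 public function dbconf(&$info) {
 $db = $this->db;
 if (defined('DB_CHARSET'))
@@ -256,6 +219,15 @@ class BVInfoCallback extends BVCallbackBase {
 $info['charset_collate'] = $db->getCharsetCollate();
 return $info;
 }
+
+public function cookieInfo() {
+$resp = array();
+if (defined('COOKIEPATH'))
+$resp['cookiepath'] = COOKIEPATH;
+if (defined('COOKIE_DOMAIN'))
+$resp['cookiedomain'] = COOKIE_DOMAIN;
+return array('cookieinfo' => $resp);
+}
 
 public function activate() {
 $resp = array();
@@ -266,6 +238,15 @@ class BVInfoCallback extends BVCallbackBase {
 return array('actinfo' => $resp);
 }
 
+public function getHostInfo() {
+$host_info = $_SERVER;
+$host_info['PHP_SERVER_NAME'] = php_uname('\n');
+if (array_key_exists('IS_PRESSABLE', get_defined_constants())) {
+$host_info['IS_PRESSABLE'] = true;
+}
+return array('host_info' => $host_info);
+}
+
 public function process($request) {
 $db = $this->db;
 $params = $request->params;
@@ -273,6 +254,9 @@ class BVInfoCallback extends BVCallbackBase {
 case "activateinfo":
 $resp = $this->activate();
 break;
+case "ckeyinfo":
+$resp = $this->cookieInfo();
+break;
 case "gtpsts":
 $count = 5;
 if (array_key_exists('count', $params))
@@ -294,6 +278,13 @@ class BVInfoCallback extends BVCallbackBase {
 case "gtwp":
 $resp = $this->getWpInfo();
 break;
+case "gtallhdrs":
+$data = (function_exists('getallheaders')) ? getallheaders() : false;
+$resp = array("allhdrs" => $data);
+break;
+case "gtsvr":
+$resp = array("svr" => $_SERVER);
+break;
 case "getoption":
 $resp = array("option" => $this->settings->getOption($params['name']));
 break;
@@ -309,6 +300,19 @@ class BVInfoCallback extends BVCallbackBase {
 $transient = $this->objectToArray($transient);
 $resp = array("transient" => $transient);
 break;
+case "gthost":
+$resp = $this->getHostInfo();
+break;
+case "gtplinfo":
+$args = array(
+'slug' => wp_unslash($params['slug'])
+);
+$action = $params['action'];
+$args = (object) $args;
+$args = apply_filters('plugins_api_args', $args, $action);
+$data = apply_filters('plugins_api', false, $action, $args);
+$resp = array("plugins_info" => $data);
+break;
 default:
 $resp = false;
 }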
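Review bot: `getHostInfo()` and the `gtsvr` case hand the entire `$_SERVER` array back to the caller, and `gtallhdrs` does the same for all request headers; on many hosts these carry more than host metadata — environment-derived entries (database credentials or API keys injected via SetEnv/FastCGI env), `PHP_AUTH_PW`, `HTTP_AUTHORIZATION` and `HTTP_COOKIE` of the callback request itself — so an allow-list of the keys actually needed, or at least dropping keys matching `/PASS|SECRET|TOKEN|KEY|AUTH|COOKIE/i` before returning, would limit what one leaked response exposes. Separately, `php_uname('\n')` passes the two-character string backslash-n rather than the `n` mode (single quotes do not interpret `\n`), and an unrecognised mode appears to fall through to the full uname line, so `PHP_SERVER_NAME` would hold OS, release and version instead of only the host name; use `php_uname('n')`. In `gtplinfo`, `$params['action']` reaches `plugins_api` unvalidated; restricting it to the one or two actions the caller needs is cheap. `process()` starts outside the hunk.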
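--- a/callback/wings/ipstore.php
+++ b/callback/wings/ipstore.php
@@ -3,7 +3,7 @@
 if (!defined('ABSPATH')) exit;
 if (!class_exists('BVIPStoreCallback')) :
 
-require_once dirname( __FILE__ ) . '/../../protect/ipstore.php';
+require_once dirname( __FILE__ ) . '/../../protect/wp/ipstore.php';
 
 class BVIPStoreCallback extends BVCallbackBase {
 public $db;
@@ -87,9 +87,8 @@ class BVIPStoreCallback extends BVCallbackBase {
 case "insrtips":
 $values = $params['values'];
 $fields = $params['fields'];
-$rmfilter = $params['rmfilter'];
-if ($rmfilter) {
-$db->deleteBVTableContent($table, $rmfilter);
+if (array_key_exists('rmfilter', $params)) {
+$db->deleteBVTableContent($table, $params['rmfilter']);
 }
 $this->insertIPs($bvTable, $fields, $values);
 $resp = array("offset" => $this->getIPStoreOffset($bvTable, $auto_increment_offset));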
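Review bot: Switching from `if ($rmfilter)` to `array_key_exists('rmfilter', $params)` changes when the delete runs: a request carrying `rmfilter` with an empty string, `0` or `null` previously skipped `deleteBVTableContent` and now calls it with that empty filter, which — depending on how `deleteBVTableContent` builds its WHERE clause (not visible here) — may clear the whole table. Guarding on a non-empty value keeps the old safety, e.g. `if (isset($params['rmfilter']) && $params['rmfilter'] !== '') {`. Note also that the delete targets `$table` while the insert on the next line uses `$bvTable`; both are defined outside the hunk, so confirm they name the same table. The enclosing `process()` body starts and ends outside the hunk.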
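--- a/callback/wings/lp.php
+++ b/callback/wings/lp.php
@@ -1,74 +0,0 @@
-<?php
-
-if (!defined('ABSPATH')) exit;
-if (!class_exists('BVLoginProtectCallback')) :
-
-require_once dirname( __FILE__ ) . '/../../protect/wp_lp/lp.php';
-
-class BVLoginProtectCallback extends BVCallbackBase {
-public $db;
-public $settings;
-
-public function __construct($callback_handler) {
-$this->db = $callback_handler->db;
-$this->settings = $callback_handler->settings;
-}
-
-public function unBlockLogins() {
-$this->settings->deleteTransient('bvlp_block_logins');
-$this->settings->setTransient('bvlp_allow_logins', 'true', 1800);
-return $this->settings->getTransient('bvlp_allow_logins');
-}
-
-public function blockLogins($time) {
-$this->settings->deleteTransient('bvlp_allow_logins');
-$this->settings->setTransient('bvlp_block_logins', 'true', $time);
-return $this->settings->getTransient('bvlp_block_logins');
-}
-
-public function unBlockIP($ip, $attempts, $time) {
-$transient_name = BVWPLP::$unblock_ip_transient.$ip;
-$this->settings->setTransient($transient_name, $attempts, $time);
-return $this->settings->getTransient($transient_name);
-}
-
-public function process($request) {
-$params = $request->params;
-$config = new BVWPLPConfig($this->db, $this->settings);
-switch ($request->method) {
-case "clrconfig":
-$resp = array("clearconfig" => $config->clear());
-break;
-case "setmode":
-$config->setMode($params['mode']);
-$resp = array("setmode" => $config->getMode());
-break;
-case "setcaptchalimit":
-$config->setCaptchaLimit($params['captcha_limit']);
-$resp = array("captcha_limit" => $config->getCaptchaLimit());
-break;
-case "settmpblklimit":
-$config->setTempBlockLimit($params['temp_block_limit']);
-$resp = array("temp_block_limit" => $config->getTempBlockLimit());
-break;
-case "setblkalllimit":
-$config->setBlockAllLimit($params['block_all_limit']);
-$resp = array("block_all_limit" => $config->getBlockAllLimit());
-break;
-case "unblklogins":
-$resp = array("unblocklogins" => $this->unBlockLogins());
-break;
-case "blklogins":
-$time = array_key_exists('time', $params) ? $params['time'] : 1800;
-$resp = array("blocklogins" => $this->blockLogins($time));
-break;
-case "unblkip":
-$resp = array("unblockip" => $this->unBlockIP($params['ip'], $params['attempts'], $params['time']));
-break;
-default:
-$resp = false;
-}
-return $resp;
-}
-}
-endif;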
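--- a/callback/wings/misc.php
+++ b/callback/wings/misc.php
@@ -23,9 +23,9 @@ class BVMiscCallback extends BVCallbackBase {
 switch ($request->method) {
 case "dummyping":
 $resp = array();
-$resp = array_merge($resp, $this->siteinfo->respInfo());
-$resp = array_merge($resp, $this->account->respInfo());
-$resp = array_merge($resp, $this->bvinfo->respInfo());
+$resp = array_merge($resp, $this->siteinfo->info());
+$resp = array_merge($resp, $this->account->info());
+$resp = array_merge($resp, $this->bvinfo->info());
 break;
 case "enablebadge":
 $option = $bvinfo->badgeinfo;
@@ -52,14 +52,6 @@ class BVMiscCallback extends BVCallbackBase {
 $settings->deleteOption('bvdynplug');
 $resp = array("unsetdynplug" => $settings->getOption('bvdynplug'));
 break;
-case "setptplug":
-$settings->updateOption('bvptplug', $params['ptplug']);
-$resp = array("setptplug" => $settings->getOption('bvptplug'));
-break;
-case "unsetptplug":
-$settings->deleteOption('bvptlug');
-$resp = array("unsetptplug" => $settings->getOption('bvptlug'));
-break;
 case "wpupplgs":
 $resp = array("wpupdateplugins" => wp_update_plugins());
 break;
@@ -69,10 +61,6 @@ class BVMiscCallback extends BVCallbackBase {
 case "wpupcre":
 $resp = array("wpupdatecore" => wp_version_check());
 break;
-case "rmmonitime":
-$this->settings->deleteOption('bvmonittime');
-$resp = array("rmmonitime" => !$bvinfo->getMonitTime());
-break;
 case "phpinfo":
 phpinfo();
 die();
@@ -86,4 +74,4 @@ class BVMiscCallback extends BVCallbackBase {
 return $resp;
 }
 }
-endif;
+endif;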
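--- a/callback/wings/protect.php
+++ b/callback/wings/protect.php
@@ -3,7 +3,9 @@
 if (!defined('ABSPATH')) exit;
 if (!class_exists('BVProtectCallback')) :
 
-require_once dirname( __FILE__ ) . '/../../protect/protect.php';
+require_once dirname( __FILE__ ) . '/../../protect/wp/protect.php';
+require_once dirname( __FILE__ ) . '/../../protect/fw/config.php';
+require_once dirname( __FILE__ ) . '/../../protect/wp/lp/config.php';
 
 class BVProtectCallback extends BVCallbackBase {
 public $db;
@@ -14,10 +16,40 @@ class BVProtectCallback extends BVCallbackBase {
 $this->settings = $callback_handler->settings;
 }
 
+public function serverConfig() {
+return array(
+'software' => $_SERVER['SERVER_SOFTWARE'],
+'sapi' => (function_exists('php_sapi_name')) ? php_sapi_name() : false,
+'has_apache_get_modules' => function_exists('apache_get_modules'),
+'posix_getuid' => (function_exists('posix_getuid')) ? posix_getuid() : null,
+'uid' => (function_exists('getmyuid')) ? getmyuid() : null,
+'user_ini' => ini_get('user_ini.filename'),
+'php_major_version' => PHP_MAJOR_VERSION
+);
+}
+
+public function unBlockLogins() {
+$this->settings->deleteTransient('bvlp_block_logins');
+$this->settings->setTransient('bvlp_allow_logins', 'true', 1800);
+return $this->settings->getTransient('bvlp_allow_logins');
+}
+
+public function blockLogins($time) {
+$this->settings->deleteTransient('bvlp_allow_logins');
+$this->settings->setTransient('bvlp_block_logins', 'true', $time);
+return $this->settings->getTransient('bvlp_block_logins');
+}
+
+public function unBlockIP($ip, $attempts, $time) {
+$transient_name = BVWPLP::$unblock_ip_transient.$ip;
+$this->settings->setTransient($transient_name, $attempts, $time);
+return $this->settings->getTransient($transient_name);
+}
+
 public function process($request) {
 $bvinfo = new BVInfo($this->settings);
-$protect = new BVProtect($this->db, $this->settings);
 $params = $request->params;
+
 switch ($request->method) {
 case "gtipprobeinfo":
 $resp = array();
@@ -31,41 +63,52 @@ class BVProtectCallback extends BVCallbackBase {
 }
 }
 $resp["hdrsinfo"] = $hdrsinfo;
-if ($iphdr = $this->settings->getOption($bvinfo->ip_header_option)) {
-$resp["iphdr"] = $iphdr;
-}
+break;
+case "gtptcnf":
+$resp = array('conf' => $this->settings->getOption('bvptconf'));
+break;
+case "clrcnf":
+$this->settings->deleteOption('bvptconf');
+$this->settings->deleteOption('bvptplug');
+$resp = array("clearconfig" => true);
+break;
+case "docnf":
+$this->settings->updateOption('bvptconf', $params['conf']);
+$resp = array('conf' => $this->settings->getOption('bvptconf'));
 break;
 case "gtraddr":
 $raddr = array_key_exists('REMOTE_ADDR', $_SERVER) ? $_SERVER['REMOTE_ADDR'] : false;
 $resp = array("raddr" => $raddr);
 break;
-case "gtallhdrs":
-$data = (function_exists('getallheaders')) ? getallheaders() : false;
-$resp = array("allhdrs" => $data);
+case "svrcnf":
+$resp = array("serverconfig" => $this->serverConfig());
+break;
+case "setptplug":
+$this->settings->updateOption('bvptplug', $params['ptplug']);
+$resp = array("setptplug" => $this->settings->getOption('bvptplug'));
 break;
-case "gtsvr":
-$resp = array("svr" => $_SERVER);
+case "unsetptplug":
+$this->settings->deleteOption('bvptlug');
+$resp = array("unsetptplug" => $this->settings->getOption('bvptlug'));
 break;
-case "gtip":
-$resp = array("ip" => $protect->getIP());
+case "unblklogins":
+$resp = array("unblocklogins" => $this->unBlockLogins());
 break;
-case "stiphdr":
-$option_name = $bvinfo->ip_header_option;
-$iphdr = array('hdr' => $params['hdr'], 'pos' => $params['pos']);
-$this->settings->updateOption($option_name, $iphdr);
-$resp = array("iphdr" => $this->settings->getOption($option_name));
+case "blklogins":
+$time = array_key_exists('time', $params) ? $params['time'] : 1800;
+$resp = array("blocklogins" => $this->blockLogins($time));
 break;
-case "gtiphdr":
-$resp = array("iphdr" => $this->settings->getOption($bvinfo->ip_header_option));
+case "unblkip":
+$resp = array("unblockip" => $this->unBlockIP($params['ip'], $params['attempts'], $params['time']));
 break;
-case "rmiphdr":
-$option_name = $bvinfo->ip_header_option;
-$this->settings->deleteOption($option_name);
-$resp = array("iphdr" => $this->settings->getOption($option_name));
+case "rmwatchtime":
+$this->settings->deleteOption('bvwatchtime');
+$resp = array("rmwatchtime" => !$bvinfo->getWatchTime());
 break;
 default:
 $resp = false;
 }
+
 return $resp;
 }
 }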
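Review bot: The `unsetptplug` case deletes and re-reads the option `'bvptlug'` while `setptplug` writes `'bvptplug'`; the typo (carried over from the removed misc.php handler) means the unset never removes the option that was set, and `getOption('bvptlug')` is always empty, so the caller is told the unset succeeded when nothing changed — both lines should read `'bvptplug'`, matching the `clrcnf` case above. `serverConfig()` reads `$_SERVER['SERVER_SOFTWARE']` with no key check, unlike the `gtraddr` case a few lines below and the `SERVER_ADDR` guard added in info.php; use `'software' => array_key_exists('SERVER_SOFTWARE', $_SERVER) ? $_SERVER['SERVER_SOFTWARE'] : null,`. `unBlockIP()` concatenates the raw `$params['ip']` into a transient name, so a `filter_var($ip, FILTER_VALIDATE_IP)` check before building the name would keep option names bounded and well-formed. The `docnf` case stores `$params['conf']` as-is; whatever consumes `bvptconf` must treat every field as untrusted.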
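--- a/callback/wings/monit.php
+++ b/callback/wings/watch.php
@@ -1,9 +1,9 @@
 <?php
 
 if (!defined('ABSPATH')) exit;
-if (!class_exists('BVMonitCallback')) :
+if (!class_exists('BVWatchCallback')) :
 
-class BVMonitCallback extends BVCallbackBase {
+class BVWatchCallback extends BVCallbackBase {
 public $db;
 public $settings;
 
@@ -31,20 +31,65 @@ class BVMonitCallback extends BVCallbackBase {
 return $this->db->deleteBVTableContent($name, $filter);
 }
 
-public function setMonitTime() {
-return $this->settings->updateOption('bvmonittime', time());
+public function setWatchTime() {
+return $this->settings->updateOption('bvwatchtime', time());
+}
+
+public function getFWPrependLog($params) {
+$result = array();
+$fname = $params['fname'];
+$limit = intval($params['limit']);
+
+if (file_exists($fname)) {
+
+$result['exists'] = true;
+$tmpfname = $fname."tmp";
+
+if (!@rename($fname, $tmpfname)) {
+
+$result = array('status' => 'Error', 'message' => 'UNABLE_TO_RENAME_LOGFILE');
+
+} else {
+
+if (file_exists($tmpfname)) {
+
+$fsize = filesize($tmpfname);
+$result["size"] = $fsize;
+
+if ($fsize <= $limit) {
+
+$result['content'] = file_get_contents($tmpfname);
+
+} else {
+$handle = fopen($tmpfname, "rb");
+$result['content'] = fread($handle, $limit);
+$result['incomplete'] = true;
+fclose($handle);
+}
+
+$result['tmpfile'] = unlink($tmpfname);
+} else {
+$result['tmpfile'] = 'DOES_NOT_EXISTS';
+}
+
+}
+}
+
+return $result;
 }
 
 public function process($request) {
 $db = $this->db;
 $settings = $this->settings;
-$this->setMonitTime();
+$this->setWatchTime();
 $params = $request->params;
+
 switch ($request->method) {
 case "getdata":
 $resp = array();
+
 if (array_key_exists('lp', $params)) {
-require_once dirname( __FILE__ ) . '/../../protect/wp_lp/config.php';
+require_once dirname( __FILE__ ) . '/../../protect/wp/lp/config.php';
 $lp_params = $params['lp'];
 $limit = intval(urldecode($lp_params['limit']));
 $filter = urldecode($lp_params['filter']);
@@ -52,15 +97,22 @@ class BVMonitCallback extends BVCallbackBase {
 $table = $db->getBVTable(BVWPLPConfig::$requests_table);
 $resp["lplogs"] = $this->getData($table, $limit, $filter);
 }
+
+if (array_key_exists('prelog', $params)) {
+$prelog_params = $params['prelog'];
+$resp["prelog"] = $this->getFWPrependLog($prelog_params);
+}
+
 if (array_key_exists('fw', $params)) {
-require_once dirname( __FILE__ ) . '/../../protect/wp_fw/config.php';
+require_once dirname( __FILE__ ) . '/../../protect/fw/config.php';
 $fw_params = $params['fw'];
 $limit = intval(urldecode($fw_params['limit']));
 $filter = urldecode($fw_params['filter']);
-$db->deleteBVTableContent(BVWPFWConfig::$requests_table, $fw_params['rmfilter']);
-$table = $db->getBVTable(BVWPFWConfig::$requests_table);
+$db->deleteBVTableContent(BVFWConfig::$requests_table, $fw_params['rmfilter']);
+$table = $db->getBVTable(BVFWConfig::$requests_table);
 $resp["fwlogs"] = $this->getData($table, $limit, $filter);
 }
+
 if (array_key_exists('dynevent', $params)) {
 require_once dirname( __FILE__ ) . '/../../wp_dynsync.php';
 $isdynsyncactive = $settings->getOption('bvDynSyncActive');
@@ -76,6 +128,7 @@ class BVMonitCallback extends BVCallbackBase {
 $resp["status"] = true;
 }
 }
+
 $resp["status"] = "done";
 break;
 case "rmdata":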
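Review bot: `getFWPrependLog()` takes `$params['fname']` straight from the request and then renames, reads and unlinks whatever path it names, which makes it a read-and-delete of any file the web user can write to rather than of the firewall prepend log only; derive the path from configuration, or resolve it with `realpath()` and require it to sit under the expected log directory, before the `file_exists` check. In the over-limit branch the `fopen` result is never checked and `fread($handle, $limit)` is an error for `$limit <= 0`, so `$handle === false` should route to the error result and the limit should be clamped, e.g. `$limit = max(1, intval($params['limit']));`. The `@` on `rename` only hides the reason for a failure that the code already tests through the return value, so it can be dropped. `getFWPrependLog()` is complete within the hunk; the `getdata` case it is called from continues outside it.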
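--- a/info.php
+++ b/info.php
@@ -9,17 +9,23 @@ if (!class_exists('BVInfo')) :
 public $badgeinfo = 'bvbadge';
 public $ip_header_option = 'bvipheader';
 public $brand_option = 'bvbrand';
-public $version = '3.4';
+public $version = '4.2';
 public $webpage = 'https://blogvault.net';
 public $appurl = 'https://app.blogvault.net';
 public $slug = 'blogvault-real-time-backup/blogvault.php';
 public $plug_redirect = 'bvredirect';
 public $logo = '../img/bvlogo.png';
+public $brand_icon = '/img/icon.png';
 
 public function __construct($settings) {
 $this->settings = $settings;
 }
 
+public function canOverrideCW() {
+$scanOption = $this->settings->getOption('bvoverridecw');
+return (isset($scanOption) && $scanOption == 1);
+}
+
 public function getBrandInfo() {
 return $this->settings->getOption($this->brand_option);
 }
@@ -29,11 +35,20 @@ if (!class_exists('BVInfo')) :
 if ($brand && array_key_exists('menuname', $brand)) {
 return $brand['menuname'];
 }
+
 return $this->brandname;
 }
 
-public function getMonitTime() {
-$time = $this->settings->getOption('bvmonittime');
+public function getBrandIcon() {
+$brand = $this->getBrandInfo();
+if ($brand && array_key_exists('brand_icon', $brand)) {
+return $brand['brand_icon'];
+}
+return $this->brand_icon;
+}
+
+public function getWatchTime() {
+$time = $this->settings->getOption('bvwatchtime');
 return ($time ? $time : 0);
 }
 
@@ -48,10 +63,10 @@ if (!class_exists('BVInfo')) :
 return $this->appurl;
 }
 }
-
+
 public function isActivePlugin() {
 $expiry_time = time() - (3 * 24 * 3600);
-return ($this->getMonitTime() > $expiry_time);
+return ($this->getWatchTime() > $expiry_time);
 }
 
 public function isProtectModuleEnabled() {
@@ -63,6 +78,7 @@ if (!class_exists('BVInfo')) :
 return ($this->settings->getOption('bvdynplug') === $this->plugname) &&
 $this->isActivePlugin();
 }
+
 public function isActivateRedirectSet() {
 return ($this->settings->getOption($this->plug_redirect) === 'yes') ? true : false;
 }
@@ -75,10 +91,11 @@ if (!class_exists('BVInfo')) :
 return $this->getBrandName() === 'BlogVault';
 }
 
-public function respInfo() {
+public function info() {
 return array(
 "bvversion" => $this->version,
-"sha1" => "true"
+"sha1" => "true",
+"plugname" => $this->plugname
 );
 }
 }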
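Review bot: `canOverrideCW()` uses loose equality, `$scanOption == 1`, which also accepts `true`, `1.0`, `'1'` and, on PHP before 8.0, any string that starts with a digit 1 such as `'1x'`; the `isset()` on a local that was just assigned only filters `null`, so it adds nothing. Since this flag gates an override of the site's own configuration, a strict form is preferable, `return intval($scanOption) === 1;` (or `$scanOption === 1 || $scanOption === '1'`), in line with the `=== 'yes'` comparison `isActivateRedirectSet()` already uses below. The class continues outside the hunk.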
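--- a/protect/base.php
+++ b/protect/base.php
@@ -0,0 +1,29 @@
+<?php
+if (! (defined('ABSPATH') || defined('MCDATAPATH')) ) exit;
+if (!class_exists('BVProtectBase')) :
+
+class BVProtectBase {
+public static function getIP($ipHeader) {
+$ip = '127.0.0.1';
+if ($ipHeader && is_array($ipHeader)) {
+if (array_key_exists($ipHeader['hdr'], $_SERVER)) {
+$_ips = preg_split("/(,| |\t)/", $_SERVER[$ipHeader['hdr']]);
+if (array_key_exists(intval($ipHeader['pos']), $_ips)) {
+$ip = $_ips[intval($ipHeader['pos'])];
+}
+}
+} else if (array_key_exists('REMOTE_ADDR', $_SERVER)) {
+$ip = $_SERVER['REMOTE_ADDR'];
+}
+
+$ip = trim($ip);
+if (preg_match('/^\[([0-9a-fA-F:]+)\](:[0-9]+)$/', $ip, $matches)) {
+$ip = $matches[1];
+} elseif (preg_match('/^([0-9.]+)(:[0-9]+)$/', $ip, $matches)) {
+$ip = $matches[1];
+}
+
+return $ip;
+}
+}
+endif;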
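Review bot: `preg_split("/(,| |\t)/", ...)` without `PREG_SPLIT_NO_EMPTY` yields empty strings between adjacent separators, so a header in the usual `ip1, ip2` form splits into `['ip1', '', 'ip2']` and a configured `pos` of 1 returns an empty `$ip`; use `$_ips = preg_split('/[,\s]+/', $_SERVER[$ipHeader['hdr']], -1, PREG_SPLIT_NO_EMPTY);`. The selected token is returned without validation, so whatever the configured header carries becomes the client address used by the firewall and login-protection code; a final `filter_var($ip, FILTER_VALIDATE_IP)` check, falling back to `REMOTE_ADDR` when it fails, would keep malformed values out of those tables. The default of `'127.0.0.1'` when the configured header is missing makes such a request look local, so confirm that no downstream rule treats loopback as trusted. `$ipHeader['hdr']` and `$ipHeader['pos']` are also read without `array_key_exists` checks on the config array.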
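--- a/protect/fw/config.php
+++ b/protect/fw/config.php
@@ -0,0 +1,117 @@
+<?php
+
+if (! (defined('ABSPATH') || defined('MCDATAPATH')) ) exit;
+if (!class_exists('BVFWConfig')) :
+
+class BVFWConfig {
+public $mode;
+public $requestProfilingMode;
+public $roleLevel;
+public $ipCookieMode;
+public $adminCookieMode;
+public $bypassLevel;
+public $customRoles;
+public $cookieKey;
+public $cookiePath;
+public $cookieDomain;
+public $loggingMode;
+
+public static $requests_table = 'fw_requests';
+public static $roleLevels = array(
+'administrator' => BVFWConfig::ROLE_LEVEL_ADMIN,
+'editor' => BVFWConfig::ROLE_LEVEL_EDITOR,
+'author' => BVFWConfig::ROLE_LEVEL_AUTHOR,
+'contributor' => BVFWConfig::ROLE_LEVEL_CONTRIBUTOR,
+'subscriber' => BVFWConfig::ROLE_LEVEL_SUBSCRIBER
+);
+
+function __construct($confHash) {
+$this->mode = array_key_exists('mode', $confHash) ? intval($confHash['mode']) : BVFWConfig::DISABLED;
+$this->requestProfilingMode = array_key_exists('reqprofilingmode', $confHash) ? intval($confHash['reqprofilingmode']) : BVFWConfig::REQ_PROFILING_MODE_DISABLED;
+$this->ipCookieMode = array_key_exists('ipcookiemode', $confHash) ? intval($confHash['ipcookiemode']) : BVFWConfig::IP_COOKIE_MODE_DISABLED;
+$this->adminCookieMode = array_key_exists('admincookiemode', $confHash) ? intval($confHash['admincookiemode']) : BVFWConfig::ADMIN_COOKIE_MODE_DISABLED;
+$this->loggingMode = array_key_exists('loggingmode', $confHash) ? intval($confHash['loggingmode']) : BVFWConfig::LOGGING_MODE_VISITOR;
+$this->bypassLevel = array_key_exists('bypasslevel', $confHash) ? intval($confHash['bypasslevel']) : BVFWConfig::ROLE_LEVEL_CONTRIBUTOR;
+$this->customRoles = array_key_exists('customroles', $confHash) ? $confHash['customroles'] : array();
+$this->cookieKey = array_key_exists('cookiekey', $confHash) ? $confHash['cookiekey'] : "";
+$this->cookiePath = array_key_exists('cookiepath', $confHash) ? $confHash['cookiepath'] : "";
+$this->cookieDomain = array_key_exists('cookiedomain', $confHash) ? $confHash['cookiedomain'] : "";
+}
+
+#mode
+const DISABLED = 1;
+const AUDIT = 2;
+const PROTECT = 3;
+
+#Request Profiling Mode
+const REQ_PROFILING_MODE_DISABLED = 1;
+const REQ_PROFILING_MODE_NORMAL = 2;
+const REQ_PROFILING_MODE_DEBUG = 3;
+
+#IP Cookie Mode
+const IP_COOKIE_MODE_ENABLED = 1;
+const IP_COOKIE_MODE_DISABLED = 2;
+
+#Admin Cookie Mode
+const ADMIN_COOKIE_MODE_ENABLED = 1;
+const ADMIN_COOKIE_MODE_DISABLED = 2;
+
+#Role Level
+const ROLE_LEVEL_SUBSCRIBER = 1;
+const ROLE_LEVEL_CONTRIBUTOR = 2;
+const ROLE_LEVEL_AUTHOR = 3;
+const ROLE_LEVEL_EDITOR = 4;
+const ROLE_LEVEL_ADMIN = 5;
+const ROLE_LEVEL_CUSTOM = 6;
+
+#WebServer Conf Mode
+const MODE_APACHEMODPHP = 1;
+const MODE_APACHESUPHP = 2;
+const MODE_CGI_FASTCGI = 3;
+const MODE_NGINX = 4;
+const MODE_LITESPEED = 5;
+const MODE_IIS = 6;
+
+#Logging Mode
+const LOGGING_MODE_VISITOR = 1;
+const LOGGING_MODE_COMPLETE = 2;
+const LOGGING_MODE_DISABLED = 3;
+
+
+#Valid mc_data filenames
+public static $validMcDataFilenames = array('mc.conf', 'mc_ips.conf');
+public static $validDeletableFiles = array('mc.conf', 'mc_ips.conf', 'malcare-waf.php', 'mc.log', 'mc_data');
+
+public function isActive() {
+return ($this->mode !== BVFWConfig::DISABLED);
+}
+
+public function isProtecting() {
+return ($this->mode === BVFWConfig::PROTECT);
+}
+
+public function isAuditing() {
+return ($this->mode === BVFWConfig::AUDIT);
+}
+
+public function isReqProfilingModeDebug() {
+return ($this->requestProfilingMode === BVFWConfig::REQ_PROFILING_MODE_DEBUG);
+}
+
+public function canProfileReqInfo() {
+return ($this->requestProfilingMode !== BVFWConfig::REQ_PROFILING_MODE_DISABLED);
+}
+
+public function isCompleteLoggingEnabled() {
+return ($this->loggingMode === BVFWConfig::LOGGING_MODE_COMPLETE);
+}
+
+public function isVisitorLoggingEnabled() {
+return ($this->loggingMode === BVFWConfig::LOGGING_MODE_VISITOR);
+}
+
+public function isLoggingDisabled() {
+return ($this->loggingMode === BVFWConfig::LOGGING_MODE_DISABLED);
+}
+}
+endif;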
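Review bot: The constructor at line 28 defaults `cookieKey` to `""` when `cookiekey` is absent from the hash, and nothing afterwards distinguishes "not configured" from a real key; fw.php derives both the bypass cookie and the IP cookie from this key, so the empty default makes those values derivable from public inputs. I would either add `public function hasCookieKey() { return $this->cookieKey !== ''; }` so fw.php can refuse cookie-based bypass without a key, or document the contract on the property with `// cookiekey must come from the server-side config; an empty key must disable cookie-based bypass`. `customRoles` is likewise stored unchecked while fw.php iterates it with `foreach`, so `is_array($confHash['customroles']) ? $confHash['customroles'] : array()` is safer. As a point of style, `function __construct` here (and in prepend/info.php, prepend/ipstore.php and prepend/logger.php) lacks an explicit `public`, and `BVFWConfig::` inside the class body would read better as `self::`.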
protect/fw/fw.php ADDED
@@ -0,0 +1,347 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if (! (defined('ABSPATH') || defined('MCDATAPATH')) ) exit;
4
+ if (!class_exists('BVFW')) :
5
+
6
+ class BVFW {
7
+ public $bvinfo;
8
+ public $request;
9
+ public $config;
10
+ public $ipstore;
11
+ public $category;
12
+ public $logger;
13
+
14
+ const SQLIREGEX = '/(?:[^\\w<]|\\/\\*\\![0-9]*|^)(?:
15
+ @@HOSTNAME|
16
+ ALTER|ANALYZE|ASENSITIVE|
17
+ BEFORE|BENCHMARK|BETWEEN|BIGINT|BINARY|BLOB|
18
+ CALL|CASE|CHANGE|CHAR|CHARACTER|CHAR_LENGTH|COLLATE|COLUMN|CONCAT|CONDITION|CONSTRAINT|CONTINUE|CONVERT|CREATE|CROSS|CURRENT_DATE|CURRENT_TIME|CURRENT_TIMESTAMP|CURRENT_USER|CURSOR|
19
+ DATABASE|DATABASES|DAY_HOUR|DAY_MICROSECOND|DAY_MINUTE|DAY_SECOND|DECIMAL|DECLARE|DEFAULT|DELAYED|DELETE|DESCRIBE|DETERMINISTIC|DISTINCT|DISTINCTROW|DOUBLE|DROP|DUAL|DUMPFILE|
20
+ EACH|ELSE|ELSEIF|ELT|ENCLOSED|ESCAPED|EXISTS|EXIT|EXPLAIN|EXTRACTVALUE|
21
+ FETCH|FLOAT|FLOAT4|FLOAT8|FORCE|FOREIGN|FROM|FULLTEXT|
22
+ GRANT|GROUP|HAVING|HEX|HIGH_PRIORITY|HOUR_MICROSECOND|HOUR_MINUTE|HOUR_SECOND|
23
+ IFNULL|IGNORE|INDEX|INFILE|INNER|INOUT|INSENSITIVE|INSERT|INTERVAL|ISNULL|ITERATE|
24
+ JOIN|KILL|LEADING|LEAVE|LIMIT|LINEAR|LINES|LOAD|LOAD_FILE|LOCALTIME|LOCALTIMESTAMP|LOCK|LONG|LONGBLOB|LONGTEXT|LOOP|LOW_PRIORITY|
25
+ MASTER_SSL_VERIFY_SERVER_CERT|MATCH|MAXVALUE|MEDIUMBLOB|MEDIUMINT|MEDIUMTEXT|MID|MIDDLEINT|MINUTE_MICROSECOND|MINUTE_SECOND|MODIFIES|
26
+ NATURAL|NO_WRITE_TO_BINLOG|NULL|NUMERIC|OPTION|ORD|ORDER|OUTER|OUTFILE|
27
+ PRECISION|PRIMARY|PRIVILEGES|PROCEDURE|PROCESSLIST|PURGE|
28
+ RANGE|READ_WRITE|REGEXP|RELEASE|REPEAT|REQUIRE|RESIGNAL|RESTRICT|RETURN|REVOKE|RLIKE|ROLLBACK|
29
+ SCHEMA|SCHEMAS|SECOND_MICROSECOND|SELECT|SENSITIVE|SEPARATOR|SHOW|SIGNAL|SLEEP|SMALLINT|SPATIAL|SPECIFIC|SQLEXCEPTION|SQLSTATE|SQLWARNING|SQL_BIG_RESULT|SQL_CALC_FOUND_ROWS|SQL_SMALL_RESULT|STARTING|STRAIGHT_JOIN|SUBSTR|
30
+ TABLE|TERMINATED|TINYBLOB|TINYINT|TINYTEXT|TRAILING|TRANSACTION|TRIGGER|
31
+ UNDO|UNHEX|UNION|UNLOCK|UNSIGNED|UPDATE|UPDATEXML|USAGE|USING|UTC_DATE|UTC_TIME|UTC_TIMESTAMP|
32
+ VALUES|VARBINARY|VARCHAR|VARCHARACTER|VARYING|WHEN|WHERE|WHILE|WRITE|YEAR_MONTH|ZEROFILL)(?=[^\\w]|$)/ix';
33
+
34
+ const XSSREGEX = '/(?:
35
+ #tags
36
+ (?:\\<|\\+ADw\\-|\\xC2\\xBC)(script|iframe|svg|object|embed|applet|link|style|meta|\\/\\/|\\?xml\\-stylesheet)(?:[^\\w]|\\xC2\\xBE)|
37
+ #protocols
38
+ (?:^|[^\\w])(?:(?:\\s*(?:&\\#(?:x0*6a|0*106)|j)\\s*(?:&\\#(?:x0*61|0*97)|a)\\s*(?:&\\#(?:x0*76|0*118)|v)\\s*(?:&\\#(?:x0*61|0*97)|a)|\\s*(?:&\\#(?:x0*76|0*118)|v)\\s*(?:&\\#(?:x0*62|0*98)|b)|\\s*(?:&\\#(?:x0*65|0*101)|e)\\s*(?:&\\#(?:x0*63|0*99)|c)\\s*(?:&\\#(?:x0*6d|0*109)|m)\\s*(?:&\\#(?:x0*61|0*97)|a)|\\s*(?:&\\#(?:x0*6c|0*108)|l)\\s*(?:&\\#(?:x0*69|0*105)|i)\\s*(?:&\\#(?:x0*76|0*118)|v)\\s*(?:&\\#(?:x0*65|0*101)|e))\\s*(?:&\\#(?:x0*73|0*115)|s)\\s*(?:&\\#(?:x0*63|0*99)|c)\\s*(?:&\\#(?:x0*72|0*114)|r)\\s*(?:&\\#(?:x0*69|0*105)|i)\\s*(?:&\\#(?:x0*70|0*112)|p)\\s*(?:&\\#(?:x0*74|0*116)|t)|\\s*(?:&\\#(?:x0*6d|0*109)|m)\\s*(?:&\\#(?:x0*68|0*104)|h)\\s*(?:&\\#(?:x0*74|0*116)|t)\\s*(?:&\\#(?:x0*6d|0*109)|m)\\s*(?:&\\#(?:x0*6c|0*108)|l)|\\s*(?:&\\#(?:x0*6d|0*109)|m)\\s*(?:&\\#(?:x0*6f|0*111)|o)\\s*(?:&\\#(?:x0*63|0*99)|c)\\s*(?:&\\#(?:x0*68|0*104)|h)\\s*(?:&\\#(?:x0*61|0*97)|a)|\\s*(?:&\\#(?:x0*64|0*100)|d)\\s*(?:&\\#(?:x0*61|0*97)|a)\\s*(?:&\\#(?:x0*74|0*116)|t)\\s*(?:&\\#(?:x0*61|0*97)|a)(?!(?:&\\#(?:x0*3a|0*58)|\\:)(?:&\\#(?:x0*69|0*105)|i)(?:&\\#(?:x0*6d|0*109)|m)(?:&\\#(?:x0*61|0*97)|a)(?:&\\#(?:x0*67|0*103)|g)(?:&\\#(?:x0*65|0*101)|e)(?:&\\#(?:x0*2f|0*47)|\\/)(?:(?:&\\#(?:x0*70|0*112)|p)(?:&\\#(?:x0*6e|0*110)|n)(?:&\\#(?:x0*67|0*103)|g)|(?:&\\#(?:x0*62|0*98)|b)(?:&\\#(?:x0*6d|0*109)|m)(?:&\\#(?:x0*70|0*112)|p)|(?:&\\#(?:x0*67|0*103)|g)(?:&\\#(?:x0*69|0*105)|i)(?:&\\#(?:x0*66|0*102)|f)|(?:&\\#(?:x0*70|0*112)|p)?(?:&\\#(?:x0*6a|0*106)|j)(?:&\\#(?:x0*70|0*112)|p)(?:&\\#(?:x0*65|0*101)|e)(?:&\\#(?:x0*67|0*103)|g)|(?:&\\#(?:x0*74|0*116)|t)(?:&\\#(?:x0*69|0*105)|i)(?:&\\#(?:x0*66|0*102)|f)(?:&\\#(?:x0*66|0*102)|f)|(?:&\\#(?:x0*73|0*115)|s)(?:&\\#(?:x0*76|0*118)|v)(?:&\\#(?:x0*67|0*103)|g)(?:&\\#(?:x0*2b|0*43)|\\+)(?:&\\#(?:x0*78|0*120)|x)(?:&\\#(?:x0*6d|0*109)|m)(?:&\\#(?:x0*6c|0*108)|l))(?:(?:&\\#(?:x0*3b|0*59)|;)(?:&\\#(?:x0*63|0*99)|c)(?:&\\#(?:x0*68|0*104)|h)(?:&\\#(?:x0*61|0*97)|a)(?:&\\#(?:x0*72|0*114)|r)(?:&\\#(?:x0*73|0*115)|s)(?:&\\#(?:x0*65|0*101)|e)(?:&\\#(
?:x0*74|0*116)|t)(?:&\\#(?:x0*3d|0*61)|=)[\\-a-z0-9]+)?(?:(?:&\\#(?:x0*3b|0*59)|;)(?:&\\#(?:x0*62|0*98)|b)(?:&\\#(?:x0*61|0*97)|a)(?:&\\#(?:x0*73|0*115)|s)(?:&\\#(?:x0*65|0*101)|e)(?:&\\#(?:x0*36|0*54)|6)(?:&\\#(?:x0*34|0*52)|4))?(?:&\\#(?:x0*2c|0*44)|,)))\\s*(?:&\\#(?:x0*3a|0*58)|&colon|\\:)|
39
+ #css expression
40
+ (?:^|[^\\w])(?:(?:\\\\0*65|\\\\0*45|e)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*78|\\\\0*58|x)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*70|\\\\0*50|p)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*72|\\\\0*52|r)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*65|\\\\0*45|e)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*73|\\\\0*53|s)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*73|\\\\0*53|s)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*69|\\\\0*49|i)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6f|\\\\0*4f|o)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6e|\\\\0*4e|n))[^\\w]*?(?:\\\\0*28|\\()|
41
+ #css properties
42
+ (?:^|[^\\w])(?:(?:(?:\\\\0*62|\\\\0*42|b)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*65|\\\\0*45|e)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*68|\\\\0*48|h)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*61|\\\\0*41|a)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*76|\\\\0*56|v)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*69|\\\\0*49|i)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6f|\\\\0*4f|o)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*72|\\\\0*52|r)(?:\\/\\*.*?\\*\\/)*)|(?:(?:\\\\0*2d|\\\\0*2d|-)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6d|\\\\0*4d|m)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6f|\\\\0*4f|o)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*7a|\\\\0*5a|z)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*2d|\\\\0*2d|-)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*62|\\\\0*42|b)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*69|\\\\0*49|i)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6e|\\\\0*4e|n)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*64|\\\\0*44|d)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*69|\\\\0*49|i)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6e|\\\\0*4e|n)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*67|\\\\0*47|g)(?:\\/\\*.*?\\*\\/)*))[^\\w]*(?:\\\\0*3a|\\\\0*3a|:)[^\\w]*(?:\\\\0*75|\\\\0*55|u)(?:\\\\0*72|\\\\0*52|r)(?:\\\\0*6c|\\\\0*4c|l)|
43
+ #properties
44
+ (?:^|[^\\w])(?:on(?:abort|activate|afterprint|afterupdate|autocomplete|autocompleteerror|beforeactivate|beforecopy|beforecut|beforedeactivate|beforeeditfocus|beforepaste|beforeprint|beforeunload|beforeupdate|blur|bounce|cancel|canplay|canplaythrough|cellchange|change|click|close|contextmenu|controlselect|copy|cuechange|cut|dataavailable|datasetchanged|datasetcomplete|dblclick|deactivate|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|durationchange|emptied|encrypted|ended|error|errorupdate|filterchange|finish|focus|focusin|focusout|formchange|forminput|hashchange|help|input|invalid|keydown|keypress|keyup|languagechange|layoutcomplete|load|loadeddata|loadedmetadata|loadstart|losecapture|message|mousedown|mouseenter|mouseleave|mousemove|mouseout|mouseover|mouseup|mousewheel|move|moveend|movestart|mozfullscreenchange|mozfullscreenerror|mozpointerlockchange|mozpointerlockerror|offline|online|page|pagehide|pageshow|paste|pause|play|playing|popstate|progress|propertychange|ratechange|readystatechange|reset|resize|resizeend|resizestart|rowenter|rowexit|rowsdelete|rowsinserted|scroll|search|seeked|seeking|select|selectstart|show|stalled|start|storage|submit|suspend|timer|timeupdate|toggle|unload|volumechange|waiting|webkitfullscreenchange|webkitfullscreenerror|wheel)|formaction|data\\-bind|ev:event)[^\\w]
45
+ )/ix';
46
+
47
+ const BYPASS_COOKIE = "bvfw-bypass-cookie";
48
+ const IP_COOKIE = "bvfw-ip-cookie";
49
+
50
+ public function __construct($logger, $confHash, $ip, $bvinfo, $ipstore) {
51
+ $this->config = new BVFWConfig($confHash);
52
+ $this->request = new BVWPRequest($ip);
53
+ $this->bvinfo = $bvinfo;
54
+ $this->ipstore = $ipstore;
55
+ $this->logger = $logger;
56
+ }
57
+
58
+ public function setcookie($name, $value, $expire) {
59
+ $path = $this->config->cookiePath;
60
+ $cookie_domain = $this->config->cookieDomain;
61
+
62
+ if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
63
+ $secure = function_exists('is_ssl') ? is_ssl() : false;
64
+ @setcookie($name, $value, $expire, $path, $cookie_domain, $secure, true);
65
+ } else {
66
+ @setcookie($name, $value, $expire, $path);
67
+ }
68
+ }
69
+
70
+ public function setBypassCookie() {
71
+ if (function_exists('is_user_logged_in') && is_user_logged_in() && !$this->hasValidBypassCookie()) {
72
+ $roleLevel = $this->getCurrentRoleLevel();
73
+ $bypassLevel = $this->config->bypassLevel;
74
+ if ($roleLevel >= $bypassLevel) {
75
+ $cookie = $this->generateBypassCookie();
76
+ $this->setcookie(BVFW::BYPASS_COOKIE, $cookie, time() + 43200);
77
+ }
78
+ }
79
+ }
80
+
81
+ public function generateBypassCookie() {
82
+ $time = floor(time() / 43200);
83
+ $bypassLevel = $this->config->bypassLevel;
84
+ $cookiekey = $this->config->cookieKey;
85
+ return sha1($bypassLevel.$time.$cookiekey);
86
+ }
87
+
88
+ public function hasValidBypassCookie() {
89
+ $cookie = (string) $this->request->getCookies(BVFW::BYPASS_COOKIE);
90
+ return ($this->canSetAdminCookie() && ($cookie === $this->generateBypassCookie()));
91
+ }
92
+
93
+ public function setIPCookie() {
94
+ if (!$this->request->getCookies(BVFW::IP_COOKIE)) {
95
+ $ip = $this->request->getIP();
96
+ $cookiekey = $this->config->cookieKey;
97
+ $time = floor(time() / 86400);
98
+ $cookie = sha1($ip.$time.$cookiekey);
99
+ $this->setcookie(BVFW::IP_COOKIE, $cookie, time() + 86400);
100
+ }
101
+ }
102
+
103
+ public function getBVCookies() {
104
+ $cookies = array();
105
+ if ($this->request->getCookies(BVFW::IP_COOKIE) !== NULL) {
106
+ $cookies[BVFW::IP_COOKIE] = (string) $this->request->getCookies(BVFW::IP_COOKIE);
107
+ }
108
+ return $cookies;
109
+ }
110
+
111
+ public function getCurrentRoleLevel() {
112
+ if (function_exists('current_user_can')) {
113
+ if (function_exists('is_super_admin') && is_super_admin()) {
114
+ return BVFWConfig::ROLE_LEVEL_ADMIN;
115
+ }
116
+ foreach ($this->config->customRoles as $role) {
117
+ if (current_user_can($role)) {
118
+ return BVFWConfig::ROLE_LEVEL_CUSTOM;
119
+ }
120
+ }
121
+ foreach (BVFWConfig::$roleLevels as $role => $level) {
122
+ if (current_user_can($role)) {
123
+ return $level;
124
+ }
125
+ }
126
+ }
127
+ return 0;
128
+ }
129
+
130
+ public function isActive() {
131
+ return $this->config->isActive();
132
+ }
133
+ public function canSetAdminCookie() {
134
+ return ($this->config->adminCookieMode === BVFWConfig::ADMIN_COOKIE_MODE_ENABLED);
135
+ }
136
+
137
+ public function canSetIPCookie() {
138
+ return ($this->config->ipCookieMode === BVFWConfig::IP_COOKIE_MODE_ENABLED);
139
+ }
140
+
141
+ public function setResponseCode() {
142
+ if (!function_exists('http_response_code')) {
143
+ return false;
144
+ }
145
+
146
+ $this->request->setRespCode(http_response_code());
147
+ return true;
148
+ }
149
+
150
+ public function canLog() {
151
+ $canlog = false;
152
+
153
+ if ($this->config->isCompleteLoggingEnabled()) {
154
+ $canlog = true;
155
+ } else if ($this->config->isVisitorLoggingEnabled()) {
156
+ $canlog = !$this->hasValidBypassCookie() &&
157
+ (!function_exists('is_user_logged_in') || !is_user_logged_in());
158
+ }
159
+ return $canlog;
160
+ }
161
+
162
+ public function log() {
163
+ if ($this->canLog()) {
164
+ $this->setResponseCode();
165
+ $this->logger->log($this->request->getDataToLog());
166
+ }
167
+ }
168
+
169
+ public function terminateRequest($category = BVWPRequest::NORMAL) {
170
+ $this->request->setCategory($category);
171
+ $this->request->setStatus(BVWPRequest::BLOCKED);
172
+ $this->request->setRespCode(403);
173
+ header("Cache-Control: no-cache, no-store, must-revalidate");
174
+ header("Pragma: no-cache");
175
+ header("Expires: 0");
176
+ header('HTTP/1.0 403 Forbidden');
177
+ $brandname = $this->bvinfo->getBrandName().' Firewall';
178
+ die("
179
+ <div style='height: 98vh;'>
180
+ <div style='text-align: center; padding: 10% 0; font-family: Arial, Helvetica, sans-serif;'>
181
+ <div><p>$brandname</p></div>
182
+ <p>Blocked because of Malicious Activities</p>
183
+ </div>
184
+ </div>
185
+ ");
186
+ }
187
+
188
+ public function isBlacklistedIP() {
189
+ return $this->ipstore->isFWIPBlacklisted($this->request->getIP());
190
+ }
191
+
192
+ public function isWhitelistedIP() {
193
+ return $this->ipstore->isFWIPWhitelisted($this->request->getIP());
194
+ }
195
+
196
+ public function canBypassFirewall() {
197
+ if ($this->isWhitelistedIP() || $this->hasValidBypassCookie()) {
198
+ $this->request->setCategory(BVWPRequest::WHITELISTED);
199
+ $this->request->setStatus(BVWPRequest::BYPASSED);
200
+ return true;
201
+ }
202
+ return false;
203
+ }
204
+
205
+ public function execute() {
206
+ if ($this->config->canProfileReqInfo()) {
207
+ $result = array();
208
+
209
+ if ($this->request->getMethod() === 'POST' &&
210
+ preg_match('/(admin-ajax.php|admin-post.php)$/', $this->request->getPath())) {
211
+ $result += $this->profileRequestInfo(array("action" => $this->request->getBody('action')),
212
+ true, 'BODY[');
213
+ }
214
+ $result += $this->profileRequestInfo($this->request->getBody(),
215
+ $this->config->isReqProfilingModeDebug(), 'BODY[');
216
+ $result += $this->profileRequestInfo($this->request->getQueryString(),
217
+ true, 'GET[');
218
+ $result += $this->profileRequestInfo($this->request->getFiles(),
219
+ true, 'FILES[');
220
+ $result += $this->profileRequestInfo($this->getBVCookies(),
221
+ true, 'COOKIES[');
222
+ $this->request->updateReqInfo($result);
223
+ }
224
+
225
+ if (!$this->canBypassFirewall() && $this->config->isProtecting()) {
226
+ if ($this->isBlacklistedIP()) {
227
+ $this->terminateRequest(BVWPRequest::BLACKLISTED);
228
+ }
229
+ }
230
+ }
231
+
232
+ public function matchCount($pattern, $subject) {
233
+ $count = 0;
234
+ if (is_array($subject)) {
235
+ foreach ($subject as $val) {
236
+ $count += $this->matchCount($pattern, $val);
237
+ }
238
+ return $count;
239
+ } else {
240
+ $count = preg_match_all((string) $pattern, (string) $subject, $matches);
241
+ return ($count === false ? 0 : $count);
242
+ }
243
+ }
244
+
245
+ public function getLength($val) {
246
+ $length = 0;
247
+ if (is_array($val)) {
248
+ foreach ($val as $v) {
249
+ $length += $this->getLength($v);
250
+ }
251
+ return $length;
252
+ } else {
253
+ return strlen((string) $val);
254
+ }
255
+ }
256
+
257
+ public function profileRequestInfo($params, $debug = false, $prefix = '', $obraces = 1) {
258
+ $result = array();
259
+ if (is_array($params)) {
260
+ foreach ($params as $key => $value) {
261
+ $key = $prefix . $key;
262
+ if (is_array($value)) {
263
+ $result = $result + $this->profileRequestInfo($value, $debug, $key . '[', $obraces + 1);
264
+ } else {
265
+ $key = $key . str_repeat(']', $obraces);
266
+ $result[$key] = array();
267
+ $valsize = $this->getLength($value);
268
+ $result[$key]["size"] = $valsize;
269
+ if ($debug === true && $valsize < 256) {
270
+ $result[$key]["value"] = $value;
271
+ continue;
272
+ }
273
+
274
+ if (preg_match('/^\d+$/', $value)) {
275
+ $result[$key]["numeric"] = true;
276
+ } else if (preg_match('/^\w+$/', $value)) {
277
+ $result[$key]["regular_word"] = true;
278
+ } else if (preg_match('/^\S+$/', $value)) {
279
+ $result[$key]["special_word"] = true;
280
+ } else if (preg_match('/^[\w\s]+$/', $value)) {
281
+ $result[$key]["regular_sentence"] = true;
282
+ } else if (preg_match('/^[\w\W]+$/', $value)) {
283
+ $result[$key]["special_chars_sentence"] = true;
284
+ }
285
+
286
+ if (preg_match('/^\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}
287
+ (25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b$/x', $value)) {
288
+ $result[$key]["ipv4"] = true;
289
+ } else if (preg_match('/\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}
290
+ (25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b/x', $value)) {
291
+ $result[$key]["embeded_ipv4"] = true;
292
+ } else if (preg_match('/^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|
293
+ ([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|
294
+ ([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}
295
+ (:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|
296
+ ([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|
297
+ :((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|
298
+ ::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3}
299
+ (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|
300
+ (2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$/x', $value)) {
301
+ $result[$key]["ipv6"] = true;
302
+ } else if (preg_match('/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|
303
+ ([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|
304
+ ([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}
305
+ (:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|
306
+ ([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|
307
+ :((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|
308
+ ::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3}
309
+ (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|
310
+ (2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/x', $value)) {
311
+ $result[$key]["embeded_ipv6"] = true;
312
+ }
313
+
314
+ if (preg_match('/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}$/', $value)) {
315
+ $result[$key]["email"] = true;
316
+ } else if (preg_match('/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}/', $value)) {
317
+ $result[$key]["embeded_email"] = true;
318
+ }
319
+
320
+ if (preg_match('/^(http|ftp)s?:\/\/\S+$/i', $value)) {
321
+ $result[$key]["link"] = true;
322
+ } else if (preg_match('/(http|ftp)s?:\/\/\S+$/i', $value)) {
323
+ $result[$key]["embeded_link"] = true;
324
+ }
325
+
326
+ if (preg_match('/<(html|head|title|base|link|meta|style|picture|source|img|
327
+ iframe|embed|object|param|video|audio|track|map|area|form|label|input|button|
328
+ select|datalist|optgroup|option|textarea|output|progress|meter|fieldset|legend|
329
+ script|noscript|template|slot|canvas)/ix', $value)) {
330
+ $result[$key]["embeded_html"] = true;
331
+ }
332
+
333
+ if (preg_match('/\.(jpg|jpeg|png|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|zip|gzip|
334
+ xlsx|psd|mp3|m4a|ogg|wav|mp4|m4v|mov|wmv|avi|mpg|ogv|3gp|3g2|php|html|phtml|js|css)/ix', $value)) {
335
+ $result[$key]["file"] = true;
336
+ }
337
+
338
+ if ($this->matchCount(BVFW::SQLIREGEX, $value) >= 2) {
339
+ $result[$key]["sql"] = true;
340
+ }
341
+ }
342
+ }
343
+ }
344
+ return $result;
345
+ }
346
+ }
347
+ endif;
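Review bot: `hasValidBypassCookie` (line 88) compares the client cookie to the freshly computed value with `===`, and `generateBypassCookie` builds that value from `bypassLevel`, a 12-hour time bucket and `cookieKey`, which BVFWConfig defaults to an empty string; with no key configured the expected cookie is computable from public inputs, and a match gives the request `BYPASSED` status in `canBypassFirewall`, which skips the blacklist check in `execute`. I would make the check `return $this->canSetAdminCookie() && $this->config->cookieKey !== '' && hash_equals($this->generateBypassCookie(), $cookie);` so an unset key can never validate a cookie and the comparison is constant-time (`hash_equals` needs PHP 5.6, which the `version_compare` branch in `setcookie` suggests this file does not yet assume, so a fallback may be needed). Separately, `matchCount` (line 232) maps a `preg_match_all` failure — e.g. the PCRE backtrack limit on a large value against `SQLIREGEX` — to `0`, so a value that breaks the matcher is profiled as non-SQL; recording `preg_last_error()` there would make that case visible. In debug profiling mode `profileRequestInfo` stores raw request values under `"value"` for anything under 256 bytes, which can include password fields from login forms, so consider redacting known-sensitive keys before they reach the log.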
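--- a/protect/wp_fw/request.php
+++ b/protect/fw/request.php
@@ -1,7 +1,8 @@
 <?php
 
-if (!defined('ABSPATH')) exit;
+if (! (defined('ABSPATH') || defined('MCDATAPATH')) ) exit;
 if (!class_exists('BVWPRequest')) :
+
 class BVWPRequest {
 private $fileNames;
 private $files;
@@ -43,13 +44,13 @@ class BVWPRequest {
 $this->setCategory(BVWPRequest::NORMAL);
 $this->setStatus(BVWpRequest::ALLOWED);
 $this->setTimestamp(time());
-$this->setQueryString(BVWPRequest::removeMagicQuotes($_GET));
-$this->setCookies(BVWPRequest::removeMagicQuotes($_COOKIE));
-$this->setBody(BVWPRequest::removeMagicQuotes($_POST));
-$this->setFiles(BVWPRequest::removeMagicQuotes($_FILES));
+$this->setQueryString($_GET);
+$this->setCookies($_COOKIE);
+$this->setBody($_POST);
+$this->setFiles($_FILES);
 if (!empty($_FILES)) {
 foreach ($_FILES as $input => $file) {
-$fileNames[$input] = BVWPRequest::removeMagicQuotes($file['name']);
+$fileNames[$input] = $file['name'];
 }
 }
 $this->setFileNames($fileNames);
@@ -60,30 +61,30 @@ class BVWPRequest {
 $header = str_replace(array(' ', '_'), array('', ' '), $header);
 $header = ucwords(strtolower($header));
 $header = str_replace(' ', '-', $header);
-$headers[$header] = BVWPRequest::removeMagicQuotes($value);
+$headers[$header] = $value;
 }
 }
 if (array_key_exists('CONTENT_TYPE', $_SERVER)) {
-$headers['Content-Type'] = BVWPRequest::removeMagicQuotes($_SERVER['CONTENT_TYPE']);
+$headers['Content-Type'] = $_SERVER['CONTENT_TYPE'];
 }
 if (array_key_exists('CONTENT_LENGTH', $_SERVER)) {
-$headers['Content-Length'] = BVWPRequest::removeMagicQuotes($_SERVER['CONTENT_LENGTH']);
+$headers['Content-Length'] = $_SERVER['CONTENT_LENGTH'];
 }
 if (array_key_exists('REFERER', $_SERVER)) {
-$headers['Referer'] = BVWPRequest::removeMagicQuotes($_SERVER['REFERER']);
+$headers['Referer'] = $_SERVER['REFERER'];
 }
 if (array_key_exists('HTTP_USER_AGENT', $_SERVER)) {
-$headers['User-Agent'] = BVWPRequest::removeMagicQuotes($_SERVER['HTTP_USER_AGENT']);
+$headers['User-Agent'] = $_SERVER['HTTP_USER_AGENT'];
 }
 
 if (array_key_exists('Host', $headers)) {
 $host = $headers['Host'];
 } else if (array_key_exists('SERVER_NAME', $_SERVER)) {
-$host = BVWPRequest::removeMagicQuotes($_SERVER['SERVER_NAME']);
+$host = $_SERVER['SERVER_NAME'];
 }
 
-$method = array_key_exists('REQUEST_METHOD', $_SERVER) ? BVWPRequest::removeMagicQuotes($_SERVER['REQUEST_METHOD']) : 'GET';
-$uri = array_key_exists('REQUEST_URI', $_SERVER) ? BVWPRequest::removeMagicQuotes($_SERVER['REQUEST_URI']) : '';
+$method = array_key_exists('REQUEST_METHOD', $_SERVER) ? $_SERVER['REQUEST_METHOD'] : 'GET';
+$uri = array_key_exists('REQUEST_URI', $_SERVER) ? $_SERVER['REQUEST_URI'] : '';
 $_uri = parse_url($uri);
 $path = (is_array($_uri) && array_key_exists('path', $_uri)) ? $_uri['path'] : $uri;
 }
@@ -180,27 +181,20 @@ class BVWPRequest {
 return $this->category;
 }
 
-public function captureRespCode($status_header) {
-if (preg_match('/HTTP\/(\\d\\.\\d)\\s*(\\d+)\\s*(.*)/', $status_header, $tokens)) {
-$this->setRespCode(intval($tokens[2]));
-}
-return $status_header;
-}
-
 public function getDataToLog() {
 $referer = $this->getHeader('Referer') ? $this->getHeader('Referer') : '';
 $user_agent = $this->getHeader('User-Agent') ? $this->getHeader('User-Agent') : '';
-$rules_info = maybe_serialize($this->getRulesInfo());
-$req_info = maybe_serialize($this->getReqInfo());
+$rules_info = serialize($this->getRulesInfo());
+$req_info = serialize($this->getReqInfo());
 if (strlen($req_info) > 16000) {
-$req_info = maybe_serialize(array("keys" => array_keys($this->getReqInfo())));
+$req_info = serialize(array("keys" => array_keys($this->getReqInfo())));
 if (strlen($req_info) > 16000) {
-$req_info = maybe_serialize(array("bv_over_size" => true));
+$req_info = serialize(array("bv_over_size" => true));
 }
 }
 $data = array(
 "path" => $this->getPath(),
-"filenames" => maybe_serialize($this->getFileNames()),
+"filenames" => serialize($this->getFileNames()),
 "host" => $this->getHost(),
 "time" => $this->getTimeStamp(),
 "ip" => $this->getIP(),
@@ -304,21 +298,5 @@ class BVWPRequest {
 public function getTimestamp() {
 return $this->timestamp;
 }
-
-public static function removeMagicQuotes($value) {
-if (function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) {
-return BVWPRequest::removeSlashesRecursively($value);
-}
-return $value;
-}
-
-public static function removeSlashesRecursively($value) {
-if (is_array($value)) {
-$value = array_map(array('self', 'removeSlashesRecursively',), $value);
-} else if (is_string($value)) {
-$value = stripslashes($value);
-}
-return $value;
-}
 }
-endif;
+endif;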
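Review bot: In the hunk at new lines 44–56, `$fileNames[$input] = $file['name'];` stores the raw name, and for inputs uploaded as `name[]` PHP makes `$file['name']` an array, so `fileNames` (serialized into the log at line 197) may hold nested arrays rather than strings; if that is intended a comment saying so would help, otherwise flatten it, e.g. `$fileNames[$input] = is_array($file['name']) ? implode(',', $file['name']) : $file['name'];`. `$fileNames` is not initialised inside the hunk, so unless the constructor — which starts above the hunk — sets it earlier, `setFileNames($fileNames)` receives an undefined variable whenever `$_FILES` is empty. Dropping `removeMagicQuotes` means that on PHP builds where `magic_quotes_gpc` is still on the profiler now sees backslash-escaped values; since fw.php still special-cases PHP < 5.2, the minimum PHP version this change assumes would be worth stating in the commit description or in a comment at the top of the constructor.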
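--- a/protect/prepend/ignitor.php
+++ b/protect/prepend/ignitor.php
@@ -0,0 +1,9 @@
+<?php
+if (!defined('MCDATAPATH')) exit;
+
+if (defined('MCCONFKEY')) {
+require_once dirname( __FILE__ ) . '/protect.php';
+
+$mcProtect = new BVPrependProtect();
+$mcProtect->run();
+}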
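--- a/protect/prepend/info.php
+++ b/protect/prepend/info.php
@@ -0,0 +1,17 @@
+<?php
+if (!defined('MCDATAPATH')) exit;
+
+if (!class_exists('BVPrependInfo')) :
+class BVPrependInfo {
+public $brandName;
+
+function __construct($brand) {
+$this->brandName = $brand;
+}
+
+public function getBrandName() {
+return $this->brandName;
+}
+
+}
+endif;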
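--- a/protect/prepend/ipstore.php
+++ b/protect/prepend/ipstore.php
@@ -0,0 +1,49 @@
+<?php
+if (!defined('MCDATAPATH')) exit;
+
+if (!class_exists('BVPrependIPStore')) :
+class BVPrependIPStore {
+public $whitelistedIPs;
+public $blacklistedIPs;
+
+#TYPE
+const BLACKLISTED = 1;
+const WHITELISTED = 2;
+
+#CATEGORY
+const FW = 3;
+
+function __construct($confHash) {
+$this->whitelistedIPs = array_key_exists('whitelisted', $confHash) ? $confHash['whitelisted'] : array();
+$this->blacklistedIPs = array_key_exists('blacklisted', $confHash) ? $confHash['blacklisted'] : array();
+}
+
+public function isFWIPBlacklisted($ip) {
+return $this->checkIPPresent($ip, BVPrependIPStore::BLACKLISTED);
+}
+
+public function isFWIPWhitelisted($ip) {
+return $this->checkIPPresent($ip, BVPrependIPStore::WHITELISTED);
+}
+
+public function checkIPPresent($ip, $type) {
+$flag = false;
+
+switch($type) {
+
+case BVPrependIPStore::BLACKLISTED:
+if (isset($this->blacklistedIPs[$ip]))
+$flag = true;
+break;
+
+case BVPrependIPStore::WHITELISTED:
+if (isset($this->whitelistedIPs[$ip]))
+$flag = true;
+break;
+}
+
+return $flag;
+}
+
+}
+endif;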
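Review bot: The constructor stores whatever `$confHash['whitelisted']` / `$confHash['blacklisted']` holds without checking that it is an array, and `checkIPPresent` then indexes it with `isset(...[$ip])`; the hash is produced by `json_decode` in protect/prepend/protect.php, so a malformed `mc_ips.conf` can hand a scalar here. Guarding each assignment with `is_array`, e.g. `$this->whitelistedIPs = (array_key_exists('whitelisted', $confHash) && is_array($confHash['whitelisted'])) ? $confHash['whitelisted'] : array();` (and the same for `blacklisted`), keeps the lookups well-defined. Because membership is tested by array key, the lists must be keyed by IP rather than being plain lists — that is worth stating on the properties, e.g. `// map keyed by IP string; membership is tested with isset()`. `const FW = 3` sits under `#CATEGORY` but nothing in this class reads it.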
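--- a/protect/prepend/logger.php
+++ b/protect/prepend/logger.php
@@ -0,0 +1,20 @@
+<?php
+if (!defined('MCDATAPATH')) exit;
+
+if (!class_exists('BVPrependLogger')) :
+class BVPrependLogger {
+public $logFile;
+
+function __construct() {
+$this->logFile = MCDATAPATH . MCCONFKEY . '-mc.log';
+}
+
+public function log($data) {
+$_data = serialize($data);
+$str = "bvlogbvlogbvlog" . ":";
+$str .= strlen($_data) . ":" . $_data;
+error_log($str, 3, $this->logFile);
+}
+
+}
+endif;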
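Review bot: `log()` discards the return value of `error_log()`, so a write failure (unwritable `MCDATAPATH`, full disk) is silent and the shutdown-time logging registered in protect/prepend/protect.php has no way to notice; `return error_log($str, 3, $this->logFile);` at least surfaces it to callers. The record is a serialized copy of whatever the firewall passes in — judging by `getDataToLog` earlier in this diff that appears to include request path, host, IP and headers — so the `-mc.log` file under `MCDATAPATH` holds request data in plain text; presumably `MCDATAPATH` is outside the web root, and that expectation belongs on `$logFile`, e.g. `// plain-text request log; MCDATAPATH must not be web-readable`.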
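--- a/protect/prepend/protect.php
+++ b/protect/prepend/protect.php
@@ -0,0 +1,76 @@
+<?php
+if (!defined('MCDATAPATH')) exit;
+
+if (!class_exists('BVPrependProtect')) :
+
+require_once dirname( __FILE__ ) . '/../base.php';
+require_once dirname( __FILE__ ) . '/../fw/fw.php';
+require_once dirname( __FILE__ ) . '/../fw/request.php';
+require_once dirname( __FILE__ ) . '/../fw/config.php';
+require_once dirname( __FILE__ ) . '/info.php';
+require_once dirname( __FILE__ ) . '/ipstore.php';
+require_once dirname( __FILE__ ) . '/logger.php';
+
+class BVPrependProtect {
+public $mcConfFile;
+public $mcIPsFile;
+
+function __construct() {
+$this->mcConfFile = MCDATAPATH . MCCONFKEY . '-' . 'mc.conf';
+$this->mcIPsFile = MCDATAPATH . MCCONFKEY . '-' . 'mc_ips.conf';
+}
+
+public function parseFile($fname) {
+$result = array();
+
+if (file_exists($fname)) {
+$content = file_get_contents($fname);
+if (($content !== false) && is_string($content)) {
+$result = json_decode($content, true);
+}
+}
+
+return $result;
+}
+
+public function run() {
+$mcConf = $this->parseFile($this->mcConfFile);
+$mcIPsConf = $this->parseFile($this->mcIPsFile);
+
+if (!array_key_exists('time', $mcConf) || !isset($mcConf['time']) || !($mcConf['time'] > time() - (48*3600))) {
+return false;
+}
+
+if (empty($mcConf) || empty($mcIPsConf)) {
+return false;
+}
+
+$brand = array_key_exists('brandname', $mcConf) ? $mcConf['brandname'] : "Protect";
+$bvinfo = new BVPrependInfo($brand);
+$bvipstore = new BVPrependIPStore($mcIPsConf);
+
+$ipHeader = array_key_exists('ipheader', $mcConf) ? $mcConf['ipheader'] : false;
+$ip = BVProtectBase::getIP($ipHeader);
+
+$fwlogger = new BVPrependLogger();
+
+$fwConfHash = array_key_exists('fw', $mcConf) ? $mcConf['fw'] : array();
+$fw = new BVFW($fwlogger, $fwConfHash, $ip, $bvinfo, $bvipstore);
+
+if ($fw->isActive()) {
+
+if ($fw->canSetIPCookie()) {
+$fw->setIPCookie();
+}
+
+register_shutdown_function(array($fw, 'log'));
+
+$fw->execute();
+define('MCFWLOADED', true);
+}
+
+return true;
+}
+
+}
+endif;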
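Review bot: `parseFile` assigns the raw result of `json_decode`, which is `null` for invalid JSON and a scalar for a JSON string or number, so a corrupt `mc.conf` makes `run()` call `array_key_exists('time', null)` — a TypeError on PHP 8 — before the `empty()` check further down ever runs. Keeping the `array()` default unless the decode yields an array fixes both config files at once: `$decoded = json_decode($content, true); if (is_array($decoded)) { $result = $decoded; }`. The 48-hour freshness test in `run()` silently turns the firewall off when the config goes stale, which is a deliberate fail-open; that intent should be written down, e.g. `// a config older than 48h is treated as absent (fail open) rather than trusted`.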
protect/protect.php DELETED
@@ -1,58 +0,0 @@
1
- <?php
2
- if (!defined('ABSPATH')) exit;
3
- if (!class_exists('BVProtect')) :
4
-
5
- require_once dirname( __FILE__ ) . '/logger.php';
6
- require_once dirname( __FILE__ ) . '/ipstore.php';
7
- require_once dirname( __FILE__ ) . '/wp_fw/fw.php';
8
- require_once dirname( __FILE__ ) . '/wp_lp/lp.php';
9
-
10
- class BVProtect {
11
- public $db;
12
- public $settings;
13
-
14
- function __construct($db, $settings) {
15
- $this->settings = $settings;
16
- $this->db = $db;
17
- }
18
-
19
- public function init() {
20
- $bvipstore = new BVIPStore($this->db);
21
- $bvipstore->init();
22
- $ip = $this->getIP();
23
- $fw = new BVWPFW($this->db, $this->settings, $ip, $bvipstore);
24
- if ($fw->config->isActive()) {
25
- $fw->init();
26
- $fw->execute();
27
- }
28
- add_action('clear_fw_config', array($fw->config, 'clear'));
29
- $lp = new BVWPLP($this->db, $this->settings, $ip, $bvipstore);
30
- if ($lp->isActive()) {
31
- $lp->init();
32
- }
33
- add_action('clear_lp_config', array($lp->config, 'clear'));
34
- }
35
-
36
- public function getIP() {
37
- $ip = '127.0.0.1';
38
- $bvinfo = new BVInfo($this->settings);
39
- if (($ipHeader = $this->settings->getOption($bvinfo->ip_header_option)) && is_array($ipHeader)) {
40
- if (array_key_exists($ipHeader['hdr'], $_SERVER)) {
41
- $_ips = preg_split("/(,| |\t)/", $_SERVER[$ipHeader['hdr']]);
42
- if (array_key_exists(intval($ipHeader['pos']), $_ips)) {
43
- $ip = $_ips[intval($ipHeader['pos'])];
44
- }
45
- }
46
- } else if (array_key_exists('REMOTE_ADDR', $_SERVER)) {
47
- $ip = $_SERVER['REMOTE_ADDR'];
48
- }
49
- $ip = trim($ip);
50
- if (preg_match('/^\[([0-9a-fA-F:]+)\](:[0-9]+)$/', $ip, $matches)) {
51
- $ip = $matches[1];
52
- } elseif (preg_match('/^([0-9.]+)(:[0-9]+)$/', $ip, $matches)) {
53
- $ip = $matches[1];
54
- }
55
- return $ip;
56
- }
57
- }
58
- endif;
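--- a/protect/ipstore.php
+++ b/protect/wp/ipstore.php
@@ -76,6 +76,23 @@ if (!class_exists('BVIPStore')) :
 return false;
 }
 
+public function isLPIPBlacklisted($ip) {
+return $this->checkIPPresent($ip, BVIPStore::BLACKLISTED, BVIPStore::LP);
+}
+
+public function isLPIPWhitelisted($ip) {
+return $this->checkIPPresent($ip, BVIPStore::WHITELISTED, BVIPStore::LP);
+}
+
+
+public function isFWIPBlacklisted($ip) {
+return $this->checkIPPresent($ip, BVIPStore::BLACKLISTED, BVIPStore::FW);
+}
+
+public function isFWIPWhitelisted($ip) {
+return $this->checkIPPresent($ip, BVIPStore::WHITELISTED, BVIPStore::FW);
+}
+
 public function checkIPPresent($ip, $type, $category) {
 $db = $this->db;
 $table = $db->getBVTable(BVIPStore::$name);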
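Review bot: The four new wrappers carry a doubled blank line between the LP pair and the FW pair and no comment explaining what the `LP`/`FW` category constants select; judging by the callers in this commit (`BVWPLP` uses the LP pair, `BVFW` the FW pair) a single line above `isLPIPBlacklisted` such as `// LP = login-protection list, FW = firewall list; both share the same table` would orient the reader — confirm the wording against the category definitions, which are outside the hunk. `checkIPPresent` continues past the end of the hunk.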
protect/{logger.php → wp/logger.php} RENAMED
File without changes
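--- a/protect/wp/lp/config.php
+++ b/protect/wp/lp/config.php
@@ -0,0 +1,25 @@
+<?php
+
+if (!defined('ABSPATH')) exit;
+if (!class_exists('BVWPLPConfig')) :
+class BVWPLPConfig {
+public $mode;
+public $captchaLimit;
+public $tempBlockLimit;
+public $blockAllLimit;
+
+public static $requests_table = 'lp_requests';
+
+#mode
+const DISABLED = 1;
+const AUDIT = 2;
+const PROTECT = 3;
+
+public function __construct($confHash) {
+$this->mode = array_key_exists('mode', $confHash) ? intval($confHash['mode']) : BVWPLPConfig::DISABLED;
+$this->captchaLimit = array_key_exists('captchalimit', $confHash) ? intval($confHash['captchalimit']) : 3;
+$this->tempBlockLimit = array_key_exists('tempblocklimit', $confHash) ? intval($confHash['tempblocklimit']) : 10;
+$this->blockAllLimit = array_key_exists('blockalllimit', $confHash) ? intval($confHash['blockalllimit']) : 100;
+}
+}
+endif;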
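Review bot: The constructor accepts any integer for `mode`, but only `DISABLED`, `AUDIT` and `PROTECT` are defined; with an unexpected value `BVWPLP::isActive()` (`mode !== DISABLED`) is true while `isProtecting()` is false, so the module is switched on in a state no constant names. Validating the value keeps an unknown mode from enabling anything: `$mode = array_key_exists('mode', $confHash) ? intval($confHash['mode']) : BVWPLPConfig::DISABLED;` followed by `$this->mode = in_array($mode, array(self::DISABLED, self::AUDIT, self::PROTECT), true) ? $mode : self::DISABLED;`. `$confHash` is also assumed to be an array — the caller in protect/wp/protect.php passes `$config['lp']` straight through — so a non-array option value would reach `array_key_exists` here; an `is_array` check at either end would close that.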
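--- a/protect/wp_lp/lp.php
+++ b/protect/wp/lp/lp.php
@@ -3,7 +3,6 @@
 if (!defined('ABSPATH')) exit;
 if (!class_exists('BVWPLP')) :
 
-require_once dirname( __FILE__ ) . '/config.php';
 
 class BVWPLP {
 public $db;
@@ -33,11 +32,11 @@ class BVWPLP {
 const BYPASSED = 6;
 const ALLOWED = 7;
 
-public function __construct($db, $settings, $ip, $ipstore) {
+public function __construct($db, $settings, $ip, $ipstore, $confHash) {
 $this->db = $db;
 $this->settings = $settings;
 $this->ip = $ip;
-$this->config = new BVWPLPConfig($db, $settings);
+$this->config = new BVWPLPConfig($confHash);
 $this->ipstore = $ipstore;
 $this->logger = new BVLogger($db, BVWPLPConfig::$requests_table);
 $this->time = strtotime(date("Y-m-d H:i:s"));
@@ -81,15 +80,15 @@ class BVWPLP {
 }
 
 public function getCaptchaLimit() {
-return $this->config->getCaptchaLimit();
+return $this->config->captchaLimit;
 }
 
 public function getTempBlockLimit() {
-return $this->config->getTempBlockLimit();
+return $this->config->tempBlockLimit;
 }
 
 public function getBlockAllLimit() {
-return $this->config->getBlockAllLimit();
+return $this->config->blockAllLimit;
 }
 
 public function getLoginLogsTable() {
@@ -107,7 +106,7 @@ class BVWPLP {
 
 public function terminateTemplate() {
 $info = new BVInfo($this->settings);
-$brandname = $info->getBrandName();
+$brandname = $info->getBrandName().' Firewall';
 $templates = array (
 1 => "<p>Too many failed attempts, You are barred from logging into this site.</p><a href=".$this->getCaptchaLink()."
 class='btn btn-default'>Click here</a> to unblock yourself.",
@@ -119,7 +118,7 @@ class BVWPLP {
 return "
 <div style='height: 98vh;'>
 <div style='text-align: center; padding: 10% 0; font-family: Arial, Helvetica, sans-serif;'>
-<div><p><img src=".plugins_url('/../../img/icon.png', __FILE__)."><h2>Login Protection</h2><h3>powered by</h3><h2>"
+<div><p><img src=".plugins_url('/../../../img/icon.png', __FILE__)."><h2>Login Protection</h2><h3>powered by</h3><h2>"
 .$brandname."</h2></p><div>
 <p>" . $templates[$this->getCategory()]. "</p>
 </div>
@@ -127,19 +126,19 @@ class BVWPLP {
 }
 
 public function isProtecting() {
-return ($this->config->getMode() === BVWPLPConfig::PROTECT);
+return ($this->config->mode === BVWPLPConfig::PROTECT);
 }
 
 public function isActive() {
-return ($this->config->getMode() !== BVWPLPConfig::DISABLED);
+return ($this->config->mode !== BVWPLPConfig::DISABLED);
 }
 
 public function isBlacklistedIP() {
-return $this->ipstore->checkIPPresent($this->ip, BVIPStore::BLACKLISTED, BVIPStore::LP);
+return $this->ipstore->isLPIPBlacklisted($this->ip);
 }
 
 public function isWhitelistedIP() {
-return $this->ipstore->checkIPPresent($this->ip, BVIPStore::WHITELISTED, BVIPStore::LP);
+return $this->ipstore->isLPIPWhitelisted($this->ip);
 }
 
 public function isUnBlockedIP() {
@@ -239,4 +238,4 @@ class BVWPLP {
 return intval($rows[0]['count']);
 }
 }
-endif;
+endif;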
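Review bot: In `terminateTemplate`, the `<img src=` line changed here for the new icon path still emits the attribute value unquoted, and the `$brandname` built in the same method is concatenated into the `<h2>` without `htmlspecialchars`; the brand name comes from plugin settings via `BVInfo` rather than from the request, so the risk is low, but quoting the attribute (`<img src='".plugins_url('/../../../img/icon.png', __FILE__)."'>`) and escaping at output (`$brandname = htmlspecialchars($info->getBrandName().' Firewall', ENT_QUOTES, 'UTF-8');`) costs nothing. Appending `' Firewall'` to the brand on a page headed "Login Protection … powered by" reads oddly; confirm the intended wording. `terminateTemplate` and the constructor both extend beyond their hunks.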
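--- a/protect/wp/protect.php
+++ b/protect/wp/protect.php
@@ -0,0 +1,75 @@
+<?php
+if (!defined('ABSPATH')) exit;
+if (!class_exists('BVProtect')) :
+
+require_once dirname( __FILE__ ) . '/../base.php';
+require_once dirname( __FILE__ ) . '/logger.php';
+require_once dirname( __FILE__ ) . '/ipstore.php';
+require_once dirname( __FILE__ ) . '/../fw/fw.php';
+require_once dirname( __FILE__ ) . '/../fw/config.php';
+require_once dirname( __FILE__ ) . '/../fw/request.php';
+require_once dirname( __FILE__ ) . '/lp/lp.php';
+require_once dirname( __FILE__ ) . '/lp/config.php';
+
+class BVProtect {
+public $db;
+public $settings;
+
+function __construct($db, $settings) {
+$this->settings = $settings;
+$this->db = $db;
+}
+
+public function run() {
+$bvipstore = new BVIPStore($this->db);
+$bvipstore->init();
+$bvinfo = new BVInfo($this->settings);
+
+$config = $this->settings->getOption('bvptconf');
+if (!$config) {
+$config = array();
+}
+
+$ipHeader = array_key_exists('ipheader', $config) ? $config['ipheader'] : false;
+$ip = BVProtectBase::getIP($ipHeader);
+
+$fwLogger = new BVLogger($this->db, BVFWConfig::$requests_table);
+
+$fwConfHash = array_key_exists('fw', $config) ? $config['fw'] : array();
+$fw = new BVFW($fwLogger, $fwConfHash, $ip, $bvinfo, $bvipstore);
+
+if ($fw->isActive()) {
+
+if ($fw->canSetAdminCookie()) {
+add_action('init', array($fw, 'setBypassCookie'));
+}
+
+if (!defined('MCFWLOADED') && $fw->canSetIPCookie()) {
+$fw->setIPCookie();
+}
+
+if (!defined('MCFWLOADED')) {
+register_shutdown_function(array($fw, 'log'));
+
+$fw->execute();
+}
+}
+
+add_action('clear_pt_config', array($this, 'uninstall'));
+
+$lpConfHash = array_key_exists('lp', $config) ? $config['lp'] : array();
+$lp = new BVWPLP($this->db, $this->settings, $ip, $bvipstore, $lpConfHash);
+if ($lp->isActive()) {
+$lp->init();
+}
+}
+
+public function uninstall() {
+$this->settings->deleteOption('bvptconf');
+$this->db->dropBVTable(BVFWConfig::$requests_table);
+$this->db->dropBVTable(BVWPLPConfig::$requests_table);
+$this->settings->deleteOption('bvptplug');
+return true;
+}
+}
+endif;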
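Review bot: In `run()`, `if (!$config)` only replaces a falsy `bvptconf` option with an empty array, so a truthy non-array value reaches `array_key_exists('ipheader', $config)` and throws a TypeError on PHP 8; `if (!is_array($config)) {` covers both cases. The same holds for the `fw` and `lp` sub-hashes, which are passed unchecked into the `BVFW` and `BVWPLP` constructors that index them. The two `!defined('MCFWLOADED')` branches encode the hand-off from the prepend firewall, which defines that constant after its own `execute()` in protect/prepend/protect.php; a comment such as `// MCFWLOADED: the prepend firewall already executed and logged this request, so skip both here` would make that visible to the next reader.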
protect/wp_fw/config.php DELETED
@@ -1,251 +0,0 @@
1
- <?php
2
-
3
- if (!defined('ABSPATH')) exit;
4
- if (!class_exists('BVWPFWConfig')) :
5
- class BVWPFWConfig {
6
- public $db;
7
- public $settings;
8
- public static $requests_table = 'fw_requests';
9
- public static $allRules = array(108, 112, 114, 115, 132, 133, 145, 146, 155, 156, 165, 167, 168, 169, 171, 172, 173, 174, 175, 176, 177, 178);
10
- public static $roleLevels = array(
11
- 'administrator' => BVWPFWConfig::ROLE_LEVEL_ADMIN,
12
- 'editor' => BVWPFWConfig::ROLE_LEVEL_EDITOR,
13
- 'author' => BVWPFWConfig::ROLE_LEVEL_AUTHOR,
14
- 'contributor' => BVWPFWConfig::ROLE_LEVEL_CONTRIBUTOR,
15
- 'subscriber' => BVWPFWConfig::ROLE_LEVEL_SUBSCRIBER
16
- );
17
-
18
- function __construct($db, $settings) {
19
- $this->db = $db;
20
- $this->settings = $settings;
21
- }
22
-
23
- #mode
24
- const DISABLED = 1;
25
- const AUDIT = 2;
26
- const PROTECT = 3;
27
-
28
- #Rule Mode
29
- const DISABLEDRULE = 1;
30
- const AUDITRULE = 2;
31
- const PROTECTRULE = 3;
32
-
33
- #Request Profiling Mode
34
- const REQ_PROFILING_MODE_DISABLED = 1;
35
- const REQ_PROFILING_MODE_NORMAL = 2;
36
- const REQ_PROFILING_MODE_DEBUG = 3;
37
-
38
- #Cookie Mode
39
- const COOKIE_MODE_ENABLED = 1;
40
- const COOKIE_MODE_DISABLED = 2;
41
-
42
- #Role Level
43
- const ROLE_LEVEL_SUBSCRIBER = 1;
44
- const ROLE_LEVEL_CONTRIBUTOR = 2;
45
- const ROLE_LEVEL_AUTHOR = 3;
46
- const ROLE_LEVEL_EDITOR = 4;
47
- const ROLE_LEVEL_ADMIN = 5;
48
- const ROLE_LEVEL_CUSTOM = 6;
49
-
50
- public static function isDisabledRule($mode) {
51
- return ($mode === BVWPFWConfig::DISABLEDRULE);
52
- }
53
-
54
- public static function isProtectingRule($mode) {
55
- return ($mode === BVWPFWConfig::PROTECTRULE);
56
- }
57
-
58
- public static function isAuditingRule($mode) {
59
- return ($mode === BVWPFWConfig::AUDITRULE);
60
- }
61
-
62
- public function isActive() {
63
- return ($this->getMode() !== BVWPFWConfig::DISABLED);
64
- }
65
-
66
- public function isProtecting() {
67
- return ($this->getMode() === BVWPFWConfig::PROTECT);
68
- }
69
-
70
- public function isAuditing() {
71
- return ($this->getMode() === BVWPFWConfig::AUDIT);
72
- }
73
-
74
- public function isReqProfilingModeDebug() {
75
- return ($this->getReqProfilingMode() === BVWPFWConfig::REQ_PROFILING_MODE_DEBUG);
76
- }
77
-
78
- public function canProfileReqInfo() {
79
- return ($this->getReqProfilingMode() !== BVWPFWConfig::REQ_PROFILING_MODE_DISABLED);
80
- }
81
-
82
- public function canSetCookie() {
83
- return ($this->getCookieMode() === BVWPFWConfig::COOKIE_MODE_ENABLED);
84
- }
85
-
86
- public function getRules() {
87
- $rules = array("audit" => array(), "protect" => array());
88
- $isAudit = false;
89
- $rulesMode = $this->getRulesMode();
90
- if (BVWPFWConfig::isDisabledRule($rulesMode)) {
91
- return $rules;
92
- }
93
- $isAudit = ($this->isAuditing() || BVWPFWConfig::isAuditingRule($rulesMode));
94
- $rulesInfo = array();
95
- foreach ($this->getAuditRules() as $rule)
96
- $rulesInfo[$rule] = BVWPFWConfig::AUDITRULE;
97
- foreach ($this->getDisabledRules() as $rule)
98
- $rulesInfo[$rule] = BVWPFWConfig::DISABLEDRULE;
99
- foreach (BVWPFWConfig::$allRules as $rule) {
100
- if (isset($rulesInfo[$rule])) {
101
- if (BVWPFWConfig::isAuditingRule($rulesInfo[$rule])) {
102
- $rules["audit"][$rule] = BVWPFWConfig::AUDITRULE;
103
- }
104
- } else {
105
- if ($isAudit) {
106
- $rules["audit"][$rule] = BVWPFWConfig::AUDITRULE;
107
- } else {
108
- $rules["protect"][$rule] = BVWPFWConfig::PROTECTRULE;
109
- }
110
- }
111
- }
112
- return $rules;
113
- }
114
-
115
- public function setMode($mode) {
116
- if (!$mode) {
117
- $this->settings->deleteOption('bvfwmode');
118
- } else {
119
- $this->settings->updateOption('bvfwmode', intval($mode));
120
- }
121
- }
122
-
123
- public function setRulesMode($mode) {
124
- if (!$mode) {
125
- $this->settings->deleteOption('bvfwrulesmode');
126
- } else {
127
- $this->settings->updateOption('bvfwrulesmode', intval($mode));
128
- }
129
- }
130
-
131
- public function setCookieMode($mode) {
132
- if (!$mode) {
133
- $this->settings->deleteOption('bvfwcookiemode');
134
- } else {
135
- $this->settings->updateOption('bvfwcookiemode', intval($mode));
136
- }
137
- }
138
-
139
- public function setCookieKey($key) {
140
- if (!$key) {
141
- $this->settings->deleteOption('bvfwcookiekey');
142
- } else {
143
- $this->settings->updateOption('bvfwcookiekey', strval($key));
144
- }
145
- }
146
-
147
- public function setReqProfilingMode($mode) {
148
- if (!$mode) {
149
- $this->settings->deleteOption('bvfwreqprofilingmode');
150
- } else {
151
- $this->settings->updateOption('bvfwreqprofilingmode', intval($mode));
152
- }
153
- }
154
-
155
- public function setDisabledRules($rules) {
156
- if (!$rules) {
157
- $this->settings->deleteOption('bvfwdisabledrules');
158
- } else {
159
- $this->settings->updateOption('bvfwdisabledrules', $rules);
160
- }
161
- }
162
-
163
- public function setBypassLevel($level) {
164
- if (!$level) {
165
- $this->settings->deleteOption('bvfwbypasslevel');
166
- } else {
167
- $this->settings->updateOption('bvfwbypasslevel', $level);
168
- }
169
- }
170
-
171
- public function setCustomRoles($roles) {
172
- if (!$roles) {
173
- $this->settings->deleteOption('bvfwcutomroles');
174
- } else {
175
- $this->settings->updateOption('bvfwcustomroles', $roles);
176
- }
177
- }
178
-
179
- public function setAuditRules($rules) {
180
- if (!$rules) {
181
- $this->settings->deleteOption('bvfwauditrules');
182
- } else {
183
- $this->settings->updateOption('bvfwauditrules', $rules);
184
- }
185
- }
186
-
187
- public function getMode() {
188
- $mode = $this->settings->getOption('bvfwmode');
189
- return intval($mode ? $mode : BVWPFWConfig::DISABLED);
190
- }
191
-
192
- public function getRulesMode() {
193
- $mode = $this->settings->getOption('bvfwrulesmode');
194
- return intval($mode ? $mode : BVWPFWConfig::DISABLED);
195
- }
196
-
197
- public function getCookieMode() {
198
- $mode = $this->settings->getOption('bvfwcookiemode');
199
- return intval($mode ? $mode : BVWPFWConfig::COOKIE_MODE_DISABLED);
200
- }
201
-
202
- public function getCookieKey() {
203
- $key = (string) $this->settings->getOption('bvfwcookiekey');
204
- if ($key === '') {
205
- $key = BVAccount::randString(32);
206
- $this->setCookieKey($key);
207
- }
208
- return $key;
209
- }
210
-
211
- public function getReqProfilingMode() {
212
- $mode = $this->settings->getOption('bvfwreqprofilingmode');
213
- return intval($mode ? $mode : BVWPFWConfig::REQ_PROFILING_MODE_DISABLED);
214
- }
215
-
216
- public function getDisabledRules() {
217
- $rules = $this->settings->getOption('bvfwdisabledrules');
218
- return ($rules ? $rules : array());
219
- }
220
-
221
- public function getAuditRules() {
222
- $rules = $this->settings->getOption('bvfwauditrules');
223
- return ($rules ? $rules : array());
224
- }
225
-
226
- public function getBypassLevel() {
227
- $level = $this->settings->getOption('bvfwbypasslevel');
228
- return intval($level ? $level : BVWPFWConfig::ROLE_LEVEL_CONTRIBUTOR);
229
- }
230
-
231
- public function getCustomRoles() {
232
- $roles = $this->settings->getOption('bvfwcustomroles');
233
- return ($roles ? $roles : array());
234
- }
235
-
236
- public function clear() {
237
- $this->setMode(false);
238
- $this->setRulesMode(false);
239
- $this->setBypassLevel(false);
240
- $this->setCustomRoles(false);
241
- $this->setCookieMode(false);
242
- $this->setCookieKey(false);
243
- $this->setDisabledRules(false);
244
- $this->setAuditRules(false);
245
- $this->setReqProfilingMode(false);
246
- $this->db->dropBVTable(BVWPFWConfig::$requests_table);
247
- $this->settings->deleteOption('bvptplug');
248
- return true;
249
- }
250
- }
251
- endif;
protect/wp_fw/fw.php DELETED
@@ -1,597 +0,0 @@
1
- <?php
2
-
3
- if (!defined('ABSPATH')) exit;
4
- if (!class_exists('BVWPFW')) :
5
-
6
- require_once dirname( __FILE__ ) . '/config.php';
7
- require_once dirname( __FILE__ ) . '/request.php';
8
-
9
- class BVWPFW {
10
- public $db;
11
- public $settings;
12
- public $request;
13
- public $config;
14
- public $ipstore;
15
- public $category;
16
- public $logger;
17
- private $currRuleInfo;
18
-
19
- const SQLIREGEX = '/(?:[^\\w<]|\\/\\*\\![0-9]*|^)(?:
20
- @@HOSTNAME|
21
- ALTER|ANALYZE|ASENSITIVE|
22
- BEFORE|BENCHMARK|BETWEEN|BIGINT|BINARY|BLOB|
23
- CALL|CASE|CHANGE|CHAR|CHARACTER|CHAR_LENGTH|COLLATE|COLUMN|CONCAT|CONDITION|CONSTRAINT|CONTINUE|CONVERT|CREATE|CROSS|CURRENT_DATE|CURRENT_TIME|CURRENT_TIMESTAMP|CURRENT_USER|CURSOR|
24
- DATABASE|DATABASES|DAY_HOUR|DAY_MICROSECOND|DAY_MINUTE|DAY_SECOND|DECIMAL|DECLARE|DEFAULT|DELAYED|DELETE|DESCRIBE|DETERMINISTIC|DISTINCT|DISTINCTROW|DOUBLE|DROP|DUAL|DUMPFILE|
25
- EACH|ELSE|ELSEIF|ELT|ENCLOSED|ESCAPED|EXISTS|EXIT|EXPLAIN|EXTRACTVALUE|
26
- FETCH|FLOAT|FLOAT4|FLOAT8|FORCE|FOREIGN|FROM|FULLTEXT|
27
- GRANT|GROUP|HAVING|HEX|HIGH_PRIORITY|HOUR_MICROSECOND|HOUR_MINUTE|HOUR_SECOND|
28
- IFNULL|IGNORE|INDEX|INFILE|INNER|INOUT|INSENSITIVE|INSERT|INTERVAL|ISNULL|ITERATE|
29
- JOIN|KILL|LEADING|LEAVE|LIMIT|LINEAR|LINES|LOAD|LOAD_FILE|LOCALTIME|LOCALTIMESTAMP|LOCK|LONG|LONGBLOB|LONGTEXT|LOOP|LOW_PRIORITY|
30
- MASTER_SSL_VERIFY_SERVER_CERT|MATCH|MAXVALUE|MEDIUMBLOB|MEDIUMINT|MEDIUMTEXT|MID|MIDDLEINT|MINUTE_MICROSECOND|MINUTE_SECOND|MODIFIES|
31
- NATURAL|NO_WRITE_TO_BINLOG|NULL|NUMERIC|OPTION|ORD|ORDER|OUTER|OUTFILE|
32
- PRECISION|PRIMARY|PRIVILEGES|PROCEDURE|PROCESSLIST|PURGE|
33
- RANGE|READ_WRITE|REGEXP|RELEASE|REPEAT|REQUIRE|RESIGNAL|RESTRICT|RETURN|REVOKE|RLIKE|ROLLBACK|
34
- SCHEMA|SCHEMAS|SECOND_MICROSECOND|SELECT|SENSITIVE|SEPARATOR|SHOW|SIGNAL|SLEEP|SMALLINT|SPATIAL|SPECIFIC|SQLEXCEPTION|SQLSTATE|SQLWARNING|SQL_BIG_RESULT|SQL_CALC_FOUND_ROWS|SQL_SMALL_RESULT|STARTING|STRAIGHT_JOIN|SUBSTR|
35
- TABLE|TERMINATED|TINYBLOB|TINYINT|TINYTEXT|TRAILING|TRANSACTION|TRIGGER|
36
- UNDO|UNHEX|UNION|UNLOCK|UNSIGNED|UPDATE|UPDATEXML|USAGE|USING|UTC_DATE|UTC_TIME|UTC_TIMESTAMP|
37
- VALUES|VARBINARY|VARCHAR|VARCHARACTER|VARYING|WHEN|WHERE|WHILE|WRITE|YEAR_MONTH|ZEROFILL)(?=[^\\w]|$)/ix';
38
-
39
- const XSSREGEX = '/(?:
40
- #tags
41
- (?:\\<|\\+ADw\\-|\\xC2\\xBC)(script|iframe|svg|object|embed|applet|link|style|meta|\\/\\/|\\?xml\\-stylesheet)(?:[^\\w]|\\xC2\\xBE)|
42
- #protocols
43
- (?:^|[^\\w])(?:(?:\\s*(?:&\\#(?:x0*6a|0*106)|j)\\s*(?:&\\#(?:x0*61|0*97)|a)\\s*(?:&\\#(?:x0*76|0*118)|v)\\s*(?:&\\#(?:x0*61|0*97)|a)|\\s*(?:&\\#(?:x0*76|0*118)|v)\\s*(?:&\\#(?:x0*62|0*98)|b)|\\s*(?:&\\#(?:x0*65|0*101)|e)\\s*(?:&\\#(?:x0*63|0*99)|c)\\s*(?:&\\#(?:x0*6d|0*109)|m)\\s*(?:&\\#(?:x0*61|0*97)|a)|\\s*(?:&\\#(?:x0*6c|0*108)|l)\\s*(?:&\\#(?:x0*69|0*105)|i)\\s*(?:&\\#(?:x0*76|0*118)|v)\\s*(?:&\\#(?:x0*65|0*101)|e))\\s*(?:&\\#(?:x0*73|0*115)|s)\\s*(?:&\\#(?:x0*63|0*99)|c)\\s*(?:&\\#(?:x0*72|0*114)|r)\\s*(?:&\\#(?:x0*69|0*105)|i)\\s*(?:&\\#(?:x0*70|0*112)|p)\\s*(?:&\\#(?:x0*74|0*116)|t)|\\s*(?:&\\#(?:x0*6d|0*109)|m)\\s*(?:&\\#(?:x0*68|0*104)|h)\\s*(?:&\\#(?:x0*74|0*116)|t)\\s*(?:&\\#(?:x0*6d|0*109)|m)\\s*(?:&\\#(?:x0*6c|0*108)|l)|\\s*(?:&\\#(?:x0*6d|0*109)|m)\\s*(?:&\\#(?:x0*6f|0*111)|o)\\s*(?:&\\#(?:x0*63|0*99)|c)\\s*(?:&\\#(?:x0*68|0*104)|h)\\s*(?:&\\#(?:x0*61|0*97)|a)|\\s*(?:&\\#(?:x0*64|0*100)|d)\\s*(?:&\\#(?:x0*61|0*97)|a)\\s*(?:&\\#(?:x0*74|0*116)|t)\\s*(?:&\\#(?:x0*61|0*97)|a)(?!(?:&\\#(?:x0*3a|0*58)|\\:)(?:&\\#(?:x0*69|0*105)|i)(?:&\\#(?:x0*6d|0*109)|m)(?:&\\#(?:x0*61|0*97)|a)(?:&\\#(?:x0*67|0*103)|g)(?:&\\#(?:x0*65|0*101)|e)(?:&\\#(?:x0*2f|0*47)|\\/)(?:(?:&\\#(?:x0*70|0*112)|p)(?:&\\#(?:x0*6e|0*110)|n)(?:&\\#(?:x0*67|0*103)|g)|(?:&\\#(?:x0*62|0*98)|b)(?:&\\#(?:x0*6d|0*109)|m)(?:&\\#(?:x0*70|0*112)|p)|(?:&\\#(?:x0*67|0*103)|g)(?:&\\#(?:x0*69|0*105)|i)(?:&\\#(?:x0*66|0*102)|f)|(?:&\\#(?:x0*70|0*112)|p)?(?:&\\#(?:x0*6a|0*106)|j)(?:&\\#(?:x0*70|0*112)|p)(?:&\\#(?:x0*65|0*101)|e)(?:&\\#(?:x0*67|0*103)|g)|(?:&\\#(?:x0*74|0*116)|t)(?:&\\#(?:x0*69|0*105)|i)(?:&\\#(?:x0*66|0*102)|f)(?:&\\#(?:x0*66|0*102)|f)|(?:&\\#(?:x0*73|0*115)|s)(?:&\\#(?:x0*76|0*118)|v)(?:&\\#(?:x0*67|0*103)|g)(?:&\\#(?:x0*2b|0*43)|\\+)(?:&\\#(?:x0*78|0*120)|x)(?:&\\#(?:x0*6d|0*109)|m)(?:&\\#(?:x0*6c|0*108)|l))(?:(?:&\\#(?:x0*3b|0*59)|;)(?:&\\#(?:x0*63|0*99)|c)(?:&\\#(?:x0*68|0*104)|h)(?:&\\#(?:x0*61|0*97)|a)(?:&\\#(?:x0*72|0*114)|r)(?:&\\#(?:x0*73|0*115)|s)(?:&\\#(?:x0*65|0*101)|e)(?:&\\#(
?:x0*74|0*116)|t)(?:&\\#(?:x0*3d|0*61)|=)[\\-a-z0-9]+)?(?:(?:&\\#(?:x0*3b|0*59)|;)(?:&\\#(?:x0*62|0*98)|b)(?:&\\#(?:x0*61|0*97)|a)(?:&\\#(?:x0*73|0*115)|s)(?:&\\#(?:x0*65|0*101)|e)(?:&\\#(?:x0*36|0*54)|6)(?:&\\#(?:x0*34|0*52)|4))?(?:&\\#(?:x0*2c|0*44)|,)))\\s*(?:&\\#(?:x0*3a|0*58)|&colon|\\:)|
44
- #css expression
45
- (?:^|[^\\w])(?:(?:\\\\0*65|\\\\0*45|e)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*78|\\\\0*58|x)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*70|\\\\0*50|p)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*72|\\\\0*52|r)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*65|\\\\0*45|e)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*73|\\\\0*53|s)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*73|\\\\0*53|s)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*69|\\\\0*49|i)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6f|\\\\0*4f|o)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6e|\\\\0*4e|n))[^\\w]*?(?:\\\\0*28|\\()|
46
- #css properties
47
- (?:^|[^\\w])(?:(?:(?:\\\\0*62|\\\\0*42|b)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*65|\\\\0*45|e)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*68|\\\\0*48|h)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*61|\\\\0*41|a)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*76|\\\\0*56|v)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*69|\\\\0*49|i)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6f|\\\\0*4f|o)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*72|\\\\0*52|r)(?:\\/\\*.*?\\*\\/)*)|(?:(?:\\\\0*2d|\\\\0*2d|-)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6d|\\\\0*4d|m)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6f|\\\\0*4f|o)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*7a|\\\\0*5a|z)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*2d|\\\\0*2d|-)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*62|\\\\0*42|b)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*69|\\\\0*49|i)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6e|\\\\0*4e|n)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*64|\\\\0*44|d)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*69|\\\\0*49|i)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*6e|\\\\0*4e|n)(?:\\/\\*.*?\\*\\/)*(?:\\\\0*67|\\\\0*47|g)(?:\\/\\*.*?\\*\\/)*))[^\\w]*(?:\\\\0*3a|\\\\0*3a|:)[^\\w]*(?:\\\\0*75|\\\\0*55|u)(?:\\\\0*72|\\\\0*52|r)(?:\\\\0*6c|\\\\0*4c|l)|
48
- #properties
49
- (?:^|[^\\w])(?:on(?:abort|activate|afterprint|afterupdate|autocomplete|autocompleteerror|beforeactivate|beforecopy|beforecut|beforedeactivate|beforeeditfocus|beforepaste|beforeprint|beforeunload|beforeupdate|blur|bounce|cancel|canplay|canplaythrough|cellchange|change|click|close|contextmenu|controlselect|copy|cuechange|cut|dataavailable|datasetchanged|datasetcomplete|dblclick|deactivate|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|durationchange|emptied|encrypted|ended|error|errorupdate|filterchange|finish|focus|focusin|focusout|formchange|forminput|hashchange|help|input|invalid|keydown|keypress|keyup|languagechange|layoutcomplete|load|loadeddata|loadedmetadata|loadstart|losecapture|message|mousedown|mouseenter|mouseleave|mousemove|mouseout|mouseover|mouseup|mousewheel|move|moveend|movestart|mozfullscreenchange|mozfullscreenerror|mozpointerlockchange|mozpointerlockerror|offline|online|page|pagehide|pageshow|paste|pause|play|playing|popstate|progress|propertychange|ratechange|readystatechange|reset|resize|resizeend|resizestart|rowenter|rowexit|rowsdelete|rowsinserted|scroll|search|seeked|seeking|select|selectstart|show|stalled|start|storage|submit|suspend|timer|timeupdate|toggle|unload|volumechange|waiting|webkitfullscreenchange|webkitfullscreenerror|wheel)|formaction|data\\-bind|ev:event)[^\\w]
50
- )/ix';
51
-
52
- const BYPASS_COOKIE = "bvfw-bypass-cookie";
53
- const IP_COOKIE = "bvfw-ip-cookie";
54
-
55
- public function __construct($db, $settings, $ip, $ipstore) {
56
- $this->db = $db;
57
- $this->settings = $settings;
58
- $this->config = new BVWPFWConfig($db, $settings);
59
- $this->request = new BVWPRequest($ip);
60
- $this->ipstore = $ipstore;
61
- $this->logger = new BVLogger($db, BVWPFWConfig::$requests_table);
62
- }
63
-
64
- public function init() {
65
- if ($this->config->canSetCookie()) {
66
- add_action('init', array($this, 'setBypassCookie'));
67
- $this->setIPCookie();
68
- }
69
- add_filter('status_header', array($this->request, 'captureRespCode'));
70
- register_shutdown_function(array($this, 'log'));
71
- }
72
-
73
- public function setcookie($name, $value, $expire, $path = COOKIEPATH, $domain = COOKIE_DOMAIN) {
74
- if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
75
- $secure = function_exists('is_ssl') ? is_ssl() : false;
76
- @setcookie($name, $value, $expire, $path, $domain, $secure, true);
77
- } else {
78
- @setcookie($name, $value, $expire, $path);
79
- }
80
- }
81
-
82
- public function setBypassCookie() {
83
- if (function_exists('is_user_logged_in') && is_user_logged_in() && !$this->hasValidBypassCookie()) {
84
- $roleLevel = $this->getCurrentRoleLevel();
85
- $bypassLevel = $this->config->getBypassLevel();
86
- if ($roleLevel >= $bypassLevel) {
87
- $cookie = $this->generateBypassCookie();
88
- $this->setcookie(BVWPFW::BYPASS_COOKIE, $cookie, time() + 43200);
89
- }
90
- }
91
- }
92
-
93
- public function generateBypassCookie() {
94
- $time = floor(time() / 43200);
95
- $bypassLevel = $this->config->getBypassLevel();
96
- $cookiekey = $this->config->getCookieKey();
97
- return sha1($bypassLevel.$time.$cookiekey);
98
- }
99
-
100
- public function hasValidBypassCookie() {
101
- $cookie = (string) $this->request->getCookies(BVWPFW::BYPASS_COOKIE);
102
- return ($this->config->canSetCookie() && ($cookie === $this->generateBypassCookie()));
103
- }
104
-
105
- public function setIPCookie() {
106
- if (!$this->request->getCookies(BVWPFW::IP_COOKIE)) {
107
- $ip = $this->request->getIP();
108
- $cookiekey = $this->config->getCookieKey();
109
- $time = floor(time() / 3600);
110
- $cookie = sha1($ip.$time.$cookiekey);
111
- $this->setcookie(BVWPFW::IP_COOKIE, $cookie, time() + 3600);
112
- }
113
- }
114
-
115
- public function getBVCookies() {
116
- $cookies = array();
117
- $cookies[BVWPFW::IP_COOKIE] = (string) $this->request->getCookies(BVWPFW::IP_COOKIE);
118
- return $cookies;
119
- }
120
-
121
- public function getCurrentRoleLevel() {
122
- if (function_exists('current_user_can')) {
123
- if (function_exists('is_super_admin') && is_super_admin()) {
124
- return BVWPFWConfig::ROLE_LEVEL_ADMIN;
125
- }
126
- foreach ($this->config->getCustomRoles() as $role) {
127
- if (current_user_can($role)) {
128
- return BVWPFWConfig::ROLE_LEVEL_CUSTOM;
129
- }
130
- }
131
- foreach (BVWPFWConfig::$roleLevels as $role => $level) {
132
- if (current_user_can($role)) {
133
- return $level;
134
- }
135
- }
136
- }
137
- return 0;
138
- }
139
-
140
- public function log() {
141
- if ($this->config->canSetCookie()) {
142
- $canlog = !$this->hasValidBypassCookie();
143
- } else {
144
- $canlog = (!function_exists('is_user_logged_in') || !is_user_logged_in());
145
- }
146
- if ($canlog) {
147
- $this->logger->log($this->request->getDataToLog());
148
- }
149
- }
150
-
151
- public function terminateRequest($category = BVWPRequest::NORMAL) {
152
- $info = new BVInfo($this->settings);
153
- $this->request->setCategory($category);
154
- $this->request->setStatus(BVWPRequest::BLOCKED);
155
- $this->request->setRespCode(403);
156
- header("Cache-Control: no-cache, no-store, must-revalidate");
157
- header("Pragma: no-cache");
158
- header("Expires: 0");
159
- header('HTTP/1.0 403 Forbidden');
160
- $brandname = $info->getBrandName();
161
- die("
162
- <div style='height: 98vh;'>
163
- <div style='text-align: center; padding: 10% 0; font-family: Arial, Helvetica, sans-serif;'>
164
- <div><p><img src=".plugins_url('/../../img/icon.png', __FILE__)."><h2>Firewall</h2><h3>powered by</h3><h2>"
165
- .$brandname."</h2></p><div>
166
- <p>Blocked because of Malicious Activities</p>
167
- </div>
168
- </div>
169
- ");
170
- }
171
-
172
- public function isBlacklistedIP() {
173
- return $this->ipstore->checkIPPresent($this->request->getIP(), BVIPStore::BLACKLISTED, BVIPStore::FW);
174
- }
175
-
176
- public function isWhitelistedIP() {
177
- return $this->ipstore->checkIPPresent($this->request->getIP(), BVIPStore::WHITELISTED, BVIPStore::FW);
178
- }
179
-
180
- public function canBypassFirewall() {
181
- if ($this->isWhitelistedIP() || $this->hasValidBypassCookie()) {
182
- $this->request->setCategory(BVWPRequest::WHITELISTED);
183
- $this->request->setStatus(BVWPRequest::BYPASSED);
184
- return true;
185
- }
186
- return false;
187
- }
188
-
189
- public function execute() {
190
- if ($this->config->canProfileReqInfo()) {
191
- $result = array();
192
- $result += $this->profileRequestInfo($this->request->getBody(),
193
- $this->config->isReqProfilingModeDebug(), 'BODY_');
194
- $result += $this->profileRequestInfo($this->request->getQueryString(),
195
- true, 'GET_');
196
- $result += $this->profileRequestInfo($this->request->getFiles(),
197
- true, 'FILES_');
198
- $result += $this->profileRequestInfo($this->getBVCookies(),
199
- true, 'COOKIES_');
200
- if (strpos($this->request->getPath(), 'admin-ajax.php') !== false) {
201
- $result += array('BODY_ADMIN_AJAX_ACTION' => $this->request->getBody('action'));
202
- $result += array('GET_ADMIN_AJAX_ACTION' => $this->request->getQueryString('action'));
203
- }
204
- if (strpos($this->request->getPath(), 'admin-post.php') !== false) {
205
- $result += array('BODY_ADMIN_POST_ACTION' => $this->request->getBody('action'));
206
- $result += array('GET_ADMIN_POST_ACTION' => $this->request->getQueryString('action'));
207
- }
208
- $this->request->updateReqInfo($result);
209
- }
210
- if (!$this->canBypassFirewall()) {
211
- $rules = $this->config->getRules();
212
- $this->matchRules($rules["audit"]);
213
- if ($this->config->isProtecting()) {
214
- if ($this->isBlacklistedIP()) {
215
- $this->terminateRequest(BVWPRequest::BLACKLISTED);
216
- }
217
- if ($this->matchRules($rules["protect"], true)) {
218
- $this->terminateRequest();
219
- }
220
- }
221
- }
222
- }
223
-
224
- public function getServerValue($key) {
225
- if (isset($_SERVER) && array_key_exists($key, $_SERVER)) {
226
- return $_SERVER[$key];
227
- }
228
- return null;
229
- }
230
-
231
- public function match($pattern, $subject, $key = NULL) {
232
- if (is_array($subject)) {
233
- foreach ($subject as $k => $v) {
234
- $k = ($key !== NULL) ? $key.'-'.$k : NULL;
235
- if ($this->match($pattern, $v, $k)) {
236
- return true;
237
- }
238
- }
239
- } else {
240
- if (preg_match((string) $pattern, (string) $subject) > 0) {
241
- if ($key !== NULL) {
242
- $this->currRuleInfo[$key] = $this->getLength($subject);
243
- }
244
- return true;
245
- }
246
- }
247
- return false;
248
- }
249
-
250
- public function matchCount($pattern, $subject) {
251
- $count = 0;
252
- if (is_array($subject)) {
253
- foreach ($subject as $val) {
254
- $count += $this->matchCount($pattern, $val);
255
- }
256
- return $count;
257
- } else {
258
- $count = preg_match_all((string) $pattern, (string) $subject, $matches);
259
- return ($count === false ? 0 : $count);
260
- }
261
- }
262
-
263
- public function matchMD5($str, $val) {
264
- return md5((string) $str) === $val;
265
- }
266
-
267
- public function getLength($val) {
268
- $length = 0;
269
- if (is_array($val)) {
270
- foreach ($val as $v) {
271
- $length += $this->getLength($v);
272
- }
273
- return $length;
274
- } else {
275
- return strlen((string) $val);
276
- }
277
- }
278
-
279
- public function equals($value, $subject) {
280
- return $value == $subject;
281
- }
282
-
283
- public function notEquals($value, $subject) {
284
- return $value != $subject;
285
- }
286
-
287
- public function profileRequestInfo($params, $debug = false, $prefix = '') {
288
- $result = array();
289
- if (is_array($params)) {
290
- foreach ($params as $key => $value) {
291
- $currkey = $prefix . $key;
292
- if (is_array($value)) {
293
- $result = $result + $this->profileRequestInfo($value, $debug, $currkey . '_');
294
- } else {
295
- $result[$currkey] = array();
296
- $valsize = $this->getLength($value);
297
- $result[$currkey]["size"] = $valsize;
298
- if ($debug === true && $valsize < 256) {
299
- $result[$currkey]["value"] = $value;
300
- continue;
301
- }
302
-
303
- if (preg_match('/^\d+$/', $value)) {
304
- $result[$currkey]["numeric"] = true;
305
- } else if (preg_match('/^\w+$/', $value)) {
306
- $result[$currkey]["regular_word"] = true;
307
- } else if (preg_match('/^\S+$/', $value)) {
308
- $result[$currkey]["special_word"] = true;
309
- } else if (preg_match('/^[\w\s]+$/', $value)) {
310
- $result[$currkey]["regular_sentence"] = true;
311
- } else if (preg_match('/^[\w\W]+$/', $value)) {
312
- $result[$currkey]["special_chars_sentence"] = true;
313
- }
314
-
315
- if (preg_match('/^\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}
316
- (25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b$/x', $value)) {
317
- $result[$currkey]["ipv4"] = true;
318
- } else if (preg_match('/\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}
319
- (25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b/x', $value)) {
320
- $result[$currkey]["embeded_ipv4"] = true;
321
- } else if (preg_match('/^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|
322
- ([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|
323
- ([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}
324
- (:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|
325
- ([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|
326
- :((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|
327
- ::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3}
328
- (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|
329
- (2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$/x', $value)) {
330
- $result[$currkey]["ipv6"] = true;
331
- } else if (preg_match('/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|
332
- ([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|
333
- ([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}
334
- (:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|
335
- ([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|
336
- :((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|
337
- ::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3}
338
- (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|
339
- (2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/x', $value)) {
340
- $result[$currkey]["embeded_ipv6"] = true;
341
- }
342
-
343
- if (preg_match('/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}$/', $value)) {
344
- $result[$currkey]["email"] = true;
345
- } else if (preg_match('/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}/', $value)) {
346
- $result[$currkey]["embeded_email"] = true;
347
- }
348
-
349
- if (preg_match('/^(http|ftp)s?:\/\/\S+$/i', $value)) {
350
- $result[$currkey]["link"] = true;
351
- } else if (preg_match('/(http|ftp)s?:\/\/\S+$/i', $value)) {
352
- $result[$currkey]["embeded_link"] = true;
353
- }
354
-
355
- if (preg_match('/<(html|head|title|base|link|meta|style|picture|source|img|
356
- iframe|embed|object|param|video|audio|track|map|area|form|label|input|button|
357
- select|datalist|optgroup|option|textarea|output|progress|meter|fieldset|legend|
358
- script|noscript|template|slot|canvas)/ix', $value)) {
359
- $result[$currkey]["embeded_html"] = true;
360
- }
361
-
362
- if (preg_match('/\.(jpg|jpeg|png|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|zip|gzip|
363
- xlsx|psd|mp3|m4a|ogg|wav|mp4|m4v|mov|wmv|avi|mpg|ogv|3gp|3g2|php|html|phtml|js|css)/ix', $value)) {
364
- $result[$currkey]["file"] = true;
365
- }
366
-
367
- if ($this->matchCount(BVWPFW::SQLIREGEX, $value) >= 2) {
368
- $result[$currkey]["sql"] = true;
369
- }
370
- }
371
- }
372
- }
373
- return $result;
374
- }
375
-
376
- public function matchRules($rules = array(), $isProtect = false) {
377
- if (empty($rules)) {
378
- return false;
379
- }
380
- if (isset($rules[108])) {
381
- $this->currRuleInfo = array();
382
- if ($this->match(BVWPFW::XSSREGEX, $this->request->getQueryString(), "GET")) {
383
- $this->request->updateRulesInfo(108, $this->currRuleInfo);
384
- if ($isProtect) return true;
385
- }
386
- }
387
- if (isset($rules[112])) {
388
- $this->currRuleInfo = array();
389
- if ($this->match('/\\/wp\\-admin[\\/]+admin\\-ajax\\.php/', $this->request->getPath()) &&
390
- (($this->equals('revslider_show_image', $this->request->getQueryString('action')) && $this->match('/\\.php$/i', $this->request->getQueryString('img'), "img")) or
391
- ($this->equals('revslider_show_image', $this->request->getBody('action')) && $this->match('/\\.php$/i', $this->request->getQueryString('img'), "img")))) {
392
- $this->request->updateRulesInfo(112, $this->currRuleInfo);
393
- if ($isProtect) return true;
394
- }
395
- }
396
- if (isset($rules[114])) {
397
- $this->currRuleInfo = array();
398
- if ($this->match('/<\\!(?:DOCTYPE|ENTITY)\\s+(?:%\\s*)?\\w+\\s+SYSTEM/i', $this->request->getBody(), "BODY") or
399
- $this->match('/<\\!(?:DOCTYPE|ENTITY)\\s+(?:%\\s*)?\\w+\\s+SYSTEM/i', $this->request->getQueryString(), "GET")) {
400
- $this->request->updateRulesInfo(114, $this->currRuleInfo);
401
- if ($isProtect) return true;
402
- }
403
- }
404
- if (isset($rules[115])) {
405
- $this->currRuleInfo = array();
406
- if ($this->match('#/wp\\-admin/admin\\-ajax\\.php$#i', $this->getServerValue('SCRIPT_FILENAME')) &&
407
- ($this->equals('update-plugin', $this->request->getBody('action')) or $this->equals('update-plugin', $this->request->getQueryString('action'))) && ($this->match('/(^|\\/|\\\\|%2f|%5c)\\.\\.(\\\\|\\/|%2f|%5c)/i', $this->request->getBody(), "BODY") or
408
- ($this->match('/(^|\\/|\\\\|%2f|%5c)\\.\\.(\\\\|\\/|%2f|%5c)/i', $this->request->getQueryString(), "GET")))) {
409
- $this->request->updateRulesInfo(115, $this->currRuleInfo);
410
- if ($isProtect) return true;
411
- }
412
- }
413
- if (isset($rules[132])) {
414
- $this->currRuleInfo = array();
415
- if (($this->equals('Y', $this->request->getBody('kentopvc_hidden'))) &&
416
- ((!$this->match('/^1?$/', $this->request->getBody('kento_pvc_hide'), "kento_pvc_hide")) or
417
- (!$this->match('/^1?$/', $this->request->getBody('kento_pvc_uniq'), "kento_pvc_uniq")) or
418
- (!$this->match('/^1?$/', $this->request->getBody('kento_pvc_posttype'), "kento_pvc_posttype")) or
419
- ($this->match(BVWPFW::XSSREGEX, $this->request->getBody('kento_pvc_today_text'), "kento_pvc_today_text")) or
420
- ($this->match(BVWPFW::XSSREGEX, $this->request->getBody('kento_pvc_total_text'), "kento_pvc_total_text")) or
421
- ($this->match(BVWPFW::XSSREGEX, $this->request->getBody('kento_pvc_numbers_lang'), "kento_pvc_numbers_lang")))) {
422
- $this->request->updateRulesInfo(132, $this->currRuleInfo);
423
- if ($isProtect) return true;
424
- }
425
- }
426
- if (isset($rules[133])) {
427
- $this->currRuleInfo = array();
428
- if ((($this->match('#/wp\\-mobile\\-detector[/]+resize\\.php#i', $this->request->getPath())) or
429
- ($this->match('#/wp\\-mobile\\-detector[/]+timthumb\\.php#i', $this->request->getPath()))) &&
430
- ((($this->getLength($this->request->getBody('src')) > 0) &&
431
- (!$this->match('/\\.(?:png|gif|jpg|jpeg|jif|jfif|svg)$/i', $this->request->getBody('src'), "src"))) or
432
- (($this->getLength($this->request->getQueryString('src'))) &&
433
- (!$this->match('/\\.(?:png|gif|jpg|jpeg|jif|jfif|svg)$/i', $this->request->getQueryString('src'), "src"))))) {
434
- $this->request->updateRulesInfo(133, $this->currRuleInfo);
435
- if ($isProtect) return true;
436
- }
437
- }
438
- if (isset($rules[145])) {
439
- $this->currRuleInfo = array();
440
- if ((($this->match('/Abonti|aggregator|AhrefsBot|asterias|BDCbot|BLEXBot|BuiltBotTough|Bullseye|BunnySlippers|ca\\-crawler|CCBot|Cegbfeieh|CheeseBot|CherryPicker|CopyRightCheck|cosmos|Crescent|discobot|DittoSpyder|DotBot|Download Ninja|EasouSpider|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|ExtractorPro|Fasterfox|FeedBooster|Foobot|Genieo|grub\\-client|Harvest|hloader|httplib|HTTrack|humanlinks|ieautodiscovery|InfoNaviRobot|IstellaBot|Java\\/1\\.|JennyBot|k2spider|Kenjin Spider|Keyword Density\\/0\\.9|larbin|LexiBot|libWeb|libwww|LinkextractorPro|linko|LinkScan\\/8\\.1a Unix|LinkWalker|LNSpiderguy|lwp\\-trivial|magpie|Mata Hari|MaxPointCrawler|MegaIndex|Microsoft URL Control|MIIxpc|Mippin|Missigua Locator|Mister PiX|MJ12bot|moget|MSIECrawler|NetAnts|NICErsPRO|Niki\\-Bot|NPBot|Nutch|Offline Explorer|Openfind|panscient\\.com|PHP\\/5\\.\\{|ProPowerBot\\/2\\.14|ProWebWalker|Python\\-urllib|QueryN Metasearch|RepoMonkey|RMA|SemrushBot|SeznamBot|SISTRIX|sitecheck\\.Internetseer\\.com|SiteSnagger|SnapPreviewBot|Sogou|SpankBot|spanner|spbot|Spinn3r|suzuran|Szukacz\\/1\\.4|Teleport|Telesoft|The Intraformant|TheNomad|TightTwatBot|Titan|toCrawl\\/UrlDispatcher|True_Robot|turingos|TurnitinBot|UbiCrawler|UnisterBot|URLy Warning|VCI|WBSearchBot|Web Downloader\\/6\\.9|Web Image Collector|WebAuto|WebBandit|WebCopier|WebEnhancer|WebmasterWorldForumBot|WebReaper|WebSauger|Website Quester|Webster Pro|WebStripper|WebZip|Wotbox|wsr\\-agent|WWW\\-Collector\\-E|Xenu|Zao|Zeus|ZyBORG|coccoc|Incutio|lmspider|memoryBot|SemrushBot|serf|Unknown|uptime files/i', $this->request->getHeader('User-Agent'), "User-Agent")) &&
441
- ($this->match(BVWPFW::XSSREGEX, $this->request->getHeader('User-Agent'), "User-Agent"))) or
442
- (($this->match('/semalt\\.com|kambasoft\\.com|savetubevideo\\.com|buttons\\-for\\-website\\.com|sharebutton\\.net|soundfrost\\.org|srecorder\\.com|softomix\\.com|softomix\\.net|myprintscreen\\.com|joinandplay\\.me|fbfreegifts\\.com|openmediasoft\\.com|zazagames\\.org|extener\\.org|openfrost\\.com|openfrost\\.net|googlsucks\\.com|best\\-seo\\-offer\\.com|buttons\\-for\\-your\\-website\\.com|www\\.Get\\-Free\\-Traffic\\-Now\\.com|best\\-seo\\-solution\\.com|buy\\-cheap\\-online\\.info|site3\\.free\\-share\\-buttons\\.com|webmaster\\-traffic\\.co/i', $this->request->getHeader('Referer'), "Referer")) &&
443
- ($this->match(BVWPFW::XSSREGEX, $this->request->getHeader('User-Agent'), "User-Agent")))) {
444
- $this->request->updateRulesInfo(145, $this->currRuleInfo);
445
- if ($isProtect) return true;
446
- }
447
- }
448
- if (isset($rules[146])) {
449
- $this->currRuleInfo = array();
450
- if ($this->match('/sitemap_.*?<.*?(:?_\\d+)?\\.xml(:?\\.gz)?/i', $this->request->getPath())) {
451
- $this->request->updateRulesInfo(146, $this->currRuleInfo);
452
- if ($isProtect) return true;
453
- }
454
- }
455
- if (isset($rules[155])) {
456
- $this->currRuleInfo = array();
457
- if (($this->match(BVWPFW::XSSREGEX, $this->request->getHeader('Client-IP'), "Client-IP")) or
458
- ($this->match(BVWPFW::XSSREGEX, $this->request->getHeader('X-Forwarded'), "X-Forwarded")) or
459
- ($this->match(BVWPFW::XSSREGEX, $this->request->getHeader('X-Cluster-Client-IP'), "X-Cluster-Client-IP")) or
460
- ($this->match(BVWPFW::XSSREGEX, $this->request->getHeader('Forwarded-For'), "Forwarded-For")) or
461
- ($this->match(BVWPFW::XSSREGEX, $this->request->getHeader('Forwarded'), "Forwarded"))) {
462
- $this->request->updateRulesInfo(155, $this->currRuleInfo);
463
- if ($isProtect) return true;
464
- }
465
- }
466
- if (isset($rules[156])) {
467
- $this->currRuleInfo = array();
468
- if ($this->match('#/wp\\-admin/admin\\-ajax\\.php$#i', $this->getServerValue('SCRIPT_FILENAME')) and
469
- (($this->match(BVWPFW::SQLIREGEX, $this->request->getBody('umm_user'), "umm_user")) or
470
- ($this->match(BVWPFW::SQLIREGEX, $this->request->getQueryString('umm_user'), "umm_user")))) {
471
- $this->request->updateRulesInfo(156, $this->currRuleInfo);
472
- if ($isProtect) return true;
473
- }
474
- }
475
- if (isset($rules[165])) {
476
- $this->currRuleInfo = array();
477
- if ($this->match('/O:\\d+:"(?!stdClass")[^"]+":/', $this->request->getCookies('ecwid_oauth_state'), "ecwid_oauth_state")) {
478
- $this->request->updateRulesInfo(165, $this->currRuleInfo);
479
- if ($isProtect) return true;
480
- }
481
- }
482
- if (isset($rules[167])) {
483
- $this->currRuleInfo = array();
484
- if ((!$this->match('/\\.(jpe?g|png|mpeg|mov|flv|pdf|docx?|txt|csv|avi|mp3|wma|wav)($|\\.)/i', $this->request->getFileNames())) &&
485
- ($this->getLength($this->request->getBody('save_bepro_listing')) > 0)) {
486
- $this->request->updateRulesInfo(167, $this->currRuleInfo);
487
- if ($isProtect) return true;
488
- }
489
- }
490
- if (isset($rules[168])) {
491
- $this->currRuleInfo = array();
492
- if (($this->match('#/wp\\-admin/admin\\-ajax\\.php$#i', $this->getServerValue('SCRIPT_FILENAME'))) &&
493
- ($this->equals('master-slider', $this->request->getQueryString('page'))) &&
494
- ($this->getLength($this->request->getBody('page')) > 0) &&
495
- ($this->notEquals('master-slider', $this->request->getBody('page')))) {
496
- $this->request->updateRulesInfo(168, $this->currRuleInfo);
497
- if ($isProtect) return true;
498
- }
499
- }
500
- if (isset($rules[169])) {
501
- $this->currRuleInfo = array();
502
- if (($this->equals('fancybox-for-wordpress', $this->request->getQueryString('page'))) &&
503
- ($this->match(BVWPFW::XSSREGEX, $this->request->getBody('mfbfw'), "mfbfw"))) {
504
- $this->request->updateRulesInfo(169, $this->currRuleInfo);
505
- if ($isProtect) return true;
506
- }
507
- }
508
- if (isset($rules[171])) {
509
- $this->currRuleInfo = array();
510
- if ((($this->match('#wp-json/wp/v\\d+/posts/#i', $this->request->getPath())) or
511
- ($this->match('#/wp/v\\d+/posts/#i', $this->request->getQueryString('rest_route'), "rest_route"))) &&
512
- ($this->match('/[^0-9]/', $this->request->getQueryString('id'), "id"))) {
513
- $this->request->updateRulesInfo(171, $this->currRuleInfo);
514
- if ($isProtect) return true;
515
- }
516
- }
517
- if (isset($rules[172])) {
518
- $this->currRuleInfo = array();
519
- $pattern = '`\b(?i:(?:conf(?:ig(?:ur(?:e|ation)|\.inc|_global)?)?)|settings?(?:\.?inc)?)\.php$`';
520
- if ((($this->match($pattern, $this->getServerValue('SCRIPT_FILENAME'), "SCRIPT_FILENAME")) or
521
- ($this->match($pattern, $this->request->getQueryString(), "GET")))) {
522
- $this->request->updateRulesInfo(172, $this->currRuleInfo);
523
- if ($isProtect) return true;
524
- }
525
- }
526
- if (isset($rules[173])) {
527
- $this->currRuleInfo = array();
528
- $pattern = '`(?:\.{2}[\/]+)`';
529
- if ((($this->match($pattern, $this->request->getBody(), "BODY")) or
530
- ($this->match($pattern, $this->request->getQueryString(), "GET")) or
531
- ($this->match($pattern, $this->request->getCookies(), "COOKIE")) or
532
- ($this->match($pattern, $this->request->getHeader('User-Agent'), "HEADER")))) {
533
- $this->request->updateRulesInfo(173, $this->currRuleInfo);
534
- if ($isProtect) return true;
535
- }
536
- }
537
- if (isset($rules[174])) {
538
- $this->currRuleInfo = array();
539
- $pattern = '`\\b(?:\\$?_(COOKIE|ENV|FILES|(?:GE|POS|REQUES)T|SE(RVER|SSION))|HTTP_(?:(?:POST|GET)_VARS|RAW_POST_DATA)|GLOBALS)\\s*[=\\[)]|\\W\\$\\{\\s*[\'"]\\w+[\'"]`';
540
- if ((($this->match($pattern, $this->request->getBody(), "BODY")) or
541
- ($this->match($pattern, $this->request->getQueryString(), "GET")) or
542
- ($this->match($pattern, $this->request->getCookies(), "COOKIE")) or
543
- ($this->match($pattern, $this->request->getHeader('User-Agent'), "User-Agent")) or
544
- ($this->match($pattern, $this->request->getHeader('Referer'), "Referer")) or
545
- ($this->match($pattern, $this->getServerValue('PATH_INFO'), "PATH_INFO")))) {
546
- $this->request->updateRulesInfo(174, $this->currRuleInfo);
547
- if ($isProtect) return true;
548
- }
549
- }
550
- if (isset($rules[175])) {
551
- $this->currRuleInfo = array();
552
- $pattern = '`\\b(?i:eval)\\s*\\(\\s*(?i:base64_decode|exec|file_get_contents|gzinflate|passthru|shell_exec|stripslashes|system)\\s*\\(`';
553
- if ((($this->match($pattern, $this->request->getBody(), "BODY")) or
554
- ($this->match($pattern, $this->request->getQueryString(), "GET")) or
555
- ($this->match($pattern, $this->request->getCookies(), "COOKIE")) or
556
- ($this->match($pattern, $this->request->getHeader('User-Agent'), "User-Agent")))) {
557
- $this->request->updateRulesInfo(175, $this->currRuleInfo);
558
- if ($isProtect) return true;
559
- }
560
- }
561
- if (isset($rules[176])) {
562
- $this->currRuleInfo = array();
563
- $pattern = '`(?:<\\?(?![Xx][Mm][Ll]).*?(?:\\$_?(?:COOKIE|ENV|FILES|GLOBALS|(?:GE|POS|REQUES)T|SE(RVER|SSION))\\s*[=\\[)]|\\b(?i:array_map|assert|base64_(?:de|en)code|curl_exec|eval|(?:ex|im)plode|file(?:_get_contents)?|fsockopen|function_exists|gzinflate|move_uploaded_file|passthru|[ep]reg_replace|phpinfo|stripslashes|strrev|substr|system|(?:shell_)?exec)\\s*(?:/\\*.+?\\*/\\s*)?\\())|#!/(?:usr|bin)/.+?\\s|\\W\\$\\{\\s*[\'"]\\w+[\'"]`';
564
- if ((($this->match($pattern, $this->request->getBody(), "BODY")) or
565
- ($this->match($pattern, $this->request->getQueryString(), "GET")) or
566
- ($this->match($pattern, $this->request->getCookies(), "COOKIE")) or
567
- ($this->match($pattern, $this->request->getHeader('User-Agent'), "User-Agent")))) {
568
- $this->request->updateRulesInfo(176, $this->currRuleInfo);
569
- if ($isProtect) return true;
570
- }
571
- }
572
- if (isset($rules[177])) {
573
- $this->currRuleInfo = array();
574
- if ((($this->matchCount(BVWPFW::SQLIREGEX, $this->request->getBody()) > 2) or
575
- ($this->matchCount(BVWPFW::SQLIREGEX, $this->request->getQueryString()) > 2) or
576
- ($this->matchCount(BVWPFW::SQLIREGEX, $this->request->getCookies()) > 2) or
577
- ($this->matchCount(BVWPFW::SQLIREGEX, $this->request->getHeader('User-Agent')) > 2))) {
578
- $this->request->updateRulesInfo(177, $this->currRuleInfo);
579
- if ($isProtect) return true;
580
- }
581
- }
582
- if (isset($rules[178])) {
583
- $this->currRuleInfo = array();
584
- $pattern = '`(?: \\W(?:background(-image)?|-moz-binding)\\s*:[^}]*?\\burl\\s*\\([^)]+?(https?:)?//\\w|<(?i:applet|div|embed|form|i?frame(?:set)?|i(?:mg|sindex)|link|m(?:eta|arquee)|object|script|textarea)\\b.*=.*?>|\\bdocument\\s*\\.\\s*(?:body|cookie|domain|location|open|write(?:ln)?)\\b|\\blocation\\s*\\.\\s*(?:href|replace)\\b|\\bwindow\\s*\\.\\s*(?:open|location)\\b|\\b(?:alert|confirm|eval|expression|prompt|set(?:Timeout|Interval)|String\\s*\\.\\s*fromCharCode|\\.\\s*substr)\\b\\s*\\(.*?\\)|(?i)<\\s*s\\s*t\\s*y\\s*l\\s*e\\b.*?>.*?<\\s*/\\s*s\\s*t\\s*y\\s*l\\s*e\\b.*?>|(?i)<[a-z].+?\\bon[a-z]{3,29}\\b\\s*=.{5}|(?i)<.+?\\bon[a-z]{3,29}\\b\\s*=\\s*[\'"](?!\\s*return false\\b).*?[\'"].+?>|(?i)<\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t\\b.*?>.*?<\\s*/\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t.*?>|<.+?(?i)\\b(?:href|(?:form)?action|background|code|data|location|name|poster|src|value)\\s*=\\s*[\'"]?(?:(?:f|ht)tps?:)?//\\w+\\.\\w|\\batob\\s*(?:[\'"\\x60]\\s*\\]\\s*)?\\(\\s*([\'"\\x60])[a-zA-Z0-9/+=]+\\1\\s*\\)|<.+?(?i)[a-z]+\\s*=.*?(?:java|vb)script:.+?> |<x:script\\b.*?>.*?</x:script.*?>|\\+A(?:Dw|ACIAPgA8)-.+?\\+AD4(?:APAAi)?-|[{}+[\\]\\s]\\+\\s*\\[\\s*]\\s*\\)\\s*\\[[{!}+[\\]\\s]|(?i)<[a-z]+/[a-z]+.+?=.+?>|\\[\\s*\\]\\s*\\[\\s*[\'"\\x60]filter[\'"\\x60]\\s*\\]\\s*\\[\\s*[\'"\\x60]constructor[\'"\\x60]\\s*\\]\\s*\\(\\s*|\\b(?:document|window|this)\\s*\\[.+?\\]\\s*[\\[(]|(?:(?:\\b(?:self|this|top|window)\\s*\\[.+?\\]|\\(\\s*(?:alert|confirm|eval|expression|prompt)\\s*\\)|\\[.*?\\]\\s*\\.\\s*find)|(?:\\.\\s*(?:re(?:ject|place)|constructor)))\\s*\\(.*?\\)|\\b(\\w+)\\s*=\\s*(?:alert|confirm|eval|expression|prompt)\\s*[;,]\\1\\s*\\(.*?\\))`';
585
- if ((($this->match($pattern, $this->request->getBody(), "BODY")) or
586
- ($this->match($pattern, $this->request->getQueryString(), "GET")) or
587
- ($this->match($pattern, $this->request->getCookies(), "COOKIE")) or
588
- ($this->match($pattern, $this->request->getHeader('User-Agent'), "User-Agent")) or
589
- ($this->match($pattern, $this->request->getHeader('Referer'), "Referer")))) {
590
- $this->request->updateRulesInfo(178, $this->currRuleInfo);
591
- if ($isProtect) return true;
592
- }
593
- }
594
- return false;
595
- }
596
- }
597
- endif;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
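--- a/protect/wp_lp/config.php
+++ /dev/null
@@ -1,82 +0,0 @@
-<?php
-
-if (!defined('ABSPATH')) exit;
-if (!class_exists('BVWPLPConfig')) :
-class BVWPLPConfig {
-public $db;
-public $settings;
-public static $requests_table = 'lp_requests';
-
-#mode
-const DISABLED = 1;
-const AUDIT = 2;
-const PROTECT = 3;
-
-public function __construct($db, $settings) {
-$this->db = $db;
-$this->settings = $settings;
-}
-
-public function setMode($mode) {
-if (!$mode) {
-$this->settings->deleteOption('bvlpmode');
-} else {
-$this->settings->updateOption('bvlpmode', intval($mode));
-}
-}
-
-public function setCaptchaLimit($count) {
-if (!$count) {
-$this->settings->deleteOption('bvlpcaptchaLimit');
-} else {
-$this->settings->updateOption('bvlpcaptchaLimit', intval($count));
-}
-}
-
-public function setTempBlockLimit($count) {
-if (!$count) {
-$this->settings->deleteOption('bvlptempblocklimit');
-} else {
-$this->settings->updateOption('bvlptempblocklimit', intval($count));
-}
-}
-
-public function setBlockAllLimit($count) {
-if (!$count) {
-$this->settings->deleteOption('bvlpblockalllimit');
-} else {
-$this->settings->updateOption('bvlpblockalllimit', intval($count));
-}
-}
-
-public function getMode() {
-$mode = $this->settings->getOption('bvlpmode');
-return intval($mode ? $mode : BVWPLPConfig::DISABLED);
-}
-
-public function getCaptchaLimit() {
-$limit = $this->settings->getOption('bvlpcaptchalimit');
-return ($limit ? $limit : 3);
-}
-
-public function getTempBlockLimit() {
-$limit = $this->settings->getOption('bvlptempblocklimit');
-return ($limit ? $limit : 10);
-}
-
-public function getBlockAllLimit() {
-$limit = $this->settings->getOption('bvlpblockAlllimit');
-return ($limit ? $limit : 100);
-}
-
-public function clear() {
-$this->setMode(false);
-$this->setCaptchaLimit(false);
-$this->setTempBlockLimit(false);
-$this->setBlockAllLimit(false);
-$this->db->dropBVTable(BVWPLPConfig::$requests_table);
-$this->settings->deleteOption('bvptplug');
-return true;
-}
-}
-endif;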
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
readme.txt CHANGED
@@ -4,9 +4,9 @@ Tags: backup, wordpress backup, backup plugin, cloud backup, database backup, ba
4
  Plugin URI: https://blogvault.net/
5
  Donate link: https://app.blogvault.net/home/signup
6
  Requires at least: 4.0
7
- Requires PHP: 5.4.0
8
  Tested up to: 5.4
9
- Stable tag: 3.4
 
10
  License: GPLv2 or later
11
  License URI: [http://www.gnu.org/licenses/gpl-2.0.html](http://www.gnu.org/licenses/gpl-2.0.html)
12
 
@@ -240,6 +240,12 @@ Thank you. We really appreciate these kind words, and it makes our day. We would
240
  9. We power WordPress migration for WPEngine, Pantheon, FlyWheel, LiquidWeb, Cloudways, Savvii and many more. Need we say more?
241
 
242
  == CHANGELOG ==
 
 
 
 
 
 
243
  = 3.4 =
244
  * Updating account authentication structure
245
  * Adding params validation
4
  Plugin URI: https://blogvault.net/
5
  Donate link: https://app.blogvault.net/home/signup
6
  Requires at least: 4.0
 
7
  Tested up to: 5.4
8
+ Requires PHP: 5.4.0
9
+ Stable tag: 4.2
10
  License: GPLv2 or later
11
  License URI: [http://www.gnu.org/licenses/gpl-2.0.html](http://www.gnu.org/licenses/gpl-2.0.html)
12
 
240
  9. We power WordPress migration for WPEngine, Pantheon, FlyWheel, LiquidWeb, Cloudways, Savvii and many more. Need we say more?
241
 
242
  == CHANGELOG ==
243
+ = 4.2 =
244
+ * Firewall in prepend mode
245
+ * Robust Firewall and Login protection
246
+ * Robust write callbacks
247
+ * Without FTP cleanup and restore support
248
+
249
  = 3.4 =
250
  * Updating account authentication structure
251
  * Adding params validation
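--- a/recover.php
+++ b/recover.php
@@ -44,4 +44,4 @@ if (!class_exists('BVRecover')) :
 return $account;
 }
 }
-endif;
+endif;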
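--- a/wp_actions.php
+++ b/wp_actions.php
@@ -36,8 +36,7 @@ if (!class_exists('BVWPAction')) :
 }
 
 public static function uninstall() {
-do_action('clear_lp_config');
-do_action('clear_fw_config');
+do_action('clear_pt_config');
 do_action('clear_ip_store');
 do_action('clear_dynsync_config');
 }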
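Review bot: `uninstall()` now fires a single `clear_pt_config` action in place of `clear_lp_config` and `clear_fw_config`, but nothing in this section registers a handler for the new action; if none is hooked elsewhere, the login-protection options that the removed `BVWPLPConfig::clear()` used to delete (`bvlpmode`, `bvlpcaptchaLimit`, `bvlptempblocklimit`, `bvlpblockalllimit`, `bvptplug`) and its `lp_requests` table would survive an uninstall. Worth confirming that the handler exists and covers both firewall and login-protection state, and pinning the contract above the call: `// clear_pt_config replaces clear_lp_config + clear_fw_config: must remove all firewall/login-protection options and tables`.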
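--- a/wp_admin.php
+++ b/wp_admin.php
@@ -7,10 +7,12 @@ class BVWPAdmin {
 public $settings;
 public $siteinfo;
 public $bvinfo;
+public $bvapi;
 
-function __construct($settings, $siteinfo) {
+function __construct($settings, $siteinfo, $bvapi) {
 $this->settings = $settings;
 $this->siteinfo = $siteinfo;
+$this->bvapi = $bvapi;
 $this->bvinfo = new BVInfo($this->settings);
 }
 
@@ -22,6 +24,13 @@ class BVWPAdmin {
 }
 }
 
+function removeAdminNotices() {
+if (array_key_exists('page', $_REQUEST) && $_REQUEST['page'] == $this->bvinfo->plugname) {
+remove_all_actions('admin_notices');
+remove_all_actions('all_admin_notices');
+}
+}
+
 public function initHandler() {
 if (!current_user_can('activate_plugins'))
 return;
@@ -50,8 +59,9 @@ class BVWPAdmin {
 $brand = $this->bvinfo->getBrandInfo();
 if (!$brand || (!array_key_exists('hide', $brand) && !array_key_exists('hide_from_menu', $brand))) {
 $bname = $this->bvinfo->getBrandName();
+$icon = $this->bvinfo->getBrandIcon();
 add_menu_page($bname, $bname, 'manage_options', $this->bvinfo->plugname,
-array($this, 'adminPage'), plugins_url('img/icon.png', __FILE__ ));
+array($this, 'adminPage'), plugins_url($icon, __FILE__ ));
 }
 }
 
@@ -133,6 +143,9 @@ class BVWPAdmin {
 wp_enqueue_style( 'bvsurface', plugins_url('css/bvmui.min.css', __FILE__));
 wp_enqueue_style( 'bvplugin', plugins_url('css/bvplugin.min.css', __FILE__));
 if (isset($_REQUEST['bvnonce']) && wp_verify_nonce( $_REQUEST['bvnonce'], 'bvnonce' )) {
+$info = array();
+$this->siteinfo->basic($info);
+$this->bvapi->pingbv('/bvapi/disconnect', $info, $_REQUEST['pubkey']);
 BVAccount::remove($this->settings, $_REQUEST['pubkey']);
 }
 require_once dirname( __FILE__ ) . '/admin/header.php';
@@ -186,4 +199,4 @@ class BVWPAdmin {
 return $plugins;
 }
 }
-endif;
+endif;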
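Review bot: In the `bvnonce` branch (fourth hunk) `$_REQUEST['pubkey']` is read twice with no `isset()` check and is handed to `pingbv()` and `BVAccount::remove()` unfiltered, even though this same release adds `BVAccount::sanitizeKey()` in account.php for exactly this input; a request without the parameter raises a PHP notice, and an arbitrary string is sent in the disconnect call. Suggest reading it once, `$pubkey = BVAccount::sanitizeKey(isset($_REQUEST['pubkey']) ? $_REQUEST['pubkey'] : '');`, skipping the block when `$pubkey === ''`, and passing `$pubkey` to both calls. The nonce only covers CSRF; the capability check for this page is presumably `manage_options` from the menu registration or the enclosing method, both outside the hunk. In the second hunk, `$_REQUEST['page'] == $this->bvinfo->plugname` should be a strict `===` comparison. The enclosing methods of the second and fourth hunks start and end outside their hunks.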
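--- a/wp_api.php
+++ b/wp_api.php
@@ -8,14 +8,14 @@ if (!class_exists('BVWPAPI')) :
 public function __construct($settings) {
 $this->settings = $settings;
 }
-
+
 public function pingbv($method, $body, $public = false) {
 if ($public) {
 $this->create_request_params($method, $body, $public);
 } else {
-$accounts = BVAccount::allAccounts($this->settings);
-foreach ($accounts as $pubkey => $value ) {
-$this->create_request_params($method, $body, $pubkey);
+$api_public_key = $this->settings->getOption('bvApiPublic');
+if (!empty($api_public_key) && (strlen($api_public_key) >= 32)) {
+$this->create_request_params($method, $body, $api_public_key);
 }
 }
 }
@@ -26,13 +26,16 @@ if (!class_exists('BVWPAPI')) :
 $this->http_request($url, $body);
 }
 
-public function http_request($url, $body) {
+public function http_request($url, $body, $headers = array()) {
 $_body = array(
 'method' => 'POST',
 'timeout' => 15,
-'body' => $body);
-
+'body' => $body
+);
+if (!empty($headers)) {
+$_body['headers'] = $headers;
+}
 return wp_remote_post($url, $_body);
 }
 }
-endif;
+endif;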
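Review bot: `pingbv()` (first hunk) hard-codes the option name `'bvApiPublic'`, while account.php in this same release reads that option through `self::$api_public_key` in `BVAccount::apiPublicAccount()`; the duplicated literal will drift if the option is ever renamed, so prefer `$api_public_key = $this->settings->getOption(BVAccount::$api_public_key);` if that static is public, or go through the account helper. When the key is empty or shorter than 32 characters the method silently does nothing and returns `null`, so callers cannot distinguish a skipped ping from a sent one; returning the `http_request()` result, or `false` on the skip, would make that observable. The `strlen($api_public_key) >= 32` threshold also deserves a one-line comment stating which key format it is guarding against, e.g. `// skip the ping unless a full-length API public key has been provisioned`.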
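--- a/wp_db.php
+++ b/wp_db.php
@@ -168,5 +168,19 @@ class BVWPDb {
 $table = $this->getBVTable($name);
 return $wpdb->replace($table, $value);
 }
+
+public function tinfo($name) {
+$result = array();
+$table = $this->getBVTable($name);
+
+$result['name'] = $table;
+
+if ($this->isTablePresent($table)) {
+$result['exists'] = true;
+$result['createquery'] = $this->showTableCreate($table);
+}
+
+return $result;
+}
 }
-endif;
+endif;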
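Review bot: `tinfo()` sets `$result['exists']` only when the table is present, so a caller reading `$result['exists']` for a missing table gets an undefined-index notice instead of `false`; initialise it explicitly with `$result['exists'] = false;` before the `if`, or add an `else` branch. `$name` is turned into a table name and then passed to `isTablePresent()` and `showTableCreate()`, which presumably embed it in SQL (both are outside the hunk); if `tinfo()` can be reached from a remote callback, the name should be validated against the plugin's own table list before it gets here. A short docblock would also help: `/** Returns the prefixed table name, whether it exists, and its CREATE statement when it does. */`.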
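--- a/wp_site_info.php
+++ b/wp_site_info.php
@@ -39,7 +39,7 @@ class BVWPSiteInfo {
 return is_main_site();
 }
 
-public function respInfo() {
+public function info() {
 $info = array();
 $this->basic($info);
 $info['dbsig'] = $this->dbsig(false);
@@ -51,12 +51,18 @@ class BVWPSiteInfo {
 $info['wpurl'] = $this->wpurl();
 $info['siteurl'] = $this->siteurl();
 $info['homeurl'] = $this->homeurl();
-$info['serverip'] = $_SERVER['SERVER_ADDR'];
+if (array_key_exists('SERVER_ADDR', $_SERVER)) {
+$info['serverip'] = $_SERVER['SERVER_ADDR'];
+}
 $info['abspath'] = ABSPATH;
 }
 
 public function serversig($full = false) {
-$sig_param = ABSPATH;
+$sig_param = ABSPATH;
+if (array_key_exists('SERVER_ADDR', $_SERVER)) {
+$sig_param = $_SERVER['SERVER_ADDR'].ABSPATH;
+}
+$sig = sha1($sig_param);
 if ($full)
 return $sig;
 else
@@ -75,5 +81,9 @@ class BVWPSiteInfo {
 else
 return substr($sig, 0, 6);
 }
+
+public static function isCWServer() {
+return isset($_SERVER['cw_allowed_ip']);
+}
 }
 endif;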
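Review bot: `serversig()` (second hunk) now produces two different values for the same install depending on whether `$_SERVER['SERVER_ADDR']` is populated, which varies by SAPI (it is normally absent under CLI or WP-Cron style invocations), so any consumer that compares this signature across requests can see a spurious mismatch; if the fallback is intentional, say so in place: `// SERVER_ADDR is not set in every SAPI; fall back to ABSPATH alone so the sig stays computable`. `respInfo()` is renamed to `info()` in the first hunk, so any remaining callers of the old name elsewhere in the plugin need the same rename (not visible here). `isCWServer()` keys off `$_SERVER['cw_allowed_ip']`, which only the server environment can set (request headers land under `HTTP_*`); a one-line comment naming the host that provisions it would document that assumption. The enclosing methods of the first and second hunks end outside their hunks.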