MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall - Version 4.51

Version Description

  • Removed files and db access check
  • On uninstall remove prepend configuration
  • minor bug fixes

Release Info

Developer ritesh.soni36
Version 4.51

Code changes from version 4.4 to 4.51

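--- a/callback/wings/db.php
+++ b/callback/wings/db.php
@@ -15,7 +15,6 @@ class BVDBCallback extends BVCallbackBase {
  $this->db = $callback_handler->db;
  $this->account = $callback_handler->account;
  $this->siteinfo = $callback_handler->siteinfo;
- $this->bvinfo = $callback_handler->bvinfo;
  }
 
  public function getLastID($pkeys, $end_row) {
@@ -43,7 +42,9 @@ class BVDBCallback extends BVCallbackBase {
  $data = array();
  $data["offset"] = $offset;
  $data["size"] = $srows;
- $data["md5"] = md5(serialize($rows));
+ $serialized_rows = serialize($rows);
+ $data['md5'] = md5($serialized_rows);
+ $data['length'] = strlen($serialized_rows);
  array_push($tinfo, $data);
  if (!empty($pkeys) && $srows > 0) {
  $end_row = end($rows);
@@ -69,23 +70,6 @@ class BVDBCallback extends BVCallbackBase {
  $params = $request->params;
  $stream_init_info = BVStream::startStream($this->account, $request);
 
- if($this->bvinfo->canSetCWBranding()) {
- $bv_table = $params['table'];
- if (!empty($bv_table)) {
- $allowed = false;
- foreach(BVDBCallback::$bvTables as $table) {
- if ($bv_table == $table || $bv_table == $db->getBVTable($table)) {
- $allowed = true;
- break;
- }
- }
- if (!$allowed) {
- return $stream_init_info;
- }
- }
- }
-
-
  if (array_key_exists('stream', $stream_init_info)) {
  $this->stream = $stream_init_info['stream'];
  switch ($request->method) {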
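Review bot: After the third hunk, nothing between `BVStream::startStream()` and `switch ($request->method)` restricts which table a stream request may read. The removed `BVDBCallback::$bvTables` allow-list (applied when `canSetCWBranding()` was true) was the only per-table check visible here, and the matching `initdir` / `$cwAllowedFiles` check is removed from callback/wings/fs.php in the same release. Access to tables and files then rests entirely on how the callback request is authenticated, which is outside these hunks and should be confirmed. A comment at the call site would record the assumption, for example `// No per-table restriction here: the request must already be authenticated by the callback handler.` The enclosing method starts and ends outside the hunk.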
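--- a/callback/wings/fs.php
+++ b/callback/wings/fs.php
@@ -12,7 +12,6 @@ class BVFSCallback extends BVCallbackBase {
 
  public function __construct($callback_handler) {
  $this->account = $callback_handler->account;
- $this->bvinfo = $callback_handler->bvinfo;
  }
 
  function fileStat($relfile, $md5 = false) {
@@ -247,23 +246,6 @@ class BVFSCallback extends BVCallbackBase {
  $params = $request->params;
  $stream_init_info = BVStream::startStream($this->account, $request);
 
- if($this->bvinfo->canSetCWBranding()) {
- if(array_key_exists('initdir', $params)) {
- return $stream_init_info;
- }
-
- if (array_key_exists('files', $params)) {
- $files = $params['files'];
-
- foreach($files as $file) {
- if (!in_array($file, BVFSCallback::$cwAllowedFiles)) {
- return $stream_init_info;
- }
- }
- }
- }
-
-
  if (array_key_exists('stream', $stream_init_info)) {
  $this->stream = $stream_init_info['stream'];
  switch ($request->method) {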
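--- a/callback/wings/fs_write.php
+++ b/callback/wings/fs_write.php
@@ -35,7 +35,7 @@ class BVFSWriteCallback extends BVCallbackBase {
  return $result;
  }
 
- public function makeDirs($dirs) {
+ public function makeDirs($dirs, $permissions = 0777, $recursive = true) {
  $result = array();
 
  foreach($dirs as $dir) {
@@ -53,7 +53,7 @@ class BVFSWriteCallback extends BVCallbackBase {
 
  } else {
 
- $dir_result['status'] = mkdir($dir);
+ $dir_result['status'] = mkdir($dir, $permissions, $recursive);
  if ($dir_result['status'] === false) {
  $dir_result['error'] = "MKDIR_FAILED";
  }
@@ -411,7 +411,7 @@ class BVFSWriteCallback extends BVCallbackBase {
  $resp = $this->doChmod($params['pathinfos']);
  break;
  case "mkdr":
- $resp = $this->makeDirs($params['dirs']);
+ $resp = $this->makeDirs($params['dirs'], $params['permissions'], $params['recursive']);
  break;
  case "rmdr":
  $resp = $this->removeDirs($params['dirs']);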
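Review bot: The `mkdr` case reads `$params['permissions']` and `$params['recursive']` without checking that they exist, so the defaults added to `makeDirs()` are never used from this call site. A request that omits them passes null, which `mkdir()` coerces to mode 0 and non-recursive (with a deprecation notice on PHP 8.1+). The mode also comes straight from the request, and the declared default `0777` is world-writable wherever the umask allows it. Prefer `$perms = isset($params['permissions']) ? (intval($params['permissions']) & 0777) : 0755;` and `$recursive = !empty($params['recursive']);` ahead of `$resp = $this->makeDirs($params['dirs'], $perms, $recursive);`. All three enclosing bodies continue outside the hunks.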
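--- a/callback/wings/info.php
+++ b/callback/wings/info.php
@@ -129,6 +129,7 @@ class BVInfoCallback extends BVCallbackBase {
  'dbprefix' => $db->dbprefix(),
  'wpmu' => $siteinfo->isMultisite(),
  'mainsite' => $siteinfo->isMainSite(),
+ 'main_site_id' => $siteinfo->getMainSiteId(),
  'name' => get_bloginfo('name'),
  'siteurl' => $siteinfo->siteurl(),
  'homeurl' => $siteinfo->homeurl(),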
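--- a/callback/wings/misc.php
+++ b/callback/wings/misc.php
@@ -8,12 +8,14 @@ class BVMiscCallback extends BVCallbackBase {
  public $bvinfo;
  public $siteinfo;
  public $account;
+ public $bvapi;
 
  public function __construct($callback_handler) {
  $this->settings = $callback_handler->settings;
  $this->siteinfo = $callback_handler->siteinfo;
  $this->account = $callback_handler->account;
  $this->bvinfo = new MCInfo($callback_handler->settings);
+ $this->bvapi = new MCWPAPI($callback_handler->settings);
  }
 
  public function refreshPluginUpdates() {
@@ -53,6 +55,12 @@ class BVMiscCallback extends BVCallbackBase {
  $resp = array_merge($resp, $this->account->info());
  $resp = array_merge($resp, $this->bvinfo->info());
  break;
+ case "pngbv":
+ $info = array();
+ $this->siteinfo->basic($info);
+ $this->bvapi->pingbv('/bvapi/pingbv', $info);
+ $resp = array("status" => true);
+ break;
  case "enablebadge":
  $option = $bvinfo->badgeinfo;
  $badgeinfo = array();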
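Review bot: The new `pngbv` case returns `array("status" => true)` whatever `$this->bvapi->pingbv()` did, so the caller cannot tell a failed ping from a successful one. If `pingbv()` returns a result (its definition is not on this page), pass it through, e.g. `$resp = array("status" => (bool) $this->bvapi->pingbv('/bvapi/pingbv', $info));`. The enclosing switch starts and ends outside the hunk.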
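--- a/info.php
+++ b/info.php
@@ -9,7 +9,7 @@ if (!class_exists('MCInfo')) :
  public $badgeinfo = 'mcbadge';
  public $ip_header_option = 'mcipheader';
  public $brand_option = 'mcbrand';
- public $version = '4.4';
+ public $version = '4.51';
  public $webpage = 'https://www.malcare.com';
  public $appurl = 'https://app.malcare.com';
  public $slug = 'malcare-security/malcare.php';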
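--- a/malcare.php
+++ b/malcare.php
@@ -5,7 +5,7 @@ Plugin URI: https://www.malcare.com
  Description: MalCare Security - Free Malware Scanner, Protection & Security for WordPress
  Author: MalCare Security
  Author URI: https://www.malcare.com
- Version: 4.4
+ Version: 4.51
  Network: True
  */
 
@@ -136,9 +136,10 @@ if ((array_key_exists('bvplugname', $_REQUEST)) && ($_REQUEST['bvplugname'] == "
  $response->terminate($resp);
  }
  } else {
- if ($bvinfo->isProtectModuleEnabled()) {
- require_once dirname( __FILE__ ) . '/protect/wp/protect.php';
- $bvprotect = new BVProtect($bvdb, $bvsettings);
+ require_once dirname( __FILE__ ) . '/protect/wp/protect.php';
+ $bvprotect = new BVProtect($bvdb, $bvsettings);
+ $bvprotect->init();
+ if ($bvinfo->isProtectModuleEnabled() && !(defined( 'WP_CLI' ) && WP_CLI)) {
  $bvprotect->run();
  }
 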
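--- a/protect/fw/fw.php
+++ b/protect/fw/fw.php
@@ -202,6 +202,14 @@ class BVFW {
  return false;
  }
 
+ public function canLogValue($key) {
+ $skip_keys = array('password' => true, 'passwd' => true, 'pwd' => true);
+ if (isset($skip_keys[$key])) {
+ return false;
+ }
+ return true;
+ }
+
  public function execute() {
  if ($this->config->canProfileReqInfo()) {
  $result = array();
@@ -258,6 +266,7 @@ class BVFW {
  $result = array();
  if (is_array($params)) {
  foreach ($params as $key => $value) {
+ $original_key = $key;
  $key = $prefix . $key;
  if (is_array($value)) {
  $result = $result + $this->profileRequestInfo($value, $debug, $key . '[', $obraces + 1);
@@ -266,7 +275,7 @@ class BVFW {
  $result[$key] = array();
  $valsize = $this->getLength($value);
  $result[$key]["size"] = $valsize;
- if ($debug === true && $valsize < 256) {
+ if ($debug === true && $valsize < 256 && $this->canLogValue($original_key)) {
  $result[$key]["value"] = $value;
  continue;
  }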
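Review bot: `canLogValue()` skips only the exact, case-sensitive keys `password`, `passwd` and `pwd`, so values under names such as `pass1`, `pass2`, `user_pass`, `Password`, or a token or secret field are still copied into `$result[$key]["value"]` when debug profiling is on. Because the check runs on the leaf key, an array-valued field like `password[]` also gets through, since its children arrive with numeric keys. Matching on a case-insensitive substring is closer to the intent, e.g. `return !preg_match('/pass|pwd|secret|token/i', (string) $key);`. A one-line comment on the method should say that it decides whether a request value may be recorded. `profileRequestInfo()` starts and ends outside the hunks.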
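--- a/protect/wp/protect.php
+++ b/protect/wp/protect.php
@@ -20,6 +20,10 @@ class BVProtect {
  $this->db = $db;
  }
 
+ public function init() {
+ add_action('clear_pt_config', array($this, 'uninstall'));
+ }
+
  public function run() {
  $bvipstore = new BVIPStore($this->db);
  $bvipstore->init();
@@ -55,8 +59,6 @@ class BVProtect {
  }
  }
 
- add_action('clear_pt_config', array($this, 'uninstall'));
-
  $lpConfHash = array_key_exists('lp', $config) ? $config['lp'] : array();
  $lp = new BVWPLP($this->db, $this->settings, $ip, $bvipstore, $lpConfHash);
  if ($lp->isActive()) {
@@ -69,7 +71,81 @@ class BVProtect {
  $this->db->dropBVTable(BVFWConfig::$requests_table);
  $this->db->dropBVTable(BVWPLPConfig::$requests_table);
  $this->settings->deleteOption('bvptplug');
+ $this->remove_wp_prepend();
+ $this->remove_php_prepend();
+ $this->remove_mcdata();
  return true;
  }
+
+ private function remove_wp_prepend() {
+ $wp_conf_paths = array(ABSPATH . "wp-config.php", ABSPATH . "../wp-config.php");
+ if (file_exists($wp_conf_paths[0])) {
+ $fname = $wp_conf_paths[0];
+ } elseif (file_exists($wp_conf_paths[1])) {
+ $fname = $wp_conf_paths[1];
+ } else {
+ return;
+ }
+
+ $content = file_get_contents($fname);
+ if ($content) {
+ $pattern = "@include '" . ABSPATH . "malcare-waf.php" . "';";
+ $modified_content = str_replace($pattern, "", $content);
+ if ($content !== $modified_content) {
+ file_put_contents($fname, $modified_content);
+ }
+ }
+ }
+
+ private function remove_php_prepend() {
+ $this->remove_htaccess_prepend();
+ $this->remove_userini_prepend();
+ }
+
+ private function remove_prepend($fname, $pattern) {
+ if (!file_exists($fname)) return;
+
+ $content = file_get_contents($fname);
+ if ($content) {
+ $modified_content = preg_replace($pattern, "", $content);
+ if ($content !== $modified_content) {
+ file_put_contents($fname, $modified_content);
+ }
+ }
+ }
+
+ private function remove_htaccess_prepend() {
+ $pattern = "/# MalCare WAF(.|\n)*# END MalCare WAF/i";
+ $this->remove_prepend(ABSPATH . ".htaccess", $pattern);
+ }
+
+ private function remove_userini_prepend() {
+ $pattern = "/; MalCare WAF(.|\n)*; END MalCare WAF/i";
+ $this->remove_prepend(ABSPATH . ".user.ini", $pattern);
+ }
+
+ private function remove_mcdata() {
+ $this->rrmdir($this->get_contdir() . "mc_data");
+ }
+
+ private function rrmdir($dir) {
+ if (is_dir($dir)) {
+ $objects = scandir($dir);
+ foreach ($objects as $object) {
+ if ($object != "." && $object != "..") {
+ if (is_dir($dir . "/" . $object) && !is_link($dir . "/" . $object)) {
+ rrmdir($dir . "/" . $object);
+ } else {
+ unlink($dir . "/" . $object);
+ }
+ }
+ }
+ rmdir($dir);
+ }
+ }
+
+ public function get_contdir() {
+ return defined('WP_CONTENT_DIR') ? WP_CONTENT_DIR . "/" : ABSPATH . "wp-content/";
+ }
  }
  endif;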
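Review bot: `remove_prepend()` writes back whatever `preg_replace()` returns, and that is null on a PCRE error, which the `(.|\n)*` pattern can trigger on a large `.htaccess` through the backtrack or JIT stack limit. In that case `$content !== $modified_content` is true and `file_put_contents()` empties the file. The same greedy pattern also deletes everything between the first start marker and the last end marker, including unrelated directives if the block appears twice. Separately, `rrmdir()` recurses through a bare `rrmdir(...)` call, which is looked up as a global function and fails as undefined as soon as `mc_data` contains a subdirectory; it needs `$this->rrmdir(...)`. The fence below guards the write, makes the patterns non-greedy with the `s` modifier, takes `LOCK_EX`, and fixes the recursive call; the write to `wp-config.php` in `remove_wp_prepend()` would benefit from `LOCK_EX` as well.

```php
// … unchanged: remove_wp_prepend(), remove_php_prepend() …
private function remove_prepend($fname, $pattern) {
    // … unchanged: existence check and file_get_contents() …
        $modified_content = preg_replace($pattern, "", $content);
        // preg_replace() returns null on a PCRE error; writing that back would empty the file.
        if (is_string($modified_content) && $content !== $modified_content) {
            file_put_contents($fname, $modified_content, LOCK_EX);
        }

// remove_htaccess_prepend(): stop at the first end marker, let "." span newlines
    $pattern = "/# MalCare WAF.*?# END MalCare WAF/is";

// remove_userini_prepend()
    $pattern = "/; MalCare WAF.*?; END MalCare WAF/is";

// … unchanged: remove_mcdata(), rrmdir() up to the recursive call …
                    $this->rrmdir($dir . "/" . $object);
```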
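--- a/readme.txt
+++ b/readme.txt
@@ -6,7 +6,7 @@ Donate link: https://www.malcare.com
  Requires at least: 4.0
  Tested up to: 5.6
  Requires PHP: 5.4.0
- Stable tag: 4.4
+ Stable tag: 4.51
  License: GPLv2 or later
  License URI: [http://www.gnu.org/licenses/gpl-2.0.html](http://www.gnu.org/licenses/gpl-2.0.html)
 
@@ -397,6 +397,11 @@ These are available on our website: [Terms of Service](https://www.malcare.com/t
  8. MalCare’s Uptime Monitoring notifies if a website goes down so that you can handle the situation before starting to lose visitors.
 
  == CHANGELOG ==
+ = 4.51 =
+ * Removed files and db access check
+ * On uninstall remove prepend configuration
+ * minor bug fixes
+
  = 4.4 =
  * Disabling deactivate for botprotection accounts
  * Disconnect functionality through wpcli with params account_gid and account_type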
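--- a/wp_site_info.php
+++ b/wp_site_info.php
@@ -39,6 +39,12 @@ class MCWPSiteInfo {
  return is_main_site();
  }
 
+ public function getMainSiteId() {
+ if (!function_exists('get_main_site_id'))
+ return 0;
+ return get_main_site_id();
+ }
+
  public function info() {
  $info = array();
  $this->basic($info);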