SiteGuard WP Plugin - Version 1.7.0

Version Description

  • Removed ability to get client IP address from X-Forwarded-For due to IP spoofing risk

Release Info

Developer jp-secure
Version 1.7.0

Code changes from version 1.6.1 to 1.7.0

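--- a/admin/siteguard-menu-advanced-setting.php
+++ /dev/null
@@ -1,96 +0,0 @@
-<?php
-
-class SiteGuard_Menu_Advanced_Setting extends SiteGuard_Base {
-function __construct( ) {
-$this->render_page( );
-}
-function is_ip_mode_value( $value ) {
-$items = array( '0', '1', '2', '3' );
-if ( in_array( $value, $items ) ) {
-return true;
-}
-return false;
-}
-function render_page( ) {
-global $siteguard_config, $siteguard_admin_filter;
-
-$ip_mode = $siteguard_config->get( 'ip_mode' );
-if ( empty( $ip_mode ) ) {
-$ip_mode = '0';
-$siteguard_config->set( 'ip_mode', $ip_mode );
-$siteguard_config->update( );
-}
-if ( isset( $_POST['update'] ) && check_admin_referer( 'siteguard-menu-advanced-setting-submit' ) ) {
-$error = false;
-$errors = siteguard_check_multisite( );
-if ( is_wp_error( $errors ) ) {
-echo '<div class="error settings-error"><p><strong>';
-esc_html_e( $errors->get_error_message( ), 'siteguard' );
-echo '</strong></p></div>';
-$error = true;
-}
-if ( ( false === $error ) && ( false === $this->is_ip_mode_value( $_POST[ 'ip_mode' ] ) ) ) {
-echo '<div class="error settings-error"><p><strong>';
-esc_html_e( 'ERROR: Invalid input value.', 'siteguard' );
-echo '</strong></p></div>';
-$error = true;
-}
-if ( false === $error ) {
-$ip_mode = $_POST[ 'ip_mode' ];
-$siteguard_config->set( 'ip_mode', $ip_mode );
-$siteguard_config->update( );
-if ( 1 == $siteguard_config->get( 'admin_filter_enable' ) ) {
-$siteguard_admin_filter->feature_on( $this->get_ip( ) );
-}
-?>
-<div class="updated"><p><strong><?php esc_html_e( 'Options saved.', 'siteguard' ); ?></strong></p></div>
-<?php
-}
-}
-
-echo '<div class="wrap">';
-echo '<img src="' . SITEGUARD_URL_PATH . 'images/sg_wp_plugin_logo_40.png" alt="SiteGuard Logo" />';
-echo '<h2>' . esc_html__( 'Advanced Setting', 'siteguard' ) . '</h2>';
-echo '<div class="siteguard-description">'
-. esc_html__( 'You can find docs about this function on ', 'siteguard' )
-. '<a href="' . esc_url( __( 'https://www.jp-secure.com/siteguard_wp_plugin_en/howto/advanced_setting/', 'siteguard' ) )
-. '" target="_blank">'
-. esc_html__( 'here', 'siteguard' )
-. '</a>'
-. esc_html__( '.', 'siteguard' )
-. '</div>';
-?>
-<form name="form1" method="post" action="">
-<table class="form-table">
-<tr>
-<th scope="row"><?php esc_html_e( 'IP Address Mode', 'siteguard' ); ?></th>
-<td>
-<input type="radio" name="ip_mode" id="ip_mode_ra" value="0" <?php checked( $ip_mode, '0' ) ?> >
-<label for="ip_mode_ra"><?php esc_html_e( 'REMOTE_ADDR', 'siteguard' ) ?></label>
-<br />
-<input type="radio" name="ip_mode" id="ip_mode_xff1" value="1" <?php checked( $ip_mode, '1' ) ?> >
-<label for="ip_mode_xff1"><?php esc_html_e( 'X-Forwarded-For Level:1', 'siteguard' ) ?></label>
-<br />
-<input type="radio" name="ip_mode" id="ip_mode_xff2" value="2" <?php checked( $ip_mode, '2' ) ?> >
-<label for="ip_mode_xff2"><?php esc_html_e( 'X-Forwarded-For Level:2', 'siteguard' ) ?></label>
-<br />
-<input type="radio" name="ip_mode" id="ip_mode_xff3" value="3" <?php checked( $ip_mode, '3' ) ?> >
-<label for="ip_mode_xff3"><?php esc_html_e( 'X-Forwarded-For Level:3', 'siteguard' ) ?></label>
-</td>
-</tr>
-</table>
-<div class="siteguard-description">
-<?php esc_html_e( "Set the method for acquiring the IP address. Normally you should select a remote address. If there is a proxy or load balancer in front of the web server and you can not obtain the client's IP address with remote address, you can obtain the IP address from X-Forwarded-For. Level represents the number from the right end of the value of X-Forwarded-For.", 'siteguard' ) ?>
-</div>
-<input type="hidden" name="update" value="Y">
-<hr />
-
-<?php
-wp_nonce_field( 'siteguard-menu-advanced-setting-submit' );
-submit_button();
-?>
-</form>
-</div>
-<?php
-}
-}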
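--- a/admin/siteguard-menu-dashboard.php
+++ b/admin/siteguard-menu-dashboard.php
@@ -91,10 +91,6 @@ class SiteGuard_Menu_Dashboard extends SiteGuard_Base {
 <td><?php esc_html_e( 'The exclude rule for WAF (SiteGuard Lite) is created.', 'siteguard' ) ?></td>
 </tr><tr>
 <th scope="row">
-<a href="?page=siteguard_advanced_setting"><?php esc_html_e( 'Advanced Setting', 'siteguard' ) ?></a></th>
-<td><?php esc_html_e( 'Set the method for acquiring the IP address.', 'siteguard' ) ?></td>
-</tr><tr>
-<th scope="row">
 <a href="?page=siteguard_login_history"><?php echo esc_html__( 'Login history', 'siteguard' ) ?></a>
 <td><?php esc_html_e( 'Login history can be referenced.', 'siteguard' ) ?></td>
 </tr>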
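--- a/admin/siteguard-menu-init.php
+++ b/admin/siteguard-menu-init.php
@@ -59,10 +59,6 @@ class SiteGuard_Menu_INIT extends SiteGuard_Base {
 esc_html__( 'WAF Tuning Support', 'siteguard' ), 'manage_options', 'siteguard_waf_tuning_support', array( $this, 'menu_waf_tuning_support' ) );
 add_action( 'admin_print_styles-' . $page, array( $this, 'menu_styles' ) );
 
-$page = add_submenu_page( 'siteguard', esc_html__( 'Advanced Setting', 'siteguard' ),
-esc_html__( 'Advanced Setting', 'siteguard' ), 'manage_options', 'siteguard_advanced_setting', array( $this, 'menu_advanced_setting' ) );
-add_action( 'admin_print_styles-' . $page, array( $this, 'menu_styles' ) );
-
 $page = add_submenu_page( 'siteguard', esc_html__( 'Login history', 'siteguard' ),
 esc_html__( 'Login history', 'siteguard' ), 'manage_options', 'siteguard_login_history', array( $this, 'menu_login_history' ) );
 add_action( 'admin_print_styles-' . $page, array( $this, 'menu_styles' ) );
@@ -120,8 +116,4 @@ class SiteGuard_Menu_INIT extends SiteGuard_Base {
 include( 'siteguard-menu-waf-tuning-support.php' );
 $waf_tuning_support_menu = new SiteGuard_Menu_WAF_Tuning_Support( );
 }
-function menu_advanced_setting( ) {
-include( 'siteguard-menu-advanced-setting.php' );
-$advanced_setting = new SiteGuard_Menu_Advanced_Setting( );
-}
 }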
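--- a/classes/siteguard-admin-filter.php
+++ b/classes/siteguard-admin-filter.php
@@ -45,47 +45,8 @@ class SiteGuard_AdminFilter extends SiteGuard_Base {
 $table_name = $wpdb->prefix . SITEGUARD_TABLE_LOGIN;
 $wpdb->update( $table_name, array( 'status' => 0 ), array( 'ip_address' => $ip_address ) );
 }
-function get_ip_mode( ) {
-global $siteguard_config;
-if ( ! is_object( $siteguard_config ) ) {
-$siteguard_config = new SiteGuard_Config( );
-}
-$ip_mode = $siteguard_config->get( 'ip_mode' );
-if ( ! in_array( $ip_mode, SiteGuard_Base::$ip_mode_items ) ) {
-$ip_mode = '0';
-}
-$ip_mode_num = intval( $ip_mode );
-
-return $ip_mode_num;
-}
-function get_rewrite_postfix( $ip_mode ) {
-$postfix = '';
-switch ( $ip_mode ) {
-case 2:
-$postfix = '\s*,\s*[^,]+';
-break;
-case 3:
-$postfix = '(\s*,\s*[^,]+){2}';
-break;
-default:
-$postfix = '';
-}
-return $postfix;
-}
-function get_rewrite_pre_cond( $ip_mode ) {
-if ( 0 === $ip_mode ) {
-return '';
-}
-$postfix = $this->get_rewrite_postfix( $ip_mode );
-$result = ' RewriteCond %{HTTP:X-Forwarded-For} [^,]+' . $postfix . "$\n";
-return $result;
-}
-function get_rewrite_cond( $ip, $ip_mode ) {
-if ( 0 === $ip_mode ) {
-return ' RewriteCond %{REMOTE_ADDR} !^' . str_replace( '.', '\.', $ip ) . "$\n";
-}
-$postfix = $this->get_rewrite_postfix( $ip_mode );
-return ' RewriteCond %{HTTP:X-Forwarded-For} !' . str_replace( '.', '\.', $ip ) . $postfix . "$\n";
+function get_rewrite_cond( $ip ) {
+return ' RewriteCond %{REMOTE_ADDR} !^' . str_replace( '.', '\.', $ip ) . "$\n";
 }
 function update_settings( $ip_address ) {
 global $wpdb, $siteguard_config;
@@ -127,20 +88,18 @@ class SiteGuard_AdminFilter extends SiteGuard_Base {
 foreach ( $exclude_paths as $path ) {
 $htaccess_str .= ' RewriteRule ^wp-admin/' . trim( str_replace( '.', '\.', $path ) ) . " - [L]\n";
 }
-$ip_mode = $this->get_ip_mode( );
-$htaccess_str .= $this->get_rewrite_pre_cond( $ip_mode );
 $results = $wpdb->get_col( $wpdb->prepare( "SELECT ip_address FROM $table_name WHERE status = %d;", SITEGUARD_LOGIN_SUCCESS ) );
 if ( $results ) {
 foreach ( $results as $ip ) {
-$htaccess_str .= $this->get_rewrite_cond( $ip, $ip_mode );
+$htaccess_str .= $this->get_rewrite_cond( $ip );
 }
 }
 $server_ip = $this->get_server_ip( );
 if ( false !== $server_ip ) {
-$htaccess_str .= $this->get_rewrite_cond( $server_ip, 0 );
+$htaccess_str .= $this->get_rewrite_cond( $server_ip );
 }
-$htaccess_str .= $this->get_rewrite_cond( '127.0.0.1', 0 );
-$htaccess_str .= $this->get_rewrite_cond( '::1', 0 );
+$htaccess_str .= $this->get_rewrite_cond( '127.0.0.1' );
+$htaccess_str .= $this->get_rewrite_cond( '::1' );
 $htaccess_str .= " RewriteRule ^wp-admin 404-siteguard [L]\n";
 $htaccess_str .= "</IfModule>\n";
 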
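Review bot: The new `get_rewrite_cond( $ip )` writes `$ip` into a `.htaccess` `RewriteCond` pattern with only `.` escaped and no check that the value is an IP literal, while the values it receives in `update_settings` come from the login table (`$wpdb->get_col`) and `get_server_ip()`, neither of which is validated in this hunk; a cheap guard at the top of the function, `if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) { return ''; }`, keeps a malformed stored row from producing a broken or over-broad rewrite rule. The function also deserves a short docblock stating the deployment consequence of this release: the allow rule now keys on `%{REMOTE_ADDR}` only, so behind a reverse proxy or load balancer the stored address is the proxy's, and every client arriving through that proxy matches it. Rows written by earlier versions in an X-Forwarded-For mode may hold client addresses that will never match REMOTE_ADDR after the upgrade, which is worth noting in the same docblock. `update_settings` begins before and ends after the second hunk.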
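--- a/classes/siteguard-base.php
+++ b/classes/siteguard-base.php
@@ -132,39 +132,17 @@ class SiteGuard_Base {
 }
 return false;
 }
-function get_ip( ) {
-global $siteguard_config;
-$ip_mode = $siteguard_config->get( 'ip_mode' );
-if ( ! in_array( $ip_mode, SiteGuard_Base::$ip_mode_items ) ) {
-$ip_mode = '0';
-$siteguard_config->set( 'ip_mode', $ip_mode );
-$siteguard_config->update( );
-}
-$ip_mode_num = intval( $ip_mode );
-$remote_addr = '127.0.0.1';
-if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
-$remote_addr = $_SERVER['REMOTE_ADDR'];
-}
-if ( '0' === $ip_mode ) {
-return $remote_addr;
-}
-if ( ! isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
-return $remote_addr;
-}
-$xff = $_SERVER['HTTP_X_FORWARDED_FOR'];
-if ( empty( $xff ) ) {
-return $remote_addr;
-}
-$ips = explode( ',', $xff );
-$count = count( $ips );
-$idx = $count - $ip_mode_num;
-if ( $idx < 0 ) {
-return $remote_addr;
-}
-$ip = $ips[ $idx ];
-if ( ! filter_var($ip, FILTER_VALIDATE_IP ) ) {
-return $remote_addr;
-}
-return $ip;
+function get_ip( ) : string {
+if (
+! isset($_SERVER['REMOTE_ADDR'])
+|| ! is_string($_SERVER['REMOTE_ADDR'])
+|| '' === $_SERVER['REMOTE_ADDR']
+){
+throw new MyPluginBrokenEnvironment('Your webserver is misconfigured. REMOTE_ADDR is not set.');
+}
+
+// Don’t bother with validating that $_SERVER['REMOTE_ADDR'] is a valid IP.
+// If a user cannot trust his webserver to correctly set the REMOTE_ADDR he is in much bigger problems.
+return $_SERVER['REMOTE_ADDR'];
 }
 }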
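Review bot: `MyPluginBrokenEnvironment`, thrown at new line 141 of `get_ip()`, does not follow the plugin's `SiteGuard_*` naming and no declaration of it appears anywhere in this release; if the class is not defined, the `throw` itself fails with a class-not-found fatal error instead of raising the intended exception. The minimal fix is a built-in type, `throw new RuntimeException( 'Your webserver is misconfigured. REMOTE_ADDR is not set.' );`, or a declared `SiteGuard_*` exception class extending `RuntimeException`. `get_ip()` previously always returned a string (falling back to `'127.0.0.1'`), and the new throwing contract is not caught by the caller in the `siteguard.php` upgrade hunk, so a missing `REMOTE_ADDR` now aborts that routine rather than being reported through `siteguard_error_log`; the docblock should state that the method throws. The `: string` return type also requires PHP 7.0 or newer, which the `readme.txt` in this release does not declare as a minimum, so confirm the plugin's supported PHP range before shipping it.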
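--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: -
 Tags: security, waf, brute force, password list, login lock, login alert, captcha, pingback, fail once
 Requires at least: 3.9
 Tested up to: 6.0
-Stable tag: 1.6.1
+Stable tag: 1.7.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -77,7 +77,7 @@ Basic of security is that always you use the latest version. If WordPress core,
 * WAF Tuning Support
 
 It is the function to create the rule to avoid the false detection in WordPress (including 403 error occurrence with normal access,)
-if WAF ( SiteGuard Lite ) by JP-Secure is installed on a Web server. WAF prevents the attack from the outside against the Web server,
+if WAF ( SiteGuard Server Edition ) by EG Secure Solutions is installed on a Web server. WAF prevents the attack from the outside against the Web server,
 but for some WordPress or plugin functions, WAF may detect the attack which is actually not attack and block the function.
 By creating the WAF exclude rule, the WAF protection function can be activated while the false detection for the specified function is prevented.
 
@@ -106,6 +106,8 @@ If you have created your own language pack, or have an update of an existing one
 [Japanese Page](https://www.jp-secure.com/siteguard_wp_plugin/faq/)
 
 == Changelog ==
+= 1.7.0 =
+* Removed ability to get client IP address from X-Forwarded-For due to IP spoofing risk
 = 1.6.1 =
 * Fix the problem that an error occurs when suppressing the redirect from the management page to the login page
 = 1.6.0 =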
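--- a/siteguard.php
+++ b/siteguard.php
@@ -7,7 +7,7 @@ Author: JP-Secure
 Author URI: http://www.jp-secure.com/eng/
 Text Domain: siteguard
 Domain Path: /languages/
-Version: 1.6.1
+Version: 1.7.0
 */
 
 /* Copyright 2014 JP-Secure Inc
@@ -270,6 +270,14 @@ class SiteGuard extends SiteGuard_Base {
 if ( version_compare( $old_version, '1.6.0' ) < 0 ) {
 $siteguard_author_query->init();
 }
+if ( version_compare( $old_version, '1.7.0' ) < 0 ) {
+if ( '1' === $siteguard_config->get( 'admin_filter_enable' ) ) {
+if ( true !== $siteguard_admin_filter->feature_on( $this->get_ip( ) ) ) {
+siteguard_error_log( 'Failed to update at admin_filter from ' . $old_version . ' to ' . SITEGUARD_VERSION . '.' );
+$upgrade_ok = false;
+}
+}
+}
 if ( $upgrade_ok && SITEGUARD_VERSION !== $old_version ) {
 $siteguard_config->set( 'version', SITEGUARD_VERSION );
 $siteguard_config->update( );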
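Review bot: The upgrade gate at new line 274, `'1' === $siteguard_config->get( 'admin_filter_enable' )`, is a strict string comparison, whereas the deleted advanced-setting page tested the same option with `1 == $siteguard_config->get( 'admin_filter_enable' )`; if the stored value is an integer or boolean the new condition is false, `feature_on()` is never called, and the `.htaccess` written by 1.6.x, still containing the `X-Forwarded-For` `RewriteCond` lines, survives the upgrade to 1.7.0 while the version is marked as migrated. Since I cannot see how the option is persisted, the safe change is to match the existing loose check, `if ( 1 == $siteguard_config->get( 'admin_filter_enable' ) ) {`, or to normalise with `(string)` before comparing. A one-line comment above the block, such as `// Rewrite the admin-filter .htaccess so rules generated from X-Forwarded-For are replaced`, would record why this step exists. The enclosing upgrade method begins before the hunk and continues after it.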