Version Description
Security fix to stop XSS exploit
Also coded so it should work with PHP 5.3 - although PHP 5.3 has been end of life for over two years, it seems some hosts still use it. This is a security risk in its own right, and sites using PHP 5.3 should try to upgrade to a supported version of PHP, but this change is for backward compatibility.
Release Info
Developer | fullworks |
Plugin | Stop User Enumeration |
Version | 1.3.8 |
Code changes from version 1.3.7 to 1.3.8
- readme.txt +9 -2
- settings/settings-general.php +1 -1
- stop-user-enumeration.php +13 -6
readme.txt
CHANGED
@@ -2,8 +2,8 @@
|
|
2 |
Contributors: fullworks
|
3 |
Tags: User Enumeration, Security, WPSCAN, fail2ban
|
4 |
Requires at least: 3.4
|
5 |
-
Tested up to: 4.
|
6 |
-
Stable tag: 1.3.
|
7 |
License: GPLv2 or later
|
8 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
9 |
|
@@ -53,6 +53,13 @@ Adjusted to your own requirements.
|
|
53 |
|
54 |
== Changelog ==
|
55 |
=
56 |
= 1.3.7 =
|
57 |
|
58 |
Fix to allow deprecated PHP Version 5.4 to work, as 5.4 seems to still be in common use despite end of life
|
2 |
Contributors: fullworks
|
3 |
Tags: User Enumeration, Security, WPSCAN, fail2ban
|
4 |
Requires at least: 3.4
|
5 |
+
Tested up to: 4.8
|
6 |
+
Stable tag: 1.3.8
|
7 |
License: GPLv2 or later
|
8 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
9 |
|
53 |
|
54 |
== Changelog ==
|
55 |
=
|
56 |
+
= 1.3.8 =
|
57 |
+
|
58 |
+
Security fix to stop XSS exploit
|
59 |
+
|
60 |
+
Also coded so should work with PHP 5.3 - although PHP 5.3. has been end of life for over two years it seems some hosts still use this. This is a security risk in its own right and
|
61 |
+
sites using PHP 5.3 should try to upgrade to a supported version of PHP, but this change is for backward compatibility.
|
62 |
+
|
63 |
= 1.3.7 =
|
64 |
|
65 |
Fix to allow deprecated PHP Version 5.4 to work, as 5.4 seems to still be in common use despite end of life
|
settings/settings-general.php
CHANGED
@@ -28,7 +28,7 @@ function sue_settings( $wpsf_settings ) {
|
|
28 |
),
|
29 |
array(
|
30 |
'id' => 'comment_jquery',
|
31 |
-
'title' => '
|
32 |
'desc' => 'This plugin uses jQuery to remove any numbers from a comment author name, this is because numbers trigger enumeration checking.
|
33 |
You can untick this if you do not use comments on your site or you use a different comment method than standard',
|
34 |
'type' => 'checkbox',
|
28 |
),
|
29 |
array(
|
30 |
'id' => 'comment_jquery',
|
31 |
+
'title' => 'Remove numbers from comment authors',
|
32 |
'desc' => 'This plugin uses jQuery to remove any numbers from a comment author name, this is because numbers trigger enumeration checking.
|
33 |
You can untick this if you do not use comments on your site or you use a different comment method than standard',
|
34 |
'type' => 'checkbox',
|
stop-user-enumeration.php
CHANGED
@@ -3,10 +3,10 @@
|
|
3 |
Plugin Name: Stop User Enumeration
|
4 |
Plugin URI: http://fullworks.net/wordpress-plugins/
|
5 |
Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
|
6 |
-
Version: 1.3.
|
7 |
Author: Fullworks Digital Ltd
|
8 |
Author URI: http://fullworks.net/wordpress-plugins/
|
9 |
-
License: GPLv2 or later
|
10 |
*/
|
11 |
|
12 |
/*
|
@@ -101,7 +101,7 @@ class Stop_User_Enumeration_Plugin {
|
|
101 |
* Enqueue and register JavaScript files here.
|
102 |
*/
|
103 |
public function register_scripts() {
|
104 |
-
if($this->
|
105 |
wp_enqueue_script( 'comment_author', plugins_url( '/js/commentauthor.js' , __FILE__ ), array( 'jquery' ) );
|
106 |
}
|
107 |
}
|
@@ -117,7 +117,7 @@ class Stop_User_Enumeration_Plugin {
|
|
117 |
if ( ! is_user_logged_in() && isset($_REQUEST['author'])){
|
118 |
if( $this->ContainsNumbers($_REQUEST['author'])) {
|
119 |
$this->sue_log();
|
120 |
-
wp_die('forbidden - number in author name not allowed = ' . $_REQUEST['author']);
|
121 |
}
|
122 |
} elseif ( is_admin() ) {
|
123 |
$setting = wpsf_get_setting( 'sue_settings', 'general', 'stop_rest_user' );
|
@@ -131,8 +131,15 @@ class Stop_User_Enumeration_Plugin {
|
|
131 |
private function ContainsNumbers($String){
|
132 |
return preg_match('/\\d/', $String) > 0;
|
133 |
}
|
134 |
public function only_allow_logged_in_rest_access_to_users ($access) {
|
135 |
-
if($this->
|
136 |
if( preg_match('/users/', $_SERVER['REQUEST_URI']) !== 0 ) {
|
137 |
if( ! is_user_logged_in() ) {
|
138 |
$this->sue_log();
|
@@ -143,7 +150,7 @@ class Stop_User_Enumeration_Plugin {
|
|
143 |
return $access;
|
144 |
}
|
145 |
public function sue_log() {
|
146 |
-
if($this->
|
147 |
openlog('wordpress('.$_SERVER['HTTP_HOST'].')',LOG_NDELAY|LOG_PID,LOG_AUTH);
|
148 |
syslog(LOG_INFO,"Attempted user enumeration from {$_SERVER['REMOTE_ADDR']}");
|
149 |
closelog();
|
3 |
Plugin Name: Stop User Enumeration
|
4 |
Plugin URI: http://fullworks.net/wordpress-plugins/
|
5 |
Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
|
6 |
+
Version: 1.3.8
|
7 |
Author: Fullworks Digital Ltd
|
8 |
Author URI: http://fullworks.net/wordpress-plugins/
|
9 |
+
License: GPLv2 or later.
|
10 |
*/
|
11 |
|
12 |
/*
|
101 |
* Enqueue and register JavaScript files here.
|
102 |
*/
|
103 |
public function register_scripts() {
|
104 |
+
if($this->checkOption('general_comment_jquery') == 1 ) {
|
105 |
wp_enqueue_script( 'comment_author', plugins_url( '/js/commentauthor.js' , __FILE__ ), array( 'jquery' ) );
|
106 |
}
|
107 |
}
|
117 |
if ( ! is_user_logged_in() && isset($_REQUEST['author'])){
|
118 |
if( $this->ContainsNumbers($_REQUEST['author'])) {
|
119 |
$this->sue_log();
|
120 |
+
wp_die('forbidden - number in author name not allowed = ' . esc_html($_REQUEST['author']));
|
121 |
}
|
122 |
} elseif ( is_admin() ) {
|
123 |
$setting = wpsf_get_setting( 'sue_settings', 'general', 'stop_rest_user' );
|
131 |
private function ContainsNumbers($String){
|
132 |
return preg_match('/\\d/', $String) > 0;
|
133 |
}
|
134 |
+
private function checkOption($option){
|
135 |
+
$options=$this->wpsf->get_settings();
|
136 |
+
if($options[$option] == 1) {
|
137 |
+
return true;
|
138 |
+
}
|
139 |
+
return false;
|
140 |
+
}
|
141 |
public function only_allow_logged_in_rest_access_to_users ($access) {
|
142 |
+
if($this->checkOption('general_stop_rest_user') == 1 ) {
|
143 |
if( preg_match('/users/', $_SERVER['REQUEST_URI']) !== 0 ) {
|
144 |
if( ! is_user_logged_in() ) {
|
145 |
$this->sue_log();
|
150 |
return $access;
|
151 |
}
|
152 |
public function sue_log() {
|
153 |
+
if($this->checkOption('general_log_auth') == 1 ) {
|
154 |
openlog('wordpress('.$_SERVER['HTTP_HOST'].')',LOG_NDELAY|LOG_PID,LOG_AUTH);
|
155 |
syslog(LOG_INFO,"Attempted user enumeration from {$_SERVER['REMOTE_ADDR']}");
|
156 |
closelog();
|
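Review bot: In the `@@ -117,7 +117,7 @@` hunk the new `esc_html()` around `$_REQUEST['author']` fixes the reflected output, but the guard on the line above still assumes the parameter is a string: a request such as `?author[]=1` hands an array to `ContainsNumbers()`, where `preg_match()` emits a warning and returns false (a TypeError on PHP 8), so the check is skipped rather than blocking — whether WordPress then resolves an author for an array value I cannot tell from this page, but the guard should not fail open. Suggest rejecting non-string values outright, `if ( ! is_string( $_REQUEST['author'] ) || $this->ContainsNumbers( $_REQUEST['author'] ) ) {`, and since `esc_html()` likewise expects a string, `wp_die( 'forbidden - number in author name not allowed = ' . esc_html( is_string( $_REQUEST['author'] ) ? $_REQUEST['author'] : '' ) );`. The method enclosing this check starts outside the hunk. Separately, the new `checkOption()` reads `$options[$option]` without `isset()`, which raises an undefined-index notice whenever that setting has never been saved; `return ! empty( $options[$option] ) && $options[$option] == 1;` avoids it.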