Plugin Author
Eli
(@scheeeli)
You can turn off directory transversal blocking on the firewall options page in your wp-admin, however it might be wise to investigate which plugin or code on your website has added hidden fields.or values to your post forms that contain these directory transversal strings because this code could lead to a security issue on your website that you may not be aware of.
when you’re on the edit post page but before you submit the form which is being blocked you can inspect the elements on the page in search for any fields on that form that might contain “../” in the string values.
I perfectly knows what is Directory Traversal attack and review code, but dont find nothing “../”. I think this firewall reaction is caused by Cloudflare proxy. I can’t find any other explanation yet. And frankly, it makes me very nervous because I can’t publish the post properly. And it makes no sense to disable the Traversal module completely, because it creates security risks.
And in my opinion, its not very correct that the blocking is performed on the side of https://safe-load.gotmls.net, and not on the side of my host.
Plugin Author
Eli
(@scheeeli)
First, I don’t see how it could be caused by Cloudflare Proxies unless they are inserting a variable with a path that contains a directory transversal.
Slight correction here: disabling the Transversal module would not create a security risk, it would only stop blocking variables passed with Directory Transversal paths in them, which is only a problem if you have added something to your WordPress site that opens up a security hole creating that risk you are worried about. To be clear, if you don’t have any code that could process an insecure path in the first place then you don’t need this protection. I’ll admit though that this protection is generally important because most people add a lot plugins and code that they don’t complete know inside and out and so they cannot be sure that they have not opened up some kind of security hole. That’s why it’s nice to have a firewall watching your back.
Why do you feel that it’s not correct to be redirecting attacks to my safe-load URL? I have done this because this type of redirect diverts the server load away from your server which is a critical feature of the Brute-Force Protection and is the reason why it not only prevents bots from guessing your password but also prevents a flood of bad login attempts from causing a DoS attack to your server.
If you cannot find any directory transversal fields on your Post Form then would you be willing to capture the HTML code rendered in your browser’s Inspector before you submit a test Post that you know will be blocked and then send me that HTML in a direct email so that I can test it and debug the firewall from my end?
eli AT gotmls DOT net
The URL address where the firewall rule was triggered is specified: SERVER_REMOTE_ADDR=172.68.159.149
This IP address belongs to the Cloudflare IP-range. And this IP is constantly changing.
Why I feel that it’s not correct to be redirecting attacks to my safe-load URL? Because a third party services involved to obtain sensitive data. A report is generated on the side of your server, not mine: https://safe-load.gotmls.net This is the main reason why I avoided your plugin for a long time. But now I wanted to test it, because Wordfence is very heavy and resource-intensive. Accordingly, your server stores information that actually concerns only me. The first rule of security is the rule of zero trust. But in this case, of course, it doesn’t matter.
I looked at the source code, intercepted requests through BurpSuite, and found only one thing – Cloudflare’s challenge protection. I didn’t find anything else. For now, I disabled the plugin GOTMLS because it’s impossible to work.
As for me, it would be nice if the firewall provided some logs for customers. What exactly it saw, why and when it was triggered, what code triggered it…
Thanks for answers.
Analysing the fields, I found only a placeholder that relates to the wordpress functionality:
placeholder="http://…’
Also:
/js/../../images/admin/blockquote-info-ico.png')">
Could this be the reason?
The problem has been detected! If the article in wordpress editor contain text /etc/shadow, the firewall blocking the request for publishing)). I checked it on other sites.
The logic of GOTMLS needs to be improved.
Plugin Author
Eli
(@scheeeli)
DING! DING! DING! You found it! Thanks so much for sticking with it and finding the cause. I know your were about to give up and I personally really wanted to find out what the firewall was catching (mostly for my own peace of mind TBH).
Anyway, it is certainly that image path that is getting flagged by the firewall. Is there any reason why that field needs to have the ../ in the path and can’t just be a directly path to the image?
Plugin Author
Eli
(@scheeeli)
Oh, Just saw your last post here. I think I understand. You might be blogging about the /etc/shadow file, and that might be bad if that path was found in a hidden meta field all by itself, but because you are talking about it in the context of a paragraph of text it should be ok, right?
If this is the case and I am understanding the situation correctly then I certainly see your point and I will look for a solution to ignore that type of usage so as to avoid false positives like this one.
What about that image path with the ../ in it was that put there by a specific plugin or what?
Yes, I wrote an article, and the text simply mentioned /etc/shadow.
As for the image path, it did not affect the triggering.
