From 4fe242931463cc3f1372fa91d43e9aaad569a919 Mon Sep 17 00:00:00 2001 From: Mark eM Date: Mon, 28 Mar 2016 03:20:51 +0200 Subject: [PATCH 01/21] Bug #93: Ignore port number in host comparison Repair bug 93 from WordPress Trac: https://plugins.trac.wordpress.org/ticket/93 Bump to rev @1055160 https://plugins.trac.wordpress.org/browser/bad-behavior/branches?rev=1055160 --- bad-behavior/post.inc.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bad-behavior/post.inc.php b/bad-behavior/post.inc.php index 00739d0..10446de 100644 --- a/bad-behavior/post.inc.php +++ b/bad-behavior/post.inc.php @@ -58,6 +58,8 @@ function bb2_post($settings, $package) $url = parse_url($package['headers_mixed']['Referer']); $url['host'] = preg_replace('|^www\.|', '', $url['host']); $host = preg_replace('|^www\.|', '', $package['headers_mixed']['Host']); + # Strip port + $host = preg_replace('|:\d+$|', '', $host); if (strcasecmp($host, $url['host'])) { return "cd361abb"; } From 1027da40d265bbfd5a153769b2abb09c31487a5a Mon Sep 17 00:00:00 2001 From: Mark eM Date: Mon, 28 Mar 2016 03:30:20 +0200 Subject: [PATCH 02/21] Bug #12: Workaround for fatal error logging PHP... Bug #12: Workaround for fatal error logging PHP arrays in POST variables WordPress Trac - https://plugins.trac.wordpress.org/ticket/12 Revision 1055175 - https://plugins.trac.wordpress.org/browser/bad-behavior/branches?rev=1055175 --- bad-behavior/core.inc.php | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/bad-behavior/core.inc.php b/bad-behavior/core.inc.php index 324454f..6f6de1e 100644 --- a/bad-behavior/core.inc.php +++ b/bad-behavior/core.inc.php 
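Review bot: The added port strip touches only `$host`, and nothing in the hunk says why the Referer side needs no matching strip, so a later reader may "complete" the fix and start stripping `$url['host']` too. parse_url() already separates the Referer port into `$url['port']`, so the asymmetry is intentional and worth recording on the new line: `# Strip port from the Host header only; parse_url() already moves the Referer port into $url['port']`. bb2_post's body continues outside the hunk.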
@@ -68,6 +68,19 @@ function bb2_reverse_proxy($settings, $headers_mixed) return false; } +# FIXME: Bug #12. But this code doesn't currently work. +function bb2_unpack_php_post_array($key, $value) +{ + $unpacked = array(); + foreach ($value as $k => $v) { + $i = $key. '[' . $k . ']'; + if (is_array($v)) + $v = bb2_unpack_php_post_array($i, $v); + $unpacked[$i] = $v; + } + return $unpacked; +} + // Let God sort 'em out! function bb2_start($settings) { @@ -87,6 +100,10 @@ function bb2_start($settings) $request_entity = array(); if (!strcasecmp($_SERVER['REQUEST_METHOD'], "POST") || !strcasecmp($_SERVER['REQUEST_METHOD'], "PUT")) { foreach ($_POST as $h => $v) { + if (is_array($v)) { + # Workaround, see Bug #12 + $v = "Array"; + } $request_entity[$h] = $v; } } From d7aa45be6d448026594fa1d63b3b347593cede8c Mon Sep 17 00:00:00 2001 From: Mark eM Date: Mon, 28 Mar 2016 03:35:34 +0200 Subject: [PATCH 03/21] Check for MySQL error using $wpdb class WordPress Trac rev 1143525 - https://plugins.trac.wordpress.org/changeset/1143525/ --- bad-behavior-wordpress.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bad-behavior-wordpress.php b/bad-behavior-wordpress.php index a3f1f1e..4d8436f 100644 --- a/bad-behavior-wordpress.php +++ b/bad-behavior-wordpress.php @@ -76,7 +76,7 @@ function bb2_db_query($query) { $result = $wpdb->get_results($query, ARRAY_A); if ( defined('WP_DEBUG') and WP_DEBUG == true ) $wpdb->show_errors(); - if (mysql_error()) { + if ($wpdb->last_error) { return FALSE; } return $result; From 9f25181946594b9247c115d3be9fab17648e7e71 Mon Sep 17 00:00:00 2001 From: Mark eM Date: Mon, 28 Mar 2016 03:39:30 +0200 Subject: [PATCH 04/21] Add to blacklist ArchiveTeam ArchiveBot WordPress Trac rev 1189787 - https://plugins.trac.wordpress.org/changeset/1189787/ --- bad-behavior/blacklist.inc.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bad-behavior/blacklist.inc.php b/bad-behavior/blacklist.inc.php index f0b358b..e847880 100644 
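Review bot: bb2_unpack_php_post_array never flattens anything, which is presumably why the FIXME says it does not work: on the `is_array($v)` branch the recursive result is stored back under `$unpacked[$i]`, so a nested POST array comes out nested under a longer key instead of as separate `key[a][b] => value` entries. Merging the recursive result into the accumulator fixes it: `if (is_array($v)) { $unpacked += bb2_unpack_php_post_array($i, $v); continue; }` followed by the existing `$unpacked[$i] = $v;`. Until then the second hunk in bb2_start replaces every array-valued POST field with the literal string `"Array"`, which is indistinguishable in the log from a client that actually posted that word, so the FIXME reference belongs next to that workaround as well. The new function is also not called anywhere in this patch, so as committed it is dead code.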
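Review bot: `if ($wpdb->last_error)` tests the error string for truthiness, so an error message consisting of the single character `0` would be treated as success; `$wpdb->last_error` is a string that WordPress resets to `''` before each query, so `if ($wpdb->last_error !== '')` states the intent exactly. Replacing mysql_error() is the right call, since that function only reflects the legacy mysql extension's connection and reports nothing for queries WordPress runs through mysqli. bb2_db_query's body starts and ends outside the hunk.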
--- a/bad-behavior/blacklist.inc.php +++ b/bad-behavior/blacklist.inc.php @@ -6,6 +6,7 @@ function bb2_blacklist($package) { // These user agent strings occur at the beginning of the line. $bb2_spambots_0 = array( "8484 Boston Project", // video poker/porn spam + "ArchiveTeam", // ignores robots.txt and hammers server "adwords", // referrer spam "autoemailspider", // spam harvester "blogsearchbot-martin", // from honeypot @@ -77,6 +78,7 @@ function bb2_blacklist($package) { " Date: Mon, 28 Mar 2016 03:41:59 +0200 Subject: [PATCH 05/21] Tested with 4.4 WordPress Trac rev 1292363 - https://plugins.trac.wordpress.org/changeset/1292363/ --- README.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.txt b/README.txt index 74288fa..48df6e3 100644 --- a/README.txt +++ b/README.txt @@ -3,7 +3,7 @@ Tags: comment,trackback,referrer,spam,robot,antispam Contributors: error Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=error%40ioerror%2eus&item_name=Bad%20Behavior%20%28From%20WordPress%20Page%29&no_shipping=1&cn=Comments%20about%20Bad%20Behavior&tax=0¤cy_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8 Requires at least: 3.1 -Tested up to: 4.0.1 +Tested up to: 4.4 Stable tag: 2.2.16 Bad Behavior prevents spammers from ever delivering their junk, and in many From 0467b8a5b64ee3f7a081f4f00f6a6f0ca02cdda1 Mon Sep 17 00:00:00 2001 From: Mark eM Date: Mon, 28 Mar 2016 03:47:07 +0200 Subject: [PATCH 06/21] Bad Behavior 2.2.17 --- README.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.txt b/README.txt index 48df6e3..8a116aa 100644 --- a/README.txt +++ b/README.txt 
@@ -2,9 +2,9 @@ Tags: comment,trackback,referrer,spam,robot,antispam Contributors: error Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=error%40ioerror%2eus&item_name=Bad%20Behavior%20%28From%20WordPress%20Page%29&no_shipping=1&cn=Comments%20about%20Bad%20Behavior&tax=0¤cy_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8 -Requires at least: 3.1 +Requires at least: 3.5 Tested up to: 4.4 -Stable tag: 2.2.16 +Stable tag: 2.2.17 Bad Behavior prevents spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. From 247682d38b2e5496c1f35669cb649b619067a203 Mon Sep 17 00:00:00 2001 From: Mark eM Date: Mon, 28 Mar 2016 03:47:45 +0200 Subject: [PATCH 07/21] Bad Behavior 2.2.17 --- bad-behavior-wordpress.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bad-behavior-wordpress.php b/bad-behavior-wordpress.php index 4d8436f..f83ec38 100644 --- a/bad-behavior-wordpress.php +++ b/bad-behavior-wordpress.php @@ -1,7 +1,7 @@ Date: Mon, 28 Mar 2016 03:48:11 +0200 Subject: [PATCH 08/21] Bad Behavior 2.2.17 --- bad-behavior/core.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bad-behavior/core.inc.php b/bad-behavior/core.inc.php index 6f6de1e..04da50e 100644 --- a/bad-behavior/core.inc.php +++ b/bad-behavior/core.inc.php @@ -1,5 +1,5 @@ Date: Mon, 28 Mar 2016 03:49:36 +0200 Subject: [PATCH 09/21] Bad Behavior 2.2.18 --- README.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.txt b/README.txt index 8a116aa..75db36d 100644 --- a/README.txt +++ b/README.txt 
@@ -3,8 +3,8 @@ Tags: comment,trackback,referrer,spam,robot,antispam Contributors: error Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=error%40ioerror%2eus&item_name=Bad%20Behavior%20%28From%20WordPress%20Page%29&no_shipping=1&cn=Comments%20about%20Bad%20Behavior&tax=0¤cy_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8 Requires at least: 3.5 -Tested up to: 4.4 -Stable tag: 2.2.17 +Tested up to: 4.4.1 +Stable tag: 2.2.18 Bad Behavior prevents spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. From b8916b0dcba136b12a22e9403cd5bf7c3fb3ae4c Mon Sep 17 00:00:00 2001 From: Mark eM Date: Mon, 28 Mar 2016 03:49:55 +0200 Subject: [PATCH 10/21] Bad Behavior 2.2.18 --- bad-behavior-wordpress.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bad-behavior-wordpress.php b/bad-behavior-wordpress.php index f83ec38..8eac1fd 100644 --- a/bad-behavior-wordpress.php +++ b/bad-behavior-wordpress.php @@ -1,7 +1,7 @@ Date: Mon, 28 Mar 2016 03:50:26 +0200 Subject: [PATCH 11/21] Bad Behavior 2.2.18 --- bad-behavior/core.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bad-behavior/core.inc.php b/bad-behavior/core.inc.php index 04da50e..7766f1b 100644 --- a/bad-behavior/core.inc.php +++ b/bad-behavior/core.inc.php @@ -1,5 +1,5 @@ Date: Mon, 28 Mar 2016 03:53:23 +0200 Subject: [PATCH 12/21] Add new IP address range for Bing bot (v2.2.18) Add new IP address range for Bing bot Bad Behavior 2.2.18 WordPress Trac rev 1327184 - https://plugins.trac.wordpress.org/changeset/1327184/ --- bad-behavior/searchengine.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bad-behavior/searchengine.inc.php b/bad-behavior/searchengine.inc.php index 2e49459..1f2e15b 100644 --- a/bad-behavior/searchengine.inc.php +++ b/bad-behavior/searchengine.inc.php 
@@ -23,7 +23,7 @@ function bb2_google($package) function bb2_msnbot($package) { if (@is_ipv6($package['ip'])) return false; # TODO - if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14", "131.253.21.0/24", "131.253.22.0/23", "131.253.24.0/21", "131.253.32.0/20")) === FALSE) { + if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14", "131.253.21.0/24", "131.253.22.0/23", "131.253.24.0/21", "131.253.32.0/20", "40.76.0.0/14")) === FALSE) { return false; # Soft fail, must pass other screening #return "e4de0453"; # Hard fail } From 89edb55372bb7ffbcea6de9f9e60f0d49a59ee46 Mon Sep 17 00:00:00 2001 From: Mark eM Date: Mon, 28 Mar 2016 04:12:06 +0200 Subject: [PATCH 13/21] Protection against PHP Notice Protection against PHP Notice: "A session had already been started" in bad-behavior-wordpress-admin.php:12 --- bad-behavior-wordpress-admin.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bad-behavior-wordpress-admin.php b/bad-behavior-wordpress-admin.php index 785635e..d61f822 100644 --- a/bad-behavior-wordpress-admin.php +++ b/bad-behavior-wordpress-admin.php @@ -9,7 +9,9 @@ function bb2_admin_pages() { add_options_page(__("Bad Behavior"), __("Bad Behavior"), 'manage_options', 'bb2_options', 'bb2_options'); add_options_page(__("Bad Behavior Whitelist"), __("Bad Behavior Whitelist"), 'manage_options', 'bb2_whitelist', 'bb2_whitelist'); add_management_page(__("Bad Behavior Log"), __("Bad Behavior Log"), 'manage_options', 'bb2_manage', 'bb2_manage'); - @session_start(); + if(session_id() == '') { + @session_start(); + } } } From ae1becb304dc92fa031a37ae3506f87ea00b2a4b Mon Sep 17 00:00:00 2001 
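Review bot: The new range `40.76.0.0/14` is appended to the single-line CIDR list in bb2_msnbot with no record of where it came from or when it was added, and since a CIDR match here is presumably what lets a self-declared msnbot past the soft fail, a stale or mistyped range widens what is trusted as Bing. Listing the ranges one per line lets each carry its provenance, e.g. `"40.76.0.0/14", # added 2016-03, WordPress Trac rev 1327184`, so later audits can retire ranges that no longer belong to Microsoft. The `@is_ipv6` early return above the list still soft-fails every IPv6 client, which this hunk leaves as is.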
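Review bot: `if(session_id() == '')` uses loose comparison and infers session state from the id string; on PHP 5.4 and later the direct query is `if (session_status() === PHP_SESSION_NONE)`, which names exactly the state whose absence triggers the "already started" notice this patch works around. If older PHP still has to be supported, `session_id() === ''` at least makes the comparison strict. The `@` on session_start() stays and will keep hiding other failures (headers already sent, an unwritable save path), so once the duplicate-start notice is gone it is worth dropping. bb2_admin_pages starts outside the hunk.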
From: Mark eM Date: Mon, 28 Mar 2016 04:18:24 +0200 Subject: [PATCH 14/21] Protection against PHP Notice Protection against PHP Notice "Undefined offset: 1" in bad-behavior/functions.inc.php:53 This error occurs when $cidr does not contain a "/" wanted by explode --- bad-behavior/functions.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bad-behavior/functions.inc.php b/bad-behavior/functions.inc.php index 45d3645..fb83e0f 100644 --- a/bad-behavior/functions.inc.php +++ b/bad-behavior/functions.inc.php @@ -50,7 +50,7 @@ function match_cidr($addr, $cidr) { } } } else { - @list($ip, $mask) = explode('/', $cidr); + @list($ip, $mask) = array_merge(explode('/', $cidr), array(true)); if (!$mask) $mask = 32; $mask = pow(2,32) - pow(2, (32 - $mask)); $output = ((ip2long($addr) & $mask) == (ip2long($ip) & $mask)); From fe2c904d5b9c9dd5800e82f64a0df0a3eb7415a7 Mon Sep 17 00:00:00 2001 From: Mark eM Date: Thu, 18 Aug 2016 22:42:52 +0200 Subject: [PATCH 15/21] Tested up to 4.6 https://plugins.trac.wordpress.org/changeset/1464067/bad-behavior --- README.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.txt b/README.txt index 75db36d..796aee3 100644 --- a/README.txt +++ b/README.txt @@ -3,7 +3,7 @@ Tags: comment,trackback,referrer,spam,robot,antispam Contributors: error Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=error%40ioerror%2eus&item_name=Bad%20Behavior%20%28From%20WordPress%20Page%29&no_shipping=1&cn=Comments%20about%20Bad%20Behavior&tax=0¤cy_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8 Requires at least: 3.5 -Tested up to: 4.4.1 +Tested up to: 4.6 Stable tag: 2.2.18 Bad Behavior prevents spammers from ever delivering their junk, and in many From 5d0322f634ca84b5e2d153bb25b1c0fccc40c0d9 Mon Sep 17 00:00:00 2001 
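Review bot: Padding with `array(true)` breaks the default mask: when `$cidr` has no `/`, `$mask` becomes `true`, so `if (!$mask) $mask = 32;` no longer fires and the next line computes `pow(2, 32 - true)`, i.e. `pow(2, 31)`, which is the mask of a /1 rather than a /32. A bare address in a CIDR list would then match roughly half of the IPv4 space, and since match_cidr backs the search-engine verification in bb2_msnbot (and presumably the IP whitelist), that silently widens what is trusted. Pad with a value that is still falsy, `@list($ip, $mask) = array_merge(explode('/', $cidr), array(null));`, or better drop the `@` altogether: `$parts = explode('/', $cidr, 2); $ip = $parts[0]; $mask = isset($parts[1]) ? (int) $parts[1] : 32;`. match_cidr starts and ends outside the hunk.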
From: Mark eM Date: Fri, 26 Aug 2016 16:31:26 +0200 Subject: [PATCH 16/21] Bad Behavior 2.2.19 Add XSS protection to whitelist forms Add CSRF protection to whitelist and options forms --- bad-behavior-wordpress-admin.php | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/bad-behavior-wordpress-admin.php b/bad-behavior-wordpress-admin.php index d61f822..1f98fe4 100644 --- a/bad-behavior-wordpress-admin.php +++ b/bad-behavior-wordpress-admin.php @@ -245,6 +245,7 @@ function bb2_whitelist() if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS if ($_POST) { + check_admin_referer('bad-behavior-whitelist'); $_POST = array_map('stripslashes_deep', $_POST); if ($_POST['ip']) { $whitelists['ip'] = array_filter(preg_split("/\s+/m", $_POST['ip'])); @@ -279,18 +280,20 @@ function bb2_whitelist()
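Review bot: `check_admin_referer('bad-behavior-whitelist')` only protects the form if the markup emits a nonce for the same action, and the form hunk that follows has been stripped in this view, so the pairing cannot be confirmed here; the whitelist form needs `wp_nonce_field('bad-behavior-whitelist');` and the options form `wp_nonce_field('bad-behavior-options');` to match the check added in the bb2_options hunk further down. The placement inside `if ($_POST)` is right, since the check runs before `stripslashes_deep` and before any submitted value is read. It verifies nonce and referer only; authorisation still rests on the `manage_options` capability attached at menu registration, which holds for the menu callback but deserves a comment in case either function is ever invoked another way, e.g. `# CSRF check only; capability (manage_options) is enforced by the add_options_page() registration`. bb2_whitelist's body starts and ends outside the hunk.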

- +

- +

- +
+ +

@@ -306,6 +309,7 @@ function bb2_options() if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS if ($_POST) { + check_admin_referer('bad-behavior-options'); $_POST = array_map('stripslashes_deep', $_POST); if ($_POST['display_stats']) { $settings['display_stats'] = true; @@ -440,6 +444,8 @@ function bb2_options()