Blog Documentation Try Vanilla Cloud
Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

Install BBQ php script

GermontGermont New
edited November 2017 in Vanilla 2.0 - 2.8

Compared to WordPress, one serious downside of many other CMSs, is that they don't have security solutions and firewalls, like Wordfence or others.

Vanilla is no exception and there is no built in solution to prevent to prevent flood or malicious requests.
Still... I found this script derived from WordPress BBQ.
The developer says:

To use BBQ on non-WP sites, include the following code for each page request:_

How could I do that for Vanilla 2.3? Thank you!

Comments

  • Options
    x00x00 MVP

    What do I think?

    This whole approach is backwards.

    Server security like this starts at much lower level. At the http server level the very least.

    Using a CMS to control a firewall is the tail wagging that dog.

    If there is a web interface at all to such security, it should be sandboxed and not part of your CMS. Thought you could do without the web interface and not have that worry.

    I'm also not that impressed by such a script. Most of those 'exploits' would not occur on a properly configured server. If your security is that bad then you seriously need to consider getting a sys admin. It is very lacklustre and basic. It does nothing to stop serious threats.

    That is not to say there not specific security issue to do with frameworks. Of course there are, but they are much more specific than that script.

    grep is your friend.

  • Options
    LincLinc Detroit Admin

    Security is not an addon.

  • Options
    x00x00 MVP

    Honestly I'm sorry I have to come down so hard on that script, but if it was really that easy there wouldn't be any issues with url exploits and it only deals with the uri. It is kind of emabrassing bad tbh ignorance like this shouldn't be spread becuase it gives people false confidence and for such a minimal script it doesn't stop more than badly coded bots.

    This is not a firewall. it stops nothing of note. Even the exploit it trying to stop it is possible to trigger, with minimal knowledge of how text comparison works.

    grep is your friend.

  • Options
    x00x00 MVP
    edited November 2017

    if you sent %65val( in the URL via curl it would get though this check, yet in the GET environment parameter it will be converted to eval(

    This script is a as good as useless for doing string comparison exclusively on REQUEST_URI which preserves url encoding.

    grep is your friend.

Sign In or Register to comment.