KR. Laboratories
Forum Replies Created
-
Thanks!
Forum: Plugins
In reply to: [LiteSpeed Cache] Is LiteSpeed Cache vulnerable?I dont use CF APO.
We can close this discussion. I deleted LiteSpeed Cache WordPress plugin and fix problem.
Forum: Plugins
In reply to: [LiteSpeed Cache] Is LiteSpeed Cache vulnerable?I don’t have any extraordinary settings in CF… The only thing is that Cloudflare used in High Security mode with access granted to the respective WordPress and LiteSpeed services. The solution I mentioned, Own Redis Server + Own WebServer LS Cache – this is the best solution I’ve come up, because it does not depend on third parties. It is an autonomous system that takes care of the cache, adhering to the Zero Trust Security principle.
I would add that, when hackers hacked LiteSpeed through the CVE-2024-50550 vulnerability, users also thought that it was a problem on their side… Therefore, discussing this is like looking for a needle in a haystack. In my opinion, the LiteSpeed Team just needs to publish comprehensive documentation on their blog about which LiteSpeed WordPress + Cloudflare settings are ideal in terms of avoiding errors.
Best regards, K.R.Forum: Plugins
In reply to: [LiteSpeed Cache] Is LiteSpeed Cache vulnerable?We have already discussed my settings in previous threads. I can only say that there were no non-standard settings in the plugin. And if there were, I changed them on the advice of qtwrk. And after that, the same thing happened again. One day I went to the site and saw a broken layout. I went to the Chrome Developer console and saw MIME-type errors (this was also described in detail in previous threads). I cleared the LS cache, cleared the CF cache, and then everything returned to normal. But this is not solution.
At first, I thought the problem was with Server Cron, the scheduler was not running, or there was no access to it. But everything is fine here. Then, I checked the cache configuration on the server itself – everything is fine there too. Then I checked Cloudflare, whitelisted access to all the necessary IP addresses. Then everything seemed to suddenly go quiet. And then it happened again.
It’s as if someone who knows about this “hole” is periodically accessing the site and exploiting it. I just assumed that it could be a cache attack. If I had been sure, I would have written a CVE report a long time ago. But this is an assumption. Considering that your plugin already had serious vulnerabilities. There may be a risk of cache manipulation. Also, before that, I noticed a surge in website traffic. Perhaps someone caught up with traffic and overflowed the cache.
The plugin LiteSpeed Cache contains a lot of functionality that hackers can try to exploit. For example, in 2024, at least 10 vulnerabilities of varying degrees were discovered in LS Cache: https://wpscan.com/plugin/litespeed-cache/. And no one knew about it, users only observed various anomalies with the cache. Therefore, I do not dismiss the security problem of your plugin. And I don’t understand how your team of experienced professionals could have allowed such a huge number of vulnerabilities. So where is the guarantee that there is no other hole, no Zero Day?
Unfortunately, I don’t have time to test it now. It’s easier to just remove the WordPress plugin and develop your own solution. No plugin – no problem.Forum: Plugins
In reply to: [LiteSpeed Cache] Is LiteSpeed Cache vulnerable?I found for myselft perfect solution.
So, I settled on an incredibly efficient configuration:- Installed WP-CLI
- Installed Redis Server
- Installed the PHP Redis module
- Set up rules for LiteSpeed caching in the web server configuration file.
And now everything works like clockwork, everything is laid out on the shelves and I know everything that happens to my cache.
- Redis Server performs the function of an object cache – it caches dynamic requests, database queries, etc.
- LiteSpeed Cache (in-build server, without plugin) performs the function of a static cache – it caches html/css and other content.
Plus, I have Cloudflare connected, which provides network-level caching (Edge Caching) and additional security.
I can see everything and control everything myself. Nothing api, no server load, no malicious queries, no broken layout, no problems.
Thank you for your work.I think your plugin is great, but just not for all configurations. It needs to be tested and improved.- This reply was modified 1 year, 4 months ago by KR. Laboratories.
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
Yes, I wrote an article, and the text simply mentioned
/etc/shadow.As for the image path, it did not affect the triggering.
The problem has been detected! If the article in wordpress editor contain text
/etc/shadow, the firewall blocking the request for publishing)). I checked it on other sites.The logic of GOTMLS needs to be improved.
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
Analysing the fields, I found only a placeholder that relates to the wordpress functionality:
placeholder="http://…’Also:
/js/../../images/admin/blockquote-info-ico.png')">Could this be the reason?
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
- This reply was modified 1 year, 4 months ago by KR. Laboratories.
The URL address where the firewall rule was triggered is specified: SERVER_REMOTE_ADDR=172.68.159.149
This IP address belongs to the Cloudflare IP-range. And this IP is constantly changing.Why I feel that it’s not correct to be redirecting attacks to my safe-load URL? Because a third party services involved to obtain sensitive data. A report is generated on the side of your server, not mine: https://safe-load.gotmls.net This is the main reason why I avoided your plugin for a long time. But now I wanted to test it, because Wordfence is very heavy and resource-intensive. Accordingly, your server stores information that actually concerns only me. The first rule of security is the rule of zero trust. But in this case, of course, it doesn’t matter.
I looked at the source code, intercepted requests through BurpSuite, and found only one thing – Cloudflare’s challenge protection. I didn’t find anything else. For now, I disabled the plugin GOTMLS because it’s impossible to work.
As for me, it would be nice if the firewall provided some logs for customers. What exactly it saw, why and when it was triggered, what code triggered it…
Thanks for answers.- This reply was modified 1 year, 4 months ago by KR. Laboratories.
I perfectly knows what is Directory Traversal attack and review code, but dont find nothing “../”. I think this firewall reaction is caused by Cloudflare proxy. I can’t find any other explanation yet. And frankly, it makes me very nervous because I can’t publish the post properly. And it makes no sense to disable the Traversal module completely, because it creates security risks.
And in my opinion, its not very correct that the blocking is performed on the side of https://safe-load.gotmls.net, and not on the side of my host.
- This reply was modified 1 year, 5 months ago by KR. Laboratories.
Here URL, which i was redirected when request blocked by firewall:
https://safe-load.gotmls.net/report.php?ver=4.23.73&attack%5B%5D=FW_Traversal&SERVER_REMOTE_ADDR=172.68.159.149&SERVER_HTTP_HOST=research.kr-labs.com.ua&SERVER_REQUEST_URI=%2Fwp-admin%2Fpost.php&SERVER_HTTP_REFERER=https%3A%2F%2Fresearch.kr-labs.com.ua%2Fwp-admin%2Fpost.php%3Fpost%3D289%26action%3Dedit&SERVER_HTTP_USER_AGENT=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F130.0.0.0+Safari%2F537.36Forum: Plugins
In reply to: [WP Responsive Menu] How to change the viewport tag in WP Responsive Menu?Hello,
I recently encountered an issue with the
<meta name="viewport">tag while using the WP Responsive Menu plugin. By default, the plugin modifies the viewport to disable user scaling on mobile devices. After some investigation, I found the option Enable/Disable Scale in the plugin settings, which allowed me to control the scaling behavior.However, I believe it would be a great enhancement if the plugin provided an option for users to fully customize or override the viewport tag, allowing more flexibility without the plugin intervening.
Would it be possible to add such a feature in a future update, where users can either set their own viewport values or choose to prevent the plugin from modifying the tag altogether?
Best regards
Do you tested with filename with space “Текстовий документ.docx”?..
I use FREE VERSION.
No. You are not telling the truth. Your plugin removes Cyrillic names if they contain a space and simply leaves a “-” instead. I understand that this is for security reasons. But then this is a bug in the functionality. Once again, the users who send files through the form are complete strangers to me, and none of them will rename files specifically for me. And your plugin takes these names and deletes them, after which all the files on my server in the folder are named: -.docx. This is a problem. And it needs to be silently fixed. It’s not difficult.Good luck
Then why don’t you make it so that the original name was saved? I think it’s a flaw. Users who send documents through the form are not computer savvy and will never rename files. This should be done automatically by the plugin. Instead, it completely removes the name and leaves only a “-” sign (-.docx). This is not how it should be.
- This reply was modified 2 years ago by KR. Laboratories.