BPS Pro-Tools 404 error
- This topic has 23 replies, 2 voices, and was last updated 11 years, 8 months ago by Paul D..
AITpro Admin (Keymaster)
This is actually the same issue/problem and does not have anything to do with a php.ini file. Your web host just needs to whitelist the tools.php file on this particular site. The issue/problem is that your Host has a security scanner that is seeing the standard php functions regarding base64 encoding/decoding/deflating and inflating php functions in that file as malicious.
Paul D. (Participant)
Got it all mixed up with another issue I posted in the forum regarding php.ini.. my bad. I apologize.
If they (webhost tech support) “whitelisted” the file, how come that after clone deployment to the same domain it reverted to the old problem (404 error and wrong path to the BPS Pro-Tools)?
This is not an issue with BPS-Pro, yes? And an issue with webhost settings/whitelisting/scanner?
Thank you for the great support for this plugin.
Paul
AITpro Admin (Keymaster)
Logically what they must have done was to create an exclude/exception rule in their Server security scanner for only the literal path to the other website instead of doing something like creating an exclude/exception rule in their Server security scanner for all of your websites under your hosting account. 😉 I guess the best thing to do would be to ask them to create an exclude/exception rule for your entire hosting account based on the hosting account root folder name. They can do this safely by also explicitly whitelisting the tools.php file ONLY.
Paul D. (Participant)
Okay.. I will try to inform them of that and will post developments in this thread soon.
Thanks.
AITpro Admin (Keymaster)
Please ask them what Server Scanner software they are using so it can be documented here. Thank you.
Paul D. (Participant)
Sadly, webhost won’t tell us their scanner and won’t exclude tools.php. Tech said:
I have investigated the automated malware scanner logs and am not seeing tools.php to be classed as malware and quarantined therefore making exception rules is unnecessary for this file. I have added the only trouble file within the account accountnamehere to the whitelist/exclude list.
Unfortunately we cannot guarantee that our malware scanners will not pick up newly created files of this type, if the file has any signs of eval(base64_decode in PHP, it will be classed as malware automatically, for example, as it is the most popular kind of ‘infection’/code injection around the web currently.
Oh well.
AITpro Admin (Keymaster)
The tech is saying that tools.php was not seen as malicious, but it is obviously seen as malicious by their scanner. Yeah, no big deal really. Pro-Tools is not essential and is just a collection of extra tools that most people would not ever use anyway. I use several of them regularly, but the average person would not really need any of them.
BPS Pro does not use the php eval “function”, but it does reference this very dangerous language construct “function” in text only (display or help files text) and not the actual eval “function” itself. The php base64_decode and base64_encode functions are standard safe php functions, but eval is definitely not really safe to use. In any case, a lot of scanners just look for base64_decode, which is completely understandable since hackers commonly use this php function in their hacking scripts.
Source: http://php.net/manual/en/function.eval.php
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
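The difference between the two scanner behaviours described in this thread (matching any `base64_decode`, versus matching `eval(base64_decode` in executable code), as an added example that is not part of the original posts and is not the web host's scanner or BPS Pro code. The sample files, rule names and the simplified PHP stripping (no heredoc support) are assumptions made for illustration.

```python
import re

# Constructed sample files, not taken from BPS Pro or any real site.
SAMPLES = {
    "decoder_tool.php": "<?php $out = base64_decode($_POST['data']); echo htmlspecialchars($out); ?>",
    "help_text.php": "<p>Scanners flag eval(base64_decode( patterns.</p>\n"
                     "<?php echo 'never use eval(base64_decode($x))'; ?>",
    "injected.php": "<?php /* cache */ eval ( base64_decode('AAAA') ); ?>",
    "nested.php": "<?php eval(gzinflate(base64_decode($p))); ?>",
    "clean.php": "<?php echo 'hello'; ?>",
}

# Rule 1 (hypothetical name): bare substring match anywhere in the file.
NAIVE = re.compile(r"base64_decode", re.I)
# Rule 2 (hypothetical name): eval( wrapping base64_decode(, optionally
# through other calls such as gzinflate(, evaluated on executable code only.
STRICT = re.compile(r"\beval\s*\(\s*(?:@?\s*\w+\s*\(\s*)*base64_decode\s*\(", re.I)

# PHP string literals and comments, blanked before the strict rule runs.
TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<com>/\*.*?\*/|(?://|\#)[^\n]*)
""", re.S | re.X)


def php_code_only(source):
    """Keep only code inside <?php ... ?>, with strings and comments blanked."""
    blocks = re.findall(r"<\?php(.*?)(?:\?>|\Z)", source, re.S)
    return "\n".join(TOKEN.sub(" ", block) for block in blocks)


def classify(source):
    """Return the verdict of each rule for one file's contents."""
    return {
        "naive": bool(NAIVE.search(source)),
        "strict": bool(STRICT.search(php_code_only(source))),
    }


def scan(samples=SAMPLES):
    return {name: classify(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:18} naive={verdict['naive']!s:5} strict={verdict['strict']}")
```

The decoder tool and the help text trip only the substring rule, which is the false positive discussed above; the strict rule fires only where `eval` actually executes decoded data.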
AITpro Admin (Keymaster)
The only tab pages that contain the base64_decode and base64_encode functions are for the Base 64 Decoder and Encoder Tools so if you want I can send you a Pro-Tools page with the code removed from those 2 tab pages. Or if you are comfortable with doing it yourself then you would just open the tools.php file with a code editor or Notepad++ and then delete the code for those 2 tabs.
<div id="bps-tabs-1">
delete everything after the div above to the closing div tag
</div>
<div id="bps-tabs-2">
delete everything after the div above to the closing div tag
</div>
Paul D. (Participant)
It’s okay.. I may not be even using that Pro Tool .. so I think we are good without those advanced tools in BPS Pro.
Thanks for the support.. and you can consider this thread closed.